@primitivedotdev/cli 0.31.2 → 0.31.4

package/dist/oclif/index.js

@@ -1,7 +1,7 @@
 import { Args, Command, Errors, Flags } from "@oclif/core";
 import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { randomUUID } from "node:crypto";
-import { dirname, join, resolve } from "node:path";
+import { basename, dirname, join, resolve } from "node:path";
 import { spawn } from "node:child_process";
 import { hostname } from "node:os";
 import process$1 from "node:process";
@@ -645,6 +645,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	deleteFunctionSecret: () => deleteFunctionSecret,
 	discardEmailContent: () => discardEmailContent,
 	downloadAttachments: () => downloadAttachments,
+	downloadDomainZoneFile: () => downloadDomainZoneFile,
 	downloadRawEmail: () => downloadRawEmail,
 	getAccount: () => getAccount,
 	getEmail: () => getEmail,
@@ -941,9 +942,11 @@ const listDomains = (options) => (options?.client ?? client).get({
 /**
 * Claim a new domain
 *
-* Creates an unverified domain claim. You will receive a
-* `verification_token` to add as a DNS TXT record before
-* calling the verify endpoint.
+* Creates an unverified domain claim and returns the exact
+* DNS records to publish in `dns_records`. Publish those
+* records before calling the verify endpoint. To give users
+* an importable DNS file, call `downloadDomainZoneFile` or run
+* `primitive domains zone-file --id <domain-id>`.
 *
 */
 const addDomain = (options) => (options.client ?? client).post({
@@ -993,9 +996,15 @@ const updateDomain = (options) => (options.client ?? client).patch({
 /**
 * Verify domain ownership
 *
-* Checks DNS records (MX and TXT) to verify domain ownership.
+* Checks DNS records required for inbound routing, ownership,
+* and outbound authentication: MX, ownership TXT, SPF, DKIM,
+* DMARC, and TLS-RPT.
 * On success, the domain is promoted from unverified to verified.
-* On failure, returns which checks passed and which failed.
+* On failure, returns which checks passed and which failed,
+* plus the exact DNS records still expected. To give users
+* an importable DNS file for missing records, call
+* `downloadDomainZoneFile` or run
+* `primitive domains zone-file --id <domain-id>`.
 *
 */
 const verifyDomain = (options) => (options.client ?? client).post({
@@ -1007,6 +1016,23 @@ const verifyDomain = (options) => (options.client ?? client).post({
 	...options
 });
 /**
+* Download domain DNS zone file
+*
+* Downloads a BIND-format DNS zone file containing the DNS records
+* required for a domain claim. Agents should offer this after
+* `addDomain` when users want to import DNS records instead of
+* copying each record manually.
+*
+*/
+const downloadDomainZoneFile = (options) => (options.client ?? client).get({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/domains/{id}/zone-file",
+	...options
+});
+/**
 * List inbound emails
 *
 * Returns a paginated list of INBOUND emails received at your
@@ -2333,7 +2359,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "addDomain",
 				"summary": "Claim a new domain",
-				"description": "Creates an unverified domain claim. You will receive a\n`verification_token` to add as a DNS TXT record before\ncalling the verify endpoint.\n",
+				"description": "Creates an unverified domain claim and returns the exact\nDNS records to publish in `dns_records`. Publish those\nrecords before calling the verify endpoint. To give users\nan importable DNS file, call `downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 				"tags": ["Domains"],
 				"requestBody": {
 					"required": true,
@@ -2426,7 +2452,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "verifyDomain",
 				"summary": "Verify domain ownership",
-				"description": "Checks DNS records (MX and TXT) to verify domain ownership.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed.\n",
+				"description": "Checks DNS records required for inbound routing, ownership,\nand outbound authentication: MX, ownership TXT, SPF, DKIM,\nDMARC, and TLS-RPT.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed,\nplus the exact DNS records still expected. To give users\nan importable DNS file for missing records, call\n`downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 				"tags": ["Domains"],
 				"responses": {
 					"200": {
@@ -2442,6 +2468,38 @@ const openapiDocument = {
 				}
 			}
 		},
+		"/domains/{id}/zone-file": {
+			"parameters": [{ "$ref": "#/components/parameters/ResourceId" }],
+			"get": {
+				"operationId": "downloadDomainZoneFile",
+				"summary": "Download domain DNS zone file",
+				"description": "Downloads a BIND-format DNS zone file containing the DNS records\nrequired for a domain claim. Agents should offer this after\n`addDomain` when users want to import DNS records instead of\ncopying each record manually.\n",
+				"tags": ["Domains"],
+				"parameters": [{
+					"name": "outbound_only",
+					"in": "query",
+					"schema": { "type": "boolean" },
+					"description": "When true, include only outbound DNS records. Verified domains\ndefault to outbound-only; pending claims default to all required\nrecords.\n"
+				}],
+				"responses": {
+					"200": {
+						"description": "BIND-format zone file",
+						"content": { "text/plain": { "schema": {
+							"type": "string",
+							"format": "binary"
+						} } },
+						"headers": { "Content-Disposition": { "schema": {
+							"type": "string",
+							"example": "attachment; filename=\"example.com.zone\""
+						} } }
+					},
+					"400": { "$ref": "#/components/responses/ValidationError" },
+					"401": { "$ref": "#/components/responses/Unauthorized" },
+					"404": { "$ref": "#/components/responses/NotFound" },
+					"429": { "$ref": "#/components/responses/RateLimited" }
+				}
+			}
+		},
 		"/emails": { "get": {
 			"operationId": "listEmails",
 			"summary": "List inbound emails",
@@ -4731,7 +4789,7 @@ const openapiDocument = {
 				"required": ["secret"]
 			},
 			"Domain": {
-				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` for DNS verification.\n",
+				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` and `dns_records` for DNS setup.\n",
 				"oneOf": [{ "$ref": "#/components/schemas/VerifiedDomain" }, { "$ref": "#/components/schemas/UnverifiedDomain" }]
 			},
 			"VerifiedDomain": {
@@ -4771,6 +4829,74 @@ const openapiDocument = {
 					"created_at"
 				]
 			},
+			"DomainDnsRecord": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"type": {
+						"type": "string",
+						"enum": ["MX", "TXT"],
+						"description": "DNS record type."
+					},
+					"name": {
+						"type": "string",
+						"description": "DNS-provider host/name value relative to the managed root zone."
+					},
+					"fqdn": {
+						"type": "string",
+						"description": "Fully-qualified DNS record name."
+					},
+					"value": {
+						"type": "string",
+						"description": "Exact value to publish."
+					},
+					"priority": {
+						"type": "integer",
+						"description": "MX priority. Present only for MX records."
+					},
+					"ttl": {
+						"type": "integer",
+						"description": "Suggested TTL in seconds when the API can provide one."
+					},
+					"required": {
+						"type": "boolean",
+						"const": true
+					},
+					"purpose": {
+						"type": "string",
+						"enum": [
+							"inbound_mx",
+							"ownership_verification",
+							"spf",
+							"dkim",
+							"dmarc",
+							"tls_reporting"
+						]
+					},
+					"status": {
+						"type": "string",
+						"enum": [
+							"pending",
+							"found",
+							"missing",
+							"incorrect"
+						]
+					},
+					"message": {
+						"type": "string",
+						"description": "Short explanation of why this record is needed."
+					}
+				},
+				"required": [
+					"type",
+					"name",
+					"fqdn",
+					"value",
+					"required",
+					"purpose",
+					"status"
+				]
+			},
 			"UnverifiedDomain": {
 				"type": "object",
 				"properties": {
@@ -4791,6 +4917,11 @@ const openapiDocument = {
 						"type": "string",
 						"description": "Add this value as a TXT record to verify ownership"
 					},
+					"dns_records": {
+						"type": "array",
+						"description": "Exact DNS records to publish for this pending domain claim.",
+						"items": { "$ref": "#/components/schemas/DomainDnsRecord" }
+					},
 					"created_at": {
 						"type": "string",
 						"format": "date-time"
@@ -4808,12 +4939,23 @@ const openapiDocument = {
 			"AddDomainInput": {
 				"type": "object",
 				"additionalProperties": false,
-				"properties": { "domain": {
-					"type": "string",
-					"minLength": 1,
-					"maxLength": 253,
-					"description": "The domain name to claim (e.g. \"example.com\")"
-				} },
+				"properties": {
+					"domain": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 253,
+						"description": "The domain name to claim (e.g. \"example.com\")"
+					},
+					"confirmed": {
+						"type": "boolean",
+						"description": "Set to true to confirm replacing an existing mailbox provider after an mx_conflict response."
+					},
+					"outbound": {
+						"type": "boolean",
+						"deprecated": true,
+						"description": "Deprecated and ignored. Outbound DNS is provisioned for every new domain claim."
+					}
+				},
 				"required": ["domain"]
 			},
 			"UpdateDomainInput": {
@@ -4835,10 +4977,17 @@ const openapiDocument = {
 			},
 			"DomainVerifyResult": { "oneOf": [{
 				"type": "object",
-				"properties": { "verified": {
-					"type": "boolean",
-					"const": true
-				} },
+				"properties": {
+					"verified": {
+						"type": "boolean",
+						"const": true
+					},
+					"dns_records": {
+						"type": "array",
+						"description": "Exact DNS records checked for this verification attempt.",
+						"items": { "$ref": "#/components/schemas/DomainDnsRecord" }
+					}
+				},
 				"required": ["verified"]
 			}, {
 				"type": "object",
@@ -4855,6 +5004,27 @@ const openapiDocument = {
 						"type": "boolean",
 						"description": "Whether the TXT verification record was found"
 					},
+					"spfFound": {
+						"type": "boolean",
+						"description": "Whether the SPF record includes Primitive."
+					},
+					"dkimFound": {
+						"type": "boolean",
+						"description": "Whether the DKIM public key record was found."
+					},
+					"dmarcFound": {
+						"type": "boolean",
+						"description": "Whether the DMARC record was found."
+					},
+					"tlsRptFound": {
+						"type": "boolean",
+						"description": "Whether the TLS-RPT record was found."
+					},
+					"dns_records": {
+						"type": "array",
+						"description": "Exact DNS records checked for this verification attempt.",
+						"items": { "$ref": "#/components/schemas/DomainDnsRecord" }
+					},
 					"error": {
 						"type": "string",
 						"description": "Human-readable verification failure reason"
@@ -5167,6 +5337,31 @@ const openapiDocument = {
 					"created_at"
 				]
 			},
+			"SendMailAttachment": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"filename": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 255,
+						"description": "Attachment filename. Control characters are rejected."
+					},
+					"content_type": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 255,
+						"description": "Optional MIME content type. Control characters are rejected."
+					},
+					"content_base64": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 44040192,
+						"description": "Base64-encoded attachment bytes."
+					}
+				},
+				"required": ["filename", "content_base64"]
+			},
 			"SendMailInput": {
 				"type": "object",
 				"additionalProperties": false,
@@ -5215,6 +5410,12 @@ const openapiDocument = {
 							"pattern": "^[^\\x00-\\x1F\\x7F]+$"
 						}
 					},
+					"attachments": {
+						"type": "array",
+						"maxItems": 100,
+						"description": "Inline attachments. Send requests with attachments to https://api.primitive.dev/v1/send-mail. Combined raw decoded attachment bytes must be at most 31457280.",
+						"items": { "$ref": "#/components/schemas/SendMailAttachment" }
+					},
 					"wait": {
 						"type": "boolean",
 						"description": "When true, wait for the first downstream SMTP delivery outcome before returning."
@@ -7502,7 +7703,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "add-domain",
-		"description": "Creates an unverified domain claim. You will receive a\n`verification_token` to add as a DNS TXT record before\ncalling the verify endpoint.\n",
+		"description": "Creates an unverified domain claim and returns the exact\nDNS records to publish in `dns_records`. Publish those\nrecords before calling the verify endpoint. To give users\nan importable DNS file, call `downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "addDomain",
@@ -7512,12 +7713,23 @@ const operationManifest = [
 		"requestSchema": {
 			"type": "object",
 			"additionalProperties": false,
-			"properties": { "domain": {
-				"type": "string",
-				"minLength": 1,
-				"maxLength": 253,
-				"description": "The domain name to claim (e.g. \"example.com\")"
-			} },
+			"properties": {
+				"domain": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 253,
+					"description": "The domain name to claim (e.g. \"example.com\")"
+				},
+				"confirmed": {
+					"type": "boolean",
+					"description": "Set to true to confirm replacing an existing mailbox provider after an mx_conflict response."
+				},
+				"outbound": {
+					"type": "boolean",
+					"deprecated": true,
+					"description": "Deprecated and ignored. Outbound DNS is provisioned for every new domain claim."
+				}
+			},
 			"required": ["domain"]
 		},
 		"responseSchema": {
@@ -7540,6 +7752,78 @@ const operationManifest = [
 					"type": "string",
 					"description": "Add this value as a TXT record to verify ownership"
 				},
+				"dns_records": {
+					"type": "array",
+					"description": "Exact DNS records to publish for this pending domain claim.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"type": {
+								"type": "string",
+								"enum": ["MX", "TXT"],
+								"description": "DNS record type."
+							},
+							"name": {
+								"type": "string",
+								"description": "DNS-provider host/name value relative to the managed root zone."
+							},
+							"fqdn": {
+								"type": "string",
+								"description": "Fully-qualified DNS record name."
+							},
+							"value": {
+								"type": "string",
+								"description": "Exact value to publish."
+							},
+							"priority": {
+								"type": "integer",
+								"description": "MX priority. Present only for MX records."
+							},
+							"ttl": {
+								"type": "integer",
+								"description": "Suggested TTL in seconds when the API can provide one."
+							},
+							"required": {
+								"type": "boolean",
+								"const": true
+							},
+							"purpose": {
+								"type": "string",
+								"enum": [
+									"inbound_mx",
+									"ownership_verification",
+									"spf",
+									"dkim",
+									"dmarc",
+									"tls_reporting"
+								]
+							},
+							"status": {
+								"type": "string",
+								"enum": [
+									"pending",
+									"found",
+									"missing",
+									"incorrect"
+								]
+							},
+							"message": {
+								"type": "string",
+								"description": "Short explanation of why this record is needed."
+							}
+						},
+						"required": [
+							"type",
+							"name",
+							"fqdn",
+							"value",
+							"required",
+							"purpose",
+							"status"
+						]
+					}
+				},
 				"created_at": {
 					"type": "string",
 					"format": "date-time"
@@ -7583,6 +7867,36 @@ const operationManifest = [
 		"tag": "Domains",
 		"tagCommand": "domains"
 	},
+	{
+		"binaryResponse": true,
+		"bodyRequired": false,
+		"command": "download-domain-zone-file",
+		"description": "Downloads a BIND-format DNS zone file containing the DNS records\nrequired for a domain claim. Agents should offer this after\n`addDomain` when users want to import DNS records instead of\ncopying each record manually.\n",
+		"hasJsonBody": false,
+		"method": "GET",
+		"operationId": "downloadDomainZoneFile",
+		"path": "/domains/{id}/zone-file",
+		"pathParams": [{
+			"description": "Resource UUID",
+			"enum": null,
+			"name": "id",
+			"required": true,
+			"type": "string"
+		}],
+		"queryParams": [{
+			"description": "When true, include only outbound DNS records. Verified domains\ndefault to outbound-only; pending claims default to all required\nrecords.\n",
+			"enum": null,
+			"name": "outbound_only",
+			"required": false,
+			"type": "boolean"
+		}],
+		"requestSchema": null,
+		"responseSchema": null,
+		"sdkName": "downloadDomainZoneFile",
+		"summary": "Download domain DNS zone file",
+		"tag": "Domains",
+		"tagCommand": "domains"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
@@ -7598,7 +7912,7 @@ const operationManifest = [
 		"responseSchema": {
 			"type": "array",
 			"items": {
-				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` for DNS verification.\n",
+				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` and `dns_records` for DNS setup.\n",
 				"oneOf": [{
 					"type": "object",
 					"properties": {
@@ -7655,6 +7969,78 @@ const operationManifest = [
 							"type": "string",
 							"description": "Add this value as a TXT record to verify ownership"
 						},
+						"dns_records": {
+							"type": "array",
+							"description": "Exact DNS records to publish for this pending domain claim.",
+							"items": {
+								"type": "object",
+								"additionalProperties": false,
+								"properties": {
+									"type": {
+										"type": "string",
+										"enum": ["MX", "TXT"],
+										"description": "DNS record type."
+									},
+									"name": {
+										"type": "string",
+										"description": "DNS-provider host/name value relative to the managed root zone."
+									},
+									"fqdn": {
+										"type": "string",
+										"description": "Fully-qualified DNS record name."
+									},
+									"value": {
+										"type": "string",
+										"description": "Exact value to publish."
+									},
+									"priority": {
+										"type": "integer",
+										"description": "MX priority. Present only for MX records."
+									},
+									"ttl": {
+										"type": "integer",
+										"description": "Suggested TTL in seconds when the API can provide one."
+									},
+									"required": {
+										"type": "boolean",
+										"const": true
+									},
+									"purpose": {
+										"type": "string",
+										"enum": [
+											"inbound_mx",
+											"ownership_verification",
+											"spf",
+											"dkim",
+											"dmarc",
+											"tls_reporting"
+										]
+									},
+									"status": {
+										"type": "string",
+										"enum": [
+											"pending",
+											"found",
+											"missing",
+											"incorrect"
+										]
+									},
+									"message": {
+										"type": "string",
+										"description": "Short explanation of why this record is needed."
+									}
+								},
+								"required": [
+									"type",
+									"name",
+									"fqdn",
+									"value",
+									"required",
+									"purpose",
+									"status"
+								]
+							}
+						},
 						"created_at": {
 							"type": "string",
 							"format": "date-time"
@@ -7756,7 +8142,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": false,
 		"command": "verify-domain",
-		"description": "Checks DNS records (MX and TXT) to verify domain ownership.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed.\n",
+		"description": "Checks DNS records required for inbound routing, ownership,\nand outbound authentication: MX, ownership TXT, SPF, DKIM,\nDMARC, and TLS-RPT.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed,\nplus the exact DNS records still expected. To give users\nan importable DNS file for missing records, call\n`downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 		"hasJsonBody": false,
 		"method": "POST",
 		"operationId": "verifyDomain",
@@ -7772,10 +8158,84 @@ const operationManifest = [
 		"requestSchema": null,
 		"responseSchema": { "oneOf": [{
 			"type": "object",
-			"properties": { "verified": {
-				"type": "boolean",
-				"const": true
-			} },
+			"properties": {
+				"verified": {
+					"type": "boolean",
+					"const": true
+				},
+				"dns_records": {
+					"type": "array",
+					"description": "Exact DNS records checked for this verification attempt.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"type": {
+								"type": "string",
+								"enum": ["MX", "TXT"],
+								"description": "DNS record type."
+							},
+							"name": {
+								"type": "string",
+								"description": "DNS-provider host/name value relative to the managed root zone."
+							},
+							"fqdn": {
+								"type": "string",
+								"description": "Fully-qualified DNS record name."
+							},
+							"value": {
+								"type": "string",
+								"description": "Exact value to publish."
+							},
+							"priority": {
+								"type": "integer",
+								"description": "MX priority. Present only for MX records."
+							},
+							"ttl": {
+								"type": "integer",
+								"description": "Suggested TTL in seconds when the API can provide one."
+							},
+							"required": {
+								"type": "boolean",
+								"const": true
+							},
+							"purpose": {
+								"type": "string",
+								"enum": [
+									"inbound_mx",
+									"ownership_verification",
+									"spf",
+									"dkim",
+									"dmarc",
+									"tls_reporting"
+								]
+							},
+							"status": {
+								"type": "string",
+								"enum": [
+									"pending",
+									"found",
+									"missing",
+									"incorrect"
+								]
+							},
+							"message": {
+								"type": "string",
+								"description": "Short explanation of why this record is needed."
+							}
+						},
+						"required": [
+							"type",
+							"name",
+							"fqdn",
+							"value",
+							"required",
+							"purpose",
+							"status"
+						]
+					}
+				}
+			},
 			"required": ["verified"]
 		}, {
 			"type": "object",
@@ -7792,6 +8252,94 @@ const operationManifest = [
 					"type": "boolean",
 					"description": "Whether the TXT verification record was found"
 				},
+				"spfFound": {
+					"type": "boolean",
+					"description": "Whether the SPF record includes Primitive."
+				},
+				"dkimFound": {
+					"type": "boolean",
+					"description": "Whether the DKIM public key record was found."
+				},
+				"dmarcFound": {
+					"type": "boolean",
+					"description": "Whether the DMARC record was found."
+				},
+				"tlsRptFound": {
+					"type": "boolean",
+					"description": "Whether the TLS-RPT record was found."
+				},
+				"dns_records": {
+					"type": "array",
+					"description": "Exact DNS records checked for this verification attempt.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"type": {
+								"type": "string",
+								"enum": ["MX", "TXT"],
+								"description": "DNS record type."
+							},
+							"name": {
+								"type": "string",
+								"description": "DNS-provider host/name value relative to the managed root zone."
+							},
+							"fqdn": {
+								"type": "string",
+								"description": "Fully-qualified DNS record name."
+							},
+							"value": {
+								"type": "string",
+								"description": "Exact value to publish."
+							},
+							"priority": {
+								"type": "integer",
+								"description": "MX priority. Present only for MX records."
+							},
+							"ttl": {
+								"type": "integer",
+								"description": "Suggested TTL in seconds when the API can provide one."
+							},
+							"required": {
+								"type": "boolean",
+								"const": true
+							},
+							"purpose": {
+								"type": "string",
+								"enum": [
+									"inbound_mx",
+									"ownership_verification",
+									"spf",
+									"dkim",
+									"dmarc",
+									"tls_reporting"
+								]
+							},
+							"status": {
+								"type": "string",
+								"enum": [
+									"pending",
+									"found",
+									"missing",
+									"incorrect"
+								]
+							},
+							"message": {
+								"type": "string",
+								"description": "Short explanation of why this record is needed."
+							}
+						},
+						"required": [
+							"type",
+							"name",
+							"fqdn",
+							"value",
+							"required",
+							"purpose",
+							"status"
+						]
+					}
+				},
 				"error": {
 					"type": "string",
 					"description": "Human-readable verification failure reason"
@@ -11165,6 +11713,36 @@ const operationManifest = [
 						"pattern": "^[^\\x00-\\x1F\\x7F]+$"
 					}
 				},
+				"attachments": {
+					"type": "array",
+					"maxItems": 100,
+					"description": "Inline attachments. Send requests with attachments to https://api.primitive.dev/v1/send-mail. Combined raw decoded attachment bytes must be at most 31457280.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"filename": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 255,
+								"description": "Attachment filename. Control characters are rejected."
+							},
+							"content_type": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 255,
+								"description": "Optional MIME content type. Control characters are rejected."
+							},
+							"content_base64": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 44040192,
+								"description": "Base64-encoded attachment bytes."
+							}
+						},
+						"required": ["filename", "content_base64"]
+					}
+				},
 				"wait": {
 					"type": "boolean",
 					"description": "When true, wait for the first downstream SMTP delivery outcome before returning."
@@ -11508,7 +12086,7 @@ var PrimitiveApiClient = class {
 const CREDENTIALS_FILE = "credentials.json";
 const CREDENTIALS_LOCK_DIR = "credentials.lock";
 const CREDENTIALS_LOCK_STALE_MS = 1800 * 1e3;
-const MALFORMED_CREDENTIALS_HINT = "Run `primitive logout` and then `primitive login`.";
+const MALFORMED_CREDENTIALS_HINT = "Run `primitive logout` and then `primitive signin`.";
 function isRecord$2(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
@@ -11586,10 +12164,10 @@ function loadCliCredentials(configDir) {
 			try {
 				rmSync(path, { force: true });
 			} catch {}
-			process.stderr.write("Removed local Primitive CLI API-key login state. API keys are still valid when passed explicitly, but `primitive login` now uses OAuth. Run `primitive login` to create an OAuth session. No API key was revoked.\n");
+			process.stderr.write("Removed local Primitive CLI API-key login state. API keys are still valid when passed explicitly, but saved CLI auth now uses OAuth. Run `primitive signin` to create an OAuth session. No API key was revoked.\n");
 			return null;
 		}
-		if (error instanceof SyntaxError) throw new Error("Stored Primitive CLI credentials are not valid JSON. Run `primitive logout` and then `primitive login`.");
+		if (error instanceof SyntaxError) throw new Error("Stored Primitive CLI credentials are not valid JSON. Run `primitive logout` and then `primitive signin`.");
 		throw error;
 	}
 }
@@ -11872,7 +12450,7 @@ function redactCliEnvironment(environment) {
 //#region src/oclif/api-client.ts
 const API_HEADERS_ENV = "PRIMITIVE_API_HEADERS";
 const OAUTH_REFRESH_SKEW_MS = 60 * 1e3;
-const SAVED_CLI_OAUTH_SESSION_EXPIRED_MESSAGE = "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive login` to authenticate again.";
+const SAVED_CLI_OAUTH_SESSION_EXPIRED_MESSAGE = "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive signin` to authenticate again.";
 function mergeHeaders(...headers) {
 	const merged = {};
 	for (const headerSet of headers) {
@@ -11970,7 +12548,7 @@ async function refreshStoredCliCredentials(params) {
 			throw new Errors.CLIError(detail, { exit: 1 });
 		}
 		const current = loadCliCredentials(params.configDir);
-		if (!current) throw new Errors.CLIError("Saved Primitive CLI OAuth session is no longer available. Run `primitive login` to authenticate again.", { exit: 1 });
+		if (!current) throw new Errors.CLIError("Saved Primitive CLI OAuth session is no longer available. Run `primitive signin` to authenticate again.", { exit: 1 });
 		if (!shouldRefresh(current, now)) return current;
 		const fetchImpl = params.fetch ?? fetch;
 		const body = new URLSearchParams({
@@ -12279,26 +12857,26 @@ function coerceParameterValue(parameter, value) {
 	if (typeof value === "boolean" || typeof value === "number" || typeof value === "string") return value;
 	throw new Errors.CLIError(`Unsupported flag value for --${parameter.name}`);
 }
-function cliError$6(message) {
+function cliError$7(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function parseJson(source, flagLabel) {
 	try {
 		return JSON.parse(source);
 	} catch (error) {
-		throw cliError$6(`${flagLabel} is not valid JSON: ${error instanceof Error ? error.message : String(error)}`);
+		throw cliError$7(`${flagLabel} is not valid JSON: ${error instanceof Error ? error.message : String(error)}`);
 	}
 }
 function readJsonBody(flags) {
 	const bodyFile = flags["body-file"];
 	const rawBody = flags["raw-body"];
-	if (bodyFile && rawBody) throw cliError$6("Use either --raw-body or --body-file, not both");
+	if (bodyFile && rawBody) throw cliError$7("Use either --raw-body or --body-file, not both");
 	if (typeof bodyFile === "string") {
 		let contents;
 		try {
 			contents = readFileSync(bodyFile, "utf8");
 		} catch (error) {
-			throw cliError$6(`Could not read --body-file ${bodyFile}: ${error instanceof Error ? error.message : String(error)}`);
+			throw cliError$7(`Could not read --body-file ${bodyFile}: ${error instanceof Error ? error.message : String(error)}`);
 		}
 		return parseJson(contents, `--body-file ${bodyFile}`);
 	}
@@ -12308,7 +12886,7 @@ function readTextFileFlag(path, flagLabel) {
 	try {
 		return readFileSync(path, "utf8");
 	} catch (error) {
-		throw cliError$6(`Could not read ${flagLabel} ${path}: ${error instanceof Error ? error.message : String(error)}`);
+		throw cliError$7(`Could not read ${flagLabel} ${path}: ${error instanceof Error ? error.message : String(error)}`);
 	}
 }
 function extractErrorPayload(raw) {
@@ -12355,7 +12933,7 @@ function extractErrorCode(payload) {
 		if (typeof direct === "string") return direct;
 	}
 }
-const ERROR_CODE_HINTS = { [API_ERROR_CODES.unauthorized]: "Hint: run `primitive login`, pass --api-key explicitly, or set PRIMITIVE_API_KEY in your environment. `primitive whoami` is the fastest way to verify auth is live." };
+const ERROR_CODE_HINTS = { [API_ERROR_CODES.unauthorized]: "Hint: run `primitive signin`, pass --api-key explicitly, or set PRIMITIVE_API_KEY in your environment. `primitive whoami` is the fastest way to verify auth is live." };
 const NETWORK_ERROR_HINTS = {
 	ENETUNREACH: "Hint: the network is unreachable. If you're behind a proxy and set HTTP(S)_PROXY, re-run with NODE_USE_ENV_PROXY=1 (Node 22+ ignores those env vars by default). `primitive doctor` reports the local environment in one shot.",
 	ECONNREFUSED: "Hint: the server refused the connection. Check that your firewall allows egress to *.primitive.dev, that your PRIMITIVE_API_BASE_URL_* overrides (if any) point at a reachable host, and re-run with NODE_USE_ENV_PROXY=1 if you're behind a proxy. `primitive doctor` reports the local environment in one shot.",
@@ -12393,7 +12971,7 @@ function surfaceUnauthorizedHint(params) {
 		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The saved credential is preserved; unset PRIMITIVE_API_BASE_URL_1, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
 		return;
 	}
-	process.stderr.write("Your saved Primitive CLI OAuth session was rejected. If the command was working a moment ago, please retry; brief retries often clear transient rejections. If it keeps failing, run `primitive logout && primitive login` to mint a fresh session.\n");
+	process.stderr.write("Your saved Primitive CLI OAuth session was rejected. If the command was working a moment ago, please retry; brief retries often clear transient rejections. If it keeps failing, run `primitive logout && primitive signin` to mint a fresh session.\n");
 }
 function formatElapsed(ms) {
 	const seconds = ms / 1e3;
@@ -12501,6 +13079,10 @@ function operationOutputPayload(envelope, includeEnvelope) {
 	return includeEnvelope ? envelope ?? null : envelope?.data ?? null;
 }
 const OPERATION_HINTS = {
+	addDomain: "Tip: after this returns a domain id, run `primitive domains zone-file --id <domain-id> --output <domain>.zone` when the user wants an importable DNS zone file.",
+	verifyDomain: "Tip: if DNS is still missing, run `primitive domains zone-file --id <domain-id> --output <domain>.zone` to give the user an importable DNS zone file.",
+	downloadDomainZoneFile: "Tip: prefer `primitive domains zone-file --id <domain-id> --output <domain>.zone` for CLI-friendly file output.",
+	sendEmail: "Tip: prefer `primitive send --to <address> --body <text> --attachment <file>` for file attachments. This raw command exists for callers passing JSON.",
 	createFunction: "Tip: prefer `primitive functions deploy --name <name> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
 	updateFunction: "Tip: prefer `primitive functions redeploy --id <id> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
 	createFunctionSecret: "Tip: prefer `primitive functions set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON.",
@@ -12612,7 +13194,8 @@ const EMPTY_RESULT_HINTS = {
 	listEndpoints: "(no results) No webhook endpoints configured. Add one with `primitive endpoints create --url <your-url>`.",
 	listEmails: "(no results) No inbound emails received yet on this account. Send one to a verified domain to populate this list. For a compact view, prefer `primitive emails latest`.",
 	listDomains: "(no results) No domains on this account. Add one with `primitive domains add --domain <yourdomain.example>`.",
-	listFilters: "(no results) No filter rules configured."
+	listFilters: "(no results) No filter rules configured.",
+	listFunctions: "(no results) No Functions configured yet. Start with `primitive functions templates`, then `primitive functions init --template <template>` and `primitive functions deploy --name <name> --file <bundle>`."
 };
 function canonicalizeCliReferences(description) {
 	return description.replaceAll("`primitive emails:latest`", "`primitive emails latest`").replaceAll("`primitive describe emails:get-email | jq '.responseSchema.properties'`", "`primitive describe emails:get | jq '.responseSchema.properties'`");
@@ -12756,11 +13339,11 @@ function sleep$1(ms) {
 //#region src/oclif/commands/chat.ts
 const DEFAULT_CHAT_TIMEOUT_SECONDS = 120;
 const DEFAULT_STRICT_PHASE_SECONDS = 60;
-function cliError$5(message) {
+function cliError$6(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 async function readStdinToString() {
-	if (process.stdin.isTTY) throw cliError$5("No message provided. Pass the message as the second positional argument or pipe it via stdin.");
+	if (process.stdin.isTTY) throw cliError$6("No message provided. Pass the message as the second positional argument or pipe it via stdin.");
 	const chunks = [];
 	for await (const chunk of process.stdin) chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
 	return Buffer.concat(chunks).toString("utf8");
@@ -12796,7 +13379,7 @@ var ChatCommand = class ChatCommand extends Command {
 	};
 	static flags = {
 		"api-key": Flags.string({
-			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive signin` credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
@@ -12841,7 +13424,7 @@ var ChatCommand = class ChatCommand extends Command {
 	async run() {
 		const { args, flags } = await this.parse(ChatCommand);
 		const message = args.message !== void 0 && args.message !== "" ? args.message : await readStdinToString();
-		if (!message.trim()) throw cliError$5("Message body is empty.");
+		if (!message.trim()) throw cliError$6("Message body is empty.");
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
@@ -12879,7 +13462,7 @@ var ChatCommand = class ChatCommand extends Command {
 				return;
 			}
 			const sent = sendResult.data?.data;
-			if (!sent) throw cliError$5("Send succeeded but the API returned no data.");
+			if (!sent) throw cliError$6("Send succeeded but the API returned no data.");
 			const reply = await waitForReply({
 				apiClient,
 				authFailureContext,
@@ -13203,23 +13786,23 @@ function checkApiKey(opts) {
 		if (typeof parsed?.api_key === "string" && parsed.api_key.length > 0) return {
 			status: "fail",
 			message: `${credsPath} contains legacy API-key login state`,
-			hint: "Run `primitive login` to create saved OAuth credentials. Existing API keys still work with --api-key or PRIMITIVE_API_KEY."
+			hint: "Run `primitive signin` to create saved OAuth credentials. Existing API keys still work with --api-key or PRIMITIVE_API_KEY."
 		};
 		if (parsed) return {
 			status: "fail",
 			message: `${credsPath} exists but contains no OAuth access_token`,
-			hint: "Run `primitive logout` to clear it, then `primitive login` to recreate."
+			hint: "Run `primitive logout` to clear it, then `primitive signin` to recreate."
 		};
 		return {
 			status: "fail",
 			message: `${credsPath} exists but is unreadable or malformed${parseError ? ` (${parseError})` : ""}`,
-			hint: "Run `primitive logout` to clear it, then `primitive login` to recreate."
+			hint: "Run `primitive logout` to clear it, then `primitive signin` to recreate."
 		};
 	}
 	return {
 		status: "fail",
 		message: "no CLI OAuth session or explicit API key found",
-		hint: "Run `primitive login`, pass --api-key explicitly, or export PRIMITIVE_API_KEY=prim_..."
+		hint: "Run `primitive signin`, pass --api-key explicitly, or export PRIMITIVE_API_KEY=prim_..."
 	};
 }
 async function checkAccount(client) {
@@ -13379,6 +13962,144 @@ var DoctorCommand = class DoctorCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/domains-zone-file.ts
+function zoneFileUrl(baseUrl, domainId, outboundOnly) {
+	const url = new URL(`${baseUrl.replace(/\/$/, "")}/domains/${encodeURIComponent(domainId)}/zone-file`);
+	if (outboundOnly) url.searchParams.set("outbound_only", "true");
+	return url.toString();
+}
+function contentDispositionFilename(value) {
+	if (!value) return null;
+	const match = /filename\*=UTF-8''([^;]+)|filename="?([^";]+)"?/i.exec(value);
+	const raw = match?.[1] ?? match?.[2];
+	if (!raw) return null;
+	try {
+		return decodeURIComponent(raw);
+	} catch {
+		return raw;
+	}
+}
+function findDomain(domains, domain) {
+	const match = domains.find((entry) => entry.domain === domain);
+	if (!match) throw new Errors.CLIError(`Domain ${domain} was not found.`, { exit: 1 });
+	return match;
+}
+async function responseErrorPayload(response) {
+	if ((response.headers.get("content-type")?.toLowerCase() ?? "").includes("application/json")) return response.json().catch(() => ({
+		code: "http_error",
+		message: `HTTP ${response.status} ${response.statusText}`.trim()
+	}));
+	return {
+		code: "http_error",
+		message: (await response.text().catch(() => "")).trim() || `HTTP ${response.status} ${response.statusText}`.trim()
+	};
+}
+var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
+	static description = `Download a BIND-format DNS zone file for a domain claim.
+
+  Use this when a DNS provider supports zone-file import and you want to publish all required records at once instead of copying each record manually. The file is generated by the Primitive API, matching the dashboard download flow.
+
+  Agents: after claiming a domain, tell users they can run \`primitive domains zone-file --id <domain-id> --output <domain>.zone\` to get an importable DNS zone file.`;
+	static summary = "Download a DNS zone file for a domain";
+	static examples = [
+		"<%= config.bin %> domains zone-file --id <domain-id>",
+		"<%= config.bin %> domains zone-file --id <domain-id> --output example.com.zone",
+		"<%= config.bin %> domains zone-file --domain example.com --output example.com.zone",
+		"<%= config.bin %> domains zone-file --id <domain-id> --outbound-only"
+	];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"api-base-url-2": Flags.string({
+			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_2",
+			hidden: true
+		}),
+		domain: Flags.string({ description: "Domain name to look up before downloading its zone file. Prefer --id when you have the domain id from `primitive domains add`." }),
+		id: Flags.string({ description: "Domain id returned by `primitive domains add` or `primitive domains list`." }),
+		output: Flags.string({
+			char: "o",
+			description: "Write the zone file to this path instead of stdout. Defaults to stdout."
+		}),
+		"outbound-only": Flags.boolean({ description: "Include only outbound DNS records. Verified domains default to outbound-only at the API; this flag is explicit for agents and scripts." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(DomainsZoneFileCommand);
+		if (flags.id && flags.domain) throw new Errors.CLIError("Use only one of --id or --domain.", { exit: 1 });
+		if (!flags.id && !flags.domain) throw new Errors.CLIError("Pass --id <domain-id> or --domain <domain>.", { exit: 1 });
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden, requestConfig } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl2: flags["api-base-url-2"],
+				configDir: this.config.configDir
+			});
+			let domainId = flags.id;
+			if (!domainId && flags.domain) {
+				const result = await listDomains({
+					client: apiClient.client,
+					responseStyle: "fields"
+				});
+				if (result.error) {
+					const errorPayload = extractErrorPayload(result.error);
+					writeErrorWithHints(errorPayload);
+					surfaceUnauthorizedHint({
+						auth,
+						baseUrlOverridden,
+						configDir: this.config.configDir,
+						payload: errorPayload
+					});
+					process.exitCode = 1;
+					return;
+				}
+				const envelope = result.data;
+				domainId = findDomain(envelope?.data ?? [], flags.domain).id;
+			}
+			if (!domainId) throw new Errors.CLIError("Could not resolve a domain id.", { exit: 1 });
+			let response;
+			try {
+				response = await fetch(zoneFileUrl(requestConfig.resolvedApiBaseUrl1, domainId, flags["outbound-only"]), { headers: {
+					...requestConfig.headers ?? {},
+					...auth.apiKey ? { authorization: `Bearer ${auth.apiKey}` } : {}
+				} });
+			} catch (error) {
+				writeErrorWithHints(error);
+				process.exitCode = 1;
+				return;
+			}
+			if (!response.ok) {
+				const errorPayload = extractErrorPayload(await responseErrorPayload(response));
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const zoneFile = await response.text();
+			const output = flags.output;
+			if (output) {
+				writeFileSync(output, zoneFile, "utf8");
+				const filename = contentDispositionFilename(response.headers.get("content-disposition"));
+				process.stderr.write(`Wrote ${filename ?? "zone file"} to ${output}\n`);
+				return;
+			}
+			process.stdout.write(zoneFile);
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/emails-latest.ts
 const DEFAULT_LIMIT = 10;
 const MAX_LIMIT = 100;
@@ -13489,7 +14210,7 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 //#endregion
 //#region src/oclif/commands/emails-wait.ts
 const DEFAULT_WAIT_TIMEOUT_SECONDS$1 = 300;
-function cliError$4(message) {
+function cliError$5(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 var EmailsWaitCommand = class EmailsWaitCommand extends Command {
@@ -13564,7 +14285,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 		try {
 			since = sinceFromFlags(flags);
 		} catch (error) {
-			throw cliError$4(error instanceof Error ? error.message : String(error));
+			throw cliError$5(error instanceof Error ? error.message : String(error));
 		}
 		const filters = filtersFromFlags(flags);
 		const deadline = flags.timeout === 0 ? null : Date.now() + flags.timeout * 1e3;
@@ -13615,7 +14336,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 };
 //#endregion
 //#region src/oclif/commands/emails-watch.ts
-function cliError$3(message) {
+function cliError$4(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 var EmailsWatchCommand = class EmailsWatchCommand extends Command {
@@ -13686,7 +14407,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 		try {
 			since = sinceFromFlags(flags);
 		} catch (error) {
-			throw cliError$3(error instanceof Error ? error.message : String(error));
+			throw cliError$4(error instanceof Error ? error.message : String(error));
 		}
 		const filters = filtersFromFlags(flags);
 		const deadline = flags.seconds ? Date.now() + flags.seconds * 1e3 : null;
@@ -14731,7 +15452,7 @@ The deploy step calls \`primitive functions deploy\` (provided by the
 \`npm install -g @primitivedotdev/cli\` or run via
 \`npx @primitivedotdev/cli@latest <command>\`). It requires
 \`PRIMITIVE_API_KEY\` to be set in your shell (or pass \`--api-key\`).
-Run \`primitive login\` once to save a key in your CLI config if you
+Run \`primitive signin\` once to save a key in your CLI config if you
 prefer that to an env var.
 `;
 }
@@ -15790,7 +16511,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 //#endregion
 //#region src/oclif/commands/login.ts
 const MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS = 60;
-function cliError$2(message) {
+function cliError$3(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function sleep(ms) {
@@ -15866,7 +16587,7 @@ async function checkExistingLogin(params) {
 		message: code === API_ERROR_CODES.unauthorized ? "Saved Primitive CLI OAuth credentials were rejected by an API URL different from the one they were saved with. Run `primitive logout` to remove them, or switch back to the original environment before logging in again." : "A saved Primitive CLI OAuth session exists, but the CLI could not verify whether it is still valid. Run `primitive logout` before logging in again."
 	};
 }
-var LoginCommand = class LoginCommand extends Command {
+var LoginCommand = class extends Command {
 	static description = "Log in by opening Primitive in your browser and saving an org-scoped OAuth session locally.";
 	static summary = "Log in with browser approval";
 	static examples = [
@@ -15884,24 +16605,28 @@ var LoginCommand = class LoginCommand extends Command {
 		"no-browser": Flags.boolean({ description: "Do not attempt to open the browser automatically" }),
 		force: Flags.boolean({
 			char: "f",
-			description: "Replace saved credentials without first verifying the existing login"
+			description: "Replace saved credentials without first verifying the existing session"
 		})
 	};
 	async run() {
-		const { flags } = await this.parse(LoginCommand);
+		const commandClass = this.constructor;
+		const { flags } = await this.parse(commandClass);
 		let releaseCredentialsLock;
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError$2(error instanceof Error ? error.message : String(error));
+			throw cliError$3(error instanceof Error ? error.message : String(error));
 		}
 		try {
-			await this.runWithCredentialLock(flags);
+			await this.runWithCredentialLock(flags, this.retryCommand());
 		} finally {
 			releaseCredentialsLock();
 		}
 	}
-	async runWithCredentialLock(flags) {
+	retryCommand() {
+		return "login";
+	}
+	async runWithCredentialLock(flags, retryCommand) {
 		const { apiClient, requestConfig } = createCliApiClient({
 			apiBaseUrl1: flags["api-base-url-1"],
 			configDir: this.config.configDir
@@ -15927,8 +16652,8 @@ var LoginCommand = class LoginCommand extends Command {
 			if (existingStatus.status === "removed_stale") process.stderr.write("Continuing with a new Primitive CLI login...\n");
 			else if (existingStatus.status === "blocked") {
 				writeErrorWithHints(existingStatus.payload);
-				throw cliError$2(existingStatus.message);
-			} else throw cliError$2(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before logging in again.`);
+				throw cliError$3(existingStatus.message);
+			} else throw cliError$3(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before logging in again.`);
 		}
 		const started = await startCliLogin({
 			body: { device_name: flags["device-name"] ?? hostname() },
@@ -15937,11 +16662,11 @@ var LoginCommand = class LoginCommand extends Command {
 		});
 		if (started.error) {
 			writeErrorWithHints(extractErrorPayload(started.error));
-			throw cliError$2("Could not start Primitive CLI login.");
+			throw cliError$3("Could not start Primitive CLI login.");
 		}
 		const start = unwrapData$2(started.data);
-		if (!start) throw cliError$2("Primitive API returned an empty CLI login response.");
-		process.stderr.write(`Your login code is: ${start.user_code}\n`);
+		if (!start) throw cliError$3("Primitive API returned an empty CLI login response.");
+		process.stderr.write(`Your sign-in code is: ${start.user_code}\n`);
 		if (!flags["no-browser"]) {
 			openBrowser(start.verification_uri_complete);
 			process.stderr.write("Opening Primitive in your browser...\n");
@@ -15961,7 +16686,7 @@ var LoginCommand = class LoginCommand extends Command {
 			});
 			if (polled.data) {
 				const login = unwrapData$2(polled.data);
-				if (!login) throw cliError$2("Primitive API returned an empty CLI poll response.");
+				if (!login) throw cliError$3("Primitive API returned an empty CLI poll response.");
 				saveCliCredentials(this.config.configDir, {
 					access_token: login.access_token,
 					api_base_url_1: apiBaseUrl1,
@@ -15991,25 +16716,25 @@ var LoginCommand = class LoginCommand extends Command {
 				nextPollDelay = interval;
 				continue;
 			}
-			if (code === API_ERROR_CODES.accessDenied) throw cliError$2("Primitive CLI login was denied in the browser.");
-			if (code === API_ERROR_CODES.expiredToken) throw cliError$2("Primitive CLI login expired. Run `primitive login` again.");
-			if (code === API_ERROR_CODES.invalidDeviceCode) throw cliError$2("Primitive CLI login device code is invalid. Run `primitive login` again.");
+			if (code === API_ERROR_CODES.accessDenied) throw cliError$3("Primitive CLI login was denied in the browser.");
+			if (code === API_ERROR_CODES.expiredToken) throw cliError$3(`Primitive CLI login expired. Run \`primitive ${retryCommand}\` again.`);
+			if (code === API_ERROR_CODES.invalidDeviceCode) throw cliError$3(`Primitive CLI login device code is invalid. Run \`primitive ${retryCommand}\` again.`);
 			writeErrorWithHints(payload);
-			throw cliError$2("Primitive CLI login failed while polling for approval.");
+			throw cliError$3("Primitive CLI login failed while polling for approval.");
 		}
-		throw cliError$2("Primitive CLI login expired. Run `primitive login` again.");
+		throw cliError$3(`Primitive CLI login expired. Run \`primitive ${retryCommand}\` again.`);
 	}
 };
 //#endregion
 //#region src/oclif/commands/logout.ts
-function cliError$1(message) {
+function cliError$2(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function unwrapData$1(value) {
 	return value?.data ?? null;
 }
 function isSavedOAuthSessionExpiredError(error) {
-	return error instanceof Error && error.message === "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive login` to authenticate again.";
+	return error instanceof Error && error.message === "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive signin` to authenticate again.";
 }
 async function runLogoutWithCredentialLock(params) {
 	const deps = {
@@ -16027,7 +16752,7 @@ async function runLogoutWithCredentialLock(params) {
 		process.exitCode = 1;
 		return;
 	}
-	if (!credentials) throw cliError$1("Not logged in. Run `primitive login` to create saved CLI credentials.");
+	if (!credentials) throw cliError$2("Not logged in. Run `primitive signin` to create saved CLI credentials.");
 	let authenticated;
 	try {
 		authenticated = await deps.createAuthenticatedCliApiClient({
@@ -16059,7 +16784,7 @@ async function runLogoutWithCredentialLock(params) {
 			return;
 		}
 		writeErrorWithHints(payload);
-		throw cliError$1("Could not revoke the saved Primitive CLI OAuth grant.");
+		throw cliError$2("Could not revoke the saved Primitive CLI OAuth grant.");
 	}
 	const logout = unwrapData$1(result.data);
 	deleteCliCredentials(params.configDir);
@@ -16081,7 +16806,7 @@ var LogoutCommand = class LogoutCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError$1(error instanceof Error ? error.message : String(error));
+			throw cliError$2(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await runLogoutWithCredentialLock({
@@ -16287,12 +17012,46 @@ var ReplyCommand = class ReplyCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/attachments.ts
+function readAttachmentBytes(path, readFile) {
+	try {
+		return Buffer.from(readFile(path));
+	} catch (error) {
+		const detail = error instanceof Error ? error.message : String(error);
+		throw new Errors.CLIError(`Could not read --attachment ${path}: ${detail}`, { exit: 1 });
+	}
+}
+function hasControlCharacter(value) {
+	return Array.from(value).some((character) => {
+		const code = character.charCodeAt(0);
+		return code <= 31 || code >= 127 && code <= 159;
+	});
+}
+function validateAttachmentFilename(path, filename) {
+	if (!filename) throw new Errors.CLIError(`Could not derive an attachment filename from ${path}. Pass a file path.`, { exit: 1 });
+	if (hasControlCharacter(filename)) throw new Errors.CLIError(`Attachment filename ${filename} contains control characters.`, { exit: 1 });
+}
+function readAttachmentFiles(paths, readFile = readFileSync) {
+	if (!paths || paths.length === 0) return void 0;
+	return paths.map((path) => {
+		const filename = basename(path);
+		validateAttachmentFilename(path, filename);
+		const bytes = readAttachmentBytes(path, readFile);
+		if (bytes.length === 0) throw new Errors.CLIError(`Attachment file ${path} is empty. Attachments must contain at least one byte.`, { exit: 1 });
+		return {
+			content_base64: bytes.toString("base64"),
+			filename
+		};
+	});
+}
+//#endregion
 //#region src/oclif/commands/send.ts
 var SendCommand = class SendCommand extends Command {
 	static description = `Send an outbound email. Agent-grade shortcut for \`sending send\` with sensible defaults.
 
   --from defaults to agent@<your-first-verified-outbound-domain> when omitted.
   --subject defaults to the first line of the body when omitted.
+  --attachment attaches a file; repeat it to attach multiple files.
 
   For the full flag set (custom message-id threading on the wire,
   references arrays, etc.), use \`primitive sending send\`.`;
@@ -16300,6 +17059,7 @@ var SendCommand = class SendCommand extends Command {
 	static examples = [
 		"<%= config.bin %> send --to alice@example.com --body 'Hi Alice!'",
 		"<%= config.bin %> send --to alice@example.com --body-file ./message.txt",
+		"<%= config.bin %> send --to alice@example.com --body 'See attached.' --attachment ./report.pdf",
 		"<%= config.bin %> send --to alice@example.com --from support@yourcompany.com --subject 'Quick question' --body 'Are you free Thursday?'",
 		"<%= config.bin %> send --to alice@example.com --html '<p>Hello!</p>'",
 		"<%= config.bin %> send --to alice@example.com --body 'Confirmed' --wait",
@@ -16327,11 +17087,15 @@ var SendCommand = class SendCommand extends Command {
 		from: Flags.string({ description: "Sender address. Defaults to agent@<your-first-verified-outbound-domain>." }),
 		subject: Flags.string({ description: "Subject line. Defaults to the first line of --body / --html when omitted." }),
 		body: Flags.string({ description: "Plain-text message body. Either --body or --html (or both) is required." }),
-		"body-file": Flags.string({ description: "Read the plain-text message body from a UTF-8 file. Mutually exclusive with --body and --body-stdin." }),
+		"body-file": Flags.string({ description: "Read the plain-text message body from a UTF-8 file. This does not attach the file; use --attachment for file attachments. Mutually exclusive with --body and --body-stdin." }),
 		"body-stdin": Flags.boolean({ description: "Read the plain-text message body from stdin. Mutually exclusive with --body and --body-file. Stdin can only be consumed once." }),
 		html: Flags.string({ description: "HTML message body. Either --body or --html (or both) is required." }),
 		"html-file": Flags.string({ description: "Read the HTML message body from a UTF-8 file. Mutually exclusive with --html and --html-stdin." }),
 		"html-stdin": Flags.boolean({ description: "Read the HTML message body from stdin. Mutually exclusive with --html and --html-file. Stdin can only be consumed once." }),
+		attachment: Flags.string({
+			description: "Attach a file to the email. Repeatable. Sends file bytes as a MIME attachment; use --body-file only for message body text.",
+			multiple: true
+		}),
 		"in-reply-to": Flags.string({ description: "Message-Id of the parent email when threading a reply on the wire. For replying to an inbound message you received, prefer `primitive reply --id <inbound-id>`." }),
 		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the message for delivery." }),
 		"wait-timeout-ms": Flags.integer({ description: "Maximum time to wait when --wait is set. Defaults to 30000ms." }),
@@ -16348,6 +17112,7 @@ var SendCommand = class SendCommand extends Command {
 			htmlStdin: flags["html-stdin"]
 		});
 		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
+		const attachments = readAttachmentFiles(flags.attachment);
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
@@ -16369,6 +17134,7 @@ var SendCommand = class SendCommand extends Command {
 					subject,
 					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
 					...bodies.html !== void 0 ? { body_html: bodies.html } : {},
+					...attachments !== void 0 ? { attachments } : {},
 					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
 					...flags.wait !== void 0 ? { wait: flags.wait } : {},
 					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
@@ -16401,7 +17167,14 @@ const EXPIRED_TOKEN = "expired_token";
 const INVALID_SIGNUP_TOKEN = "invalid_signup_token";
 const SLOW_DOWN = "slow_down";
 const PENDING_SIGNUP_FILE = "signup.json";
-function cliError(message) {
+const DEFAULT_SIGNUP_COMMAND_COPY = {
+	actionNoun: "signup",
+	actionGerund: "creating a new account",
+	confirmCommand: (email) => `signup confirm ${email} <code>`,
+	resendCommand: (email) => `signup resend ${email}`,
+	startCommand: (email) => `signup ${email}`
+};
+function cliError$1(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function unwrapData(value) {
@@ -16490,9 +17263,10 @@ function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 	};
 }
 function requirePendingSignupForEmail(params) {
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
-	if (!pending) throw cliError(`No pending signup for ${params.email}. Run \`primitive signup ${params.email}\` first.`);
-	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError(`Pending signup is for ${pending.email}, not ${params.email}. Run \`primitive signup ${params.email} --force\` to replace it.`);
+	if (!pending) throw cliError$1(`No pending ${copy.actionNoun} for ${params.email}. Run \`primitive ${copy.startCommand(params.email)}\` first.`);
+	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$1(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	return pending;
 }
 function retryAfterSeconds(result) {
@@ -16529,13 +17303,14 @@ async function promptRequired(question) {
 	}
 }
 async function confirmTerms() {
-	process$1.stderr.write("By creating an account, you agree to Primitive's Terms of Service and Privacy Policy:\n");
+	process$1.stderr.write("By continuing, you agree to Primitive's Terms of Service and Privacy Policy:\n");
 	process$1.stderr.write("  https://primitive.dev/terms\n");
 	process$1.stderr.write("  https://primitive.dev/privacy\n");
 	const answer = (await promptRequired("Type 'yes' to continue: ")).toLowerCase();
-	if (answer !== "yes" && answer !== "y") throw cliError("You must accept the terms to create an account.");
+	if (answer !== "yes" && answer !== "y") throw cliError$1("You must accept the terms to create an account.");
 }
 async function checkExistingCredentials(params) {
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const checkExistingLoginFn = params.deps.checkExistingLogin ?? checkExistingLogin;
 	let existing;
 	try {
@@ -16547,7 +17322,7 @@ async function checkExistingCredentials(params) {
 		existing = null;
 	}
 	if (existing && params.flags.force) {
-		process$1.stderr.write("Replacing saved Primitive CLI credentials after signup because --force was set.\n");
+		process$1.stderr.write(`Replacing saved Primitive CLI credentials after ${copy.actionNoun} because --force was set.\n`);
 		return;
 	}
 	if (!existing) return;
@@ -16563,9 +17338,9 @@ async function checkExistingCredentials(params) {
 	}
 	if (existingStatus.status === "blocked") {
 		writeErrorWithHints(existingStatus.payload);
-		throw cliError(existingStatus.message);
+		throw cliError$1(existingStatus.message);
 	}
-	throw cliError(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before creating a new account.`);
+	throw cliError$1(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before ${copy.actionGerund}.`);
 }
 function saveSignupCredentials(params) {
 	saveCliCredentials(params.configDir, {
@@ -16582,23 +17357,24 @@ function saveSignupCredentials(params) {
 		token_type: params.signup.token_type
 	});
 }
-function writeStartInstructions(start) {
+function writeStartInstructions(start, copy = DEFAULT_SIGNUP_COMMAND_COPY) {
 	process$1.stderr.write(`Sent a ${start.verification_code_length}-digit verification code to ${start.email}.\n`);
 	process$1.stderr.write(`The code expires in ${formatSignupSeconds(start.expires_in)}.\n`);
-	process$1.stderr.write(`Run \`primitive signup confirm ${start.email} <code>\` to finish.\n`);
+	process$1.stderr.write(`Run \`primitive ${copy.confirmCommand(start.email)}\` to finish.\n`);
 }
 async function startSignup(params) {
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const existingPending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
 	if (existingPending && !params.flags.force) {
 		if (normalizeEmail(existingPending.email) === normalizeEmail(params.email)) {
-			process$1.stderr.write(`Continuing pending Primitive signup for ${existingPending.email}.\n`);
-			process$1.stderr.write(`Run \`primitive signup confirm ${existingPending.email} <code>\` to finish, or \`primitive signup resend ${existingPending.email}\` to send a new code.\n`);
+			process$1.stderr.write(`Continuing pending Primitive ${copy.actionNoun} for ${existingPending.email}.\n`);
+			process$1.stderr.write(`Run \`primitive ${copy.confirmCommand(existingPending.email)}\` to finish, or \`primitive ${copy.resendCommand(existingPending.email)}\` to send a new code.\n`);
 			return {
 				pending: existingPending,
 				started: false
 			};
 		}
-		throw cliError(`Pending signup is for ${existingPending.email}. Run \`primitive signup ${params.email} --force\` to replace it.`);
+		throw cliError$1(`Pending ${copy.actionNoun} is for ${existingPending.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	}
 	if (params.flags.force) deletePendingAgentSignup(params.configDir);
 	const promptRequiredFn = params.deps.promptRequired ?? promptRequired;
@@ -16618,10 +17394,10 @@ async function startSignup(params) {
 	});
 	if (started.error) {
 		writeErrorWithHints(extractErrorPayload(started.error));
-		throw cliError("Could not start Primitive agent signup.");
+		throw cliError$1("Could not start Primitive agent signup.");
 	}
 	const startResult = unwrapData(started.data);
-	if (!startResult) throw cliError("Primitive API returned an empty agent signup response.");
+	if (!startResult) throw cliError$1("Primitive API returned an empty agent signup response.");
 	return {
 		pending: savePendingAgentSignup(params.configDir, startResult, params.apiBaseUrl1),
 		started: true
@@ -16659,7 +17435,7 @@ async function resendVerificationCode(params) {
 	}
 	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(params.configDir);
 	writeErrorWithHints(payload);
-	throw cliError("Could not resend Primitive agent signup verification email.");
+	throw cliError$1("Could not resend Primitive agent signup verification email.");
 }
 async function runSignupStartWithCredentialLock(params) {
 	const { configDir, flags } = params;
@@ -16669,6 +17445,7 @@ async function runSignupStartWithCredentialLock(params) {
 	await checkExistingCredentials({
 		apiBaseUrl1: flags["api-base-url-1"],
 		configDir,
+		copy: params.copy,
 		deps,
 		flags
 	});
@@ -16680,11 +17457,12 @@ async function runSignupStartWithCredentialLock(params) {
 		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
 		apiClient,
 		configDir,
+		copy: params.copy,
 		deps,
 		email,
 		flags
 	});
-	if (start.started) writeStartInstructions(start.pending);
+	if (start.started) writeStartInstructions(start.pending, params.copy);
 }
 async function runSignupConfirmWithCredentialLock(params) {
 	const { configDir, flags } = params;
@@ -16692,6 +17470,7 @@ async function runSignupConfirmWithCredentialLock(params) {
 	if (!params.skipExistingCredentialCheck) await checkExistingCredentials({
 		apiBaseUrl1: flags["api-base-url-1"],
 		configDir,
+		copy: params.copy,
 		deps,
 		flags
 	});
@@ -16702,6 +17481,7 @@ async function runSignupConfirmWithCredentialLock(params) {
 	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
 	const pending = requirePendingSignupForEmail({
 		apiBaseUrl1,
+		copy: params.copy,
 		configDir,
 		email: params.email
 	});
@@ -16716,7 +17496,7 @@ async function runSignupConfirmWithCredentialLock(params) {
 	});
 	if (verified.data) {
 		const signup = unwrapData(verified.data);
-		if (!signup) throw cliError("Primitive API returned an empty agent signup verification response.");
+		if (!signup) throw cliError$1("Primitive API returned an empty agent signup verification response.");
 		saveSignupCredentials({
 			apiBaseUrl1,
 			configDir,
@@ -16730,10 +17510,10 @@ async function runSignupConfirmWithCredentialLock(params) {
 	}
 	const payload = extractErrorPayload(verified.error);
 	const code = extractErrorCode(payload);
-	if (code === INVALID_VERIFICATION_CODE) throw cliError("Invalid verification code. Try again or run signup resend.");
+	if (code === INVALID_VERIFICATION_CODE) throw cliError$1(`Invalid verification code. Try again or run ${(params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY).resendCommand(params.email)}.`);
 	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(configDir);
 	writeErrorWithHints(payload);
-	throw cliError("Primitive agent signup failed while verifying the account.");
+	throw cliError$1("Primitive agent signup failed while verifying the account.");
 }
 async function runSignupResendWithCredentialLock(params) {
 	const deps = params.deps ?? {};
@@ -16743,6 +17523,7 @@ async function runSignupResendWithCredentialLock(params) {
 	});
 	const pending = requirePendingSignupForEmail({
 		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		copy: params.copy,
 		configDir: params.configDir,
 		email: params.email
 	});
@@ -16857,7 +17638,7 @@ var SignupCommand = class SignupCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError(error instanceof Error ? error.message : String(error));
+			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await runSignupStartWithCredentialLock({
@@ -16902,7 +17683,7 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError(error instanceof Error ? error.message : String(error));
+			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await runSignupConfirmWithCredentialLock({
@@ -16935,7 +17716,7 @@ var SignupResendCommand = class SignupResendCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError(error instanceof Error ? error.message : String(error));
+			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await runSignupResendWithCredentialLock({
@@ -16959,7 +17740,7 @@ var SignupInteractiveCommand = class SignupInteractiveCommand extends Command {
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
 		} catch (error) {
-			throw cliError(error instanceof Error ? error.message : String(error));
+			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
 			await runSignupInteractiveWithCredentialLock({
@@ -16972,6 +17753,167 @@ var SignupInteractiveCommand = class SignupInteractiveCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/signin.ts
+function cliError(message) {
+	return new Errors.CLIError(message, { exit: 1 });
+}
+const SIGNIN_OTP_COPY = {
+	actionNoun: "sign-in",
+	actionGerund: "signing in",
+	confirmCommand: (email) => `signin otp confirm ${email} <code>`,
+	resendCommand: (email) => `signin otp resend ${email}`,
+	startCommand: (email) => `signin otp ${email}`
+};
+function acquireCredentialsLock(configDir) {
+	try {
+		return acquireCliCredentialsLock(configDir);
+	} catch (error) {
+		throw cliError(error instanceof Error ? error.message : String(error));
+	}
+}
+function commonOtpStartFlags() {
+	return {
+		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials or pending sign-in state when needed"
+		}),
+		"signup-code": Flags.string({
+			description: "Signup code required to start OTP sign-in",
+			env: "PRIMITIVE_SIGNUP_CODE"
+		})
+	};
+}
+var SigninCommand = class extends LoginCommand {
+	static description = `Sign in to an existing Primitive account with browser approval and save an org-scoped OAuth session locally.
+
+This is the canonical sign-in command. It defaults to the same browser approval flow as \`primitive signin browser\`. For email-code sign-in, use \`primitive signin otp <email> --signup-code <code>\`, then \`primitive signin otp confirm <email> <code>\`. For new account creation, use \`primitive signup <email>\`.`;
+	static summary = "Sign in to an existing account";
+	static examples = [
+		"<%= config.bin %> signin",
+		"<%= config.bin %> signin browser",
+		"<%= config.bin %> signin --no-browser",
+		"<%= config.bin %> signin otp user@example.com --signup-code invite-code --accept-terms",
+		"<%= config.bin %> signin otp confirm user@example.com 123456"
+	];
+	retryCommand() {
+		return "signin";
+	}
+};
+var SigninBrowserCommand = class extends LoginCommand {
+	static description = "Sign in to an existing Primitive account by opening Primitive in your browser and saving an org-scoped OAuth session locally.";
+	static summary = "Sign in with browser approval";
+	static examples = [
+		"<%= config.bin %> signin browser",
+		"<%= config.bin %> signin browser --device-name work-laptop",
+		"<%= config.bin %> signin browser --no-browser",
+		"<%= config.bin %> signin browser --force"
+	];
+	retryCommand() {
+		return "signin browser";
+	}
+};
+var SigninOtpCommand = class SigninOtpCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address to sign in with",
+		required: false
+	}) };
+	static description = "Start email-code sign-in using Primitive's signup/auth OTP flow, send a verification code, and save the pending token locally. Requires a signup code.";
+	static summary = "Start OTP sign-in";
+	static examples = ["<%= config.bin %> signin otp user@example.com --signup-code invite-code --accept-terms", "<%= config.bin %> signin otp confirm user@example.com 123456"];
+	static flags = commonOtpStartFlags();
+	async run() {
+		const { args, flags } = await this.parse(SigninOtpCommand);
+		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
+		try {
+			await runSignupStartWithCredentialLock({
+				configDir: this.config.configDir,
+				copy: SIGNIN_OTP_COPY,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SigninOtpConfirmCommand = class SigninOtpConfirmCommand extends Command {
+	static args = {
+		email: Args.string({
+			description: "Email address used to start OTP sign-in",
+			required: true
+		}),
+		code: Args.string({
+			description: "Verification code from the sign-in email",
+			required: true
+		})
+	};
+	static description = "Confirm a pending OTP sign-in, create an OAuth session, and save CLI credentials locally.";
+	static summary = "Confirm OTP sign-in";
+	static examples = ["<%= config.bin %> signin otp confirm user@example.com 123456", "<%= config.bin %> signin otp confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
+	static flags = {
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials after verification"
+		}),
+		"org-id": Flags.string({ description: "Workspace id to target when the email belongs to multiple workspaces" })
+	};
+	async run() {
+		const { args, flags } = await this.parse(SigninOtpConfirmCommand);
+		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
+		try {
+			await runSignupConfirmWithCredentialLock({
+				code: args.code,
+				configDir: this.config.configDir,
+				copy: SIGNIN_OTP_COPY,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SigninOtpResendCommand = class SigninOtpResendCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address used to start OTP sign-in",
+		required: true
+	}) };
+	static description = "Resend the verification code for a pending OTP sign-in.";
+	static summary = "Resend OTP sign-in code";
+	static examples = ["<%= config.bin %> signin otp resend user@example.com"];
+	static flags = { "api-base-url-1": Flags.string({
+		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+		env: "PRIMITIVE_API_BASE_URL_1",
+		hidden: true
+	}) };
+	async run() {
+		const { args, flags } = await this.parse(SigninOtpResendCommand);
+		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
+		try {
+			await runSignupResendWithCredentialLock({
+				configDir: this.config.configDir,
+				copy: SIGNIN_OTP_COPY,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+//#endregion
 //#region src/oclif/commands/whoami.ts
 var WhoamiCommand = class WhoamiCommand extends Command {
 	static description = `Print the account currently authenticated by saved OAuth credentials or an explicit API key. Useful as a credentials smoke test: confirms auth is live and shows which account it belongs to.`;
@@ -17103,36 +18045,88 @@ function renderFishCompletion(binName) {
 //#endregion
 //#region src/oclif/index.ts
 var ListOperationsCommand = class extends Command {
-	static description = "List all generated API operations as JSON. Useful for piping to `jq` to discover available commands, their request/response schemas, and per-field descriptions. For inspecting a single operation in detail, prefer `primitive describe <command>`.";
+	static description = "List all generated API operations as JSON. Useful for piping to `jq` to discover available commands, their request/response schemas, and per-field descriptions. For inspecting a single operation in detail, prefer `primitive describe <command-or-operation-name>`.";
 	static summary = "List all generated API operations (JSON)";
 	async run() {
 		this.log(JSON.stringify(operationManifest, null, 2));
 	}
 };
+function operationId(operation) {
+	return `${operation.tagCommand}:${operation.command}`;
+}
+function normalizeLookupToken(value) {
+	return value.toLowerCase().replace(/[^a-z0-9]/g, "");
+}
+function unique(values) {
+	return [...new Set(values)];
+}
+function operationLookupTokens(operation) {
+	return unique([
+		operationId(operation),
+		operation.command,
+		operation.operationId,
+		operation.sdkName,
+		`${operation.tagCommand}:${operation.operationId}`,
+		`${operation.tagCommand}:${operation.sdkName}`
+	]);
+}
+function levenshteinDistance(left, right) {
+	if (left === right) return 0;
+	if (left.length === 0) return right.length;
+	if (right.length === 0) return left.length;
+	let previous = Array.from({ length: right.length + 1 }, (_, index) => index);
+	for (let leftIndex = 0; leftIndex < left.length; leftIndex += 1) {
+		const current = [leftIndex + 1];
+		for (let rightIndex = 0; rightIndex < right.length; rightIndex += 1) {
+			const substitutionCost = left[leftIndex] === right[rightIndex] ? 0 : 1;
+			current[rightIndex + 1] = Math.min(current[rightIndex] + 1, previous[rightIndex + 1] + 1, previous[rightIndex] + substitutionCost);
+		}
+		previous = current;
+	}
+	return previous[right.length] ?? Number.POSITIVE_INFINITY;
+}
+function scoreLookupToken(query, token) {
+	const normalizedQuery = normalizeLookupToken(query);
+	const normalizedToken = normalizeLookupToken(token);
+	if (!normalizedQuery || !normalizedToken) return 0;
+	if (normalizedQuery === normalizedToken) return 100;
+	if (normalizedToken.includes(normalizedQuery)) return Math.max(50, 90 - (normalizedToken.length - normalizedQuery.length));
+	if (normalizedQuery.includes(normalizedToken)) return Math.max(45, 80 - (normalizedQuery.length - normalizedToken.length));
+	const distance = levenshteinDistance(normalizedQuery, normalizedToken);
+	const maxLength = Math.max(normalizedQuery.length, normalizedToken.length);
+	return Math.round((1 - distance / maxLength) * 75);
+}
+function scoreOperation(query, operation) {
+	return Math.max(...operationLookupTokens(operation).map((token) => scoreLookupToken(query, token)));
+}
 function lookupOperation(id) {
 	const trimmed = resolveOperationAlias(id.trim());
-	const sep = trimmed.indexOf(":");
-	const tag = sep === -1 ? "" : trimmed.slice(0, sep);
-	const cmd = sep === -1 ? trimmed : trimmed.slice(sep + 1);
-	const match = operationManifest.find((op) => op.command === cmd && op.tagCommand === tag) ?? null;
+	const match = operationManifest.find((op) => operationLookupTokens(op).some((token) => token === trimmed || normalizeLookupToken(token) === normalizeLookupToken(trimmed))) ?? null;
 	if (match) return {
 		match,
 		candidates: []
 	};
 	return {
 		match: null,
-		candidates: operationManifest.filter((op) => op.command.includes(cmd) || op.tagCommand.includes(tag)).slice(0, 5).map((op) => op.tagCommand ? `${op.tagCommand}:${op.command}` : op.command)
+		candidates: operationManifest.map((op) => ({
+			id: operationId(op),
+			score: scoreOperation(trimmed, op)
+		})).filter(({ score }) => score >= 45).sort((left, right) => right.score - left.score || left.id.localeCompare(right.id)).slice(0, 5).map(({ id }) => id)
 	};
 }
 var DescribeCommand = class DescribeCommand extends Command {
 	static args = { command: Args.string({
-		description: "Command id to describe, e.g. `emails:list` or `emails:get-email`. Run `primitive list-operations | jq -r '.[] | \"\\(.tagCommand):\\(.command)\"'` to enumerate generated operation ids.",
+		description: "Command id, alias, or SDK operation name to describe, e.g. `emails:list`, `emails:get-email`, or `getEmail`. Run `primitive list-operations | jq -r '.[] | \"\\(.tagCommand):\\(.command) \\(.operationId)\"'` to enumerate generated operation ids.",
 		required: true
 	}) };
 	static description = `Print the full operation manifest entry for a single API command, including the path, request schema, response schema, and per-field descriptions sourced from the OpenAPI spec.
 
   The manifest entry's \`responseSchema\` carries the inlined JSON Schema for the operation's 200/201 \`data\` envelope contents (\`$ref\`s resolved). Use it to look up what specific response fields mean. Examples:
 
+      # Domain setup records returned by add/verify
+      primitive describe domains:add
+      primitive describe addDomain
+
       # Which of EmailDetail's sender-shaped fields is canonical?
       primitive describe emails:get | jq '.responseSchema.properties | keys'
       primitive describe emails:get | jq -r '.responseSchema.properties.from_email.description'
@@ -17142,7 +18136,12 @@ var DescribeCommand = class DescribeCommand extends Command {
 
   \`requestSchema\` is the same shape for the request body when one exists. For a single field across many operations at once, use \`primitive list-operations | jq\` instead.`;
 	static summary = "Describe a single API operation in detail";
-	static examples = ["<%= config.bin %> describe emails:get", "<%= config.bin %> describe sent:get"];
+	static examples = [
+		"<%= config.bin %> describe addDomain",
+		"<%= config.bin %> describe domains:add",
+		"<%= config.bin %> describe emails:get",
+		"<%= config.bin %> describe sent:get"
+	];
 	async run() {
 		const { args } = await this.parse(DescribeCommand);
 		const { match, candidates } = lookupOperation(args.command);
@@ -17175,9 +18174,6 @@ var CompletionCommand = class CompletionCommand extends Command {
 		await this.config.runCommand("autocomplete", [args.shell]);
 	}
 };
-function commandId(operation) {
-	return `${operation.tagCommand}:${operation.command}`;
-}
 const CANONICAL_OPERATION_ALIASES = {
 	"account:show": "account:get-account",
 	"account:storage": "account:get-storage-stats",
@@ -17222,14 +18218,15 @@ const CANONICAL_OPERATION_ALIASES = {
 };
 const DESCRIBE_OPERATION_ALIASES = {
 	...CANONICAL_OPERATION_ALIASES,
+	"domains:zone-file": "domains:download-domain-zone-file",
 	"functions:logs": "functions:list-function-logs",
 	reply: "sending:reply-to-email"
 };
 function resolveOperationAlias(id) {
 	return DESCRIBE_OPERATION_ALIASES[id] ?? id;
 }
-const OVERRIDDEN_OPERATION_IDS = new Set(["functions:test-function"]);
-const generatedCommands = Object.fromEntries(operationManifest.filter((operation) => !OVERRIDDEN_OPERATION_IDS.has(commandId(operation))).map((operation) => [commandId(operation), createOperationCommand(operation)]));
+const OVERRIDDEN_OPERATION_IDS = new Set(["domains:download-domain-zone-file", "functions:test-function"]);
+const generatedCommands = Object.fromEntries(operationManifest.filter((operation) => !OVERRIDDEN_OPERATION_IDS.has(operationId(operation))).map((operation) => [operationId(operation), createOperationCommand(operation)]));
 const COMMANDS = {
 	completion: CompletionCommand,
 	"list-operations": ListOperationsCommand,
@@ -17243,6 +18240,11 @@ const COMMANDS = {
 	reply: ReplyCommand,
 	chat: ChatCommand,
 	login: LoginCommand,
+	signin: SigninCommand,
+	"signin:browser": SigninBrowserCommand,
+	"signin:otp": SigninOtpCommand,
+	"signin:otp:confirm": SigninOtpConfirmCommand,
+	"signin:otp:resend": SigninOtpResendCommand,
 	signup: SignupCommand,
 	"signup:confirm": SignupConfirmCommand,
 	"signup:interactive": SignupInteractiveCommand,
@@ -17253,6 +18255,8 @@ const COMMANDS = {
 	"emails:latest": EmailsLatestCommand,
 	"emails:watch": EmailsWatchCommand,
 	"emails:wait": EmailsWaitCommand,
+	"domains:zone-file": DomainsZoneFileCommand,
+	"domains:download-domain-zone-file": DomainsZoneFileCommand,
 	"functions:init": FunctionsInitCommand,
 	"functions:templates": FunctionsTemplatesCommand,
 	"functions:deploy": FunctionsDeployCommand,