@primitivedotdev/cli 0.31.3 → 0.31.4

package/dist/oclif/index.js

@@ -1,7 +1,7 @@
 import { Args, Command, Errors, Flags } from "@oclif/core";
 import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { randomUUID } from "node:crypto";
-import { dirname, join, resolve } from "node:path";
+import { basename, dirname, join, resolve } from "node:path";
 import { spawn } from "node:child_process";
 import { hostname } from "node:os";
 import process$1 from "node:process";
@@ -645,6 +645,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	deleteFunctionSecret: () => deleteFunctionSecret,
 	discardEmailContent: () => discardEmailContent,
 	downloadAttachments: () => downloadAttachments,
+	downloadDomainZoneFile: () => downloadDomainZoneFile,
 	downloadRawEmail: () => downloadRawEmail,
 	getAccount: () => getAccount,
 	getEmail: () => getEmail,
@@ -941,9 +942,11 @@ const listDomains = (options) => (options?.client ?? client).get({
 /**
 * Claim a new domain
 *
-* Creates an unverified domain claim. You will receive a
-* `verification_token` to add as a DNS TXT record before
-* calling the verify endpoint.
+* Creates an unverified domain claim and returns the exact
+* DNS records to publish in `dns_records`. Publish those
+* records before calling the verify endpoint. To give users
+* an importable DNS file, call `downloadDomainZoneFile` or run
+* `primitive domains zone-file --id <domain-id>`.
 *
 */
 const addDomain = (options) => (options.client ?? client).post({
@@ -993,9 +996,15 @@ const updateDomain = (options) => (options.client ?? client).patch({
 /**
 * Verify domain ownership
 *
-* Checks DNS records (MX and TXT) to verify domain ownership.
+* Checks DNS records required for inbound routing, ownership,
+* and outbound authentication: MX, ownership TXT, SPF, DKIM,
+* DMARC, and TLS-RPT.
 * On success, the domain is promoted from unverified to verified.
-* On failure, returns which checks passed and which failed.
+* On failure, returns which checks passed and which failed,
+* plus the exact DNS records still expected. To give users
+* an importable DNS file for missing records, call
+* `downloadDomainZoneFile` or run
+* `primitive domains zone-file --id <domain-id>`.
 *
 */
 const verifyDomain = (options) => (options.client ?? client).post({
@@ -1007,6 +1016,23 @@ const verifyDomain = (options) => (options.client ?? client).post({
 	...options
 });
 /**
+* Download domain DNS zone file
+*
+* Downloads a BIND-format DNS zone file containing the DNS records
+* required for a domain claim. Agents should offer this after
+* `addDomain` when users want to import DNS records instead of
+* copying each record manually.
+*
+*/
+const downloadDomainZoneFile = (options) => (options.client ?? client).get({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/domains/{id}/zone-file",
+	...options
+});
+/**
 * List inbound emails
 *
 * Returns a paginated list of INBOUND emails received at your
@@ -2333,7 +2359,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "addDomain",
 				"summary": "Claim a new domain",
-				"description": "Creates an unverified domain claim. You will receive a\n`verification_token` to add as a DNS TXT record before\ncalling the verify endpoint.\n",
+				"description": "Creates an unverified domain claim and returns the exact\nDNS records to publish in `dns_records`. Publish those\nrecords before calling the verify endpoint. To give users\nan importable DNS file, call `downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 				"tags": ["Domains"],
 				"requestBody": {
 					"required": true,
@@ -2426,7 +2452,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "verifyDomain",
 				"summary": "Verify domain ownership",
-				"description": "Checks DNS records (MX and TXT) to verify domain ownership.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed.\n",
+				"description": "Checks DNS records required for inbound routing, ownership,\nand outbound authentication: MX, ownership TXT, SPF, DKIM,\nDMARC, and TLS-RPT.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed,\nplus the exact DNS records still expected. To give users\nan importable DNS file for missing records, call\n`downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 				"tags": ["Domains"],
 				"responses": {
 					"200": {
@@ -2442,6 +2468,38 @@ const openapiDocument = {
 				}
 			}
 		},
+		"/domains/{id}/zone-file": {
+			"parameters": [{ "$ref": "#/components/parameters/ResourceId" }],
+			"get": {
+				"operationId": "downloadDomainZoneFile",
+				"summary": "Download domain DNS zone file",
+				"description": "Downloads a BIND-format DNS zone file containing the DNS records\nrequired for a domain claim. Agents should offer this after\n`addDomain` when users want to import DNS records instead of\ncopying each record manually.\n",
+				"tags": ["Domains"],
+				"parameters": [{
+					"name": "outbound_only",
+					"in": "query",
+					"schema": { "type": "boolean" },
+					"description": "When true, include only outbound DNS records. Verified domains\ndefault to outbound-only; pending claims default to all required\nrecords.\n"
+				}],
+				"responses": {
+					"200": {
+						"description": "BIND-format zone file",
+						"content": { "text/plain": { "schema": {
+							"type": "string",
+							"format": "binary"
+						} } },
+						"headers": { "Content-Disposition": { "schema": {
+							"type": "string",
+							"example": "attachment; filename=\"example.com.zone\""
+						} } }
+					},
+					"400": { "$ref": "#/components/responses/ValidationError" },
+					"401": { "$ref": "#/components/responses/Unauthorized" },
+					"404": { "$ref": "#/components/responses/NotFound" },
+					"429": { "$ref": "#/components/responses/RateLimited" }
+				}
+			}
+		},
 		"/emails": { "get": {
 			"operationId": "listEmails",
 			"summary": "List inbound emails",
@@ -4731,7 +4789,7 @@ const openapiDocument = {
 				"required": ["secret"]
 			},
 			"Domain": {
-				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` for DNS verification.\n",
+				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` and `dns_records` for DNS setup.\n",
 				"oneOf": [{ "$ref": "#/components/schemas/VerifiedDomain" }, { "$ref": "#/components/schemas/UnverifiedDomain" }]
 			},
 			"VerifiedDomain": {
@@ -4771,6 +4829,74 @@ const openapiDocument = {
 					"created_at"
 				]
 			},
+			"DomainDnsRecord": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"type": {
+						"type": "string",
+						"enum": ["MX", "TXT"],
+						"description": "DNS record type."
+					},
+					"name": {
+						"type": "string",
+						"description": "DNS-provider host/name value relative to the managed root zone."
+					},
+					"fqdn": {
+						"type": "string",
+						"description": "Fully-qualified DNS record name."
+					},
+					"value": {
+						"type": "string",
+						"description": "Exact value to publish."
+					},
+					"priority": {
+						"type": "integer",
+						"description": "MX priority. Present only for MX records."
+					},
+					"ttl": {
+						"type": "integer",
+						"description": "Suggested TTL in seconds when the API can provide one."
+					},
+					"required": {
+						"type": "boolean",
+						"const": true
+					},
+					"purpose": {
+						"type": "string",
+						"enum": [
+							"inbound_mx",
+							"ownership_verification",
+							"spf",
+							"dkim",
+							"dmarc",
+							"tls_reporting"
+						]
+					},
+					"status": {
+						"type": "string",
+						"enum": [
+							"pending",
+							"found",
+							"missing",
+							"incorrect"
+						]
+					},
+					"message": {
+						"type": "string",
+						"description": "Short explanation of why this record is needed."
+					}
+				},
+				"required": [
+					"type",
+					"name",
+					"fqdn",
+					"value",
+					"required",
+					"purpose",
+					"status"
+				]
+			},
 			"UnverifiedDomain": {
 				"type": "object",
 				"properties": {
@@ -4791,6 +4917,11 @@ const openapiDocument = {
 						"type": "string",
 						"description": "Add this value as a TXT record to verify ownership"
 					},
+					"dns_records": {
+						"type": "array",
+						"description": "Exact DNS records to publish for this pending domain claim.",
+						"items": { "$ref": "#/components/schemas/DomainDnsRecord" }
+					},
 					"created_at": {
 						"type": "string",
 						"format": "date-time"
@@ -4808,12 +4939,23 @@ const openapiDocument = {
 			"AddDomainInput": {
 				"type": "object",
 				"additionalProperties": false,
-				"properties": { "domain": {
-					"type": "string",
-					"minLength": 1,
-					"maxLength": 253,
-					"description": "The domain name to claim (e.g. \"example.com\")"
-				} },
+				"properties": {
+					"domain": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 253,
+						"description": "The domain name to claim (e.g. \"example.com\")"
+					},
+					"confirmed": {
+						"type": "boolean",
+						"description": "Set to true to confirm replacing an existing mailbox provider after an mx_conflict response."
+					},
+					"outbound": {
+						"type": "boolean",
+						"deprecated": true,
+						"description": "Deprecated and ignored. Outbound DNS is provisioned for every new domain claim."
+					}
+				},
 				"required": ["domain"]
 			},
 			"UpdateDomainInput": {
@@ -4835,10 +4977,17 @@ const openapiDocument = {
 			},
 			"DomainVerifyResult": { "oneOf": [{
 				"type": "object",
-				"properties": { "verified": {
-					"type": "boolean",
-					"const": true
-				} },
+				"properties": {
+					"verified": {
+						"type": "boolean",
+						"const": true
+					},
+					"dns_records": {
+						"type": "array",
+						"description": "Exact DNS records checked for this verification attempt.",
+						"items": { "$ref": "#/components/schemas/DomainDnsRecord" }
+					}
+				},
 				"required": ["verified"]
 			}, {
 				"type": "object",
@@ -4855,6 +5004,27 @@ const openapiDocument = {
 						"type": "boolean",
 						"description": "Whether the TXT verification record was found"
 					},
+					"spfFound": {
+						"type": "boolean",
+						"description": "Whether the SPF record includes Primitive."
+					},
+					"dkimFound": {
+						"type": "boolean",
+						"description": "Whether the DKIM public key record was found."
+					},
+					"dmarcFound": {
+						"type": "boolean",
+						"description": "Whether the DMARC record was found."
+					},
+					"tlsRptFound": {
+						"type": "boolean",
+						"description": "Whether the TLS-RPT record was found."
+					},
+					"dns_records": {
+						"type": "array",
+						"description": "Exact DNS records checked for this verification attempt.",
+						"items": { "$ref": "#/components/schemas/DomainDnsRecord" }
+					},
 					"error": {
 						"type": "string",
 						"description": "Human-readable verification failure reason"
@@ -5167,6 +5337,31 @@ const openapiDocument = {
 					"created_at"
 				]
 			},
+			"SendMailAttachment": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"filename": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 255,
+						"description": "Attachment filename. Control characters are rejected."
+					},
+					"content_type": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 255,
+						"description": "Optional MIME content type. Control characters are rejected."
+					},
+					"content_base64": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 44040192,
+						"description": "Base64-encoded attachment bytes."
+					}
+				},
+				"required": ["filename", "content_base64"]
+			},
 			"SendMailInput": {
 				"type": "object",
 				"additionalProperties": false,
@@ -5215,6 +5410,12 @@ const openapiDocument = {
 							"pattern": "^[^\\x00-\\x1F\\x7F]+$"
 						}
 					},
+					"attachments": {
+						"type": "array",
+						"maxItems": 100,
+						"description": "Inline attachments. Send requests with attachments to https://api.primitive.dev/v1/send-mail. Combined raw decoded attachment bytes must be at most 31457280.",
+						"items": { "$ref": "#/components/schemas/SendMailAttachment" }
+					},
 					"wait": {
 						"type": "boolean",
 						"description": "When true, wait for the first downstream SMTP delivery outcome before returning."
@@ -7502,7 +7703,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "add-domain",
-		"description": "Creates an unverified domain claim. You will receive a\n`verification_token` to add as a DNS TXT record before\ncalling the verify endpoint.\n",
+		"description": "Creates an unverified domain claim and returns the exact\nDNS records to publish in `dns_records`. Publish those\nrecords before calling the verify endpoint. To give users\nan importable DNS file, call `downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "addDomain",
@@ -7512,12 +7713,23 @@ const operationManifest = [
 		"requestSchema": {
 			"type": "object",
 			"additionalProperties": false,
-			"properties": { "domain": {
-				"type": "string",
-				"minLength": 1,
-				"maxLength": 253,
-				"description": "The domain name to claim (e.g. \"example.com\")"
-			} },
+			"properties": {
+				"domain": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 253,
+					"description": "The domain name to claim (e.g. \"example.com\")"
+				},
+				"confirmed": {
+					"type": "boolean",
+					"description": "Set to true to confirm replacing an existing mailbox provider after an mx_conflict response."
+				},
+				"outbound": {
+					"type": "boolean",
+					"deprecated": true,
+					"description": "Deprecated and ignored. Outbound DNS is provisioned for every new domain claim."
+				}
+			},
 			"required": ["domain"]
 		},
 		"responseSchema": {
@@ -7540,6 +7752,78 @@ const operationManifest = [
 					"type": "string",
 					"description": "Add this value as a TXT record to verify ownership"
 				},
+				"dns_records": {
+					"type": "array",
+					"description": "Exact DNS records to publish for this pending domain claim.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"type": {
+								"type": "string",
+								"enum": ["MX", "TXT"],
+								"description": "DNS record type."
+							},
+							"name": {
+								"type": "string",
+								"description": "DNS-provider host/name value relative to the managed root zone."
+							},
+							"fqdn": {
+								"type": "string",
+								"description": "Fully-qualified DNS record name."
+							},
+							"value": {
+								"type": "string",
+								"description": "Exact value to publish."
+							},
+							"priority": {
+								"type": "integer",
+								"description": "MX priority. Present only for MX records."
+							},
+							"ttl": {
+								"type": "integer",
+								"description": "Suggested TTL in seconds when the API can provide one."
+							},
+							"required": {
+								"type": "boolean",
+								"const": true
+							},
+							"purpose": {
+								"type": "string",
+								"enum": [
+									"inbound_mx",
+									"ownership_verification",
+									"spf",
+									"dkim",
+									"dmarc",
+									"tls_reporting"
+								]
+							},
+							"status": {
+								"type": "string",
+								"enum": [
+									"pending",
+									"found",
+									"missing",
+									"incorrect"
+								]
+							},
+							"message": {
+								"type": "string",
+								"description": "Short explanation of why this record is needed."
+							}
+						},
+						"required": [
+							"type",
+							"name",
+							"fqdn",
+							"value",
+							"required",
+							"purpose",
+							"status"
+						]
+					}
+				},
 				"created_at": {
 					"type": "string",
 					"format": "date-time"
@@ -7583,6 +7867,36 @@ const operationManifest = [
 		"tag": "Domains",
 		"tagCommand": "domains"
 	},
+	{
+		"binaryResponse": true,
+		"bodyRequired": false,
+		"command": "download-domain-zone-file",
+		"description": "Downloads a BIND-format DNS zone file containing the DNS records\nrequired for a domain claim. Agents should offer this after\n`addDomain` when users want to import DNS records instead of\ncopying each record manually.\n",
+		"hasJsonBody": false,
+		"method": "GET",
+		"operationId": "downloadDomainZoneFile",
+		"path": "/domains/{id}/zone-file",
+		"pathParams": [{
+			"description": "Resource UUID",
+			"enum": null,
+			"name": "id",
+			"required": true,
+			"type": "string"
+		}],
+		"queryParams": [{
+			"description": "When true, include only outbound DNS records. Verified domains\ndefault to outbound-only; pending claims default to all required\nrecords.\n",
+			"enum": null,
+			"name": "outbound_only",
+			"required": false,
+			"type": "boolean"
+		}],
+		"requestSchema": null,
+		"responseSchema": null,
+		"sdkName": "downloadDomainZoneFile",
+		"summary": "Download domain DNS zone file",
+		"tag": "Domains",
+		"tagCommand": "domains"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
@@ -7598,7 +7912,7 @@ const operationManifest = [
 		"responseSchema": {
 			"type": "array",
 			"items": {
-				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` for DNS verification.\n",
+				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` and `dns_records` for DNS setup.\n",
 				"oneOf": [{
 					"type": "object",
 					"properties": {
@@ -7655,6 +7969,78 @@ const operationManifest = [
 							"type": "string",
 							"description": "Add this value as a TXT record to verify ownership"
 						},
+						"dns_records": {
+							"type": "array",
+							"description": "Exact DNS records to publish for this pending domain claim.",
+							"items": {
+								"type": "object",
+								"additionalProperties": false,
+								"properties": {
+									"type": {
+										"type": "string",
+										"enum": ["MX", "TXT"],
+										"description": "DNS record type."
+									},
+									"name": {
+										"type": "string",
+										"description": "DNS-provider host/name value relative to the managed root zone."
+									},
+									"fqdn": {
+										"type": "string",
+										"description": "Fully-qualified DNS record name."
+									},
+									"value": {
+										"type": "string",
+										"description": "Exact value to publish."
+									},
+									"priority": {
+										"type": "integer",
+										"description": "MX priority. Present only for MX records."
+									},
+									"ttl": {
+										"type": "integer",
+										"description": "Suggested TTL in seconds when the API can provide one."
+									},
+									"required": {
+										"type": "boolean",
+										"const": true
+									},
+									"purpose": {
+										"type": "string",
+										"enum": [
+											"inbound_mx",
+											"ownership_verification",
+											"spf",
+											"dkim",
+											"dmarc",
+											"tls_reporting"
+										]
+									},
+									"status": {
+										"type": "string",
+										"enum": [
+											"pending",
+											"found",
+											"missing",
+											"incorrect"
+										]
+									},
+									"message": {
+										"type": "string",
+										"description": "Short explanation of why this record is needed."
+									}
+								},
+								"required": [
+									"type",
+									"name",
+									"fqdn",
+									"value",
+									"required",
+									"purpose",
+									"status"
+								]
+							}
+						},
 						"created_at": {
 							"type": "string",
 							"format": "date-time"
@@ -7756,7 +8142,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": false,
 		"command": "verify-domain",
-		"description": "Checks DNS records (MX and TXT) to verify domain ownership.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed.\n",
+		"description": "Checks DNS records required for inbound routing, ownership,\nand outbound authentication: MX, ownership TXT, SPF, DKIM,\nDMARC, and TLS-RPT.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed,\nplus the exact DNS records still expected. To give users\nan importable DNS file for missing records, call\n`downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 		"hasJsonBody": false,
 		"method": "POST",
 		"operationId": "verifyDomain",
@@ -7772,10 +8158,84 @@ const operationManifest = [
 		"requestSchema": null,
 		"responseSchema": { "oneOf": [{
 			"type": "object",
-			"properties": { "verified": {
-				"type": "boolean",
-				"const": true
-			} },
+			"properties": {
+				"verified": {
+					"type": "boolean",
+					"const": true
+				},
+				"dns_records": {
+					"type": "array",
+					"description": "Exact DNS records checked for this verification attempt.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"type": {
+								"type": "string",
+								"enum": ["MX", "TXT"],
+								"description": "DNS record type."
+							},
+							"name": {
+								"type": "string",
+								"description": "DNS-provider host/name value relative to the managed root zone."
+							},
+							"fqdn": {
+								"type": "string",
+								"description": "Fully-qualified DNS record name."
+							},
+							"value": {
+								"type": "string",
+								"description": "Exact value to publish."
+							},
+							"priority": {
+								"type": "integer",
+								"description": "MX priority. Present only for MX records."
+							},
+							"ttl": {
+								"type": "integer",
+								"description": "Suggested TTL in seconds when the API can provide one."
+							},
+							"required": {
+								"type": "boolean",
+								"const": true
+							},
+							"purpose": {
+								"type": "string",
+								"enum": [
+									"inbound_mx",
+									"ownership_verification",
+									"spf",
+									"dkim",
+									"dmarc",
+									"tls_reporting"
+								]
+							},
+							"status": {
+								"type": "string",
+								"enum": [
+									"pending",
+									"found",
+									"missing",
+									"incorrect"
+								]
+							},
+							"message": {
+								"type": "string",
+								"description": "Short explanation of why this record is needed."
+							}
+						},
+						"required": [
+							"type",
+							"name",
+							"fqdn",
+							"value",
+							"required",
+							"purpose",
+							"status"
+						]
+					}
+				}
+			},
 			"required": ["verified"]
 		}, {
 			"type": "object",
@@ -7792,6 +8252,94 @@ const operationManifest = [
 					"type": "boolean",
 					"description": "Whether the TXT verification record was found"
 				},
+				"spfFound": {
+					"type": "boolean",
+					"description": "Whether the SPF record includes Primitive."
+				},
+				"dkimFound": {
+					"type": "boolean",
+					"description": "Whether the DKIM public key record was found."
+				},
+				"dmarcFound": {
+					"type": "boolean",
+					"description": "Whether the DMARC record was found."
+				},
+				"tlsRptFound": {
+					"type": "boolean",
+					"description": "Whether the TLS-RPT record was found."
+				},
+				"dns_records": {
+					"type": "array",
+					"description": "Exact DNS records checked for this verification attempt.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"type": {
+								"type": "string",
+								"enum": ["MX", "TXT"],
+								"description": "DNS record type."
+							},
+							"name": {
+								"type": "string",
+								"description": "DNS-provider host/name value relative to the managed root zone."
+							},
+							"fqdn": {
+								"type": "string",
+								"description": "Fully-qualified DNS record name."
+							},
+							"value": {
+								"type": "string",
+								"description": "Exact value to publish."
+							},
+							"priority": {
+								"type": "integer",
+								"description": "MX priority. Present only for MX records."
+							},
+							"ttl": {
+								"type": "integer",
+								"description": "Suggested TTL in seconds when the API can provide one."
+							},
+							"required": {
+								"type": "boolean",
+								"const": true
+							},
+							"purpose": {
+								"type": "string",
+								"enum": [
+									"inbound_mx",
+									"ownership_verification",
+									"spf",
+									"dkim",
+									"dmarc",
+									"tls_reporting"
+								]
+							},
+							"status": {
+								"type": "string",
+								"enum": [
+									"pending",
+									"found",
+									"missing",
+									"incorrect"
+								]
+							},
+							"message": {
+								"type": "string",
+								"description": "Short explanation of why this record is needed."
+							}
+						},
+						"required": [
+							"type",
+							"name",
+							"fqdn",
+							"value",
+							"required",
+							"purpose",
+							"status"
+						]
+					}
+				},
 				"error": {
 					"type": "string",
 					"description": "Human-readable verification failure reason"
@@ -11165,6 +11713,36 @@ const operationManifest = [
 						"pattern": "^[^\\x00-\\x1F\\x7F]+$"
 					}
 				},
+				"attachments": {
+					"type": "array",
+					"maxItems": 100,
+					"description": "Inline attachments. Send requests with attachments to https://api.primitive.dev/v1/send-mail. Combined raw decoded attachment bytes must be at most 31457280.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"filename": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 255,
+								"description": "Attachment filename. Control characters are rejected."
+							},
+							"content_type": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 255,
+								"description": "Optional MIME content type. Control characters are rejected."
+							},
+							"content_base64": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 44040192,
+								"description": "Base64-encoded attachment bytes."
+							}
+						},
+						"required": ["filename", "content_base64"]
+					}
+				},
 				"wait": {
 					"type": "boolean",
 					"description": "When true, wait for the first downstream SMTP delivery outcome before returning."
@@ -12501,6 +13079,10 @@ function operationOutputPayload(envelope, includeEnvelope) {
 	return includeEnvelope ? envelope ?? null : envelope?.data ?? null;
 }
 const OPERATION_HINTS = {
+	addDomain: "Tip: after this returns a domain id, run `primitive domains zone-file --id <domain-id> --output <domain>.zone` when the user wants an importable DNS zone file.",
+	verifyDomain: "Tip: if DNS is still missing, run `primitive domains zone-file --id <domain-id> --output <domain>.zone` to give the user an importable DNS zone file.",
+	downloadDomainZoneFile: "Tip: prefer `primitive domains zone-file --id <domain-id> --output <domain>.zone` for CLI-friendly file output.",
+	sendEmail: "Tip: prefer `primitive send --to <address> --body <text> --attachment <file>` for file attachments. This raw command exists for callers passing JSON.",
 	createFunction: "Tip: prefer `primitive functions deploy --name <name> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
 	updateFunction: "Tip: prefer `primitive functions redeploy --id <id> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
 	createFunctionSecret: "Tip: prefer `primitive functions set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON.",
@@ -12612,7 +13194,8 @@ const EMPTY_RESULT_HINTS = {
 	listEndpoints: "(no results) No webhook endpoints configured. Add one with `primitive endpoints create --url <your-url>`.",
 	listEmails: "(no results) No inbound emails received yet on this account. Send one to a verified domain to populate this list. For a compact view, prefer `primitive emails latest`.",
 	listDomains: "(no results) No domains on this account. Add one with `primitive domains add --domain <yourdomain.example>`.",
-	listFilters: "(no results) No filter rules configured."
+	listFilters: "(no results) No filter rules configured.",
+	listFunctions: "(no results) No Functions configured yet. Start with `primitive functions templates`, then `primitive functions init --template <template>` and `primitive functions deploy --name <name> --file <bundle>`."
 };
 function canonicalizeCliReferences(description) {
 	return description.replaceAll("`primitive emails:latest`", "`primitive emails latest`").replaceAll("`primitive describe emails:get-email | jq '.responseSchema.properties'`", "`primitive describe emails:get | jq '.responseSchema.properties'`");
@@ -13379,6 +13962,144 @@ var DoctorCommand = class DoctorCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/domains-zone-file.ts
+function zoneFileUrl(baseUrl, domainId, outboundOnly) {
+	const url = new URL(`${baseUrl.replace(/\/$/, "")}/domains/${encodeURIComponent(domainId)}/zone-file`);
+	if (outboundOnly) url.searchParams.set("outbound_only", "true");
+	return url.toString();
+}
+function contentDispositionFilename(value) {
+	if (!value) return null;
+	const match = /filename\*=UTF-8''([^;]+)|filename="?([^";]+)"?/i.exec(value);
+	const raw = match?.[1] ?? match?.[2];
+	if (!raw) return null;
+	try {
+		return decodeURIComponent(raw);
+	} catch {
+		return raw;
+	}
+}
+function findDomain(domains, domain) {
+	const match = domains.find((entry) => entry.domain === domain);
+	if (!match) throw new Errors.CLIError(`Domain ${domain} was not found.`, { exit: 1 });
+	return match;
+}
+async function responseErrorPayload(response) {
+	if ((response.headers.get("content-type")?.toLowerCase() ?? "").includes("application/json")) return response.json().catch(() => ({
+		code: "http_error",
+		message: `HTTP ${response.status} ${response.statusText}`.trim()
+	}));
+	return {
+		code: "http_error",
+		message: (await response.text().catch(() => "")).trim() || `HTTP ${response.status} ${response.statusText}`.trim()
+	};
+}
+var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
+	static description = `Download a BIND-format DNS zone file for a domain claim.
+
+  Use this when a DNS provider supports zone-file import and you want to publish all required records at once instead of copying each record manually. The file is generated by the Primitive API, matching the dashboard download flow.
+
+  Agents: after claiming a domain, tell users they can run \`primitive domains zone-file --id <domain-id> --output <domain>.zone\` to get an importable DNS zone file.`;
+	static summary = "Download a DNS zone file for a domain";
+	static examples = [
+		"<%= config.bin %> domains zone-file --id <domain-id>",
+		"<%= config.bin %> domains zone-file --id <domain-id> --output example.com.zone",
+		"<%= config.bin %> domains zone-file --domain example.com --output example.com.zone",
+		"<%= config.bin %> domains zone-file --id <domain-id> --outbound-only"
+	];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"api-base-url-2": Flags.string({
+			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_2",
+			hidden: true
+		}),
+		domain: Flags.string({ description: "Domain name to look up before downloading its zone file. Prefer --id when you have the domain id from `primitive domains add`." }),
+		id: Flags.string({ description: "Domain id returned by `primitive domains add` or `primitive domains list`." }),
+		output: Flags.string({
+			char: "o",
+			description: "Write the zone file to this path instead of stdout. Defaults to stdout."
+		}),
+		"outbound-only": Flags.boolean({ description: "Include only outbound DNS records. Verified domains default to outbound-only at the API; this flag is explicit for agents and scripts." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(DomainsZoneFileCommand);
+		if (flags.id && flags.domain) throw new Errors.CLIError("Use only one of --id or --domain.", { exit: 1 });
+		if (!flags.id && !flags.domain) throw new Errors.CLIError("Pass --id <domain-id> or --domain <domain>.", { exit: 1 });
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden, requestConfig } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl2: flags["api-base-url-2"],
+				configDir: this.config.configDir
+			});
+			let domainId = flags.id;
+			if (!domainId && flags.domain) {
+				const result = await listDomains({
+					client: apiClient.client,
+					responseStyle: "fields"
+				});
+				if (result.error) {
+					const errorPayload = extractErrorPayload(result.error);
+					writeErrorWithHints(errorPayload);
+					surfaceUnauthorizedHint({
+						auth,
+						baseUrlOverridden,
+						configDir: this.config.configDir,
+						payload: errorPayload
+					});
+					process.exitCode = 1;
+					return;
+				}
+				const envelope = result.data;
+				domainId = findDomain(envelope?.data ?? [], flags.domain).id;
+			}
+			if (!domainId) throw new Errors.CLIError("Could not resolve a domain id.", { exit: 1 });
+			let response;
+			try {
+				response = await fetch(zoneFileUrl(requestConfig.resolvedApiBaseUrl1, domainId, flags["outbound-only"]), { headers: {
+					...requestConfig.headers ?? {},
+					...auth.apiKey ? { authorization: `Bearer ${auth.apiKey}` } : {}
+				} });
+			} catch (error) {
+				writeErrorWithHints(error);
+				process.exitCode = 1;
+				return;
+			}
+			if (!response.ok) {
+				const errorPayload = extractErrorPayload(await responseErrorPayload(response));
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const zoneFile = await response.text();
+			const output = flags.output;
+			if (output) {
+				writeFileSync(output, zoneFile, "utf8");
+				const filename = contentDispositionFilename(response.headers.get("content-disposition"));
+				process.stderr.write(`Wrote ${filename ?? "zone file"} to ${output}\n`);
+				return;
+			}
+			process.stdout.write(zoneFile);
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/emails-latest.ts
 const DEFAULT_LIMIT = 10;
 const MAX_LIMIT = 100;
@@ -16291,12 +17012,46 @@ var ReplyCommand = class ReplyCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/attachments.ts
+function readAttachmentBytes(path, readFile) {
+	try {
+		return Buffer.from(readFile(path));
+	} catch (error) {
+		const detail = error instanceof Error ? error.message : String(error);
+		throw new Errors.CLIError(`Could not read --attachment ${path}: ${detail}`, { exit: 1 });
+	}
+}
+function hasControlCharacter(value) {
+	return Array.from(value).some((character) => {
+		const code = character.charCodeAt(0);
+		return code <= 31 || code >= 127 && code <= 159;
+	});
+}
+function validateAttachmentFilename(path, filename) {
+	if (!filename) throw new Errors.CLIError(`Could not derive an attachment filename from ${path}. Pass a file path.`, { exit: 1 });
+	if (hasControlCharacter(filename)) throw new Errors.CLIError(`Attachment filename ${filename} contains control characters.`, { exit: 1 });
+}
+function readAttachmentFiles(paths, readFile = readFileSync) {
+	if (!paths || paths.length === 0) return void 0;
+	return paths.map((path) => {
+		const filename = basename(path);
+		validateAttachmentFilename(path, filename);
+		const bytes = readAttachmentBytes(path, readFile);
+		if (bytes.length === 0) throw new Errors.CLIError(`Attachment file ${path} is empty. Attachments must contain at least one byte.`, { exit: 1 });
+		return {
+			content_base64: bytes.toString("base64"),
+			filename
+		};
+	});
+}
+//#endregion
 //#region src/oclif/commands/send.ts
 var SendCommand = class SendCommand extends Command {
 	static description = `Send an outbound email. Agent-grade shortcut for \`sending send\` with sensible defaults.
 
   --from defaults to agent@<your-first-verified-outbound-domain> when omitted.
   --subject defaults to the first line of the body when omitted.
+  --attachment attaches a file; repeat it to attach multiple files.
 
   For the full flag set (custom message-id threading on the wire,
   references arrays, etc.), use \`primitive sending send\`.`;
@@ -16304,6 +17059,7 @@ var SendCommand = class SendCommand extends Command {
 	static examples = [
 		"<%= config.bin %> send --to alice@example.com --body 'Hi Alice!'",
 		"<%= config.bin %> send --to alice@example.com --body-file ./message.txt",
+		"<%= config.bin %> send --to alice@example.com --body 'See attached.' --attachment ./report.pdf",
 		"<%= config.bin %> send --to alice@example.com --from support@yourcompany.com --subject 'Quick question' --body 'Are you free Thursday?'",
 		"<%= config.bin %> send --to alice@example.com --html '<p>Hello!</p>'",
 		"<%= config.bin %> send --to alice@example.com --body 'Confirmed' --wait",
@@ -16331,11 +17087,15 @@ var SendCommand = class SendCommand extends Command {
 		from: Flags.string({ description: "Sender address. Defaults to agent@<your-first-verified-outbound-domain>." }),
 		subject: Flags.string({ description: "Subject line. Defaults to the first line of --body / --html when omitted." }),
 		body: Flags.string({ description: "Plain-text message body. Either --body or --html (or both) is required." }),
-		"body-file": Flags.string({ description: "Read the plain-text message body from a UTF-8 file. Mutually exclusive with --body and --body-stdin." }),
+		"body-file": Flags.string({ description: "Read the plain-text message body from a UTF-8 file. This does not attach the file; use --attachment for file attachments. Mutually exclusive with --body and --body-stdin." }),
 		"body-stdin": Flags.boolean({ description: "Read the plain-text message body from stdin. Mutually exclusive with --body and --body-file. Stdin can only be consumed once." }),
 		html: Flags.string({ description: "HTML message body. Either --body or --html (or both) is required." }),
 		"html-file": Flags.string({ description: "Read the HTML message body from a UTF-8 file. Mutually exclusive with --html and --html-stdin." }),
 		"html-stdin": Flags.boolean({ description: "Read the HTML message body from stdin. Mutually exclusive with --html and --html-file. Stdin can only be consumed once." }),
+		attachment: Flags.string({
+			description: "Attach a file to the email. Repeatable. Sends file bytes as a MIME attachment; use --body-file only for message body text.",
+			multiple: true
+		}),
 		"in-reply-to": Flags.string({ description: "Message-Id of the parent email when threading a reply on the wire. For replying to an inbound message you received, prefer `primitive reply --id <inbound-id>`." }),
 		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the message for delivery." }),
 		"wait-timeout-ms": Flags.integer({ description: "Maximum time to wait when --wait is set. Defaults to 30000ms." }),
@@ -16352,6 +17112,7 @@ var SendCommand = class SendCommand extends Command {
 			htmlStdin: flags["html-stdin"]
 		});
 		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
+		const attachments = readAttachmentFiles(flags.attachment);
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
@@ -16373,6 +17134,7 @@ var SendCommand = class SendCommand extends Command {
 					subject,
 					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
 					...bodies.html !== void 0 ? { body_html: bodies.html } : {},
+					...attachments !== void 0 ? { attachments } : {},
 					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
 					...flags.wait !== void 0 ? { wait: flags.wait } : {},
 					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
@@ -17283,36 +18045,88 @@ function renderFishCompletion(binName) {
 //#endregion
 //#region src/oclif/index.ts
 var ListOperationsCommand = class extends Command {
-	static description = "List all generated API operations as JSON. Useful for piping to `jq` to discover available commands, their request/response schemas, and per-field descriptions. For inspecting a single operation in detail, prefer `primitive describe <command>`.";
+	static description = "List all generated API operations as JSON. Useful for piping to `jq` to discover available commands, their request/response schemas, and per-field descriptions. For inspecting a single operation in detail, prefer `primitive describe <command-or-operation-name>`.";
 	static summary = "List all generated API operations (JSON)";
 	async run() {
 		this.log(JSON.stringify(operationManifest, null, 2));
 	}
 };
+function operationId(operation) {
+	return `${operation.tagCommand}:${operation.command}`;
+}
+function normalizeLookupToken(value) {
+	return value.toLowerCase().replace(/[^a-z0-9]/g, "");
+}
+function unique(values) {
+	return [...new Set(values)];
+}
+function operationLookupTokens(operation) {
+	return unique([
+		operationId(operation),
+		operation.command,
+		operation.operationId,
+		operation.sdkName,
+		`${operation.tagCommand}:${operation.operationId}`,
+		`${operation.tagCommand}:${operation.sdkName}`
+	]);
+}
+function levenshteinDistance(left, right) {
+	if (left === right) return 0;
+	if (left.length === 0) return right.length;
+	if (right.length === 0) return left.length;
+	let previous = Array.from({ length: right.length + 1 }, (_, index) => index);
+	for (let leftIndex = 0; leftIndex < left.length; leftIndex += 1) {
+		const current = [leftIndex + 1];
+		for (let rightIndex = 0; rightIndex < right.length; rightIndex += 1) {
+			const substitutionCost = left[leftIndex] === right[rightIndex] ? 0 : 1;
+			current[rightIndex + 1] = Math.min(current[rightIndex] + 1, previous[rightIndex + 1] + 1, previous[rightIndex] + substitutionCost);
+		}
+		previous = current;
+	}
+	return previous[right.length] ?? Number.POSITIVE_INFINITY;
+}
+function scoreLookupToken(query, token) {
+	const normalizedQuery = normalizeLookupToken(query);
+	const normalizedToken = normalizeLookupToken(token);
+	if (!normalizedQuery || !normalizedToken) return 0;
+	if (normalizedQuery === normalizedToken) return 100;
+	if (normalizedToken.includes(normalizedQuery)) return Math.max(50, 90 - (normalizedToken.length - normalizedQuery.length));
+	if (normalizedQuery.includes(normalizedToken)) return Math.max(45, 80 - (normalizedQuery.length - normalizedToken.length));
+	const distance = levenshteinDistance(normalizedQuery, normalizedToken);
+	const maxLength = Math.max(normalizedQuery.length, normalizedToken.length);
+	return Math.round((1 - distance / maxLength) * 75);
+}
+function scoreOperation(query, operation) {
+	return Math.max(...operationLookupTokens(operation).map((token) => scoreLookupToken(query, token)));
+}
 function lookupOperation(id) {
 	const trimmed = resolveOperationAlias(id.trim());
-	const sep = trimmed.indexOf(":");
-	const tag = sep === -1 ? "" : trimmed.slice(0, sep);
-	const cmd = sep === -1 ? trimmed : trimmed.slice(sep + 1);
-	const match = operationManifest.find((op) => op.command === cmd && op.tagCommand === tag) ?? null;
+	const match = operationManifest.find((op) => operationLookupTokens(op).some((token) => token === trimmed || normalizeLookupToken(token) === normalizeLookupToken(trimmed))) ?? null;
 	if (match) return {
 		match,
 		candidates: []
 	};
 	return {
 		match: null,
-		candidates: operationManifest.filter((op) => op.command.includes(cmd) || op.tagCommand.includes(tag)).slice(0, 5).map((op) => op.tagCommand ? `${op.tagCommand}:${op.command}` : op.command)
+		candidates: operationManifest.map((op) => ({
+			id: operationId(op),
+			score: scoreOperation(trimmed, op)
+		})).filter(({ score }) => score >= 45).sort((left, right) => right.score - left.score || left.id.localeCompare(right.id)).slice(0, 5).map(({ id }) => id)
 	};
 }
 var DescribeCommand = class DescribeCommand extends Command {
 	static args = { command: Args.string({
-		description: "Command id to describe, e.g. `emails:list` or `emails:get-email`. Run `primitive list-operations | jq -r '.[] | \"\\(.tagCommand):\\(.command)\"'` to enumerate generated operation ids.",
+		description: "Command id, alias, or SDK operation name to describe, e.g. `emails:list`, `emails:get-email`, or `getEmail`. Run `primitive list-operations | jq -r '.[] | \"\\(.tagCommand):\\(.command) \\(.operationId)\"'` to enumerate generated operation ids.",
 		required: true
 	}) };
 	static description = `Print the full operation manifest entry for a single API command, including the path, request schema, response schema, and per-field descriptions sourced from the OpenAPI spec.
 
   The manifest entry's \`responseSchema\` carries the inlined JSON Schema for the operation's 200/201 \`data\` envelope contents (\`$ref\`s resolved). Use it to look up what specific response fields mean. Examples:
 
+      # Domain setup records returned by add/verify
+      primitive describe domains:add
+      primitive describe addDomain
+
       # Which of EmailDetail's sender-shaped fields is canonical?
       primitive describe emails:get | jq '.responseSchema.properties | keys'
       primitive describe emails:get | jq -r '.responseSchema.properties.from_email.description'
@@ -17322,7 +18136,12 @@ var DescribeCommand = class DescribeCommand extends Command {
 
   \`requestSchema\` is the same shape for the request body when one exists. For a single field across many operations at once, use \`primitive list-operations | jq\` instead.`;
 	static summary = "Describe a single API operation in detail";
-	static examples = ["<%= config.bin %> describe emails:get", "<%= config.bin %> describe sent:get"];
+	static examples = [
+		"<%= config.bin %> describe addDomain",
+		"<%= config.bin %> describe domains:add",
+		"<%= config.bin %> describe emails:get",
+		"<%= config.bin %> describe sent:get"
+	];
 	async run() {
 		const { args } = await this.parse(DescribeCommand);
 		const { match, candidates } = lookupOperation(args.command);
@@ -17355,9 +18174,6 @@ var CompletionCommand = class CompletionCommand extends Command {
 		await this.config.runCommand("autocomplete", [args.shell]);
 	}
 };
-function commandId(operation) {
-	return `${operation.tagCommand}:${operation.command}`;
-}
 const CANONICAL_OPERATION_ALIASES = {
 	"account:show": "account:get-account",
 	"account:storage": "account:get-storage-stats",
@@ -17402,14 +18218,15 @@ const CANONICAL_OPERATION_ALIASES = {
 };
 const DESCRIBE_OPERATION_ALIASES = {
 	...CANONICAL_OPERATION_ALIASES,
+	"domains:zone-file": "domains:download-domain-zone-file",
 	"functions:logs": "functions:list-function-logs",
 	reply: "sending:reply-to-email"
 };
 function resolveOperationAlias(id) {
 	return DESCRIBE_OPERATION_ALIASES[id] ?? id;
 }
-const OVERRIDDEN_OPERATION_IDS = new Set(["functions:test-function"]);
-const generatedCommands = Object.fromEntries(operationManifest.filter((operation) => !OVERRIDDEN_OPERATION_IDS.has(commandId(operation))).map((operation) => [commandId(operation), createOperationCommand(operation)]));
+const OVERRIDDEN_OPERATION_IDS = new Set(["domains:download-domain-zone-file", "functions:test-function"]);
+const generatedCommands = Object.fromEntries(operationManifest.filter((operation) => !OVERRIDDEN_OPERATION_IDS.has(operationId(operation))).map((operation) => [operationId(operation), createOperationCommand(operation)]));
 const COMMANDS = {
 	completion: CompletionCommand,
 	"list-operations": ListOperationsCommand,
@@ -17438,6 +18255,8 @@ const COMMANDS = {
 	"emails:latest": EmailsLatestCommand,
 	"emails:watch": EmailsWatchCommand,
 	"emails:wait": EmailsWaitCommand,
+	"domains:zone-file": DomainsZoneFileCommand,
+	"domains:download-domain-zone-file": DomainsZoneFileCommand,
 	"functions:init": FunctionsInitCommand,
 	"functions:templates": FunctionsTemplatesCommand,
 	"functions:deploy": FunctionsDeployCommand,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/cli",
-  "version": "0.31.3",
+  "version": "0.31.4",
   "description": "Official Primitive CLI: deploy Primitive Functions, send and inspect mail, manage endpoints, all from the terminal. Wraps the @primitivedotdev/sdk runtime client with one-shot commands.",
   "type": "module",
   "sideEffects": false,
@@ -38,7 +38,7 @@
         "description": "Agent signup and authentication API operations"
       },
       "domains": {
-        "description": "Claim, verify, and manage email domains"
+        "description": "Claim, verify, manage email domains, and download DNS zone files"
       },
       "emails": {
         "description": "List, inspect, and wait for received emails. Prefer task aliases like `primitive emails list`, `primitive emails get`, `primitive emails latest`, `primitive emails wait`, and `primitive emails watch`; generated API names remain available for compatibility."