npm - @primitivedotdev/cli - Versions diffs - 0.31.3 → 0.31.5 - Mend

@primitivedotdev/cli 0.31.3 → 0.31.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/oclif/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import { Args, Command, Errors, Flags } from "@oclif/core";
 import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { randomUUID } from "node:crypto";
-import { dirname, join, resolve } from "node:path";
+import { basename, dirname, join, resolve } from "node:path";
 import { spawn } from "node:child_process";
 import { hostname } from "node:os";
 import process$1 from "node:process";
@@ -645,11 +645,13 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	deleteFunctionSecret: () => deleteFunctionSecret,
 	discardEmailContent: () => discardEmailContent,
 	downloadAttachments: () => downloadAttachments,
+	downloadDomainZoneFile: () => downloadDomainZoneFile,
 	downloadRawEmail: () => downloadRawEmail,
 	getAccount: () => getAccount,
 	getEmail: () => getEmail,
 	getFunction: () => getFunction,
 	getFunctionTestRunTrace: () => getFunctionTestRunTrace,
+	getInboxStatus: () => getInboxStatus,
 	getSendPermissions: () => getSendPermissions,
 	getSentEmail: () => getSentEmail,
 	getStorageStats: () => getStorageStats,
@@ -941,9 +943,11 @@ const listDomains = (options) => (options?.client ?? client).get({
 /**
 * Claim a new domain
 *
-* Creates an unverified domain claim. You will receive a
-* `verification_token` to add as a DNS TXT record before
-* calling the verify endpoint.
+* Creates an unverified domain claim and returns the exact
+* DNS records to publish in `dns_records`. Publish those
+* records before calling the verify endpoint. To give users
+* an importable DNS file, call `downloadDomainZoneFile` or run
+* `primitive domains zone-file --id <domain-id>`.
 *
 */
 const addDomain = (options) => (options.client ?? client).post({
@@ -993,9 +997,15 @@ const updateDomain = (options) => (options.client ?? client).patch({
 /**
 * Verify domain ownership
 *
-* Checks DNS records (MX and TXT) to verify domain ownership.
+* Checks DNS records required for inbound routing, ownership,
+* and outbound authentication: MX, ownership TXT, SPF, DKIM,
+* DMARC, and TLS-RPT.
 * On success, the domain is promoted from unverified to verified.
-* On failure, returns which checks passed and which failed.
+* On failure, returns which checks passed and which failed,
+* plus the exact DNS records still expected. To give users
+* an importable DNS file for missing records, call
+* `downloadDomainZoneFile` or run
+* `primitive domains zone-file --id <domain-id>`.
 *
 */
 const verifyDomain = (options) => (options.client ?? client).post({
@@ -1007,6 +1017,45 @@ const verifyDomain = (options) => (options.client ?? client).post({
 	...options
 });
 /**
+* Download domain DNS zone file
+*
+* Downloads a BIND-format DNS zone file containing the DNS records
+* required for a domain claim. Agents should offer this after
+* `addDomain` when users want to import DNS records instead of
+* copying each record manually.
+*
+*/
+const downloadDomainZoneFile = (options) => (options.client ?? client).get({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/domains/{id}/zone-file",
+	...options
+});
+/**
+* Get inbound inbox readiness
+*
+* Returns one consolidated view of inbound domain readiness,
+* webhook/function processing routes, deployed Functions, and
+* recent inbound email activity.
+*
+* Agents should call this before guiding a user through inbound
+* setup. It answers the practical questions "can I receive mail",
+* "will anything process that mail", and "what should I do next"
+* without forcing clients to stitch together domains, endpoints,
+* functions, and emails manually.
+*
+*/
+const getInboxStatus = (options) => (options?.client ?? client).get({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/inbox/status",
+	...options
+});
+/**
 * List inbound emails
 *
 * Returns a paginated list of INBOUND emails received at your
@@ -1868,6 +1917,10 @@ const openapiDocument = {
 			"name": "Domains",
 			"description": "Claim, verify, and manage email domains"
 		},
+		{
+			"name": "Inbox",
+			"description": "Check inbound email setup and processing readiness"
+		},
 		{
 			"name": "Emails",
 			"description": "List, inspect, and manage received emails"
@@ -2333,7 +2386,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "addDomain",
 				"summary": "Claim a new domain",
-				"description": "Creates an unverified domain claim. You will receive a\n`verification_token` to add as a DNS TXT record before\ncalling the verify endpoint.\n",
+				"description": "Creates an unverified domain claim and returns the exact\nDNS records to publish in `dns_records`. Publish those\nrecords before calling the verify endpoint. To give users\nan importable DNS file, call `downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 				"tags": ["Domains"],
 				"requestBody": {
 					"required": true,
@@ -2426,7 +2479,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "verifyDomain",
 				"summary": "Verify domain ownership",
-				"description": "Checks DNS records (MX and TXT) to verify domain ownership.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed.\n",
+				"description": "Checks DNS records required for inbound routing, ownership,\nand outbound authentication: MX, ownership TXT, SPF, DKIM,\nDMARC, and TLS-RPT.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed,\nplus the exact DNS records still expected. To give users\nan importable DNS file for missing records, call\n`downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 				"tags": ["Domains"],
 				"responses": {
 					"200": {
@@ -2442,6 +2495,55 @@ const openapiDocument = {
 				}
 			}
 		},
+		"/domains/{id}/zone-file": {
+			"parameters": [{ "$ref": "#/components/parameters/ResourceId" }],
+			"get": {
+				"operationId": "downloadDomainZoneFile",
+				"summary": "Download domain DNS zone file",
+				"description": "Downloads a BIND-format DNS zone file containing the DNS records\nrequired for a domain claim. Agents should offer this after\n`addDomain` when users want to import DNS records instead of\ncopying each record manually.\n",
+				"tags": ["Domains"],
+				"parameters": [{
+					"name": "outbound_only",
+					"in": "query",
+					"schema": { "type": "boolean" },
+					"description": "When true, include only outbound DNS records. Verified domains\ndefault to outbound-only; pending claims default to all required\nrecords.\n"
+				}],
+				"responses": {
+					"200": {
+						"description": "BIND-format zone file",
+						"content": { "text/plain": { "schema": {
+							"type": "string",
+							"format": "binary"
+						} } },
+						"headers": { "Content-Disposition": { "schema": {
+							"type": "string",
+							"example": "attachment; filename=\"example.com.zone\""
+						} } }
+					},
+					"400": { "$ref": "#/components/responses/ValidationError" },
+					"401": { "$ref": "#/components/responses/Unauthorized" },
+					"404": { "$ref": "#/components/responses/NotFound" },
+					"429": { "$ref": "#/components/responses/RateLimited" }
+				}
+			}
+		},
+		"/inbox/status": { "get": {
+			"operationId": "getInboxStatus",
+			"summary": "Get inbound inbox readiness",
+			"description": "Returns one consolidated view of inbound domain readiness,\nwebhook/function processing routes, deployed Functions, and\nrecent inbound email activity.\n\nAgents should call this before guiding a user through inbound\nsetup. It answers the practical questions \"can I receive mail\",\n\"will anything process that mail\", and \"what should I do next\"\nwithout forcing clients to stitch together domains, endpoints,\nfunctions, and emails manually.\n",
+			"tags": ["Inbox"],
+			"responses": {
+				"200": {
+					"description": "Consolidated inbox readiness status",
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/InboxStatus" } }
+					}] } } }
+				},
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
 		"/emails": { "get": {
 			"operationId": "listEmails",
 			"summary": "List inbound emails",
@@ -4730,8 +4832,183 @@ const openapiDocument = {
 				} },
 				"required": ["secret"]
 			},
+			"InboxStatus": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"ready": {
+						"type": "boolean",
+						"description": "True when at least one active inbound domain has an enabled processing route."
+					},
+					"receiving_ready": {
+						"type": "boolean",
+						"description": "True when at least one active verified or managed domain can receive mail."
+					},
+					"processing_ready": {
+						"type": "boolean",
+						"description": "True when at least one receiving-ready domain has an enabled webhook or function route."
+					},
+					"summary": {
+						"type": "string",
+						"description": "Short human-readable status summary."
+					},
+					"next_actions": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/InboxStatusNextAction" }
+					},
+					"domains": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/InboxStatusDomain" }
+					},
+					"endpoints": { "$ref": "#/components/schemas/InboxStatusEndpointSummary" },
+					"functions": { "$ref": "#/components/schemas/InboxStatusFunctionSummary" },
+					"recent_emails": { "$ref": "#/components/schemas/InboxStatusRecentEmailSummary" }
+				},
+				"required": [
+					"ready",
+					"receiving_ready",
+					"processing_ready",
+					"summary",
+					"next_actions",
+					"domains",
+					"endpoints",
+					"functions",
+					"recent_emails"
+				]
+			},
+			"InboxStatusNextAction": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"kind": {
+						"type": "string",
+						"enum": [
+							"add_domain",
+							"verify_domain",
+							"configure_processing",
+							"send_test_email",
+							"fix_failed_functions"
+						]
+					},
+					"message": {
+						"type": "string",
+						"description": "Human-readable next step."
+					},
+					"command": {
+						"type": "string",
+						"description": "Suggested Primitive CLI command when there is an obvious next step."
+					}
+				},
+				"required": ["kind", "message"]
+			},
+			"InboxStatusDomain": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"id": { "type": "string" },
+					"domain": { "type": "string" },
+					"verified": { "type": "boolean" },
+					"active": { "type": "boolean" },
+					"managed": { "type": "boolean" },
+					"receiving_ready": { "type": "boolean" },
+					"processing_ready": { "type": "boolean" },
+					"processing_route_count": { "type": "integer" },
+					"endpoint_count": { "type": "integer" },
+					"enabled_endpoint_count": { "type": "integer" },
+					"function_endpoint_count": { "type": "integer" },
+					"email_count": {
+						"type": "integer",
+						"description": "Number of inbound emails received for this domain in the last 30 days."
+					},
+					"latest_email_received_at": {
+						"type": ["string", "null"],
+						"format": "date-time",
+						"description": "Most recent inbound email received for this domain in the last 30 days."
+					},
+					"status": {
+						"type": "string",
+						"enum": [
+							"ready",
+							"stored_only",
+							"pending_dns",
+							"inactive"
+						]
+					}
+				},
+				"required": [
+					"id",
+					"domain",
+					"verified",
+					"active",
+					"managed",
+					"receiving_ready",
+					"processing_ready",
+					"processing_route_count",
+					"endpoint_count",
+					"enabled_endpoint_count",
+					"function_endpoint_count",
+					"email_count",
+					"latest_email_received_at",
+					"status"
+				]
+			},
+			"InboxStatusEndpointSummary": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"total": { "type": "integer" },
+					"enabled": { "type": "integer" },
+					"disabled": { "type": "integer" },
+					"fallback_enabled": { "type": "integer" },
+					"domain_scoped_enabled": { "type": "integer" },
+					"http_enabled": { "type": "integer" },
+					"function_enabled": { "type": "integer" }
+				},
+				"required": [
+					"total",
+					"enabled",
+					"disabled",
+					"fallback_enabled",
+					"domain_scoped_enabled",
+					"http_enabled",
+					"function_enabled"
+				]
+			},
+			"InboxStatusFunctionSummary": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"total": { "type": "integer" },
+					"deployed": { "type": "integer" },
+					"pending": { "type": "integer" },
+					"failed": { "type": "integer" }
+				},
+				"required": [
+					"total",
+					"deployed",
+					"pending",
+					"failed"
+				]
+			},
+			"InboxStatusRecentEmailSummary": {
+				"type": "object",
+				"description": "Inbound email activity from the last 30 days.",
+				"additionalProperties": false,
+				"properties": {
+					"total": {
+						"type": "integer",
+						"description": "Number of inbound emails received in the last 30 days."
+					},
+					"latest_received_at": {
+						"type": ["string", "null"],
+						"format": "date-time",
+						"description": "Most recent inbound email received in the last 30 days."
+					}
+				},
+				"required": ["total", "latest_received_at"]
+			},
 			"Domain": {
-				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` for DNS verification.\n",
+				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` and `dns_records` for DNS setup.\n",
 				"oneOf": [{ "$ref": "#/components/schemas/VerifiedDomain" }, { "$ref": "#/components/schemas/UnverifiedDomain" }]
 			},
 			"VerifiedDomain": {
@@ -4771,6 +5048,74 @@ const openapiDocument = {
 					"created_at"
 				]
 			},
+			"DomainDnsRecord": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"type": {
+						"type": "string",
+						"enum": ["MX", "TXT"],
+						"description": "DNS record type."
+					},
+					"name": {
+						"type": "string",
+						"description": "DNS-provider host/name value relative to the managed root zone."
+					},
+					"fqdn": {
+						"type": "string",
+						"description": "Fully-qualified DNS record name."
+					},
+					"value": {
+						"type": "string",
+						"description": "Exact value to publish."
+					},
+					"priority": {
+						"type": "integer",
+						"description": "MX priority. Present only for MX records."
+					},
+					"ttl": {
+						"type": "integer",
+						"description": "Suggested TTL in seconds when the API can provide one."
+					},
+					"required": {
+						"type": "boolean",
+						"const": true
+					},
+					"purpose": {
+						"type": "string",
+						"enum": [
+							"inbound_mx",
+							"ownership_verification",
+							"spf",
+							"dkim",
+							"dmarc",
+							"tls_reporting"
+						]
+					},
+					"status": {
+						"type": "string",
+						"enum": [
+							"pending",
+							"found",
+							"missing",
+							"incorrect"
+						]
+					},
+					"message": {
+						"type": "string",
+						"description": "Short explanation of why this record is needed."
+					}
+				},
+				"required": [
+					"type",
+					"name",
+					"fqdn",
+					"value",
+					"required",
+					"purpose",
+					"status"
+				]
+			},
 			"UnverifiedDomain": {
 				"type": "object",
 				"properties": {
@@ -4791,6 +5136,11 @@ const openapiDocument = {
 						"type": "string",
 						"description": "Add this value as a TXT record to verify ownership"
 					},
+					"dns_records": {
+						"type": "array",
+						"description": "Exact DNS records to publish for this pending domain claim.",
+						"items": { "$ref": "#/components/schemas/DomainDnsRecord" }
+					},
 					"created_at": {
 						"type": "string",
 						"format": "date-time"
@@ -4808,12 +5158,23 @@ const openapiDocument = {
 			"AddDomainInput": {
 				"type": "object",
 				"additionalProperties": false,
-				"properties": { "domain": {
-					"type": "string",
-					"minLength": 1,
-					"maxLength": 253,
-					"description": "The domain name to claim (e.g. \"example.com\")"
-				} },
+				"properties": {
+					"domain": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 253,
+						"description": "The domain name to claim (e.g. \"example.com\")"
+					},
+					"confirmed": {
+						"type": "boolean",
+						"description": "Set to true to confirm replacing an existing mailbox provider after an mx_conflict response."
+					},
+					"outbound": {
+						"type": "boolean",
+						"deprecated": true,
+						"description": "Deprecated and ignored. Outbound DNS is provisioned for every new domain claim."
+					}
+				},
 				"required": ["domain"]
 			},
 			"UpdateDomainInput": {
@@ -4835,10 +5196,17 @@ const openapiDocument = {
 			},
 			"DomainVerifyResult": { "oneOf": [{
 				"type": "object",
-				"properties": { "verified": {
-					"type": "boolean",
-					"const": true
-				} },
+				"properties": {
+					"verified": {
+						"type": "boolean",
+						"const": true
+					},
+					"dns_records": {
+						"type": "array",
+						"description": "Exact DNS records checked for this verification attempt.",
+						"items": { "$ref": "#/components/schemas/DomainDnsRecord" }
+					}
+				},
 				"required": ["verified"]
 			}, {
 				"type": "object",
@@ -4855,6 +5223,27 @@ const openapiDocument = {
 						"type": "boolean",
 						"description": "Whether the TXT verification record was found"
 					},
+					"spfFound": {
+						"type": "boolean",
+						"description": "Whether the SPF record includes Primitive."
+					},
+					"dkimFound": {
+						"type": "boolean",
+						"description": "Whether the DKIM public key record was found."
+					},
+					"dmarcFound": {
+						"type": "boolean",
+						"description": "Whether the DMARC record was found."
+					},
+					"tlsRptFound": {
+						"type": "boolean",
+						"description": "Whether the TLS-RPT record was found."
+					},
+					"dns_records": {
+						"type": "array",
+						"description": "Exact DNS records checked for this verification attempt.",
+						"items": { "$ref": "#/components/schemas/DomainDnsRecord" }
+					},
 					"error": {
 						"type": "string",
 						"description": "Human-readable verification failure reason"
@@ -5167,6 +5556,31 @@ const openapiDocument = {
 					"created_at"
 				]
 			},
+			"SendMailAttachment": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"filename": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 255,
+						"description": "Attachment filename. Control characters are rejected."
+					},
+					"content_type": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 255,
+						"description": "Optional MIME content type. Control characters are rejected."
+					},
+					"content_base64": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 44040192,
+						"description": "Base64-encoded attachment bytes."
+					}
+				},
+				"required": ["filename", "content_base64"]
+			},
 			"SendMailInput": {
 				"type": "object",
 				"additionalProperties": false,
@@ -5215,6 +5629,12 @@ const openapiDocument = {
 							"pattern": "^[^\\x00-\\x1F\\x7F]+$"
 						}
 					},
+					"attachments": {
+						"type": "array",
+						"maxItems": 100,
+						"description": "Inline attachments. Send requests with attachments to https://api.primitive.dev/v1/send-mail. Combined raw decoded attachment bytes must be at most 31457280.",
+						"items": { "$ref": "#/components/schemas/SendMailAttachment" }
+					},
 					"wait": {
 						"type": "boolean",
 						"description": "When true, wait for the first downstream SMTP delivery outcome before returning."
@@ -7502,7 +7922,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "add-domain",
-		"description": "Creates an unverified domain claim. You will receive a\n`verification_token` to add as a DNS TXT record before\ncalling the verify endpoint.\n",
+		"description": "Creates an unverified domain claim and returns the exact\nDNS records to publish in `dns_records`. Publish those\nrecords before calling the verify endpoint. To give users\nan importable DNS file, call `downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "addDomain",
@@ -7512,12 +7932,23 @@ const operationManifest = [
 		"requestSchema": {
 			"type": "object",
 			"additionalProperties": false,
-			"properties": { "domain": {
-				"type": "string",
-				"minLength": 1,
-				"maxLength": 253,
-				"description": "The domain name to claim (e.g. \"example.com\")"
-			} },
+			"properties": {
+				"domain": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 253,
+					"description": "The domain name to claim (e.g. \"example.com\")"
+				},
+				"confirmed": {
+					"type": "boolean",
+					"description": "Set to true to confirm replacing an existing mailbox provider after an mx_conflict response."
+				},
+				"outbound": {
+					"type": "boolean",
+					"deprecated": true,
+					"description": "Deprecated and ignored. Outbound DNS is provisioned for every new domain claim."
+				}
+			},
 			"required": ["domain"]
 		},
 		"responseSchema": {
@@ -7540,14 +7971,86 @@ const operationManifest = [
 					"type": "string",
 					"description": "Add this value as a TXT record to verify ownership"
 				},
-				"created_at": {
-					"type": "string",
-					"format": "date-time"
-				}
-			},
-			"required": [
-				"id",
-				"org_id",
+				"dns_records": {
+					"type": "array",
+					"description": "Exact DNS records to publish for this pending domain claim.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"type": {
+								"type": "string",
+								"enum": ["MX", "TXT"],
+								"description": "DNS record type."
+							},
+							"name": {
+								"type": "string",
+								"description": "DNS-provider host/name value relative to the managed root zone."
+							},
+							"fqdn": {
+								"type": "string",
+								"description": "Fully-qualified DNS record name."
+							},
+							"value": {
+								"type": "string",
+								"description": "Exact value to publish."
+							},
+							"priority": {
+								"type": "integer",
+								"description": "MX priority. Present only for MX records."
+							},
+							"ttl": {
+								"type": "integer",
+								"description": "Suggested TTL in seconds when the API can provide one."
+							},
+							"required": {
+								"type": "boolean",
+								"const": true
+							},
+							"purpose": {
+								"type": "string",
+								"enum": [
+									"inbound_mx",
+									"ownership_verification",
+									"spf",
+									"dkim",
+									"dmarc",
+									"tls_reporting"
+								]
+							},
+							"status": {
+								"type": "string",
+								"enum": [
+									"pending",
+									"found",
+									"missing",
+									"incorrect"
+								]
+							},
+							"message": {
+								"type": "string",
+								"description": "Short explanation of why this record is needed."
+							}
+						},
+						"required": [
+							"type",
+							"name",
+							"fqdn",
+							"value",
+							"required",
+							"purpose",
+							"status"
+						]
+					}
+				},
+				"created_at": {
+					"type": "string",
+					"format": "date-time"
+				}
+			},
+			"required": [
+				"id",
+				"org_id",
 				"domain",
 				"verified",
 				"verification_token",
@@ -7583,6 +8086,36 @@ const operationManifest = [
 		"tag": "Domains",
 		"tagCommand": "domains"
 	},
+	{
+		"binaryResponse": true,
+		"bodyRequired": false,
+		"command": "download-domain-zone-file",
+		"description": "Downloads a BIND-format DNS zone file containing the DNS records\nrequired for a domain claim. Agents should offer this after\n`addDomain` when users want to import DNS records instead of\ncopying each record manually.\n",
+		"hasJsonBody": false,
+		"method": "GET",
+		"operationId": "downloadDomainZoneFile",
+		"path": "/domains/{id}/zone-file",
+		"pathParams": [{
+			"description": "Resource UUID",
+			"enum": null,
+			"name": "id",
+			"required": true,
+			"type": "string"
+		}],
+		"queryParams": [{
+			"description": "When true, include only outbound DNS records. Verified domains\ndefault to outbound-only; pending claims default to all required\nrecords.\n",
+			"enum": null,
+			"name": "outbound_only",
+			"required": false,
+			"type": "boolean"
+		}],
+		"requestSchema": null,
+		"responseSchema": null,
+		"sdkName": "downloadDomainZoneFile",
+		"summary": "Download domain DNS zone file",
+		"tag": "Domains",
+		"tagCommand": "domains"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
@@ -7598,7 +8131,7 @@ const operationManifest = [
 		"responseSchema": {
 			"type": "array",
 			"items": {
-				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` for DNS verification.\n",
+				"description": "A domain can be either verified or unverified. Verified domains have\n`is_active` and `spam_threshold` fields. Unverified domains have a\n`verification_token` and `dns_records` for DNS setup.\n",
 				"oneOf": [{
 					"type": "object",
 					"properties": {
@@ -7655,6 +8188,78 @@ const operationManifest = [
 							"type": "string",
 							"description": "Add this value as a TXT record to verify ownership"
 						},
+						"dns_records": {
+							"type": "array",
+							"description": "Exact DNS records to publish for this pending domain claim.",
+							"items": {
+								"type": "object",
+								"additionalProperties": false,
+								"properties": {
+									"type": {
+										"type": "string",
+										"enum": ["MX", "TXT"],
+										"description": "DNS record type."
+									},
+									"name": {
+										"type": "string",
+										"description": "DNS-provider host/name value relative to the managed root zone."
+									},
+									"fqdn": {
+										"type": "string",
+										"description": "Fully-qualified DNS record name."
+									},
+									"value": {
+										"type": "string",
+										"description": "Exact value to publish."
+									},
+									"priority": {
+										"type": "integer",
+										"description": "MX priority. Present only for MX records."
+									},
+									"ttl": {
+										"type": "integer",
+										"description": "Suggested TTL in seconds when the API can provide one."
+									},
+									"required": {
+										"type": "boolean",
+										"const": true
+									},
+									"purpose": {
+										"type": "string",
+										"enum": [
+											"inbound_mx",
+											"ownership_verification",
+											"spf",
+											"dkim",
+											"dmarc",
+											"tls_reporting"
+										]
+									},
+									"status": {
+										"type": "string",
+										"enum": [
+											"pending",
+											"found",
+											"missing",
+											"incorrect"
+										]
+									},
+									"message": {
+										"type": "string",
+										"description": "Short explanation of why this record is needed."
+									}
+								},
+								"required": [
+									"type",
+									"name",
+									"fqdn",
+									"value",
+									"required",
+									"purpose",
+									"status"
+								]
+							}
+						},
 						"created_at": {
 							"type": "string",
 							"format": "date-time"
@@ -7756,7 +8361,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": false,
 		"command": "verify-domain",
-		"description": "Checks DNS records (MX and TXT) to verify domain ownership.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed.\n",
+		"description": "Checks DNS records required for inbound routing, ownership,\nand outbound authentication: MX, ownership TXT, SPF, DKIM,\nDMARC, and TLS-RPT.\nOn success, the domain is promoted from unverified to verified.\nOn failure, returns which checks passed and which failed,\nplus the exact DNS records still expected. To give users\nan importable DNS file for missing records, call\n`downloadDomainZoneFile` or run\n`primitive domains zone-file --id <domain-id>`.\n",
 		"hasJsonBody": false,
 		"method": "POST",
 		"operationId": "verifyDomain",
@@ -7772,10 +8377,84 @@ const operationManifest = [
 		"requestSchema": null,
 		"responseSchema": { "oneOf": [{
 			"type": "object",
-			"properties": { "verified": {
-				"type": "boolean",
-				"const": true
-			} },
+			"properties": {
+				"verified": {
+					"type": "boolean",
+					"const": true
+				},
+				"dns_records": {
+					"type": "array",
+					"description": "Exact DNS records checked for this verification attempt.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"type": {
+								"type": "string",
+								"enum": ["MX", "TXT"],
+								"description": "DNS record type."
+							},
+							"name": {
+								"type": "string",
+								"description": "DNS-provider host/name value relative to the managed root zone."
+							},
+							"fqdn": {
+								"type": "string",
+								"description": "Fully-qualified DNS record name."
+							},
+							"value": {
+								"type": "string",
+								"description": "Exact value to publish."
+							},
+							"priority": {
+								"type": "integer",
+								"description": "MX priority. Present only for MX records."
+							},
+							"ttl": {
+								"type": "integer",
+								"description": "Suggested TTL in seconds when the API can provide one."
+							},
+							"required": {
+								"type": "boolean",
+								"const": true
+							},
+							"purpose": {
+								"type": "string",
+								"enum": [
+									"inbound_mx",
+									"ownership_verification",
+									"spf",
+									"dkim",
+									"dmarc",
+									"tls_reporting"
+								]
+							},
+							"status": {
+								"type": "string",
+								"enum": [
+									"pending",
+									"found",
+									"missing",
+									"incorrect"
+								]
+							},
+							"message": {
+								"type": "string",
+								"description": "Short explanation of why this record is needed."
+							}
+						},
+						"required": [
+							"type",
+							"name",
+							"fqdn",
+							"value",
+							"required",
+							"purpose",
+							"status"
+						]
+					}
+				}
+			},
 			"required": ["verified"]
 		}, {
 			"type": "object",
@@ -7792,6 +8471,94 @@ const operationManifest = [
 					"type": "boolean",
 					"description": "Whether the TXT verification record was found"
 				},
+				"spfFound": {
+					"type": "boolean",
+					"description": "Whether the SPF record includes Primitive."
+				},
+				"dkimFound": {
+					"type": "boolean",
+					"description": "Whether the DKIM public key record was found."
+				},
+				"dmarcFound": {
+					"type": "boolean",
+					"description": "Whether the DMARC record was found."
+				},
+				"tlsRptFound": {
+					"type": "boolean",
+					"description": "Whether the TLS-RPT record was found."
+				},
+				"dns_records": {
+					"type": "array",
+					"description": "Exact DNS records checked for this verification attempt.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"type": {
+								"type": "string",
+								"enum": ["MX", "TXT"],
+								"description": "DNS record type."
+							},
+							"name": {
+								"type": "string",
+								"description": "DNS-provider host/name value relative to the managed root zone."
+							},
+							"fqdn": {
+								"type": "string",
+								"description": "Fully-qualified DNS record name."
+							},
+							"value": {
+								"type": "string",
+								"description": "Exact value to publish."
+							},
+							"priority": {
+								"type": "integer",
+								"description": "MX priority. Present only for MX records."
+							},
+							"ttl": {
+								"type": "integer",
+								"description": "Suggested TTL in seconds when the API can provide one."
+							},
+							"required": {
+								"type": "boolean",
+								"const": true
+							},
+							"purpose": {
+								"type": "string",
+								"enum": [
+									"inbound_mx",
+									"ownership_verification",
+									"spf",
+									"dkim",
+									"dmarc",
+									"tls_reporting"
+								]
+							},
+							"status": {
+								"type": "string",
+								"enum": [
+									"pending",
+									"found",
+									"missing",
+									"incorrect"
+								]
+							},
+							"message": {
+								"type": "string",
+								"description": "Short explanation of why this record is needed."
+							}
+						},
+						"required": [
+							"type",
+							"name",
+							"fqdn",
+							"value",
+							"required",
+							"purpose",
+							"status"
+						]
+					}
+				},
 				"error": {
 					"type": "string",
 					"description": "Human-readable verification failure reason"
@@ -10299,39 +11066,226 @@ const operationManifest = [
 						"pending",
 						"deployed",
 						"failed"
-					],
-					"description": "Lifecycle state of the latest deploy attempt:\n  * `pending` — deploy in flight; the runtime has not yet\n    confirmed the new bundle is live.\n  * `deployed` — the running edge handler is the latest code.\n  * `failed` — the most recent deploy attempt failed; the\n    previously-live code (if any) is still running. The\n    `deploy_error` field carries the error message.\n"
-				},
-				"deploy_error": {
-					"type": ["string", "null"],
-					"description": "Error message from the most recent failed deploy, or null\nafter a successful deploy. Surface this to users to explain\na `failed` status without polling.\n"
-				},
-				"deployed_at": {
-					"type": ["string", "null"],
-					"format": "date-time"
-				},
-				"created_at": {
-					"type": "string",
-					"format": "date-time"
+					],
+					"description": "Lifecycle state of the latest deploy attempt:\n  * `pending` — deploy in flight; the runtime has not yet\n    confirmed the new bundle is live.\n  * `deployed` — the running edge handler is the latest code.\n  * `failed` — the most recent deploy attempt failed; the\n    previously-live code (if any) is still running. The\n    `deploy_error` field carries the error message.\n"
+				},
+				"deploy_error": {
+					"type": ["string", "null"],
+					"description": "Error message from the most recent failed deploy, or null\nafter a successful deploy. Surface this to users to explain\na `failed` status without polling.\n"
+				},
+				"deployed_at": {
+					"type": ["string", "null"],
+					"format": "date-time"
+				},
+				"created_at": {
+					"type": "string",
+					"format": "date-time"
+				},
+				"updated_at": {
+					"type": "string",
+					"format": "date-time"
+				}
+			},
+			"required": [
+				"id",
+				"name",
+				"code",
+				"deploy_status",
+				"created_at",
+				"updated_at"
+			]
+		},
+		"sdkName": "updateFunction",
+		"summary": "Update and redeploy a function",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "get-inbox-status",
+		"description": "Returns one consolidated view of inbound domain readiness,\nwebhook/function processing routes, deployed Functions, and\nrecent inbound email activity.\n\nAgents should call this before guiding a user through inbound\nsetup. It answers the practical questions \"can I receive mail\",\n\"will anything process that mail\", and \"what should I do next\"\nwithout forcing clients to stitch together domains, endpoints,\nfunctions, and emails manually.\n",
+		"hasJsonBody": false,
+		"method": "GET",
+		"operationId": "getInboxStatus",
+		"path": "/inbox/status",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"ready": {
+					"type": "boolean",
+					"description": "True when at least one active inbound domain has an enabled processing route."
+				},
+				"receiving_ready": {
+					"type": "boolean",
+					"description": "True when at least one active verified or managed domain can receive mail."
+				},
+				"processing_ready": {
+					"type": "boolean",
+					"description": "True when at least one receiving-ready domain has an enabled webhook or function route."
+				},
+				"summary": {
+					"type": "string",
+					"description": "Short human-readable status summary."
+				},
+				"next_actions": {
+					"type": "array",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"kind": {
+								"type": "string",
+								"enum": [
+									"add_domain",
+									"verify_domain",
+									"configure_processing",
+									"send_test_email",
+									"fix_failed_functions"
+								]
+							},
+							"message": {
+								"type": "string",
+								"description": "Human-readable next step."
+							},
+							"command": {
+								"type": "string",
+								"description": "Suggested Primitive CLI command when there is an obvious next step."
+							}
+						},
+						"required": ["kind", "message"]
+					}
+				},
+				"domains": {
+					"type": "array",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"id": { "type": "string" },
+							"domain": { "type": "string" },
+							"verified": { "type": "boolean" },
+							"active": { "type": "boolean" },
+							"managed": { "type": "boolean" },
+							"receiving_ready": { "type": "boolean" },
+							"processing_ready": { "type": "boolean" },
+							"processing_route_count": { "type": "integer" },
+							"endpoint_count": { "type": "integer" },
+							"enabled_endpoint_count": { "type": "integer" },
+							"function_endpoint_count": { "type": "integer" },
+							"email_count": {
+								"type": "integer",
+								"description": "Number of inbound emails received for this domain in the last 30 days."
+							},
+							"latest_email_received_at": {
+								"type": ["string", "null"],
+								"format": "date-time",
+								"description": "Most recent inbound email received for this domain in the last 30 days."
+							},
+							"status": {
+								"type": "string",
+								"enum": [
+									"ready",
+									"stored_only",
+									"pending_dns",
+									"inactive"
+								]
+							}
+						},
+						"required": [
+							"id",
+							"domain",
+							"verified",
+							"active",
+							"managed",
+							"receiving_ready",
+							"processing_ready",
+							"processing_route_count",
+							"endpoint_count",
+							"enabled_endpoint_count",
+							"function_endpoint_count",
+							"email_count",
+							"latest_email_received_at",
+							"status"
+						]
+					}
+				},
+				"endpoints": {
+					"type": "object",
+					"additionalProperties": false,
+					"properties": {
+						"total": { "type": "integer" },
+						"enabled": { "type": "integer" },
+						"disabled": { "type": "integer" },
+						"fallback_enabled": { "type": "integer" },
+						"domain_scoped_enabled": { "type": "integer" },
+						"http_enabled": { "type": "integer" },
+						"function_enabled": { "type": "integer" }
+					},
+					"required": [
+						"total",
+						"enabled",
+						"disabled",
+						"fallback_enabled",
+						"domain_scoped_enabled",
+						"http_enabled",
+						"function_enabled"
+					]
+				},
+				"functions": {
+					"type": "object",
+					"additionalProperties": false,
+					"properties": {
+						"total": { "type": "integer" },
+						"deployed": { "type": "integer" },
+						"pending": { "type": "integer" },
+						"failed": { "type": "integer" }
+					},
+					"required": [
+						"total",
+						"deployed",
+						"pending",
+						"failed"
+					]
 				},
-				"updated_at": {
-					"type": "string",
-					"format": "date-time"
+				"recent_emails": {
+					"type": "object",
+					"description": "Inbound email activity from the last 30 days.",
+					"additionalProperties": false,
+					"properties": {
+						"total": {
+							"type": "integer",
+							"description": "Number of inbound emails received in the last 30 days."
+						},
+						"latest_received_at": {
+							"type": ["string", "null"],
+							"format": "date-time",
+							"description": "Most recent inbound email received in the last 30 days."
+						}
+					},
+					"required": ["total", "latest_received_at"]
 				}
 			},
 			"required": [
-				"id",
-				"name",
-				"code",
-				"deploy_status",
-				"created_at",
-				"updated_at"
+				"ready",
+				"receiving_ready",
+				"processing_ready",
+				"summary",
+				"next_actions",
+				"domains",
+				"endpoints",
+				"functions",
+				"recent_emails"
 			]
 		},
-		"sdkName": "updateFunction",
-		"summary": "Update and redeploy a function",
-		"tag": "Functions",
-		"tagCommand": "functions"
+		"sdkName": "getInboxStatus",
+		"summary": "Get inbound inbox readiness",
+		"tag": "Inbox",
+		"tagCommand": "inbox"
 	},
 	{
 		"binaryResponse": false,
@@ -11165,6 +12119,36 @@ const operationManifest = [
 						"pattern": "^[^\\x00-\\x1F\\x7F]+$"
 					}
 				},
+				"attachments": {
+					"type": "array",
+					"maxItems": 100,
+					"description": "Inline attachments. Send requests with attachments to https://api.primitive.dev/v1/send-mail. Combined raw decoded attachment bytes must be at most 31457280.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"filename": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 255,
+								"description": "Attachment filename. Control characters are rejected."
+							},
+							"content_type": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 255,
+								"description": "Optional MIME content type. Control characters are rejected."
+							},
+							"content_base64": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 44040192,
+								"description": "Base64-encoded attachment bytes."
+							}
+						},
+						"required": ["filename", "content_base64"]
+					}
+				},
 				"wait": {
 					"type": "boolean",
 					"description": "When true, wait for the first downstream SMTP delivery outcome before returning."
@@ -12501,6 +13485,11 @@ function operationOutputPayload(envelope, includeEnvelope) {
 	return includeEnvelope ? envelope ?? null : envelope?.data ?? null;
 }
 const OPERATION_HINTS = {
+	addDomain: "Tip: after this returns a domain id, run `primitive domains zone-file --id <domain-id> --output <domain>.zone` when the user wants an importable DNS zone file.",
+	verifyDomain: "Tip: if DNS is still missing, run `primitive domains zone-file --id <domain-id> --output <domain>.zone` to give the user an importable DNS zone file.",
+	downloadDomainZoneFile: "Tip: prefer `primitive domains zone-file --id <domain-id> --output <domain>.zone` for CLI-friendly file output.",
+	getInboxStatus: "Tip: prefer `primitive inbox status` for a compact readiness summary and next-step commands.",
+	sendEmail: "Tip: prefer `primitive send --to <address> --body <text> --attachment <file>` for file attachments. This raw command exists for callers passing JSON.",
 	createFunction: "Tip: prefer `primitive functions deploy --name <name> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
 	updateFunction: "Tip: prefer `primitive functions redeploy --id <id> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
 	createFunctionSecret: "Tip: prefer `primitive functions set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON.",
@@ -12612,7 +13601,8 @@ const EMPTY_RESULT_HINTS = {
 	listEndpoints: "(no results) No webhook endpoints configured. Add one with `primitive endpoints create --url <your-url>`.",
 	listEmails: "(no results) No inbound emails received yet on this account. Send one to a verified domain to populate this list. For a compact view, prefer `primitive emails latest`.",
 	listDomains: "(no results) No domains on this account. Add one with `primitive domains add --domain <yourdomain.example>`.",
-	listFilters: "(no results) No filter rules configured."
+	listFilters: "(no results) No filter rules configured.",
+	listFunctions: "(no results) No Functions configured yet. Start with `primitive functions templates`, then `primitive functions init --template <template>` and `primitive functions deploy --name <name> --file <bundle>`."
 };
 function canonicalizeCliReferences(description) {
 	return description.replaceAll("`primitive emails:latest`", "`primitive emails latest`").replaceAll("`primitive describe emails:get-email | jq '.responseSchema.properties'`", "`primitive describe emails:get | jq '.responseSchema.properties'`");
@@ -13379,6 +14369,144 @@ var DoctorCommand = class DoctorCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/domains-zone-file.ts
+function zoneFileUrl(baseUrl, domainId, outboundOnly) {
+	const url = new URL(`${baseUrl.replace(/\/$/, "")}/domains/${encodeURIComponent(domainId)}/zone-file`);
+	if (outboundOnly) url.searchParams.set("outbound_only", "true");
+	return url.toString();
+}
+function contentDispositionFilename(value) {
+	if (!value) return null;
+	const match = /filename\*=UTF-8''([^;]+)|filename="?([^";]+)"?/i.exec(value);
+	const raw = match?.[1] ?? match?.[2];
+	if (!raw) return null;
+	try {
+		return decodeURIComponent(raw);
+	} catch {
+		return raw;
+	}
+}
+function findDomain(domains, domain) {
+	const match = domains.find((entry) => entry.domain === domain);
+	if (!match) throw new Errors.CLIError(`Domain ${domain} was not found.`, { exit: 1 });
+	return match;
+}
+async function responseErrorPayload(response) {
+	if ((response.headers.get("content-type")?.toLowerCase() ?? "").includes("application/json")) return response.json().catch(() => ({
+		code: "http_error",
+		message: `HTTP ${response.status} ${response.statusText}`.trim()
+	}));
+	return {
+		code: "http_error",
+		message: (await response.text().catch(() => "")).trim() || `HTTP ${response.status} ${response.statusText}`.trim()
+	};
+}
+var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
+	static description = `Download a BIND-format DNS zone file for a domain claim.
+  Use this when a DNS provider supports zone-file import and you want to publish all required records at once instead of copying each record manually. The file is generated by the Primitive API, matching the dashboard download flow.
+  Agents: after claiming a domain, tell users they can run \`primitive domains zone-file --id <domain-id> --output <domain>.zone\` to get an importable DNS zone file.`;
+	static summary = "Download a DNS zone file for a domain";
+	static examples = [
+		"<%= config.bin %> domains zone-file --id <domain-id>",
+		"<%= config.bin %> domains zone-file --id <domain-id> --output example.com.zone",
+		"<%= config.bin %> domains zone-file --domain example.com --output example.com.zone",
+		"<%= config.bin %> domains zone-file --id <domain-id> --outbound-only"
+	];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"api-base-url-2": Flags.string({
+			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_2",
+			hidden: true
+		}),
+		domain: Flags.string({ description: "Domain name to look up before downloading its zone file. Prefer --id when you have the domain id from `primitive domains add`." }),
+		id: Flags.string({ description: "Domain id returned by `primitive domains add` or `primitive domains list`." }),
+		output: Flags.string({
+			char: "o",
+			description: "Write the zone file to this path instead of stdout. Defaults to stdout."
+		}),
+		"outbound-only": Flags.boolean({ description: "Include only outbound DNS records. Verified domains default to outbound-only at the API; this flag is explicit for agents and scripts." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(DomainsZoneFileCommand);
+		if (flags.id && flags.domain) throw new Errors.CLIError("Use only one of --id or --domain.", { exit: 1 });
+		if (!flags.id && !flags.domain) throw new Errors.CLIError("Pass --id <domain-id> or --domain <domain>.", { exit: 1 });
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden, requestConfig } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl2: flags["api-base-url-2"],
+				configDir: this.config.configDir
+			});
+			let domainId = flags.id;
+			if (!domainId && flags.domain) {
+				const result = await listDomains({
+					client: apiClient.client,
+					responseStyle: "fields"
+				});
+				if (result.error) {
+					const errorPayload = extractErrorPayload(result.error);
+					writeErrorWithHints(errorPayload);
+					surfaceUnauthorizedHint({
+						auth,
+						baseUrlOverridden,
+						configDir: this.config.configDir,
+						payload: errorPayload
+					});
+					process.exitCode = 1;
+					return;
+				}
+				const envelope = result.data;
+				domainId = findDomain(envelope?.data ?? [], flags.domain).id;
+			}
+			if (!domainId) throw new Errors.CLIError("Could not resolve a domain id.", { exit: 1 });
+			let response;
+			try {
+				response = await fetch(zoneFileUrl(requestConfig.resolvedApiBaseUrl1, domainId, flags["outbound-only"]), { headers: {
+					...requestConfig.headers ?? {},
+					...auth.apiKey ? { authorization: `Bearer ${auth.apiKey}` } : {}
+				} });
+			} catch (error) {
+				writeErrorWithHints(error);
+				process.exitCode = 1;
+				return;
+			}
+			if (!response.ok) {
+				const errorPayload = extractErrorPayload(await responseErrorPayload(response));
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const zoneFile = await response.text();
+			const output = flags.output;
+			if (output) {
+				writeFileSync(output, zoneFile, "utf8");
+				const filename = contentDispositionFilename(response.headers.get("content-disposition"));
+				process.stderr.write(`Wrote ${filename ?? "zone file"} to ${output}\n`);
+				return;
+			}
+			process.stdout.write(zoneFile);
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/emails-latest.ts
 const DEFAULT_LIMIT = 10;
 const MAX_LIMIT = 100;
@@ -13387,7 +14515,7 @@ const ADDRESS_DISPLAY_WIDTH = 32;
 const ID_DISPLAY_WIDTH_SHORT = 8;
 const ID_DISPLAY_WIDTH_FULL = 36;
 const RECEIVED_DISPLAY_WIDTH = 19;
-function truncate(value, width) {
+function truncate$1(value, width) {
 	if (value.length <= width) return value.padEnd(width);
 	return `${value.slice(0, width - 3)}...`;
 }
@@ -13402,7 +14530,7 @@ function pickIdWidth(isTty) {
 	return isTty ? ID_DISPLAY_WIDTH_SHORT : ID_DISPLAY_WIDTH_FULL;
 }
 function formatRow(email, idWidth) {
-	return `${truncate(email.id.slice(0, idWidth), idWidth)}  ${formatReceivedAt(email.received_at)}  ${truncate(email.sender ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate(email.recipient ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate((email.subject ?? "").replace(/\s+/g, " "), SUBJECT_DISPLAY_WIDTH)}`;
+	return `${truncate$1(email.id.slice(0, idWidth), idWidth)}  ${formatReceivedAt(email.received_at)}  ${truncate$1(email.sender ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$1(email.recipient ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$1((email.subject ?? "").replace(/\s+/g, " "), SUBJECT_DISPLAY_WIDTH)}`;
 }
 function formatHeader(idWidth) {
 	return `${"ID".padEnd(idWidth)}  ${"RECEIVED (UTC)".padEnd(RECEIVED_DISPLAY_WIDTH)}  ${"FROM".padEnd(ADDRESS_DISPLAY_WIDTH)}  ${"TO".padEnd(ADDRESS_DISPLAY_WIDTH)}  SUBJECT`;
@@ -15788,6 +16916,174 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 	}
 };
 //#endregion
+//#region src/oclif/commands/inbox-status.ts
+const DOMAIN_DISPLAY_WIDTH = 34;
+const STATUS_DISPLAY_WIDTH = 12;
+const BOOL_DISPLAY_WIDTH = 7;
+const NUM_DISPLAY_WIDTH = 6;
+function plural(count, singular, pluralValue = `${singular}s`) {
+	return `${count} ${count === 1 ? singular : pluralValue}`;
+}
+function statusText(status) {
+	switch (status) {
+		case "ready": return "ready";
+		case "stored_only": return "stored-only";
+		case "pending_dns": return "pending-dns";
+		case "inactive": return "inactive";
+		default: return String(status);
+	}
+}
+function yesNo(value) {
+	return value ? "yes" : "no";
+}
+function formatInboxDate(value) {
+	if (!value) return "never";
+	const d = new Date(value);
+	if (Number.isNaN(d.getTime())) return value;
+	const pad = (n) => String(n).padStart(2, "0");
+	return `${d.getUTCFullYear()}-${pad(d.getUTCMonth() + 1)}-${pad(d.getUTCDate())} ${pad(d.getUTCHours())}:${pad(d.getUTCMinutes())}:${pad(d.getUTCSeconds())} UTC`;
+}
+function truncate(value, width) {
+	if (value.length <= width) return value.padEnd(width);
+	return `${value.slice(0, width - 3)}...`;
+}
+function domainSummary(domain) {
+	switch (domain.status) {
+		case "ready": return `${domain.domain} can receive mail and has ${plural(domain.processing_route_count, "processing route")}.`;
+		case "stored_only": return `${domain.domain} can receive and store mail, but has no enabled processing route.`;
+		case "pending_dns": return `${domain.domain} is waiting on DNS verification before it can receive mail.`;
+		case "inactive": return `${domain.domain} is verified but inactive.`;
+		default: return `${domain.domain} has status ${String(domain.status)}.`;
+	}
+}
+function focusInboxStatus(status, domainName) {
+	const normalized = domainName.toLowerCase();
+	const domain = status.domains.find((entry) => entry.domain.toLowerCase() === normalized);
+	if (!domain) throw new Errors.CLIError(`Domain ${domainName} was not found.`, { exit: 1 });
+	return {
+		...status,
+		domains: [domain],
+		ready: domain.receiving_ready && domain.processing_ready,
+		receiving_ready: domain.receiving_ready,
+		processing_ready: domain.processing_ready,
+		summary: domainSummary(domain),
+		recent_emails: {
+			total: domain.email_count,
+			latest_received_at: domain.latest_email_received_at
+		}
+	};
+}
+function formatDomainHeader() {
+	return [
+		"DOMAIN".padEnd(DOMAIN_DISPLAY_WIDTH),
+		"STATUS".padEnd(STATUS_DISPLAY_WIDTH),
+		"RECEIVE".padEnd(BOOL_DISPLAY_WIDTH),
+		"PROCESS".padEnd(BOOL_DISPLAY_WIDTH),
+		"EMAILS".padStart(NUM_DISPLAY_WIDTH),
+		"ROUTES".padStart(NUM_DISPLAY_WIDTH)
+	].join("  ");
+}
+function formatDomainRow(domain) {
+	return [
+		truncate(domain.domain, DOMAIN_DISPLAY_WIDTH),
+		statusText(domain.status).padEnd(STATUS_DISPLAY_WIDTH),
+		yesNo(domain.receiving_ready).padEnd(BOOL_DISPLAY_WIDTH),
+		yesNo(domain.processing_ready).padEnd(BOOL_DISPLAY_WIDTH),
+		String(domain.email_count).padStart(NUM_DISPLAY_WIDTH),
+		String(domain.processing_route_count).padStart(NUM_DISPLAY_WIDTH)
+	].join("  ");
+}
+function formatNextAction(action) {
+	return action.command ? `- ${action.message}\n  ${action.command}` : `- ${action.message}`;
+}
+function formatInboxStatus(status) {
+	const lines = [
+		status.summary,
+		"",
+		"Domains"
+	];
+	if (status.domains.length === 0) lines.push("No domains configured.");
+	else {
+		lines.push(formatDomainHeader());
+		for (const domain of status.domains) lines.push(formatDomainRow(domain));
+	}
+	lines.push("", `Endpoints: ${status.endpoints.enabled}/${status.endpoints.total} enabled (${status.endpoints.fallback_enabled} fallback, ${status.endpoints.domain_scoped_enabled} domain-scoped, ${status.endpoints.function_enabled} function)`, `Functions: ${status.functions.deployed}/${status.functions.total} deployed (${status.functions.pending} pending, ${status.functions.failed} failed)`, `Recent inbound: ${plural(status.recent_emails.total, "email")} latest ${formatInboxDate(status.recent_emails.latest_received_at)}`);
+	if (status.next_actions.length > 0) {
+		lines.push("", "Next actions");
+		for (const action of status.next_actions) lines.push(formatNextAction(action));
+	}
+	return lines.join("\n");
+}
+var InboxStatusCommand = class InboxStatusCommand extends Command {
+	static description = `Show consolidated inbound email readiness.
+  This checks the server-owned inbox status API instead of reconstructing readiness locally from separate domain, endpoint, function, and email lists. Use it before testing inbound email setup: it tells you whether mail can be received, whether anything will process it, and which next command is most useful.`;
+	static summary = "Show inbound email readiness";
+	static examples = [
+		"<%= config.bin %> inbox status",
+		"<%= config.bin %> inbox status --domain example.com",
+		"<%= config.bin %> inbox status --json | jq '.data.next_actions'"
+	];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url-1": Flags.string({
+			description: API_BASE_URL_1_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"api-base-url-2": Flags.string({
+			description: API_BASE_URL_2_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL_2",
+			hidden: true
+		}),
+		domain: Flags.string({ description: "Focus domain readiness and recent email fields on one domain returned by the inbox status API." }),
+		json: Flags.boolean({ description: "Print the raw response envelope as JSON. With --domain, domain readiness and recent email fields are focused while endpoint, function, and next-action summaries remain account-level." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(InboxStatusCommand);
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl2: flags["api-base-url-2"],
+				configDir: this.config.configDir
+			});
+			const result = await getInboxStatus({
+				client: apiClient.client,
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const errorPayload = extractErrorPayload(result.error);
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const envelope = result.data ?? {};
+			const status = envelope.data;
+			if (!status) throw new Errors.CLIError("Primitive API returned no inbox status.", { exit: 1 });
+			const outputStatus = flags.domain ? focusInboxStatus(status, flags.domain) : status;
+			if (flags.json) {
+				this.log(JSON.stringify({
+					...envelope,
+					data: outputStatus
+				}, null, 2));
+				return;
+			}
+			this.log(formatInboxStatus(outputStatus));
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/login.ts
 const MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS = 60;
 function cliError$3(message) {
@@ -16291,12 +17587,46 @@ var ReplyCommand = class ReplyCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/attachments.ts
+function readAttachmentBytes(path, readFile) {
+	try {
+		return Buffer.from(readFile(path));
+	} catch (error) {
+		const detail = error instanceof Error ? error.message : String(error);
+		throw new Errors.CLIError(`Could not read --attachment ${path}: ${detail}`, { exit: 1 });
+	}
+}
+function hasControlCharacter(value) {
+	return Array.from(value).some((character) => {
+		const code = character.charCodeAt(0);
+		return code <= 31 || code >= 127 && code <= 159;
+	});
+}
+function validateAttachmentFilename(path, filename) {
+	if (!filename) throw new Errors.CLIError(`Could not derive an attachment filename from ${path}. Pass a file path.`, { exit: 1 });
+	if (hasControlCharacter(filename)) throw new Errors.CLIError(`Attachment filename ${filename} contains control characters.`, { exit: 1 });
+}
+function readAttachmentFiles(paths, readFile = readFileSync) {
+	if (!paths || paths.length === 0) return void 0;
+	return paths.map((path) => {
+		const filename = basename(path);
+		validateAttachmentFilename(path, filename);
+		const bytes = readAttachmentBytes(path, readFile);
+		if (bytes.length === 0) throw new Errors.CLIError(`Attachment file ${path} is empty. Attachments must contain at least one byte.`, { exit: 1 });
+		return {
+			content_base64: bytes.toString("base64"),
+			filename
+		};
+	});
+}
+//#endregion
 //#region src/oclif/commands/send.ts
 var SendCommand = class SendCommand extends Command {
 	static description = `Send an outbound email. Agent-grade shortcut for \`sending send\` with sensible defaults.
   --from defaults to agent@<your-first-verified-outbound-domain> when omitted.
   --subject defaults to the first line of the body when omitted.
+  --attachment attaches a file; repeat it to attach multiple files.
   For the full flag set (custom message-id threading on the wire,
   references arrays, etc.), use \`primitive sending send\`.`;
@@ -16304,6 +17634,7 @@ var SendCommand = class SendCommand extends Command {
 	static examples = [
 		"<%= config.bin %> send --to alice@example.com --body 'Hi Alice!'",
 		"<%= config.bin %> send --to alice@example.com --body-file ./message.txt",
+		"<%= config.bin %> send --to alice@example.com --body 'See attached.' --attachment ./report.pdf",
 		"<%= config.bin %> send --to alice@example.com --from support@yourcompany.com --subject 'Quick question' --body 'Are you free Thursday?'",
 		"<%= config.bin %> send --to alice@example.com --html '<p>Hello!</p>'",
 		"<%= config.bin %> send --to alice@example.com --body 'Confirmed' --wait",
@@ -16331,11 +17662,15 @@ var SendCommand = class SendCommand extends Command {
 		from: Flags.string({ description: "Sender address. Defaults to agent@<your-first-verified-outbound-domain>." }),
 		subject: Flags.string({ description: "Subject line. Defaults to the first line of --body / --html when omitted." }),
 		body: Flags.string({ description: "Plain-text message body. Either --body or --html (or both) is required." }),
-		"body-file": Flags.string({ description: "Read the plain-text message body from a UTF-8 file. Mutually exclusive with --body and --body-stdin." }),
+		"body-file": Flags.string({ description: "Read the plain-text message body from a UTF-8 file. This does not attach the file; use --attachment for file attachments. Mutually exclusive with --body and --body-stdin." }),
 		"body-stdin": Flags.boolean({ description: "Read the plain-text message body from stdin. Mutually exclusive with --body and --body-file. Stdin can only be consumed once." }),
 		html: Flags.string({ description: "HTML message body. Either --body or --html (or both) is required." }),
 		"html-file": Flags.string({ description: "Read the HTML message body from a UTF-8 file. Mutually exclusive with --html and --html-stdin." }),
 		"html-stdin": Flags.boolean({ description: "Read the HTML message body from stdin. Mutually exclusive with --html and --html-file. Stdin can only be consumed once." }),
+		attachment: Flags.string({
+			description: "Attach a file to the email. Repeatable. Sends file bytes as a MIME attachment; use --body-file only for message body text.",
+			multiple: true
+		}),
 		"in-reply-to": Flags.string({ description: "Message-Id of the parent email when threading a reply on the wire. For replying to an inbound message you received, prefer `primitive reply --id <inbound-id>`." }),
 		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the message for delivery." }),
 		"wait-timeout-ms": Flags.integer({ description: "Maximum time to wait when --wait is set. Defaults to 30000ms." }),
@@ -16352,6 +17687,7 @@ var SendCommand = class SendCommand extends Command {
 			htmlStdin: flags["html-stdin"]
 		});
 		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
+		const attachments = readAttachmentFiles(flags.attachment);
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
@@ -16373,6 +17709,7 @@ var SendCommand = class SendCommand extends Command {
 					subject,
 					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
 					...bodies.html !== void 0 ? { body_html: bodies.html } : {},
+					...attachments !== void 0 ? { attachments } : {},
 					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
 					...flags.wait !== void 0 ? { wait: flags.wait } : {},
 					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
@@ -17153,25 +18490,39 @@ var SigninOtpResendCommand = class SigninOtpResendCommand extends Command {
 };
 //#endregion
 //#region src/oclif/commands/whoami.ts
+function formatWhoamiSummary(account) {
+	return [
+		`Authenticated as ${account.email}`,
+		`Account id: ${account.id}`,
+		`Plan: ${account.plan}`
+	].join("\n");
+}
 var WhoamiCommand = class WhoamiCommand extends Command {
-	static description = `Print the account currently authenticated by saved OAuth credentials or an explicit API key. Useful as a credentials smoke test: confirms auth is live and shows which account it belongs to.`;
+	static description = `Print the account currently authenticated by saved OAuth credentials or an explicit API key. Useful as a credentials smoke test: confirms auth is live and shows which account it belongs to.
+  The default output is a concise human summary. Pass --json only when a script intentionally needs the full /account response.`;
 	static summary = "Print the authenticated account (credentials smoke test)";
-	static examples = ["<%= config.bin %> whoami", "<%= config.bin %> whoami --api-key prim_..."];
+	static examples = [
+		"<%= config.bin %> whoami",
+		"<%= config.bin %> whoami --api-key prim_...",
+		"<%= config.bin %> whoami --json | jq .id"
+	];
 	static flags = {
 		"api-key": Flags.string({
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
 		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			description: API_BASE_URL_1_FLAG_DESCRIPTION,
 			env: "PRIMITIVE_API_BASE_URL_1",
 			hidden: true
 		}),
 		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+			description: API_BASE_URL_2_FLAG_DESCRIPTION,
 			env: "PRIMITIVE_API_BASE_URL_2",
 			hidden: true
 		}),
+		json: Flags.boolean({ description: "Print the full account JSON response. Default output hides setup and billing internals." }),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
 	};
 	async run() {
@@ -17204,12 +18555,11 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 				process.stderr.write("Server returned an empty account body; this should not happen for a valid key.\n");
 				throw new Errors.CLIError("unexpected empty response");
 			}
-			const onboarding = account.onboarding_completed === true ? "complete" : account.onboarding_step ? `in progress (step: ${account.onboarding_step})` : "incomplete";
-			process.stderr.write(`Authenticated as ${account.email}\n`);
-			process.stderr.write(`  Account id: ${account.id}\n`);
-			process.stderr.write(`  Plan:       ${account.plan}\n`);
-			process.stderr.write(`  Onboarding: ${onboarding}\n`);
-			this.log(JSON.stringify(account, null, 2));
+			if (flags.json) {
+				this.log(JSON.stringify(account, null, 2));
+				return;
+			}
+			this.log(formatWhoamiSummary(account));
 		});
 	}
 };
@@ -17283,36 +18633,88 @@ function renderFishCompletion(binName) {
 //#endregion
 //#region src/oclif/index.ts
 var ListOperationsCommand = class extends Command {
-	static description = "List all generated API operations as JSON. Useful for piping to `jq` to discover available commands, their request/response schemas, and per-field descriptions. For inspecting a single operation in detail, prefer `primitive describe <command>`.";
+	static description = "List all generated API operations as JSON. Useful for piping to `jq` to discover available commands, their request/response schemas, and per-field descriptions. For inspecting a single operation in detail, prefer `primitive describe <command-or-operation-name>`.";
 	static summary = "List all generated API operations (JSON)";
 	async run() {
 		this.log(JSON.stringify(operationManifest, null, 2));
 	}
 };
+function operationId(operation) {
+	return `${operation.tagCommand}:${operation.command}`;
+}
+function normalizeLookupToken(value) {
+	return value.toLowerCase().replace(/[^a-z0-9]/g, "");
+}
+function unique(values) {
+	return [...new Set(values)];
+}
+function operationLookupTokens(operation) {
+	return unique([
+		operationId(operation),
+		operation.command,
+		operation.operationId,
+		operation.sdkName,
+		`${operation.tagCommand}:${operation.operationId}`,
+		`${operation.tagCommand}:${operation.sdkName}`
+	]);
+}
+function levenshteinDistance(left, right) {
+	if (left === right) return 0;
+	if (left.length === 0) return right.length;
+	if (right.length === 0) return left.length;
+	let previous = Array.from({ length: right.length + 1 }, (_, index) => index);
+	for (let leftIndex = 0; leftIndex < left.length; leftIndex += 1) {
+		const current = [leftIndex + 1];
+		for (let rightIndex = 0; rightIndex < right.length; rightIndex += 1) {
+			const substitutionCost = left[leftIndex] === right[rightIndex] ? 0 : 1;
+			current[rightIndex + 1] = Math.min(current[rightIndex] + 1, previous[rightIndex + 1] + 1, previous[rightIndex] + substitutionCost);
+		}
+		previous = current;
+	}
+	return previous[right.length] ?? Number.POSITIVE_INFINITY;
+}
+function scoreLookupToken(query, token) {
+	const normalizedQuery = normalizeLookupToken(query);
+	const normalizedToken = normalizeLookupToken(token);
+	if (!normalizedQuery || !normalizedToken) return 0;
+	if (normalizedQuery === normalizedToken) return 100;
+	if (normalizedToken.includes(normalizedQuery)) return Math.max(50, 90 - (normalizedToken.length - normalizedQuery.length));
+	if (normalizedQuery.includes(normalizedToken)) return Math.max(45, 80 - (normalizedQuery.length - normalizedToken.length));
+	const distance = levenshteinDistance(normalizedQuery, normalizedToken);
+	const maxLength = Math.max(normalizedQuery.length, normalizedToken.length);
+	return Math.round((1 - distance / maxLength) * 75);
+}
+function scoreOperation(query, operation) {
+	return Math.max(...operationLookupTokens(operation).map((token) => scoreLookupToken(query, token)));
+}
 function lookupOperation(id) {
 	const trimmed = resolveOperationAlias(id.trim());
-	const sep = trimmed.indexOf(":");
-	const tag = sep === -1 ? "" : trimmed.slice(0, sep);
-	const cmd = sep === -1 ? trimmed : trimmed.slice(sep + 1);
-	const match = operationManifest.find((op) => op.command === cmd && op.tagCommand === tag) ?? null;
+	const match = operationManifest.find((op) => operationLookupTokens(op).some((token) => token === trimmed || normalizeLookupToken(token) === normalizeLookupToken(trimmed))) ?? null;
 	if (match) return {
 		match,
 		candidates: []
 	};
 	return {
 		match: null,
-		candidates: operationManifest.filter((op) => op.command.includes(cmd) || op.tagCommand.includes(tag)).slice(0, 5).map((op) => op.tagCommand ? `${op.tagCommand}:${op.command}` : op.command)
+		candidates: operationManifest.map((op) => ({
+			id: operationId(op),
+			score: scoreOperation(trimmed, op)
+		})).filter(({ score }) => score >= 45).sort((left, right) => right.score - left.score || left.id.localeCompare(right.id)).slice(0, 5).map(({ id }) => id)
 	};
 }
 var DescribeCommand = class DescribeCommand extends Command {
 	static args = { command: Args.string({
-		description: "Command id to describe, e.g. `emails:list` or `emails:get-email`. Run `primitive list-operations | jq -r '.[] | \"\\(.tagCommand):\\(.command)\"'` to enumerate generated operation ids.",
+		description: "Command id, alias, or SDK operation name to describe, e.g. `emails:list`, `emails:get-email`, or `getEmail`. Run `primitive list-operations | jq -r '.[] | \"\\(.tagCommand):\\(.command) \\(.operationId)\"'` to enumerate generated operation ids.",
 		required: true
 	}) };
 	static description = `Print the full operation manifest entry for a single API command, including the path, request schema, response schema, and per-field descriptions sourced from the OpenAPI spec.
   The manifest entry's \`responseSchema\` carries the inlined JSON Schema for the operation's 200/201 \`data\` envelope contents (\`$ref\`s resolved). Use it to look up what specific response fields mean. Examples:
+      # Domain setup records returned by add/verify
+      primitive describe domains:add
+      primitive describe addDomain
       # Which of EmailDetail's sender-shaped fields is canonical?
       primitive describe emails:get | jq '.responseSchema.properties | keys'
       primitive describe emails:get | jq -r '.responseSchema.properties.from_email.description'
@@ -17322,7 +18724,12 @@ var DescribeCommand = class DescribeCommand extends Command {
   \`requestSchema\` is the same shape for the request body when one exists. For a single field across many operations at once, use \`primitive list-operations | jq\` instead.`;
 	static summary = "Describe a single API operation in detail";
-	static examples = ["<%= config.bin %> describe emails:get", "<%= config.bin %> describe sent:get"];
+	static examples = [
+		"<%= config.bin %> describe addDomain",
+		"<%= config.bin %> describe domains:add",
+		"<%= config.bin %> describe emails:get",
+		"<%= config.bin %> describe sent:get"
+	];
 	async run() {
 		const { args } = await this.parse(DescribeCommand);
 		const { match, candidates } = lookupOperation(args.command);
@@ -17355,9 +18762,6 @@ var CompletionCommand = class CompletionCommand extends Command {
 		await this.config.runCommand("autocomplete", [args.shell]);
 	}
 };
-function commandId(operation) {
-	return `${operation.tagCommand}:${operation.command}`;
-}
 const CANONICAL_OPERATION_ALIASES = {
 	"account:show": "account:get-account",
 	"account:storage": "account:get-storage-stats",
@@ -17402,14 +18806,19 @@ const CANONICAL_OPERATION_ALIASES = {
 };
 const DESCRIBE_OPERATION_ALIASES = {
 	...CANONICAL_OPERATION_ALIASES,
+	"domains:zone-file": "domains:download-domain-zone-file",
 	"functions:logs": "functions:list-function-logs",
 	reply: "sending:reply-to-email"
 };
 function resolveOperationAlias(id) {
 	return DESCRIBE_OPERATION_ALIASES[id] ?? id;
 }
-const OVERRIDDEN_OPERATION_IDS = new Set(["functions:test-function"]);
-const generatedCommands = Object.fromEntries(operationManifest.filter((operation) => !OVERRIDDEN_OPERATION_IDS.has(commandId(operation))).map((operation) => [commandId(operation), createOperationCommand(operation)]));
+const OVERRIDDEN_OPERATION_IDS = new Set([
+	"domains:download-domain-zone-file",
+	"functions:test-function",
+	"inbox:get-inbox-status"
+]);
+const generatedCommands = Object.fromEntries(operationManifest.filter((operation) => !OVERRIDDEN_OPERATION_IDS.has(operationId(operation))).map((operation) => [operationId(operation), createOperationCommand(operation)]));
 const COMMANDS = {
 	completion: CompletionCommand,
 	"list-operations": ListOperationsCommand,
@@ -17438,6 +18847,10 @@ const COMMANDS = {
 	"emails:latest": EmailsLatestCommand,
 	"emails:watch": EmailsWatchCommand,
 	"emails:wait": EmailsWaitCommand,
+	"domains:zone-file": DomainsZoneFileCommand,
+	"domains:download-domain-zone-file": DomainsZoneFileCommand,
+	"inbox:status": InboxStatusCommand,
+	"inbox:get-inbox-status": InboxStatusCommand,
 	"functions:init": FunctionsInitCommand,
 	"functions:templates": FunctionsTemplatesCommand,
 	"functions:deploy": FunctionsDeployCommand,