@primitivedotdev/cli 0.32.0 → 0.32.1

package/dist/oclif/index.js

@@ -2,10 +2,10 @@ import { Args, Command, Errors, Flags } from "@oclif/core";
 import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { randomUUID } from "node:crypto";
 import { basename, dirname, join, resolve } from "node:path";
-import { spawn } from "node:child_process";
 import { hostname } from "node:os";
 import process$1 from "node:process";
 import { createInterface } from "node:readline/promises";
+import { spawn } from "node:child_process";
 //#region \0rolldown/runtime.js
 var __defProp = Object.defineProperty;
 var __exportAll = (all, no_symbols) => {
@@ -13133,8 +13133,14 @@ var PrimitiveApiClient = class {
 //#region src/oclif/auth.ts
 const CREDENTIALS_FILE = "credentials.json";
 const CREDENTIALS_LOCK_DIR = "credentials.lock";
+const CREDENTIALS_LOCK_OWNER_FILE = "owner.json";
 const CREDENTIALS_LOCK_STALE_MS = 1800 * 1e3;
 const MALFORMED_CREDENTIALS_HINT = "Run `primitive logout` and then `primitive signin`.";
+const CREDENTIALS_LOCK_CLEANUP_SIGNALS = [
+	"SIGINT",
+	"SIGTERM",
+	"SIGHUP"
+];
 function isRecord$2(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
@@ -13181,6 +13187,9 @@ function parseCredentials(raw) {
 function credentialsPath(configDir) {
 	return join(configDir, CREDENTIALS_FILE);
 }
+function credentialsLockPath(configDir) {
+	return join(configDir, CREDENTIALS_LOCK_DIR);
+}
 function normalize(url, fallback) {
 	const trimmed = url?.trim();
 	if (!trimmed) return fallback;
@@ -13239,6 +13248,12 @@ function saveCliCredentials(configDir, credentials) {
 function deleteCliCredentials(configDir) {
 	rmSync(credentialsPath(configDir), { force: true });
 }
+function deleteCliCredentialsLock(configDir) {
+	rmSync(credentialsLockPath(configDir), {
+		force: true,
+		recursive: true
+	});
+}
 function errorCode(error) {
 	return error && typeof error === "object" ? error.code : void 0;
 }
@@ -13256,12 +13271,85 @@ function removeStaleCliCredentialsLock(lockPath, staleMs, now) {
 	});
 	return true;
 }
+function readCliCredentialsLockOwner(lockPath) {
+	let raw;
+	try {
+		raw = readFileSync(join(lockPath, CREDENTIALS_LOCK_OWNER_FILE), "utf8");
+	} catch (error) {
+		if (errorCode(error) === "ENOENT") return null;
+		throw error;
+	}
+	try {
+		const pid = JSON.parse(raw)?.pid;
+		return Number.isInteger(pid) && pid > 0 ? { pid } : null;
+	} catch {
+		return null;
+	}
+}
+function processIsRunning(pid) {
+	try {
+		process.kill(pid, 0);
+		return true;
+	} catch (error) {
+		if (errorCode(error) === "ESRCH") return false;
+		return true;
+	}
+}
+function removeRecoverableCliCredentialsLock(params) {
+	const owner = readCliCredentialsLockOwner(params.lockPath);
+	if (owner && params.isRunning(owner.pid)) return false;
+	if (owner) {
+		rmSync(params.lockPath, {
+			force: true,
+			recursive: true
+		});
+		return true;
+	}
+	return removeStaleCliCredentialsLock(params.lockPath, params.staleMs, params.now);
+}
+function writeCliCredentialsLockOwner(lockPath) {
+	const ownerPath = join(lockPath, CREDENTIALS_LOCK_OWNER_FILE);
+	writeFileSync(ownerPath, `${JSON.stringify({
+		created_at: (/* @__PURE__ */ new Date()).toISOString(),
+		pid: process.pid
+	})}\n`, { mode: 384 });
+	chmodSync(ownerPath, 384);
+}
+function installCredentialsLockSignalCleanup(lockPath) {
+	let active = true;
+	const listeners = CREDENTIALS_LOCK_CLEANUP_SIGNALS.map((signal) => {
+		const listener = () => {
+			if (!active) return;
+			active = false;
+			rmSync(lockPath, {
+				force: true,
+				recursive: true
+			});
+			process.exit(signal === "SIGINT" ? 130 : signal === "SIGTERM" ? 143 : 129);
+		};
+		process.once(signal, listener);
+		return {
+			listener,
+			signal
+		};
+	});
+	return () => {
+		if (!active) return;
+		active = false;
+		for (const { listener, signal } of listeners) process.removeListener(signal, listener);
+	};
+}
+function credentialsLockInProgressMessage(lockPath) {
+	return `Another Primitive CLI credential operation is already in progress. Wait for it to finish, then retry. If no Primitive auth command is still running, run \`primitive logout --force\` to clear local CLI auth state and remove ${lockPath}.`;
+}
 function acquireCliCredentialsLock(configDir, options = {}) {
 	mkdirSync(configDir, {
 		mode: 448,
 		recursive: true
 	});
-	const lockPath = join(configDir, CREDENTIALS_LOCK_DIR);
+	const lockPath = credentialsLockPath(configDir);
+	const installSignalHandlers = options.installSignalHandlers ?? true;
+	const isRunning = options.isProcessRunning ?? processIsRunning;
 	const now = options.now ?? Date.now;
 	const staleMs = options.staleMs ?? CREDENTIALS_LOCK_STALE_MS;
 	let acquired = false;
@@ -13271,14 +13359,30 @@ function acquireCliCredentialsLock(configDir, options = {}) {
 		break;
 	} catch (error) {
 		if (errorCode(error) !== "EEXIST") throw error;
-		if (removeStaleCliCredentialsLock(lockPath, staleMs, now)) continue;
-		throw new Error("Another Primitive CLI credential operation is already in progress. Wait for it to finish, then retry.");
+		if (removeRecoverableCliCredentialsLock({
+			isRunning,
+			lockPath,
+			now,
+			staleMs
+		})) continue;
+		throw new Error(credentialsLockInProgressMessage(lockPath));
+	}
+	if (!acquired) throw new Error(credentialsLockInProgressMessage(lockPath));
+	try {
+		writeCliCredentialsLockOwner(lockPath);
+	} catch (error) {
+		rmSync(lockPath, {
+			force: true,
+			recursive: true
+		});
+		throw error;
 	}
-	if (!acquired) throw new Error("Another Primitive CLI credential operation is already in progress. Wait for it to finish, then retry.");
+	const removeSignalCleanup = installSignalHandlers ? installCredentialsLockSignalCleanup(lockPath) : () => void 0;
 	let released = false;
 	return () => {
 		if (released) return;
 		released = true;
+		removeSignalCleanup();
 		rmSync(lockPath, {
 			force: true,
 			recursive: true
@@ -13298,7 +13402,7 @@ function resolveCliAuth(params) {
 	const credentials = loadCliCredentials(params.configDir);
 	if (credentials) return {
 		apiKey: credentials.access_token,
-		apiBaseUrl1: params.apiBaseUrl1 ? normalizeApiBaseUrl1(params.apiBaseUrl1) : credentials.api_base_url_1,
+		apiBaseUrl1: credentials.api_base_url_1,
 		apiBaseUrl2,
 		credentials,
 		source: "stored"
@@ -14051,7 +14155,10 @@ const RESERVED_FLAG_NAMES = new Set([
 ]);
 function bodyFieldFlag(field) {
 	const common = { description: field.description || field.name };
-	if (field.kind === "boolean") return Flags.boolean(common);
+	if (field.kind === "boolean") return Flags.boolean({
+		...common,
+		allowNo: true
+	});
 	if (field.kind === "integer") return Flags.integer({
 		...common,
 		...numericFlagOptions(field)
@@ -14084,7 +14191,10 @@ function buildFlags(operation) {
 		}),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
 	};
-	if (!operation.binaryResponse) flags.envelope = Flags.boolean({ description: "Print the full response envelope, including pagination metadata such as meta.cursor. Defaults to printing only the data payload for backward compatibility." });
+	if (!operation.binaryResponse) {
+		flags.json = Flags.boolean({ description: "Accepted for consistency with task-focused commands. Generated API commands already print JSON by default." });
+		flags.envelope = Flags.boolean({ description: "Print the full response envelope, including pagination metadata such as meta.cursor. Defaults to printing only the data payload for backward compatibility." });
+	}
 	for (const parameter of [...operation.pathParams, ...operation.queryParams]) flags[flagName(parameter.name)] = flagForParameter(parameter);
 	const bodyFieldFlagToProperty = /* @__PURE__ */ new Map();
 	if (operation.hasJsonBody) {
@@ -14126,11 +14236,21 @@ function collectValues(parameters, flags) {
 function operationOutputPayload(envelope, includeEnvelope) {
 	return includeEnvelope ? envelope ?? null : envelope?.data ?? null;
 }
+function isIncompleteDomainVerification(operation, envelope) {
+	if (operation.sdkName !== "verifyDomain") return false;
+	const data = envelope?.data;
+	if (!data || typeof data !== "object") return false;
+	return data.verified === false;
+}
+function writeIncompleteDomainVerificationHint() {
+	process.stderr.write("Domain verification is incomplete. Add or fix the DNS records shown above, or run `primitive domains zone-file --id <domain-id>` to download the complete zone file, then retry `primitive domains verify --id <domain-id>`.\n");
+}
 const OPERATION_HINTS = {
 	addDomain: "Tip: after this returns a domain id, run `primitive domains zone-file --id <domain-id> --output <domain>.zone` when the user wants an importable DNS zone file.",
 	verifyDomain: "Tip: if DNS is still missing, run `primitive domains zone-file --id <domain-id> --output <domain>.zone` to give the user an importable DNS zone file.",
 	downloadDomainZoneFile: "Tip: prefer `primitive domains zone-file --id <domain-id> --output <domain>.zone` for CLI-friendly file output.",
 	getInboxStatus: "Tip: prefer `primitive inbox status` for a compact readiness summary and next-step commands.",
+	getSendPermissions: "Tip: this command answers where you may send mail to. To find usable sender domains for --from, run `primitive domains list` or `primitive inbox status` and use an address at an active verified domain.",
 	sendEmail: "Tip: prefer `primitive send --to <address> --body <text> --attachment <file>` for file attachments. This raw command exists for callers passing JSON.",
 	createFunction: "Tip: prefer `primitive functions deploy --name <name> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
 	updateFunction: "Tip: prefer `primitive functions redeploy --id <id> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
@@ -14233,6 +14353,10 @@ function createOperationCommand(operation) {
 					process.stderr.write(chunk);
 				} });
 				this.log(JSON.stringify(operationOutputPayload(envelope, parsedFlags.envelope === true), null, 2));
+				if (isIncompleteDomainVerification(operation, envelope)) {
+					writeIncompleteDomainVerificationHint();
+					process.exitCode = 1;
+				}
 			});
 		}
 	}
@@ -14348,6 +14472,13 @@ function cursorFromRows(rows) {
 	const last = rows.at(-1);
 	return last ? encodeReceivedAtSearchCursor(last) : null;
 }
+function cursorFromAcceptedRows(rows) {
+	for (let i = rows.length - 1; i >= 0; i--) {
+		const row = rows[i];
+		if (row.status === "accepted" || row.status === "completed") return encodeReceivedAtSearchCursor(row);
+	}
+	return null;
+}
 function collectNewAcceptedEmails(rows, seenIds) {
 	const fresh = [];
 	for (const row of rows) {
@@ -14613,41 +14744,40 @@ function buildChatFollowUpCommands(context) {
 	return commands;
 }
 function buildChatRecoveryCommands(context) {
-	return [
-		buildCommand("wait_threaded_reply", "Wait for the threaded reply again", [
-			"primitive",
-			"emails",
-			"wait",
-			"--reply-to-sent-email-id",
-			context.sent.id,
-			"--to",
-			context.from,
-			"--since",
-			context.sentAtIso,
-			"--timeout",
-			String(context.timeoutSeconds)
-		]),
-		buildCommand("wait_fallback_reply", "Fallback wait by sender/time window", [
-			"primitive",
-			"emails",
-			"wait",
-			"--from",
-			context.recipient,
-			"--to",
-			context.from,
-			"--since",
-			context.sentAtIso,
-			"--timeout",
-			String(context.timeoutSeconds)
-		]),
-		buildCommand("inspect_sent_email", "Inspect the outbound send", [
-			"primitive",
-			"sent",
-			"get",
-			"--id",
-			context.sent.id
-		])
-	];
+	const commands = [buildCommand("wait_threaded_reply", "Wait for the threaded reply again", [
+		"primitive",
+		"emails",
+		"wait",
+		"--reply-to-sent-email-id",
+		context.sent.id,
+		"--to",
+		context.from,
+		"--since",
+		context.sentAtIso,
+		"--timeout",
+		String(context.timeoutSeconds)
+	])];
+	if (!context.strictOnly) commands.push(buildCommand("wait_fallback_reply", "Fallback wait by sender/time window", [
+		"primitive",
+		"emails",
+		"wait",
+		"--from",
+		context.recipient,
+		"--to",
+		context.from,
+		"--since",
+		context.sentAtIso,
+		"--timeout",
+		String(context.timeoutSeconds)
+	]));
+	commands.push(buildCommand("inspect_sent_email", "Inspect the outbound send", [
+		"primitive",
+		"sent",
+		"get",
+		"--id",
+		context.sent.id
+	]));
+	return commands;
 }
 function buildChatJsonEnvelope(context) {
 	const responseBody = resolveChatResponseBody(context.reply);
@@ -14794,7 +14924,7 @@ var ChatCommand = class ChatCommand extends Command {
 	static summary = "Chat with an agent over email (send and wait for the reply)";
 	static examples = [
 		"<%= config.bin %> chat help@agent.acme.dev 'how do I rotate my API key?'",
-		"cat error.log | <%= config.bin %> chat help@agent.acme.dev --subject 'webhook 401s'",
+		"cat error.log | <%= config.bin %> chat help@agent.acme.dev",
 		"<%= config.bin %> chat help@agent.acme.dev --reply 'one more thing'",
 		"<%= config.bin %> chat help@agent.acme.dev --reply 'one more thing' --reply-to-email-id <inbound-email-id>",
 		"<%= config.bin %> chat help@agent.acme.dev 'follow up question' --json",
@@ -14823,7 +14953,10 @@ var ChatCommand = class ChatCommand extends Command {
 			hidden: true
 		}),
 		from: Flags.string({ description: "Sender address. Defaults to agent@<your-first-verified-outbound-domain>." }),
-		subject: Flags.string({ description: "Subject line. Defaults to the first line of the message when omitted." }),
+		subject: Flags.string({
+			description: "Advanced email transport override. Usually omit; chat threading does not depend on the subject.",
+			hidden: true
+		}),
 		reply: Flags.string({ description: "Reply body. Continues the latest inbound email from the recipient to your sender address; pass --reply-to-email-id for an exact thread." }),
 		"reply-to-email-id": Flags.string({ description: "Inbound email id to continue exactly. Uses Primitive's reply endpoint, so recipient, subject, and threading headers are derived from the inbound email." }),
 		"in-reply-to": Flags.string({ description: "Raw Message-Id of the parent email to thread a new send against. Prefer --reply-to-email-id with --reply when continuing an inbound email stored by Primitive." }),
@@ -15130,6 +15263,38 @@ function redactConfig(config) {
 		environments: Object.fromEntries(Object.entries(config.environments).map(([name, environment]) => [name, redactCliEnvironment(environment)]))
 	};
 }
+function upsertCliEnvironmentAndClearCredentialsIfSwitched(params) {
+	const previousConfig = loadOrCreateConfig(params.configDir);
+	const previousActiveEnvironment = resolveConfigEnvironment(previousConfig);
+	const previousEnvironment = previousActiveEnvironment?.name ?? null;
+	const config = upsertCliEnvironment({
+		apiBaseUrl1: params.apiBaseUrl1,
+		apiBaseUrl2: params.apiBaseUrl2,
+		config: previousConfig,
+		environmentName: params.environmentName,
+		headers: params.headers,
+		unsetHeaders: params.unsetHeaders
+	});
+	const activeEnvironment = resolveConfigEnvironment(config);
+	const environment = activeEnvironment?.name ?? null;
+	const shouldClearCredentials = existsSync(credentialsPath(params.configDir)) && (previousEnvironment !== environment || previousActiveEnvironment?.config.api_base_url_1 !== activeEnvironment?.config.api_base_url_1);
+	let removedCredentials = false;
+	if (shouldClearCredentials) {
+		const releaseLock = acquireCliCredentialsLock(params.configDir);
+		try {
+			saveCliConfig(params.configDir, config);
+			removedCredentials = existsSync(credentialsPath(params.configDir));
+			deleteCliCredentials(params.configDir);
+		} finally {
+			releaseLock();
+		}
+	} else saveCliConfig(params.configDir, config);
+	return {
+		environment,
+		previousEnvironment,
+		removedCredentials
+	};
+}
 function switchCliEnvironment(configDir, environmentName) {
 	const environment = normalizeCliEnvironmentName(environmentName);
 	const config = loadOrCreateConfig(configDir);
@@ -15179,16 +15344,16 @@ var ConfigSetCommand = class ConfigSetCommand extends Command {
 		const { flags } = await this.parse(ConfigSetCommand);
 		const headers = flags.header ?? [];
 		if (flags["api-base-url-1"] === void 0 && flags["api-base-url-2"] === void 0 && headers.length === 0 && (flags["unset-header"] ?? []).length === 0) throw new Errors.CLIError("Nothing to set. Pass an API base URL, --header, or --unset-header.", { exit: 1 });
-		const config = upsertCliEnvironment({
+		const { environment, removedCredentials } = upsertCliEnvironmentAndClearCredentialsIfSwitched({
 			apiBaseUrl1: flags["api-base-url-1"],
 			apiBaseUrl2: flags["api-base-url-2"],
-			config: loadOrCreateConfig(this.config.configDir),
+			configDir: this.config.configDir,
 			environmentName: flags.environment,
 			headers,
 			unsetHeaders: flags["unset-header"]
 		});
-		saveCliConfig(this.config.configDir, config);
-		process.stderr.write(`Primitive CLI environment ${config.current_environment} is active.\n`);
+		process.stderr.write(`Primitive CLI environment ${environment} is active.\n`);
+		if (removedCredentials) process.stderr.write("Removed saved Primitive CLI credentials. Run `primitive signin` to authenticate in the active environment.\n");
 	}
 };
 var ConfigUseCommand = class ConfigUseCommand extends Command {
@@ -15878,7 +16043,9 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 				process.exitCode = 1;
 				return;
 			}
-			cursor = page.cursor ?? cursor;
+			const nextCursor = cursorFromAcceptedRows(page.rows);
+			const cursorAdvanced = Boolean(nextCursor && nextCursor !== cursor);
+			if (nextCursor) cursor = nextCursor;
 			for (const email of collectNewAcceptedEmails(page.rows, seenIds)) {
 				if (flags.table) {
 					if (!headerPrinted) {
@@ -15890,7 +16057,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 				matched += 1;
 				if (matched >= flags.number) return;
 			}
-			if (page.rows.length > 0) continue;
+			if (cursorAdvanced) continue;
 			if (deadline !== null && Date.now() >= deadline) break;
 			await sleep$1(flags.interval * 1e3);
 		}
@@ -16000,7 +16167,9 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 				process.exitCode = 1;
 				return;
 			}
-			cursor = page.cursor ?? cursor;
+			const nextCursor = cursorFromAcceptedRows(page.rows);
+			const cursorAdvanced = Boolean(nextCursor && nextCursor !== cursor);
+			if (nextCursor) cursor = nextCursor;
 			for (const email of collectNewAcceptedEmails(page.rows, seenIds)) {
 				if (flags.jsonl) this.log(JSON.stringify(email));
 				else {
@@ -16013,7 +16182,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 				printed += 1;
 				if (flags.number && printed >= flags.number) return;
 			}
-			if (page.rows.length > 0) continue;
+			if (cursorAdvanced) continue;
 			if (deadline !== null && Date.now() >= deadline) break;
 			await sleep$1(flags.interval * 1e3);
 		}
@@ -16769,7 +16938,7 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	url: "https://primitive.dev"
 };
 const SDK_VERSION_RANGE = "^0.32.0";
-const CLI_VERSION_RANGE = "^0.32.0";
+const CLI_VERSION_RANGE = "^0.32.1";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
@@ -16795,49 +16964,93 @@ interface Env {
   PRIMITIVE_WEBHOOK_SECRET: string;
 }
 
-// Loop-protection knob. Only used by the isLoop helper below; the
-// handler's outbound reply address is server-defaulted (no
-// from-address parameter is passed to client.reply). Update this if
-// you later switch to sending from a non-managed-domain address so
-// the loop guard recognizes mail returning to it as self-traffic.
-const REPLY_FROM = "you@your-domain.primitive.email";
+// Optional loop-protection knob. client.reply() server-defaults the
+// outbound from-address from the inbound recipient, so most handlers
+// do not need to fill this in. Add any extra addresses your handler
+// sends from if you later switch to client.send or a custom domain.
+const EXTRA_SELF_ADDRESSES: string[] = [
+  // "bot@your-domain.example",
+];
+
+function extractEmailAddresses(value: string | null | undefined): string[] {
+  return (
+    value?.match(/[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,}/gi)?.map((address) =>
+      address.toLowerCase(),
+    ) ?? []
+  );
+}
+
+function domainPart(address: string): string | null {
+  const at = address.lastIndexOf("@");
+  return at === -1 ? null : address.slice(at + 1).toLowerCase();
+}
+
+function localPart(address: string): string {
+  const at = address.lastIndexOf("@");
+  return at === -1 ? address.toLowerCase() : address.slice(0, at).toLowerCase();
+}
+
+function inboundRecipientAddresses(event: EmailReceivedEvent): string[] {
+  return [
+    ...event.email.smtp.rcpt_to.flatMap(extractEmailAddresses),
+    ...extractEmailAddresses(event.email.headers.to),
+  ];
+}
+
+function inboundRecipientDomains(event: EmailReceivedEvent): Set<string> {
+  return new Set(
+    inboundRecipientAddresses(event)
+      .map(domainPart)
+      .filter((domain): domain is string => domain !== null),
+  );
+}
 
 // Loop protection. A newly deployed Function starts as a fallback
-// endpoint for managed *.primitive.email domains that do not have a
-// domain-scoped endpoint. That can include bounces and auto-replies
-// generated by the handler's own outbound traffic. Without this guard
-// the handler can respond to its own bounces and create a fan-out loop.
+// endpoint for managed domains and can receive bounces or auto-replies
+// generated by its own outbound mail. Do not hardcode a managed suffix:
+// staging, production, and custom domains all arrive through the same
+// webhook shape. Derive the handler's inbound domains from the actual
+// SMTP recipients instead.
 //
-// The default check returns true when From is on any *.primitive.email
-// address (covers managed-domain fallback mail, the simple
-// self-reply case, and bounces from mailer-daemon@*.primitive.email)
-// or when From contains REPLY_FROM as a case-insensitive substring.
-// Substring matching is deliberate so display-name forms like
-// "Support <support@example.com>" match a bare-address REPLY_FROM,
-// but it also accepts false positives where REPLY_FROM is a suffix
-// of another address (e.g. REPLY_FROM="info@x.com" matches
-// "mr.info@x.com"). For strict equality, parse the address out of the
-// header and exact-match against REPLY_FROM.
+// The default check skips:
+//   - direct self-mail where From equals one of the inbound recipients;
+//   - mailer-daemon/postmaster bounces from the same domain as the inbound;
+//   - any address explicitly listed in EXTRA_SELF_ADDRESSES.
 //
 // Extend this helper if you need stricter detection. Common additions:
-//   - Match the org's signup / account-owner email (not auto-injected
-//     into env today; either bake it into a SIGNUP_EMAIL const or read
-//     it from a secret you set via \`primitive functions:set-secret\`).
 //   - Honor RFC 3834 auto-response headers: skip when
-//     \`event.email.headers["auto-submitted"]\` is anything other than
-//     "no", or when a \`List-Unsubscribe\` / \`Precedence: bulk\` header
-//     is present.
+//     event.email.headers["auto-submitted"] is anything other than "no",
+//     or when a List-Unsubscribe / Precedence: bulk header is present.
 //   - Track Message-ID / In-Reply-To chains to break ping-pong loops
 //     between two cooperating handlers on different domains.
 export function isLoop(event: EmailReceivedEvent): boolean {
-  // event.email.headers.from is the raw RFC 2822 header value, so it
-  // may be a bare address ("alice@example.com") or a display-name form
-  // ("Alice <alice@example.com>"). Lowercase substring checks match
-  // both shapes without needing to parse the bracketed address.
-  const from = event.email.headers.from?.toLowerCase() ?? "";
-  if (!from) return false;
-  if (from.includes(".primitive.email")) return true;
-  if (from.includes(REPLY_FROM.toLowerCase())) return true;
+  const fromAddresses = [
+    ...extractEmailAddresses(event.email.headers.from),
+    ...extractEmailAddresses(event.email.smtp.mail_from),
+  ];
+  if (fromAddresses.length === 0) return false;
+
+  const inboundAddresses = new Set(inboundRecipientAddresses(event));
+  const inboundDomains = inboundRecipientDomains(event);
+  const extraSelfAddresses = new Set(
+    EXTRA_SELF_ADDRESSES.map((address) => address.toLowerCase()),
+  );
+
+  for (const from of fromAddresses) {
+    if (inboundAddresses.has(from)) return true;
+    if (extraSelfAddresses.has(from)) return true;
+
+    const fromDomain = domainPart(from);
+    const fromLocal = localPart(from);
+    const sameInboundDomain = fromDomain ? inboundDomains.has(fromDomain) : false;
+    if (
+      sameInboundDomain &&
+      (fromLocal === "mailer-daemon" || fromLocal === "postmaster")
+    ) {
+      return true;
+    }
+  }
+
   return false;
 }
 
@@ -16885,11 +17098,16 @@ export default {
         apiBaseUrl1: env.PRIMITIVE_API_BASE_URL,
       });
 
+      // To add an LLM or another API, store its key as a Function secret.
+      // Example:
+      //   export OPENAI_KEY=sk-...
+      //   primitive functions set-secret --id <fn-id> --key OPENAI_KEY --value-from-env OPENAI_KEY --redeploy
+
       // Recipient gate
       // https://www.primitive.dev/docs/sending#who-you-can-send-to
       // Even via client.reply, sends to the original sender are
       // subject to the recipient gate. New accounts can send to
-      // *.primitive.email addresses, verified domains, addresses that
+      // Primitive-managed domains, verified domains, addresses that
       // have authenticated to you, and other org-member signup emails.
       // Sends to arbitrary external addresses return 403
       // recipient_not_allowed with a structured gates[] array until
@@ -16939,8 +17157,10 @@ function renderPackageJson(name) {
 		type: "module",
 		scripts: {
 			build: "node build.mjs",
-			deploy: `npm run build && primitive functions deploy --name ${name} --file ./dist/handler.js`,
-			redeploy: "npm run build && primitive functions redeploy --id $PRIMITIVE_FUNCTION_ID --file ./dist/handler.js"
+			deploy: `npm run build && primitive functions deploy --name ${name} --file ./dist/handler.js --wait`,
+			"test:function": "primitive functions test --id $PRIMITIVE_FUNCTION_ID --wait --show-sends",
+			logs: "primitive functions logs --id $PRIMITIVE_FUNCTION_ID",
+			redeploy: "npm run build && primitive functions redeploy --id $PRIMITIVE_FUNCTION_ID --file ./dist/handler.js --wait"
 		},
 		dependencies: { "@primitivedotdev/sdk": SDK_VERSION_RANGE },
 		devDependencies: {
@@ -17011,13 +17231,47 @@ npm run build
 npm run deploy
 \`\`\`
 
-The deploy step calls \`primitive functions deploy\` (provided by the
-\`@primitivedotdev/cli\` package; install with
+The deploy step calls \`primitive functions deploy --wait\` (provided
+by the \`@primitivedotdev/cli\` package; install with
 \`npm install -g @primitivedotdev/cli\` or run via
 \`npx @primitivedotdev/cli@latest <command>\`). It requires
 \`PRIMITIVE_API_KEY\` to be set in your shell (or pass \`--api-key\`).
 Run \`primitive signin\` once to save a key in your CLI config if you
 prefer that to an env var.
+
+After the first deploy, copy the returned function id into your shell:
+
+\`\`\`
+export PRIMITIVE_FUNCTION_ID=<fn-id>
+\`\`\`
+
+## Prove it works
+
+\`\`\`
+primitive inbox status
+npm run test:function
+npm run logs
+\`\`\`
+
+\`npm run test:function\` sends a real test email through MX, waits for
+the Function to process it, and prints any outbound replies emitted by
+the handler.
+
+## Redeploy
+
+\`\`\`
+npm run redeploy
+\`\`\`
+
+## Secrets
+
+Use secrets for API keys used by your handler. \`--redeploy\` makes the
+new value visible to the running Function immediately.
+
+\`\`\`
+export OPENAI_KEY=sk-...
+primitive functions set-secret --id "$PRIMITIVE_FUNCTION_ID" --key OPENAI_KEY --value-from-env OPENAI_KEY --redeploy
+\`\`\`
 `;
 }
 function renderEmailReplyTemplateFiles(name) {
@@ -17192,8 +17446,9 @@ var FunctionsInitCommand = class FunctionsInitCommand extends Command {
 		this.log("Next:");
 		this.log(`  cd ${outDir}`);
 		this.log("  npm install");
-		this.log("  npm run build");
-		this.log(`  primitive functions deploy --name ${args.name} --file ./dist/handler.js`);
+		this.log("  npm run deploy");
+		this.log("  export PRIMITIVE_FUNCTION_ID=<id-from-deploy-output>");
+		this.log("  npm run test:function");
 	}
 };
 //#endregion
@@ -17823,26 +18078,32 @@ var FunctionsTemplatesCommand = class FunctionsTemplatesCommand extends Command
 //#endregion
 //#region src/oclif/commands/functions-test-function.ts
 const DEFAULT_WAIT_TIMEOUT_SECONDS = 60;
-const TERMINAL_WEBHOOK_STATUSES = new Set(["fired", "exhausted"]);
+const TERMINAL_TEST_TRACE_STATES = new Set([
+	"completed",
+	"failed",
+	"send_failed"
+]);
 function buildFunctionTestOutcome(params) {
+	const inbound = params.trace.inbound_email;
 	const outcome = {
 		elapsed_seconds: params.elapsedSeconds,
 		function_id: params.functionId,
 		inbound_domain: params.invocation.inbound_domain,
-		inbound_id: params.inboundId,
+		inbound_id: inbound?.id ?? null,
 		inbound_to: params.invocation.to,
 		poll_since: params.invocation.poll_since,
+		state: params.trace.state,
 		test_run_id: params.invocation.test_run_id,
 		test_send_id: params.invocation.send_id,
 		test_subject: params.invocation.subject,
 		trace_url: params.invocation.trace_url,
 		watch_url: params.invocation.watch_url,
-		webhook_attempt_count: params.detail.webhook_attempt_count,
-		webhook_last_error: params.detail.webhook_last_error,
-		webhook_last_status_code: params.detail.webhook_last_status_code,
-		webhook_status: params.detail.webhook_status
+		webhook_attempt_count: inbound?.webhook_attempt_count ?? null,
+		webhook_last_error: inbound?.webhook_last_error ?? null,
+		webhook_last_status_code: inbound?.webhook_last_status_code ?? null,
+		webhook_status: inbound?.webhook_status ?? null
 	};
-	if (params.showSends) outcome.sent_emails = params.detail.replies;
+	if (params.showSends) outcome.sent_emails = params.trace.replies;
 	return outcome;
 }
 function writeFunctionTestProgress(message, writeStderr = (chunk) => {
@@ -17941,7 +18202,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 			required: true
 		}),
 		"local-part": Flags.string({ description: "Override the synthetic local-part the test inbound is addressed to. Otherwise the runtime picks `__primitive_function_test+<random>`." }),
-		wait: Flags.boolean({ description: "Block until the function has processed the test inbound (webhook status is `fired` or `exhausted`) or --timeout elapses. Exits non-zero on timeout or on exhausted retries." }),
+		wait: Flags.boolean({ description: "Block until the function test run reaches `completed`, `failed`, or `send_failed`, or --timeout elapses. Exits non-zero on timeout or terminal failure." }),
 		"show-sends": Flags.boolean({ description: "When the wait resolves, also print the outbound emails the function emitted while processing the test inbound (id, status, to, subject). Implies --wait." }),
 		timeout: Flags.integer({
 			default: DEFAULT_WAIT_TIMEOUT_SECONDS,
@@ -18001,41 +18262,15 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 			const timeoutMs = flags.timeout * 1e3;
 			const pollIntervalMs = flags["poll-interval"] * 1e3;
 			const isExpired = () => flags.timeout > 0 && Date.now() - startedAt > timeoutMs;
-			writeFunctionTestProgress(`Waiting for test inbound to arrive at ${invocation.to}...`);
-			let inboundId;
-			while (!isExpired()) {
-				const page = await fetchEmailSearchPage({
-					apiClient,
-					filters: { to: invocation.to },
-					pageSize: 25,
-					since: invocation.poll_since
-				});
-				if (!page.ok) {
-					const payload = extractErrorPayload(page.error);
-					writeErrorWithHints(payload);
-					surfaceUnauthorizedHint({
-						auth,
-						baseUrlOverridden,
-						configDir: this.config.configDir,
-						payload
-					});
-					process.exitCode = 1;
-					return;
-				}
-				const found = page.rows[0];
-				if (found) {
-					inboundId = found.id;
-					break;
-				}
-				await sleep$1(pollIntervalMs);
-			}
-			if (!inboundId) this.error(`Timed out after ${flags.timeout}s waiting for test inbound ${invocation.to} to land. Browse ${invocation.watch_url} for the live view.`, { exit: 2 });
-			writeFunctionTestProgress(`Inbound landed (${inboundId}). Waiting for function to run...`);
-			let detail;
+			writeFunctionTestProgress(`Waiting for test run ${invocation.test_run_id} to complete for ${invocation.to}...`);
+			let trace;
 			while (!isExpired()) {
-				const result = await getEmail({
+				const result = await getFunctionTestRunTrace({
 					client: apiClient.client,
-					path: { id: inboundId },
+					path: {
+						id: flags.id,
+						run_id: invocation.test_run_id
+					},
 					responseStyle: "fields"
 				});
 				if (result.error) {
@@ -18051,24 +18286,22 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 					return;
 				}
 				const fetched = result.data.data;
-				if (fetched.webhook_status && TERMINAL_WEBHOOK_STATUSES.has(fetched.webhook_status)) {
-					detail = fetched;
+				if (TERMINAL_TEST_TRACE_STATES.has(fetched.state)) {
+					trace = fetched;
 					break;
 				}
 				await sleep$1(pollIntervalMs);
 			}
-			if (!detail) this.error(`Timed out after ${flags.timeout}s waiting for function webhook to fire for inbound ${inboundId}. Browse ${invocation.watch_url} for the live view.`, { exit: 2 });
-			const elapsedSeconds = Math.round((Date.now() - startedAt) / 1e3);
+			if (!trace) this.error(`Timed out after ${flags.timeout}s waiting for function test run ${invocation.test_run_id} to complete. Browse ${invocation.watch_url} for the live view, or inspect ${invocation.trace_url}.`, { exit: 2 });
 			const outcome = buildFunctionTestOutcome({
-				detail,
-				elapsedSeconds,
+				elapsedSeconds: Math.round((Date.now() - startedAt) / 1e3),
 				functionId: flags.id,
-				inboundId,
 				invocation,
-				showSends: shouldShowSends
+				showSends: shouldShowSends,
+				trace
 			});
 			this.log(JSON.stringify(outcome, null, 2));
-			if (detail.webhook_status === "exhausted") process.exitCode = 1;
+			if (trace.state === "failed" || trace.state === "send_failed") process.exitCode = 1;
 		});
 	}
 };
@@ -18319,7 +18552,7 @@ async function checkExistingLogin(params) {
 		message: code === API_ERROR_CODES.unauthorized ? "Saved Primitive CLI OAuth credentials were rejected by an API URL different from the one they were saved with. Run `primitive logout` to remove them, or switch back to the original environment before logging in again." : "A saved Primitive CLI OAuth session exists, but the CLI could not verify whether it is still valid. Run `primitive logout` before logging in again."
 	};
 }
-var LoginCommand = class extends Command {
+var LoginCommand$1 = class extends Command {
 	static description = "Log in by opening Primitive in your browser and saving an org-scoped OAuth session locally.";
 	static summary = "Log in with browser approval";
 	static examples = [
@@ -18343,6 +18576,9 @@ var LoginCommand = class extends Command {
 	async run() {
 		const commandClass = this.constructor;
 		const { flags } = await this.parse(commandClass);
+		await this.runBrowserLogin(flags, this.retryCommand());
+	}
+	async runBrowserLogin(flags, retryCommand = this.retryCommand()) {
 		let releaseCredentialsLock;
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
@@ -18350,7 +18586,7 @@ var LoginCommand = class extends Command {
 			throw cliError$3(error instanceof Error ? error.message : String(error));
 		}
 		try {
-			await this.runWithCredentialLock(flags, this.retryCommand());
+			await this.runWithCredentialLock(flags, retryCommand);
 		} finally {
 			releaseCredentialsLock();
 		}
@@ -18458,520 +18694,85 @@ var LoginCommand = class extends Command {
 	}
 };
 //#endregion
-//#region src/oclif/commands/logout.ts
+//#region src/oclif/commands/signup.ts
+const INVALID_VERIFICATION_CODE = "invalid_verification_code";
+const EXPIRED_TOKEN = "expired_token";
+const INVALID_SIGNUP_TOKEN = "invalid_signup_token";
+const SLOW_DOWN = "slow_down";
+const PENDING_SIGNUP_FILE = "signup.json";
+const DEFAULT_SIGNUP_COMMAND_COPY = {
+	actionNoun: "signup",
+	actionGerund: "creating a new account",
+	confirmCommand: (email) => `signup confirm ${email} <code>`,
+	resendCommand: (email) => `signup resend ${email}`,
+	startCommand: (email) => `signup ${email}`
+};
 function cliError$2(message) {
 	return new Errors.CLIError(message, { exit: 1 });
 }
 function unwrapData$1(value) {
 	return value?.data ?? null;
 }
-function isSavedOAuthSessionExpiredError(error) {
-	return error instanceof Error && error.message === "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive signin` to authenticate again.";
+function isRecord(value) {
+	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
-async function runLogoutWithCredentialLock(params) {
-	const deps = {
-		cliLogout,
-		createAuthenticatedCliApiClient,
-		...params.deps
+function normalizeEmail(email) {
+	return email.trim().toLowerCase();
+}
+function pendingSignupFromJson(value) {
+	if (!isRecord(value)) return null;
+	if (typeof value.signup_token !== "string" || typeof value.email !== "string" || typeof value.expires_in !== "number" || typeof value.resend_after !== "number" || typeof value.verification_code_length !== "number" || typeof value.api_base_url_1 !== "string" || typeof value.created_at !== "string" || typeof value.expires_at !== "string") return null;
+	return {
+		api_base_url_1: value.api_base_url_1,
+		created_at: value.created_at,
+		email: value.email,
+		expires_at: value.expires_at,
+		expires_in: value.expires_in,
+		resend_after: value.resend_after,
+		signup_token: value.signup_token,
+		verification_code_length: value.verification_code_length
 	};
-	let credentials;
+}
+function pendingSignupPath(configDir) {
+	return join(configDir, PENDING_SIGNUP_FILE);
+}
+function deletePendingAgentSignup(configDir) {
+	rmSync(pendingSignupPath(configDir), { force: true });
+}
+function pendingSignupFromStart(start, apiBaseUrl1) {
+	return {
+		...start,
+		api_base_url_1: apiBaseUrl1,
+		created_at: (/* @__PURE__ */ new Date()).toISOString(),
+		expires_at: new Date(Date.now() + start.expires_in * 1e3).toISOString()
+	};
+}
+function savePendingAgentSignup(configDir, start, apiBaseUrl1) {
+	mkdirSync(configDir, {
+		mode: 448,
+		recursive: true
+	});
+	const pending = pendingSignupFromStart(start, apiBaseUrl1);
+	const path = pendingSignupPath(configDir);
+	const tempPath = join(configDir, `${PENDING_SIGNUP_FILE}.${process$1.pid}.${randomUUID()}.tmp`);
 	try {
-		credentials = loadCliCredentials(params.configDir);
+		writeFileSync(tempPath, `${JSON.stringify(pending, null, 2)}\n`, { mode: 384 });
+		chmodSync(tempPath, 384);
+		renameSync(tempPath, path);
+		chmodSync(path, 384);
+		return pending;
 	} catch (error) {
-		deleteCliCredentials(params.configDir);
-		const detail = error instanceof Error ? error.message : String(error);
-		process.stderr.write(`Removed unreadable Primitive CLI credentials. Backing OAuth grant was not revoked: ${detail}\n`);
-		process.exitCode = 1;
-		return;
+		rmSync(tempPath, { force: true });
+		throw error;
 	}
-	if (!credentials) throw cliError$2("Not logged in. Run `primitive signin` to create saved CLI credentials.");
-	let authenticated;
+}
+function loadPendingAgentSignup(configDir, apiBaseUrl1) {
+	const path = pendingSignupPath(configDir);
+	let contents;
 	try {
-		authenticated = await deps.createAuthenticatedCliApiClient({
-			apiBaseUrl1: params.flags["api-base-url-1"],
-			configDir: params.configDir,
-			credentialsLockHeld: true
-		});
+		contents = readFileSync(path, "utf8");
 	} catch (error) {
-		if (isSavedOAuthSessionExpiredError(error) && loadCliCredentials(params.configDir) === null) {
-			process.stderr.write("Logged out (OAuth session was already expired or revoked on the server).\n");
-			return;
-		}
-		throw error;
-	}
-	const freshCredentials = authenticated.auth.credentials ?? credentials;
-	const result = await deps.cliLogout({
-		body: { key_id: freshCredentials.oauth_grant_id },
-		client: authenticated.apiClient.client,
-		responseStyle: "fields"
-	});
-	if (result.error) {
-		const payload = extractErrorPayload(result.error);
-		const code = extractErrorCode(payload);
-		if (code === API_ERROR_CODES.unauthorized || code === API_ERROR_CODES.notFound) {
-			deleteCliCredentials(params.configDir);
-			writeErrorWithHints(payload);
-			process.stderr.write("Removed saved Primitive CLI credentials because the backing OAuth grant is already unavailable.\n");
-			process.exitCode = 1;
-			return;
-		}
-		writeErrorWithHints(payload);
-		throw cliError$2("Could not revoke the saved Primitive CLI OAuth grant.");
-	}
-	const logout = unwrapData$1(result.data);
-	deleteCliCredentials(params.configDir);
-	const grantId = logout?.oauth_grant_id ?? freshCredentials.oauth_grant_id;
-	process.stderr.write(`Logged out and revoked OAuth grant ${grantId}.\n`);
-}
-var LogoutCommand = class LogoutCommand extends Command {
-	static description = "Log out by revoking the saved Primitive CLI OAuth grant and deleting local credentials.";
-	static summary = "Log out and revoke the saved CLI OAuth grant";
-	static examples = ["<%= config.bin %> logout"];
-	static flags = { "api-base-url-1": Flags.string({
-		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-		env: "PRIMITIVE_API_BASE_URL_1",
-		hidden: true
-	}) };
-	async run() {
-		const { flags } = await this.parse(LogoutCommand);
-		let releaseCredentialsLock;
-		try {
-			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
-		} catch (error) {
-			throw cliError$2(error instanceof Error ? error.message : String(error));
-		}
-		try {
-			await runLogoutWithCredentialLock({
-				configDir: this.config.configDir,
-				flags
-			});
-		} finally {
-			releaseCredentialsLock();
-		}
-	}
-};
-//#endregion
-//#region src/oclif/message-body-sources.ts
-function defaultReadFile(path) {
-	return readFileSync(path, "utf8");
-}
-function defaultReadStdin() {
-	if (process.stdin.isTTY) throw new Error("stdin is a TTY; pipe a value into this command or pass a file/string source instead.");
-	return readFileSync(0, "utf8");
-}
-function selectedSources(sources) {
-	return sources.filter(([, selected]) => selected).map(([label]) => label);
-}
-function readTextFile(path, label, readFile) {
-	try {
-		return {
-			content: readFile(path),
-			kind: "ok"
-		};
-	} catch (error) {
-		return {
-			kind: "error",
-			message: `Could not read ${label} ${path}: ${error instanceof Error ? error.message : String(error)}`
-		};
-	}
-}
-function readTextStdin(label, readStdin) {
-	try {
-		return {
-			content: readStdin(),
-			kind: "ok"
-		};
-	} catch (error) {
-		return {
-			kind: "error",
-			message: `Could not read ${label}: ${error instanceof Error ? error.message : String(error)}`
-		};
-	}
-}
-function resolveMessageBodies(input) {
-	const bodySources = selectedSources([
-		["--body", input.body !== void 0],
-		["--body-file", input.bodyFile !== void 0],
-		["--body-stdin", input.bodyStdin === true]
-	]);
-	if (bodySources.length > 1) return {
-		kind: "error",
-		message: `Pass only one plain-text body source (got ${bodySources.join(", ")}).`
-	};
-	const htmlSources = selectedSources([
-		["--html", input.html !== void 0],
-		["--html-file", input.htmlFile !== void 0],
-		["--html-stdin", input.htmlStdin === true]
-	]);
-	if (htmlSources.length > 1) return {
-		kind: "error",
-		message: `Pass only one HTML body source (got ${htmlSources.join(", ")}).`
-	};
-	const stdinSources = selectedSources([["--body-stdin", input.bodyStdin === true], ["--html-stdin", input.htmlStdin === true]]);
-	if (stdinSources.length > 1) return {
-		kind: "error",
-		message: `Stdin can only be consumed once (got ${stdinSources.join(", ")}).`
-	};
-	if (bodySources.length === 0 && htmlSources.length === 0) return {
-		kind: "error",
-		message: "Either a plain-text body source or an HTML body source is required."
-	};
-	const readFile = input.readFile ?? defaultReadFile;
-	const readStdin = input.readStdin ?? defaultReadStdin;
-	let body = input.body;
-	let html = input.html;
-	if (input.bodyFile !== void 0) {
-		const result = readTextFile(input.bodyFile, "--body-file", readFile);
-		if (result.kind === "error") return result;
-		body = result.content;
-	}
-	if (input.bodyStdin === true) {
-		const result = readTextStdin("--body-stdin", readStdin);
-		if (result.kind === "error") return result;
-		body = result.content;
-	}
-	if (input.htmlFile !== void 0) {
-		const result = readTextFile(input.htmlFile, "--html-file", readFile);
-		if (result.kind === "error") return result;
-		html = result.content;
-	}
-	if (input.htmlStdin === true) {
-		const result = readTextStdin("--html-stdin", readStdin);
-		if (result.kind === "error") return result;
-		html = result.content;
-	}
-	if (!body && !html) return {
-		kind: "error",
-		message: "Either a non-empty plain-text body or a non-empty HTML body is required."
-	};
-	return {
-		...body !== void 0 ? { body } : {},
-		...html !== void 0 ? { html } : {},
-		kind: "ok"
-	};
-}
-//#endregion
-//#region src/oclif/commands/reply.ts
-var ReplyCommand = class ReplyCommand extends Command {
-	static description = `Reply to an inbound email.
-
-  The API derives recipients, the Re: subject, and threading headers from the inbound email id. Use \`primitive send --in-reply-to <message-id>\` only when you need to thread against a raw Message-Id instead of an inbound email stored by Primitive.`;
-	static summary = "Reply to an inbound email";
-	static examples = [
-		"<%= config.bin %> reply --id <inbound-email-id> --body 'Thanks, got it.'",
-		"<%= config.bin %> reply --id <inbound-email-id> --body-file ./reply.txt",
-		"<%= config.bin %> reply --id <inbound-email-id> --html '<p>Thanks, got it.</p>' --wait",
-		"<%= config.bin %> reply --id <inbound-email-id> --from 'Support <support@example.com>' --body 'Thanks!'"
-	];
-	static flags = {
-		"api-key": Flags.string({
-			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
-			env: "PRIMITIVE_API_KEY"
-		}),
-		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
-			hidden: true
-		}),
-		id: Flags.string({
-			description: "Inbound email id to reply to.",
-			required: true
-		}),
-		body: Flags.string({ description: "Plain-text reply body. Either --body or --html (or both) is required." }),
-		"body-file": Flags.string({ description: "Read the plain-text reply body from a UTF-8 file. Mutually exclusive with --body and --body-stdin." }),
-		"body-stdin": Flags.boolean({ description: "Read the plain-text reply body from stdin. Mutually exclusive with --body and --body-file. Stdin can only be consumed once." }),
-		html: Flags.string({ description: "HTML reply body. Either --body or --html (or both) is required." }),
-		"html-file": Flags.string({ description: "Read the HTML reply body from a UTF-8 file. Mutually exclusive with --html and --html-stdin." }),
-		"html-stdin": Flags.boolean({ description: "Read the HTML reply body from stdin. Mutually exclusive with --html and --html-file. Stdin can only be consumed once." }),
-		from: Flags.string({ description: "Optional From header override. Defaults to the inbound recipient." }),
-		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the reply for delivery." }),
-		"wait-timeout-ms": Flags.integer({ description: "Maximum time to wait when --wait is set. Defaults to 30000ms." }),
-		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
-	};
-	async run() {
-		const { flags } = await this.parse(ReplyCommand);
-		const bodies = resolveMessageBodies({
-			body: flags.body,
-			bodyFile: flags["body-file"],
-			bodyStdin: flags["body-stdin"],
-			html: flags.html,
-			htmlFile: flags["html-file"],
-			htmlStdin: flags["html-stdin"]
-		});
-		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
-		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
-				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
-				configDir: this.config.configDir
-			});
-			const result = await replyToEmail({
-				body: {
-					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
-					...bodies.html !== void 0 ? { body_html: bodies.html } : {},
-					...flags.from !== void 0 ? { from: flags.from } : {},
-					...flags.wait !== void 0 ? { wait: flags.wait } : {},
-					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
-				},
-				client: apiClient.client,
-				path: { id: flags.id },
-				responseStyle: "fields"
-			});
-			if (result.error) {
-				const errorPayload = extractErrorPayload(result.error);
-				writeErrorWithHints(errorPayload);
-				surfaceUnauthorizedHint({
-					auth,
-					baseUrlOverridden,
-					configDir: this.config.configDir,
-					payload: errorPayload
-				});
-				process.exitCode = 1;
-				return;
-			}
-			const envelope = result.data;
-			writeIdempotentReplayBannerIfReplay(envelope?.data, { write: (chunk) => {
-				process.stderr.write(chunk);
-			} });
-			this.log(JSON.stringify(envelope?.data ?? null, null, 2));
-		});
-	}
-};
-//#endregion
-//#region src/oclif/attachments.ts
-function readAttachmentBytes(path, readFile) {
-	try {
-		return Buffer.from(readFile(path));
-	} catch (error) {
-		const detail = error instanceof Error ? error.message : String(error);
-		throw new Errors.CLIError(`Could not read --attachment ${path}: ${detail}`, { exit: 1 });
-	}
-}
-function hasControlCharacter(value) {
-	return Array.from(value).some((character) => {
-		const code = character.charCodeAt(0);
-		return code <= 31 || code >= 127 && code <= 159;
-	});
-}
-function validateAttachmentFilename(path, filename) {
-	if (!filename) throw new Errors.CLIError(`Could not derive an attachment filename from ${path}. Pass a file path.`, { exit: 1 });
-	if (hasControlCharacter(filename)) throw new Errors.CLIError(`Attachment filename ${filename} contains control characters.`, { exit: 1 });
-}
-function readAttachmentFiles(paths, readFile = readFileSync) {
-	if (!paths || paths.length === 0) return void 0;
-	return paths.map((path) => {
-		const filename = basename(path);
-		validateAttachmentFilename(path, filename);
-		const bytes = readAttachmentBytes(path, readFile);
-		if (bytes.length === 0) throw new Errors.CLIError(`Attachment file ${path} is empty. Attachments must contain at least one byte.`, { exit: 1 });
-		return {
-			content_base64: bytes.toString("base64"),
-			filename
-		};
-	});
-}
-//#endregion
-//#region src/oclif/commands/send.ts
-var SendCommand = class SendCommand extends Command {
-	static description = `Send an outbound email. Agent-grade shortcut for \`sending send\` with sensible defaults.
-
-  --from defaults to agent@<your-first-verified-outbound-domain> when omitted.
-  --subject defaults to the first line of the body when omitted.
-  --attachment attaches a file; repeat it to attach multiple files.
-
-  For the full flag set (custom message-id threading on the wire,
-  references arrays, etc.), use \`primitive sending send\`.`;
-	static summary = "Send an email (simplified, agent-friendly)";
-	static examples = [
-		"<%= config.bin %> send --to alice@example.com --body 'Hi Alice!'",
-		"<%= config.bin %> send --to alice@example.com --body-file ./message.txt",
-		"<%= config.bin %> send --to alice@example.com --body 'See attached.' --attachment ./report.pdf",
-		"<%= config.bin %> send --to alice@example.com --from support@yourcompany.com --subject 'Quick question' --body 'Are you free Thursday?'",
-		"<%= config.bin %> send --to alice@example.com --html '<p>Hello!</p>'",
-		"<%= config.bin %> send --to alice@example.com --body 'Confirmed' --wait",
-		"<%= config.bin %> send --to inbox@your-managed-domain.primitive.email --body 'self-loop smoke test' --wait  # any *.primitive.email address routes back to the sending account; useful for proving outbound + inbound work end-to-end"
-	];
-	static flags = {
-		"api-key": Flags.string({
-			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
-			env: "PRIMITIVE_API_KEY"
-		}),
-		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
-			hidden: true
-		}),
-		to: Flags.string({
-			description: "Recipient address (e.g. alice@example.com).",
-			required: true
-		}),
-		from: Flags.string({ description: "Sender address. Defaults to agent@<your-first-verified-outbound-domain>." }),
-		subject: Flags.string({ description: "Subject line. Defaults to the first line of --body / --html when omitted." }),
-		body: Flags.string({ description: "Plain-text message body. Either --body or --html (or both) is required." }),
-		"body-file": Flags.string({ description: "Read the plain-text message body from a UTF-8 file. This does not attach the file; use --attachment for file attachments. Mutually exclusive with --body and --body-stdin." }),
-		"body-stdin": Flags.boolean({ description: "Read the plain-text message body from stdin. Mutually exclusive with --body and --body-file. Stdin can only be consumed once." }),
-		html: Flags.string({ description: "HTML message body. Either --body or --html (or both) is required." }),
-		"html-file": Flags.string({ description: "Read the HTML message body from a UTF-8 file. Mutually exclusive with --html and --html-stdin." }),
-		"html-stdin": Flags.boolean({ description: "Read the HTML message body from stdin. Mutually exclusive with --html and --html-file. Stdin can only be consumed once." }),
-		attachment: Flags.string({
-			description: "Attach a file to the email. Repeatable. Sends file bytes as a MIME attachment; use --body-file only for message body text.",
-			multiple: true
-		}),
-		"in-reply-to": Flags.string({ description: "Message-Id of the parent email when threading a reply on the wire. For replying to an inbound message you received, prefer `primitive reply --id <inbound-id>`." }),
-		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the message for delivery." }),
-		"wait-timeout-ms": Flags.integer({ description: "Maximum time to wait when --wait is set. Defaults to 30000ms." }),
-		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
-	};
-	async run() {
-		const { flags } = await this.parse(SendCommand);
-		const bodies = resolveMessageBodies({
-			body: flags.body,
-			bodyFile: flags["body-file"],
-			bodyStdin: flags["body-stdin"],
-			html: flags.html,
-			htmlFile: flags["html-file"],
-			htmlStdin: flags["html-stdin"]
-		});
-		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
-		const attachments = readAttachmentFiles(flags.attachment);
-		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
-				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
-				configDir: this.config.configDir
-			});
-			const authFailureContext = {
-				auth,
-				baseUrlOverridden,
-				configDir: this.config.configDir
-			};
-			const from = flags.from ?? await pickDefaultFromAddress(apiClient, authFailureContext);
-			const subject = flags.subject ?? (bodies.body ? deriveSubject(bodies.body) : "Message");
-			const result = await sendEmail({
-				body: {
-					from,
-					to: flags.to,
-					subject,
-					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
-					...bodies.html !== void 0 ? { body_html: bodies.html } : {},
-					...attachments !== void 0 ? { attachments } : {},
-					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
-					...flags.wait !== void 0 ? { wait: flags.wait } : {},
-					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
-				},
-				client: apiClient._sendClient,
-				responseStyle: "fields"
-			});
-			if (result.error) {
-				const errorPayload = extractErrorPayload(result.error);
-				writeErrorWithHints(errorPayload);
-				surfaceUnauthorizedHint({
-					...authFailureContext,
-					payload: errorPayload
-				});
-				process.exitCode = 1;
-				return;
-			}
-			const envelope = result.data;
-			writeIdempotentReplayBannerIfReplay(envelope?.data, { write: (chunk) => {
-				process.stderr.write(chunk);
-			} });
-			this.log(JSON.stringify(envelope?.data ?? null, null, 2));
-		});
-	}
-};
-//#endregion
-//#region src/oclif/commands/signup.ts
-const INVALID_VERIFICATION_CODE = "invalid_verification_code";
-const EXPIRED_TOKEN = "expired_token";
-const INVALID_SIGNUP_TOKEN = "invalid_signup_token";
-const SLOW_DOWN = "slow_down";
-const PENDING_SIGNUP_FILE = "signup.json";
-const DEFAULT_SIGNUP_COMMAND_COPY = {
-	actionNoun: "signup",
-	actionGerund: "creating a new account",
-	confirmCommand: (email) => `signup confirm ${email} <code>`,
-	resendCommand: (email) => `signup resend ${email}`,
-	startCommand: (email) => `signup ${email}`
-};
-function cliError$1(message) {
-	return new Errors.CLIError(message, { exit: 1 });
-}
-function unwrapData(value) {
-	return value?.data ?? null;
-}
-function isRecord(value) {
-	return value !== null && typeof value === "object" && !Array.isArray(value);
-}
-function normalizeEmail(email) {
-	return email.trim().toLowerCase();
-}
-function pendingSignupFromJson(value) {
-	if (!isRecord(value)) return null;
-	if (typeof value.signup_token !== "string" || typeof value.email !== "string" || typeof value.expires_in !== "number" || typeof value.resend_after !== "number" || typeof value.verification_code_length !== "number" || typeof value.api_base_url_1 !== "string" || typeof value.created_at !== "string" || typeof value.expires_at !== "string") return null;
-	return {
-		api_base_url_1: value.api_base_url_1,
-		created_at: value.created_at,
-		email: value.email,
-		expires_at: value.expires_at,
-		expires_in: value.expires_in,
-		resend_after: value.resend_after,
-		signup_token: value.signup_token,
-		verification_code_length: value.verification_code_length
-	};
-}
-function pendingSignupPath(configDir) {
-	return join(configDir, PENDING_SIGNUP_FILE);
-}
-function deletePendingAgentSignup(configDir) {
-	rmSync(pendingSignupPath(configDir), { force: true });
-}
-function pendingSignupFromStart(start, apiBaseUrl1) {
-	return {
-		...start,
-		api_base_url_1: apiBaseUrl1,
-		created_at: (/* @__PURE__ */ new Date()).toISOString(),
-		expires_at: new Date(Date.now() + start.expires_in * 1e3).toISOString()
-	};
-}
-function savePendingAgentSignup(configDir, start, apiBaseUrl1) {
-	mkdirSync(configDir, {
-		mode: 448,
-		recursive: true
-	});
-	const pending = pendingSignupFromStart(start, apiBaseUrl1);
-	const path = pendingSignupPath(configDir);
-	const tempPath = join(configDir, `${PENDING_SIGNUP_FILE}.${process$1.pid}.${randomUUID()}.tmp`);
-	try {
-		writeFileSync(tempPath, `${JSON.stringify(pending, null, 2)}\n`, { mode: 384 });
-		chmodSync(tempPath, 384);
-		renameSync(tempPath, path);
-		chmodSync(path, 384);
-		return pending;
-	} catch (error) {
-		rmSync(tempPath, { force: true });
-		throw error;
-	}
-}
-function loadPendingAgentSignup(configDir, apiBaseUrl1) {
-	const path = pendingSignupPath(configDir);
-	let contents;
-	try {
-		contents = readFileSync(path, "utf8");
-	} catch (error) {
-		if (error && typeof error === "object" && error.code === "ENOENT") return null;
+		if (error && typeof error === "object" && error.code === "ENOENT") return null;
 		throw error;
 	}
 	let pending;
@@ -18997,8 +18798,8 @@ function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 function requirePendingSignupForEmail(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
-	if (!pending) throw cliError$1(`No pending ${copy.actionNoun} for ${params.email}. Run \`primitive ${copy.startCommand(params.email)}\` first.`);
-	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$1(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
+	if (!pending) throw cliError$2(`No pending ${copy.actionNoun} for ${params.email}. Run \`primitive ${copy.startCommand(params.email)}\` first.`);
+	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$2(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	return pending;
 }
 function retryAfterSeconds(result) {
@@ -19039,7 +18840,7 @@ async function confirmTerms() {
 	process$1.stderr.write("  https://primitive.dev/terms\n");
 	process$1.stderr.write("  https://primitive.dev/privacy\n");
 	const answer = (await promptRequired("Type 'yes' to continue: ")).toLowerCase();
-	if (answer !== "yes" && answer !== "y") throw cliError$1("You must accept the terms to create an account.");
+	if (answer !== "yes" && answer !== "y") throw cliError$2("You must accept the terms to create an account.");
 }
 async function checkExistingCredentials(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
@@ -19070,9 +18871,9 @@ async function checkExistingCredentials(params) {
 	}
 	if (existingStatus.status === "blocked") {
 		writeErrorWithHints(existingStatus.payload);
-		throw cliError$1(existingStatus.message);
+		throw cliError$2(existingStatus.message);
 	}
-	throw cliError$1(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before ${copy.actionGerund}.`);
+	throw cliError$2(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before ${copy.actionGerund}.`);
 }
 function saveSignupCredentials(params) {
 	saveCliCredentials(params.configDir, {
@@ -19106,7 +18907,7 @@ async function startSignup(params) {
 				started: false
 			};
 		}
-		throw cliError$1(`Pending ${copy.actionNoun} is for ${existingPending.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
+		throw cliError$2(`Pending ${copy.actionNoun} is for ${existingPending.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	}
 	if (params.flags.force) deletePendingAgentSignup(params.configDir);
 	const promptRequiredFn = params.deps.promptRequired ?? promptRequired;
@@ -19126,10 +18927,10 @@ async function startSignup(params) {
 	});
 	if (started.error) {
 		writeErrorWithHints(extractErrorPayload(started.error));
-		throw cliError$1("Could not start Primitive agent signup.");
+		throw cliError$2("Could not start Primitive agent signup.");
 	}
-	const startResult = unwrapData(started.data);
-	if (!startResult) throw cliError$1("Primitive API returned an empty agent signup response.");
+	const startResult = unwrapData$1(started.data);
+	if (!startResult) throw cliError$2("Primitive API returned an empty agent signup response.");
 	return {
 		pending: savePendingAgentSignup(params.configDir, startResult, params.apiBaseUrl1),
 		started: true
@@ -19142,7 +18943,7 @@ async function resendVerificationCode(params) {
 		responseStyle: "fields"
 	});
 	if (resent.data) {
-		const resend = unwrapData(resent.data);
+		const resend = unwrapData$1(resent.data);
 		const next = resend ? {
 			email: resend.email,
 			expires_in: resend.expires_in,
@@ -19167,7 +18968,7 @@ async function resendVerificationCode(params) {
 	}
 	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(params.configDir);
 	writeErrorWithHints(payload);
-	throw cliError$1("Could not resend Primitive agent signup verification email.");
+	throw cliError$2("Could not resend Primitive agent signup verification email.");
 }
 async function runSignupStartWithCredentialLock(params) {
 	const { configDir, flags } = params;
@@ -19227,8 +19028,8 @@ async function runSignupConfirmWithCredentialLock(params) {
 		responseStyle: "fields"
 	});
 	if (verified.data) {
-		const signup = unwrapData(verified.data);
-		if (!signup) throw cliError$1("Primitive API returned an empty agent signup verification response.");
+		const signup = unwrapData$1(verified.data);
+		if (!signup) throw cliError$2("Primitive API returned an empty agent signup verification response.");
 		saveSignupCredentials({
 			apiBaseUrl1,
 			configDir,
@@ -19242,10 +19043,10 @@ async function runSignupConfirmWithCredentialLock(params) {
 	}
 	const payload = extractErrorPayload(verified.error);
 	const code = extractErrorCode(payload);
-	if (code === INVALID_VERIFICATION_CODE) throw cliError$1(`Invalid verification code. Try again or run ${(params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY).resendCommand(params.email)}.`);
+	if (code === INVALID_VERIFICATION_CODE) throw cliError$2(`Invalid verification code. Try again or run ${(params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY).resendCommand(params.email)}.`);
 	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(configDir);
 	writeErrorWithHints(payload);
-	throw cliError$1("Primitive agent signup failed while verifying the account.");
+	throw cliError$2("Primitive agent signup failed while verifying the account.");
 }
 async function runSignupResendWithCredentialLock(params) {
 	const deps = params.deps ?? {};
@@ -19332,40 +19133,268 @@ async function runSignupInteractiveWithCredentialLock(params) {
 		}
 	}
 }
-function commonStartFlags() {
-	return {
-		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
+function commonStartFlags() {
+	return {
+		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials or pending signup state when needed"
+		}),
+		"signup-code": Flags.string({
+			description: "Signup code required to create an account",
+			env: "PRIMITIVE_SIGNUP_CODE"
+		})
+	};
+}
+var SignupCommand = class SignupCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address to sign up",
+		required: false
+	}) };
+	static description = "Start a Primitive account signup, send an email verification code, and save a pending signup token locally.";
+	static summary = "Start account signup";
+	static examples = [
+		"<%= config.bin %> signup user@example.com",
+		"<%= config.bin %> signup user@example.com --signup-code invite-code --accept-terms",
+		"<%= config.bin %> signup confirm user@example.com 123456"
+	];
+	static flags = commonStartFlags();
+	async run() {
+		const { args, flags } = await this.parse(SignupCommand);
+		let releaseCredentialsLock;
+		try {
+			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+		} catch (error) {
+			throw cliError$2(error instanceof Error ? error.message : String(error));
+		}
+		try {
+			await runSignupStartWithCredentialLock({
+				configDir: this.config.configDir,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SignupConfirmCommand = class SignupConfirmCommand extends Command {
+	static args = {
+		email: Args.string({
+			description: "Email address used to start signup",
+			required: true
+		}),
+		code: Args.string({
+			description: "Verification code from the signup email",
+			required: true
+		})
+	};
+	static description = "Confirm a pending Primitive signup, create an OAuth session, and save CLI credentials locally.";
+	static summary = "Confirm account signup";
+	static examples = ["<%= config.bin %> signup confirm user@example.com 123456", "<%= config.bin %> signup confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
+	static flags = {
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials after verification"
+		}),
+		"org-id": Flags.string({ description: "Workspace id to target when the email belongs to multiple workspaces" })
+	};
+	async run() {
+		const { args, flags } = await this.parse(SignupConfirmCommand);
+		let releaseCredentialsLock;
+		try {
+			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+		} catch (error) {
+			throw cliError$2(error instanceof Error ? error.message : String(error));
+		}
+		try {
+			await runSignupConfirmWithCredentialLock({
+				code: args.code,
+				configDir: this.config.configDir,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SignupResendCommand = class SignupResendCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address used to start signup",
+		required: true
+	}) };
+	static description = "Resend the verification code for a pending signup.";
+	static summary = "Resend signup verification code";
+	static examples = ["<%= config.bin %> signup resend user@example.com"];
+	static flags = { "api-base-url-1": Flags.string({
+		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+		env: "PRIMITIVE_API_BASE_URL_1",
+		hidden: true
+	}) };
+	async run() {
+		const { args, flags } = await this.parse(SignupResendCommand);
+		let releaseCredentialsLock;
+		try {
+			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+		} catch (error) {
+			throw cliError$2(error instanceof Error ? error.message : String(error));
+		}
+		try {
+			await runSignupResendWithCredentialLock({
+				configDir: this.config.configDir,
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+var SignupInteractiveCommand = class SignupInteractiveCommand extends Command {
+	static description = "Run the full signup flow in one interactive terminal session.";
+	static summary = "Run interactive account signup";
+	static examples = ["<%= config.bin %> signup interactive"];
+	static flags = commonStartFlags();
+	async run() {
+		const { flags } = await this.parse(SignupInteractiveCommand);
+		let releaseCredentialsLock;
+		try {
+			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+		} catch (error) {
+			throw cliError$2(error instanceof Error ? error.message : String(error));
+		}
+		try {
+			await runSignupInteractiveWithCredentialLock({
+				configDir: this.config.configDir,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
+};
+//#endregion
+//#region src/oclif/commands/logout.ts
+function cliError$1(message) {
+	return new Errors.CLIError(message, { exit: 1 });
+}
+function unwrapData(value) {
+	return value?.data ?? null;
+}
+function isSavedOAuthSessionExpiredError(error) {
+	return error instanceof Error && error.message === "Saved Primitive CLI OAuth session expired or was revoked. Run `primitive signin` to authenticate again.";
+}
+async function runLogoutWithCredentialLock(params) {
+	const deps = {
+		cliLogout,
+		createAuthenticatedCliApiClient,
+		...params.deps
+	};
+	let credentials;
+	try {
+		credentials = loadCliCredentials(params.configDir);
+	} catch (error) {
+		deleteCliCredentials(params.configDir);
+		const detail = error instanceof Error ? error.message : String(error);
+		process.stderr.write(`Removed unreadable Primitive CLI credentials. Backing OAuth grant was not revoked: ${detail}\n`);
+		process.exitCode = 1;
+		return;
+	}
+	if (!credentials) throw cliError$1("Not logged in. Run `primitive signin` to create saved CLI credentials.");
+	let authenticated;
+	try {
+		authenticated = await deps.createAuthenticatedCliApiClient({
+			apiBaseUrl1: params.flags["api-base-url-1"],
+			configDir: params.configDir,
+			credentialsLockHeld: true
+		});
+	} catch (error) {
+		if (isSavedOAuthSessionExpiredError(error) && loadCliCredentials(params.configDir) === null) {
+			process.stderr.write("Logged out (OAuth session was already expired or revoked on the server).\n");
+			return;
+		}
+		throw error;
+	}
+	const freshCredentials = authenticated.auth.credentials ?? credentials;
+	const result = await deps.cliLogout({
+		body: { key_id: freshCredentials.oauth_grant_id },
+		client: authenticated.apiClient.client,
+		responseStyle: "fields"
+	});
+	if (result.error) {
+		const payload = extractErrorPayload(result.error);
+		const code = extractErrorCode(payload);
+		if (code === API_ERROR_CODES.unauthorized || code === API_ERROR_CODES.notFound) {
+			deleteCliCredentials(params.configDir);
+			writeErrorWithHints(payload);
+			process.stderr.write("Removed saved Primitive CLI credentials because the backing OAuth grant is already unavailable.\n");
+			process.exitCode = 1;
+			return;
+		}
+		writeErrorWithHints(payload);
+		throw cliError$1("Could not revoke the saved Primitive CLI OAuth grant.");
+	}
+	const logout = unwrapData(result.data);
+	deleteCliCredentials(params.configDir);
+	const grantId = logout?.oauth_grant_id ?? freshCredentials.oauth_grant_id;
+	process.stderr.write(`Logged out and revoked OAuth grant ${grantId}.\n`);
+}
+function runForceLogout(params) {
+	const localCredentialsPath = credentialsPath(params.configDir);
+	const pendingPath = pendingSignupPath(params.configDir);
+	const lockPath = credentialsLockPath(params.configDir);
+	const removed = [
+		existsSync(localCredentialsPath) ? "local Primitive CLI credentials" : null,
+		existsSync(pendingPath) ? "pending email-code auth state" : null,
+		existsSync(lockPath) ? "credential lock" : null
+	].filter((value) => value !== null);
+	deleteCliCredentials(params.configDir);
+	deletePendingAgentSignup(params.configDir);
+	deleteCliCredentialsLock(params.configDir);
+	if (removed.length === 0) {
+		process.stderr.write("No local Primitive CLI auth state was present. Backing OAuth grant was not revoked.\n");
+		return;
+	}
+	process.stderr.write(`Removed ${formatList(removed)}. Backing OAuth grant was not revoked.\n`);
+}
+function formatList(values) {
+	if (values.length <= 1) return values[0] ?? "";
+	if (values.length === 2) return `${values[0]} and ${values[1]}`;
+	return `${values.slice(0, -1).join(", ")}, and ${values.at(-1)}`;
+}
+var LogoutCommand = class LogoutCommand extends Command {
+	static description = "Log out by revoking the saved Primitive CLI OAuth grant and deleting local credentials. Use --force to remove local credentials, pending email-code auth state, and stale credential locks without contacting Primitive.";
+	static summary = "Log out and revoke the saved CLI OAuth grant";
+	static examples = ["<%= config.bin %> logout", "<%= config.bin %> logout --force"];
+	static flags = {
 		"api-base-url-1": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
 			env: "PRIMITIVE_API_BASE_URL_1",
 			hidden: true
 		}),
-		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
 		force: Flags.boolean({
 			char: "f",
-			description: "Replace saved credentials or pending signup state when needed"
-		}),
-		"signup-code": Flags.string({
-			description: "Signup code required to create an account",
-			env: "PRIMITIVE_SIGNUP_CODE"
+			description: "Remove local CLI credentials, pending email-code auth state, and any credential lock without revoking the server OAuth grant"
 		})
 	};
-}
-var SignupCommand = class SignupCommand extends Command {
-	static args = { email: Args.string({
-		description: "Email address to sign up",
-		required: false
-	}) };
-	static description = "Start a Primitive account signup, send an email verification code, and save a pending signup token locally.";
-	static summary = "Start account signup";
-	static examples = [
-		"<%= config.bin %> signup user@example.com",
-		"<%= config.bin %> signup user@example.com --signup-code invite-code --accept-terms",
-		"<%= config.bin %> signup confirm user@example.com 123456"
-	];
-	static flags = commonStartFlags();
 	async run() {
-		const { args, flags } = await this.parse(SignupCommand);
+		const { flags } = await this.parse(LogoutCommand);
+		if (flags.force) {
+			runForceLogout({ configDir: this.config.configDir });
+			return;
+		}
 		let releaseCredentialsLock;
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
@@ -19373,9 +19402,8 @@ var SignupCommand = class SignupCommand extends Command {
 			throw cliError$1(error instanceof Error ? error.message : String(error));
 		}
 		try {
-			await runSignupStartWithCredentialLock({
+			await runLogoutWithCredentialLock({
 				configDir: this.config.configDir,
-				email: args.email,
 				flags
 			});
 		} finally {
@@ -19383,105 +19411,344 @@ var SignupCommand = class SignupCommand extends Command {
 		}
 	}
 };
-var SignupConfirmCommand = class SignupConfirmCommand extends Command {
-	static args = {
-		email: Args.string({
-			description: "Email address used to start signup",
-			required: true
+//#endregion
+//#region src/oclif/message-body-sources.ts
+function defaultReadFile(path) {
+	return readFileSync(path, "utf8");
+}
+function defaultReadStdin() {
+	if (process.stdin.isTTY) throw new Error("stdin is a TTY; pipe a value into this command or pass a file/string source instead.");
+	return readFileSync(0, "utf8");
+}
+function selectedSources(sources) {
+	return sources.filter(([, selected]) => selected).map(([label]) => label);
+}
+function readTextFile(path, label, readFile) {
+	try {
+		return {
+			content: readFile(path),
+			kind: "ok"
+		};
+	} catch (error) {
+		return {
+			kind: "error",
+			message: `Could not read ${label} ${path}: ${error instanceof Error ? error.message : String(error)}`
+		};
+	}
+}
+function readTextStdin(label, readStdin) {
+	try {
+		return {
+			content: readStdin(),
+			kind: "ok"
+		};
+	} catch (error) {
+		return {
+			kind: "error",
+			message: `Could not read ${label}: ${error instanceof Error ? error.message : String(error)}`
+		};
+	}
+}
+function resolveMessageBodies(input) {
+	const bodySources = selectedSources([
+		["--body", input.body !== void 0],
+		["--body-file", input.bodyFile !== void 0],
+		["--body-stdin", input.bodyStdin === true]
+	]);
+	if (bodySources.length > 1) return {
+		kind: "error",
+		message: `Pass only one plain-text body source (got ${bodySources.join(", ")}).`
+	};
+	const htmlSources = selectedSources([
+		["--html", input.html !== void 0],
+		["--html-file", input.htmlFile !== void 0],
+		["--html-stdin", input.htmlStdin === true]
+	]);
+	if (htmlSources.length > 1) return {
+		kind: "error",
+		message: `Pass only one HTML body source (got ${htmlSources.join(", ")}).`
+	};
+	const stdinSources = selectedSources([["--body-stdin", input.bodyStdin === true], ["--html-stdin", input.htmlStdin === true]]);
+	if (stdinSources.length > 1) return {
+		kind: "error",
+		message: `Stdin can only be consumed once (got ${stdinSources.join(", ")}).`
+	};
+	if (bodySources.length === 0 && htmlSources.length === 0) return {
+		kind: "error",
+		message: "Either a plain-text body source or an HTML body source is required."
+	};
+	const readFile = input.readFile ?? defaultReadFile;
+	const readStdin = input.readStdin ?? defaultReadStdin;
+	let body = input.body;
+	let html = input.html;
+	if (input.bodyFile !== void 0) {
+		const result = readTextFile(input.bodyFile, "--body-file", readFile);
+		if (result.kind === "error") return result;
+		body = result.content;
+	}
+	if (input.bodyStdin === true) {
+		const result = readTextStdin("--body-stdin", readStdin);
+		if (result.kind === "error") return result;
+		body = result.content;
+	}
+	if (input.htmlFile !== void 0) {
+		const result = readTextFile(input.htmlFile, "--html-file", readFile);
+		if (result.kind === "error") return result;
+		html = result.content;
+	}
+	if (input.htmlStdin === true) {
+		const result = readTextStdin("--html-stdin", readStdin);
+		if (result.kind === "error") return result;
+		html = result.content;
+	}
+	if (!body && !html) return {
+		kind: "error",
+		message: "Either a non-empty plain-text body or a non-empty HTML body is required."
+	};
+	return {
+		...body !== void 0 ? { body } : {},
+		...html !== void 0 ? { html } : {},
+		kind: "ok"
+	};
+}
+//#endregion
+//#region src/oclif/commands/reply.ts
+var ReplyCommand = class ReplyCommand extends Command {
+	static description = `Reply to an inbound email.
+
+  The API derives recipients, the Re: subject, and threading headers from the inbound email id. Use \`primitive send --in-reply-to <message-id>\` only when you need to thread against a raw Message-Id instead of an inbound email stored by Primitive.`;
+	static summary = "Reply to an inbound email";
+	static examples = [
+		"<%= config.bin %> reply --id <inbound-email-id> --body 'Thanks, got it.'",
+		"<%= config.bin %> reply --id <inbound-email-id> --body-file ./reply.txt",
+		"<%= config.bin %> reply --id <inbound-email-id> --html '<p>Thanks, got it.</p>' --wait",
+		"<%= config.bin %> reply --id <inbound-email-id> --from 'Support <support@example.com>' --body 'Thanks!'"
+	];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
 		}),
-		code: Args.string({
-			description: "Verification code from the signup email",
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"api-base-url-2": Flags.string({
+			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_2",
+			hidden: true
+		}),
+		id: Flags.string({
+			description: "Inbound email id to reply to.",
 			required: true
-		})
+		}),
+		body: Flags.string({ description: "Plain-text reply body. Either --body or --html (or both) is required." }),
+		"body-file": Flags.string({ description: "Read the plain-text reply body from a UTF-8 file. Mutually exclusive with --body and --body-stdin." }),
+		"body-stdin": Flags.boolean({ description: "Read the plain-text reply body from stdin. Mutually exclusive with --body and --body-file. Stdin can only be consumed once." }),
+		html: Flags.string({ description: "HTML reply body. Either --body or --html (or both) is required." }),
+		"html-file": Flags.string({ description: "Read the HTML reply body from a UTF-8 file. Mutually exclusive with --html and --html-stdin." }),
+		"html-stdin": Flags.boolean({ description: "Read the HTML reply body from stdin. Mutually exclusive with --html and --html-file. Stdin can only be consumed once." }),
+		from: Flags.string({ description: "Optional From header override. Defaults to the inbound recipient." }),
+		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the reply for delivery." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
 	};
-	static description = "Confirm a pending Primitive signup, create an OAuth session, and save CLI credentials locally.";
-	static summary = "Confirm account signup";
-	static examples = ["<%= config.bin %> signup confirm user@example.com 123456", "<%= config.bin %> signup confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
+	async run() {
+		const { flags } = await this.parse(ReplyCommand);
+		const bodies = resolveMessageBodies({
+			body: flags.body,
+			bodyFile: flags["body-file"],
+			bodyStdin: flags["body-stdin"],
+			html: flags.html,
+			htmlFile: flags["html-file"],
+			htmlStdin: flags["html-stdin"]
+		});
+		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl2: flags["api-base-url-2"],
+				configDir: this.config.configDir
+			});
+			const result = await replyToEmail({
+				body: {
+					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
+					...bodies.html !== void 0 ? { body_html: bodies.html } : {},
+					...flags.from !== void 0 ? { from: flags.from } : {},
+					...flags.wait !== void 0 ? { wait: flags.wait } : {}
+				},
+				client: apiClient.client,
+				path: { id: flags.id },
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const errorPayload = extractErrorPayload(result.error);
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const envelope = result.data;
+			writeIdempotentReplayBannerIfReplay(envelope?.data, { write: (chunk) => {
+				process.stderr.write(chunk);
+			} });
+			this.log(JSON.stringify(envelope?.data ?? null, null, 2));
+		});
+	}
+};
+//#endregion
+//#region src/oclif/attachments.ts
+function readAttachmentBytes(path, readFile) {
+	try {
+		return Buffer.from(readFile(path));
+	} catch (error) {
+		const detail = error instanceof Error ? error.message : String(error);
+		throw new Errors.CLIError(`Could not read --attachment ${path}: ${detail}`, { exit: 1 });
+	}
+}
+function hasControlCharacter(value) {
+	return Array.from(value).some((character) => {
+		const code = character.charCodeAt(0);
+		return code <= 31 || code >= 127 && code <= 159;
+	});
+}
+function validateAttachmentFilename(path, filename) {
+	if (!filename) throw new Errors.CLIError(`Could not derive an attachment filename from ${path}. Pass a file path.`, { exit: 1 });
+	if (hasControlCharacter(filename)) throw new Errors.CLIError(`Attachment filename ${filename} contains control characters.`, { exit: 1 });
+}
+function readAttachmentFiles(paths, readFile = readFileSync) {
+	if (!paths || paths.length === 0) return void 0;
+	return paths.map((path) => {
+		const filename = basename(path);
+		validateAttachmentFilename(path, filename);
+		const bytes = readAttachmentBytes(path, readFile);
+		if (bytes.length === 0) throw new Errors.CLIError(`Attachment file ${path} is empty. Attachments must contain at least one byte.`, { exit: 1 });
+		return {
+			content_base64: bytes.toString("base64"),
+			filename
+		};
+	});
+}
+//#endregion
+//#region src/oclif/commands/send.ts
+var SendCommand = class SendCommand extends Command {
+	static description = `Send an outbound email. Agent-grade shortcut for \`sending send\` with sensible defaults.
+
+  --from defaults to agent@<your-first-verified-outbound-domain> when omitted.
+  --subject defaults to the first line of the body when omitted.
+  --attachment attaches a file; repeat it to attach multiple files.
+
+  For the full flag set (custom message-id threading on the wire,
+  references arrays, etc.), use \`primitive sending send\`.`;
+	static summary = "Send an email (simplified, agent-friendly)";
+	static examples = [
+		"<%= config.bin %> send --to alice@example.com --body 'Hi Alice!'",
+		"<%= config.bin %> send --to alice@example.com --body-file ./message.txt",
+		"<%= config.bin %> send --to alice@example.com --body 'See attached.' --attachment ./report.pdf",
+		"<%= config.bin %> send --to alice@example.com --from support@yourcompany.com --subject 'Quick question' --body 'Are you free Thursday?'",
+		"<%= config.bin %> send --to alice@example.com --html '<p>Hello!</p>'",
+		"<%= config.bin %> send --to alice@example.com --body 'Confirmed' --wait",
+		"<%= config.bin %> send --to inbox@your-managed-domain.primitive.email --body 'self-loop smoke test' --wait  # any *.primitive.email address routes back to the sending account; useful for proving outbound + inbound work end-to-end"
+	];
 	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
 		"api-base-url-1": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
 			env: "PRIMITIVE_API_BASE_URL_1",
 			hidden: true
 		}),
-		force: Flags.boolean({
-			char: "f",
-			description: "Replace saved credentials after verification"
+		"api-base-url-2": Flags.string({
+			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_2",
+			hidden: true
 		}),
-		"org-id": Flags.string({ description: "Workspace id to target when the email belongs to multiple workspaces" })
+		to: Flags.string({
+			description: "Recipient address (e.g. alice@example.com).",
+			required: true
+		}),
+		from: Flags.string({ description: "Sender address. Defaults to agent@<your-first-verified-outbound-domain>." }),
+		subject: Flags.string({ description: "Subject line. Defaults to the first line of --body / --html when omitted." }),
+		body: Flags.string({ description: "Plain-text message body. Either --body or --html (or both) is required." }),
+		"body-file": Flags.string({ description: "Read the plain-text message body from a UTF-8 file. This does not attach the file; use --attachment for file attachments. Mutually exclusive with --body and --body-stdin." }),
+		"body-stdin": Flags.boolean({ description: "Read the plain-text message body from stdin. Mutually exclusive with --body and --body-file. Stdin can only be consumed once." }),
+		html: Flags.string({ description: "HTML message body. Either --body or --html (or both) is required." }),
+		"html-file": Flags.string({ description: "Read the HTML message body from a UTF-8 file. Mutually exclusive with --html and --html-stdin." }),
+		"html-stdin": Flags.boolean({ description: "Read the HTML message body from stdin. Mutually exclusive with --html and --html-file. Stdin can only be consumed once." }),
+		attachment: Flags.string({
+			description: "Attach a file to the email. Repeatable. Sends file bytes as a MIME attachment; use --body-file only for message body text.",
+			multiple: true
+		}),
+		"in-reply-to": Flags.string({ description: "Message-Id of the parent email when threading a reply on the wire. For replying to an inbound message you received, prefer `primitive reply --id <inbound-id>`." }),
+		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the message for delivery." }),
+		"wait-timeout-ms": Flags.integer({ description: "Maximum time to wait when --wait is set. Defaults to 30000ms." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
 	};
 	async run() {
-		const { args, flags } = await this.parse(SignupConfirmCommand);
-		let releaseCredentialsLock;
-		try {
-			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
-		} catch (error) {
-			throw cliError$1(error instanceof Error ? error.message : String(error));
-		}
-		try {
-			await runSignupConfirmWithCredentialLock({
-				code: args.code,
-				configDir: this.config.configDir,
-				email: args.email,
-				flags
-			});
-		} finally {
-			releaseCredentialsLock();
-		}
-	}
-};
-var SignupResendCommand = class SignupResendCommand extends Command {
-	static args = { email: Args.string({
-		description: "Email address used to start signup",
-		required: true
-	}) };
-	static description = "Resend the verification code for a pending signup.";
-	static summary = "Resend signup verification code";
-	static examples = ["<%= config.bin %> signup resend user@example.com"];
-	static flags = { "api-base-url-1": Flags.string({
-		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-		env: "PRIMITIVE_API_BASE_URL_1",
-		hidden: true
-	}) };
-	async run() {
-		const { args, flags } = await this.parse(SignupResendCommand);
-		let releaseCredentialsLock;
-		try {
-			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
-		} catch (error) {
-			throw cliError$1(error instanceof Error ? error.message : String(error));
-		}
-		try {
-			await runSignupResendWithCredentialLock({
-				configDir: this.config.configDir,
-				email: args.email,
-				flags
+		const { flags } = await this.parse(SendCommand);
+		const bodies = resolveMessageBodies({
+			body: flags.body,
+			bodyFile: flags["body-file"],
+			bodyStdin: flags["body-stdin"],
+			html: flags.html,
+			htmlFile: flags["html-file"],
+			htmlStdin: flags["html-stdin"]
+		});
+		if (bodies.kind === "error") throw new Errors.CLIError(bodies.message);
+		const attachments = readAttachmentFiles(flags.attachment);
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl2: flags["api-base-url-2"],
+				configDir: this.config.configDir
 			});
-		} finally {
-			releaseCredentialsLock();
-		}
-	}
-};
-var SignupInteractiveCommand = class SignupInteractiveCommand extends Command {
-	static description = "Run the full signup flow in one interactive terminal session.";
-	static summary = "Run interactive account signup";
-	static examples = ["<%= config.bin %> signup interactive"];
-	static flags = commonStartFlags();
-	async run() {
-		const { flags } = await this.parse(SignupInteractiveCommand);
-		let releaseCredentialsLock;
-		try {
-			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
-		} catch (error) {
-			throw cliError$1(error instanceof Error ? error.message : String(error));
-		}
-		try {
-			await runSignupInteractiveWithCredentialLock({
-				configDir: this.config.configDir,
-				flags
+			const authFailureContext = {
+				auth,
+				baseUrlOverridden,
+				configDir: this.config.configDir
+			};
+			const from = flags.from ?? await pickDefaultFromAddress(apiClient, authFailureContext);
+			const subject = flags.subject ?? (bodies.body ? deriveSubject(bodies.body) : "Message");
+			const result = await sendEmail({
+				body: {
+					from,
+					to: flags.to,
+					subject,
+					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
+					...bodies.html !== void 0 ? { body_html: bodies.html } : {},
+					...attachments !== void 0 ? { attachments } : {},
+					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
+					...flags.wait !== void 0 ? { wait: flags.wait } : {},
+					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
+				},
+				client: apiClient._sendClient,
+				responseStyle: "fields"
 			});
-		} finally {
-			releaseCredentialsLock();
-		}
+			if (result.error) {
+				const errorPayload = extractErrorPayload(result.error);
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					...authFailureContext,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const envelope = result.data;
+			writeIdempotentReplayBannerIfReplay(envelope?.data, { write: (chunk) => {
+				process.stderr.write(chunk);
+			} });
+			this.log(JSON.stringify(envelope?.data ?? null, null, 2));
+		});
 	}
 };
 //#endregion
@@ -19496,6 +19763,34 @@ const SIGNIN_OTP_COPY = {
 	resendCommand: (email) => `signin otp resend ${email}`,
 	startCommand: (email) => `signin otp ${email}`
 };
+const SIGNIN_EMAIL_COPY = {
+	actionNoun: "sign-in",
+	actionGerund: "signing in",
+	confirmCommand: (email) => `signin confirm ${email} <code>`,
+	resendCommand: (email) => `signin resend ${email}`,
+	startCommand: (email) => `signin ${email}`
+};
+const LOGIN_EMAIL_COPY = {
+	actionNoun: "login",
+	actionGerund: "logging in",
+	confirmCommand: (email) => `login confirm ${email} <code>`,
+	resendCommand: (email) => `login resend ${email}`,
+	startCommand: (email) => `login ${email}`
+};
+const LOGIN_OTP_COPY = {
+	actionNoun: "login",
+	actionGerund: "logging in",
+	confirmCommand: (email) => `login otp confirm ${email} <code>`,
+	resendCommand: (email) => `login otp resend ${email}`,
+	startCommand: (email) => `login otp ${email}`
+};
+const OTP_COPY = {
+	actionNoun: "email-code auth",
+	actionGerund: "authenticating",
+	confirmCommand: (email) => `otp confirm ${email} <code>`,
+	resendCommand: (email) => `otp resend ${email}`,
+	startCommand: (email) => `otp ${email}`
+};
 function acquireCredentialsLock(configDir) {
 	try {
 		return acquireCliCredentialsLock(configDir);
@@ -19514,31 +19809,91 @@ function commonOtpStartFlags() {
 		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
 		force: Flags.boolean({
 			char: "f",
-			description: "Replace saved credentials or pending sign-in state when needed"
+			description: "Replace saved credentials or pending email-code auth state when needed"
 		}),
 		"signup-code": Flags.string({
-			description: "Signup code required to start OTP sign-in",
+			description: "Signup code required to start email-code sign-in",
 			env: "PRIMITIVE_SIGNUP_CODE"
 		})
 	};
 }
-var SigninCommand = class extends LoginCommand {
-	static description = `Sign in to an existing Primitive account with browser approval and save an org-scoped OAuth session locally.
+var SigninCommand = class extends LoginCommand$1 {
+	static args = { email: Args.string({
+		description: "Email address for email-code sign-in. Omit it to use browser approval.",
+		required: false
+	}) };
+	static description = `Sign in or log in to an existing Primitive account and save an org-scoped OAuth session locally.
 
-This is the canonical sign-in command. It defaults to the same browser approval flow as \`primitive signin browser\`. For email-code sign-in, use \`primitive signin otp <email> --signup-code <code>\`, then \`primitive signin otp confirm <email> <code>\`. For new account creation, use \`primitive signup <email>\`.`;
+Run \`primitive signin <email> --signup-code <code> --accept-terms\` for email-code sign-in, then \`primitive signin confirm <email> <code>\`. Run \`primitive signin\` with no email to use browser approval; \`primitive signin browser\` is the explicit browser form. \`primitive login\` supports the same flows with login-shaped commands. \`primitive otp <email>\` is the shortest email-code auth form. For new account creation, use \`primitive signup <email>\`.`;
 	static summary = "Sign in to an existing account";
 	static examples = [
 		"<%= config.bin %> signin",
 		"<%= config.bin %> signin browser",
 		"<%= config.bin %> signin --no-browser",
+		"<%= config.bin %> signin user@example.com --signup-code invite-code --accept-terms",
+		"<%= config.bin %> signin confirm user@example.com 123456",
 		"<%= config.bin %> signin otp user@example.com --signup-code invite-code --accept-terms",
 		"<%= config.bin %> signin otp confirm user@example.com 123456"
 	];
+	static flags = {
+		...LoginCommand$1.flags,
+		...commonOtpStartFlags(),
+		force: Flags.boolean({
+			char: "f",
+			description: "Replace saved credentials or pending email-code auth state when needed, without first verifying the existing session"
+		})
+	};
+	async run() {
+		const commandClass = this.constructor;
+		const { args, flags } = await this.parse(commandClass);
+		if (!args.email) {
+			if (flags["signup-code"] || flags["accept-terms"]) throw cliError(`Email-code auth needs an email address. Run \`primitive ${this.emailCodeCopy().startCommand("<email>")} --signup-code <code> --accept-terms\`.`);
+			await this.runBrowserLogin(flags, this.retryCommand());
+			return;
+		}
+		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
+		try {
+			await runSignupStartWithCredentialLock({
+				configDir: this.config.configDir,
+				copy: this.emailCodeCopy(),
+				email: args.email,
+				flags
+			});
+		} finally {
+			releaseCredentialsLock();
+		}
+	}
 	retryCommand() {
 		return "signin";
 	}
+	emailCodeCopy() {
+		return SIGNIN_EMAIL_COPY;
+	}
+};
+var LoginCommand = class extends SigninCommand {
+	static args = SigninCommand.args;
+	static description = `Log in or sign in to an existing Primitive account and save an org-scoped OAuth session locally.
+
+Run \`primitive login <email> --signup-code <code> --accept-terms\` for email-code login, then \`primitive login confirm <email> <code>\`. Run \`primitive login\` with no email to use browser approval; \`primitive login browser\` is the explicit browser form. \`primitive signin\` supports the same flows with signin-shaped commands. \`primitive otp <email>\` is the shortest email-code auth form. For new account creation, use \`primitive signup <email>\`.`;
+	static summary = "Log in to an existing account";
+	static examples = [
+		"<%= config.bin %> login",
+		"<%= config.bin %> login browser",
+		"<%= config.bin %> login --no-browser",
+		"<%= config.bin %> login user@example.com --signup-code invite-code --accept-terms",
+		"<%= config.bin %> login confirm user@example.com 123456",
+		"<%= config.bin %> login otp user@example.com --signup-code invite-code --accept-terms",
+		"<%= config.bin %> login otp confirm user@example.com 123456"
+	];
+	static flags = SigninCommand.flags;
+	retryCommand() {
+		return "login";
+	}
+	emailCodeCopy() {
+		return LOGIN_EMAIL_COPY;
+	}
 };
-var SigninBrowserCommand = class extends LoginCommand {
+var SigninBrowserCommand = class extends LoginCommand$1 {
 	static description = "Sign in to an existing Primitive account by opening Primitive in your browser and saving an org-scoped OAuth session locally.";
 	static summary = "Sign in with browser approval";
 	static examples = [
@@ -19551,7 +19906,20 @@ var SigninBrowserCommand = class extends LoginCommand {
 		return "signin browser";
 	}
 };
-var SigninOtpCommand = class SigninOtpCommand extends Command {
+var LoginBrowserCommand = class extends LoginCommand$1 {
+	static description = "Log in to an existing Primitive account by opening Primitive in your browser and saving an org-scoped OAuth session locally.";
+	static summary = "Log in with browser approval";
+	static examples = [
+		"<%= config.bin %> login browser",
+		"<%= config.bin %> login browser --device-name work-laptop",
+		"<%= config.bin %> login browser --no-browser",
+		"<%= config.bin %> login browser --force"
+	];
+	retryCommand() {
+		return "login browser";
+	}
+};
+var SigninOtpCommand = class extends Command {
 	static args = { email: Args.string({
 		description: "Email address to sign in with",
 		required: false
@@ -19561,12 +19929,13 @@ var SigninOtpCommand = class SigninOtpCommand extends Command {
 	static examples = ["<%= config.bin %> signin otp user@example.com --signup-code invite-code --accept-terms", "<%= config.bin %> signin otp confirm user@example.com 123456"];
 	static flags = commonOtpStartFlags();
 	async run() {
-		const { args, flags } = await this.parse(SigninOtpCommand);
+		const commandClass = this.constructor;
+		const { args, flags } = await this.parse(commandClass);
 		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
 		try {
 			await runSignupStartWithCredentialLock({
 				configDir: this.config.configDir,
-				copy: SIGNIN_OTP_COPY,
+				copy: this.emailCodeCopy(),
 				email: args.email,
 				flags
 			});
@@ -19574,8 +19943,31 @@ var SigninOtpCommand = class SigninOtpCommand extends Command {
 			releaseCredentialsLock();
 		}
 	}
+	emailCodeCopy() {
+		return SIGNIN_OTP_COPY;
+	}
 };
-var SigninOtpConfirmCommand = class SigninOtpConfirmCommand extends Command {
+var LoginOtpCommand = class extends SigninOtpCommand {
+	static args = SigninOtpCommand.args;
+	static description = "Start email-code login using Primitive's signup/auth OTP flow, send a verification code, and save the pending token locally. Requires a signup code.";
+	static summary = "Start OTP login";
+	static examples = ["<%= config.bin %> login otp user@example.com --signup-code invite-code --accept-terms", "<%= config.bin %> login otp confirm user@example.com 123456"];
+	static flags = SigninOtpCommand.flags;
+	emailCodeCopy() {
+		return LOGIN_OTP_COPY;
+	}
+};
+var OtpCommand = class extends SigninOtpCommand {
+	static args = SigninOtpCommand.args;
+	static description = "Start email-code authentication, send a verification code, and save the pending token locally. Requires a signup code.";
+	static summary = "Start email-code auth";
+	static examples = ["<%= config.bin %> otp user@example.com --signup-code invite-code --accept-terms", "<%= config.bin %> otp confirm user@example.com 123456"];
+	static flags = SigninOtpCommand.flags;
+	emailCodeCopy() {
+		return OTP_COPY;
+	}
+};
+var SigninOtpConfirmCommand = class extends Command {
 	static args = {
 		email: Args.string({
 			description: "Email address used to start OTP sign-in",
@@ -19602,13 +19994,14 @@ var SigninOtpConfirmCommand = class SigninOtpConfirmCommand extends Command {
 		"org-id": Flags.string({ description: "Workspace id to target when the email belongs to multiple workspaces" })
 	};
 	async run() {
-		const { args, flags } = await this.parse(SigninOtpConfirmCommand);
+		const commandClass = this.constructor;
+		const { args, flags } = await this.parse(commandClass);
 		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
 		try {
 			await runSignupConfirmWithCredentialLock({
 				code: args.code,
 				configDir: this.config.configDir,
-				copy: SIGNIN_OTP_COPY,
+				copy: this.emailCodeCopy(),
 				email: args.email,
 				flags
 			});
@@ -19616,8 +20009,51 @@ var SigninOtpConfirmCommand = class SigninOtpConfirmCommand extends Command {
 			releaseCredentialsLock();
 		}
 	}
+	emailCodeCopy() {
+		return SIGNIN_OTP_COPY;
+	}
+};
+var SigninConfirmCommand = class extends SigninOtpConfirmCommand {
+	static args = SigninOtpConfirmCommand.args;
+	static description = "Confirm a pending email-code sign-in, create an OAuth session, and save CLI credentials locally.";
+	static summary = "Confirm email-code sign-in";
+	static examples = ["<%= config.bin %> signin confirm user@example.com 123456", "<%= config.bin %> signin confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
+	static flags = SigninOtpConfirmCommand.flags;
+	emailCodeCopy() {
+		return SIGNIN_EMAIL_COPY;
+	}
 };
-var SigninOtpResendCommand = class SigninOtpResendCommand extends Command {
+var LoginConfirmCommand = class extends SigninOtpConfirmCommand {
+	static args = SigninOtpConfirmCommand.args;
+	static description = "Confirm a pending email-code login, create an OAuth session, and save CLI credentials locally.";
+	static summary = "Confirm email-code login";
+	static examples = ["<%= config.bin %> login confirm user@example.com 123456", "<%= config.bin %> login confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
+	static flags = SigninOtpConfirmCommand.flags;
+	emailCodeCopy() {
+		return LOGIN_EMAIL_COPY;
+	}
+};
+var LoginOtpConfirmCommand = class extends SigninOtpConfirmCommand {
+	static args = SigninOtpConfirmCommand.args;
+	static description = "Confirm a pending OTP login, create an OAuth session, and save CLI credentials locally.";
+	static summary = "Confirm OTP login";
+	static examples = ["<%= config.bin %> login otp confirm user@example.com 123456", "<%= config.bin %> login otp confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
+	static flags = SigninOtpConfirmCommand.flags;
+	emailCodeCopy() {
+		return LOGIN_OTP_COPY;
+	}
+};
+var OtpConfirmCommand = class extends SigninOtpConfirmCommand {
+	static args = SigninOtpConfirmCommand.args;
+	static description = "Confirm pending email-code authentication, create an OAuth session, and save CLI credentials locally.";
+	static summary = "Confirm email-code auth";
+	static examples = ["<%= config.bin %> otp confirm user@example.com 123456", "<%= config.bin %> otp confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
+	static flags = SigninOtpConfirmCommand.flags;
+	emailCodeCopy() {
+		return OTP_COPY;
+	}
+};
+var SigninOtpResendCommand = class extends Command {
 	static args = { email: Args.string({
 		description: "Email address used to start OTP sign-in",
 		required: true
@@ -19631,12 +20067,13 @@ var SigninOtpResendCommand = class SigninOtpResendCommand extends Command {
 		hidden: true
 	}) };
 	async run() {
-		const { args, flags } = await this.parse(SigninOtpResendCommand);
+		const commandClass = this.constructor;
+		const { args, flags } = await this.parse(commandClass);
 		const releaseCredentialsLock = acquireCredentialsLock(this.config.configDir);
 		try {
 			await runSignupResendWithCredentialLock({
 				configDir: this.config.configDir,
-				copy: SIGNIN_OTP_COPY,
+				copy: this.emailCodeCopy(),
 				email: args.email,
 				flags
 			});
@@ -19644,6 +20081,49 @@ var SigninOtpResendCommand = class SigninOtpResendCommand extends Command {
 			releaseCredentialsLock();
 		}
 	}
+	emailCodeCopy() {
+		return SIGNIN_OTP_COPY;
+	}
+};
+var SigninResendCommand = class extends SigninOtpResendCommand {
+	static args = SigninOtpResendCommand.args;
+	static description = "Resend the verification code for a pending email-code sign-in.";
+	static summary = "Resend email-code sign-in code";
+	static examples = ["<%= config.bin %> signin resend user@example.com"];
+	static flags = SigninOtpResendCommand.flags;
+	emailCodeCopy() {
+		return SIGNIN_EMAIL_COPY;
+	}
+};
+var LoginResendCommand = class extends SigninOtpResendCommand {
+	static args = SigninOtpResendCommand.args;
+	static description = "Resend the verification code for a pending email-code login.";
+	static summary = "Resend email-code login code";
+	static examples = ["<%= config.bin %> login resend user@example.com"];
+	static flags = SigninOtpResendCommand.flags;
+	emailCodeCopy() {
+		return LOGIN_EMAIL_COPY;
+	}
+};
+var LoginOtpResendCommand = class extends SigninOtpResendCommand {
+	static args = SigninOtpResendCommand.args;
+	static description = "Resend the verification code for a pending OTP login.";
+	static summary = "Resend OTP login code";
+	static examples = ["<%= config.bin %> login otp resend user@example.com"];
+	static flags = SigninOtpResendCommand.flags;
+	emailCodeCopy() {
+		return LOGIN_OTP_COPY;
+	}
+};
+var OtpResendCommand = class extends SigninOtpResendCommand {
+	static args = SigninOtpResendCommand.args;
+	static description = "Resend the verification code for pending email-code authentication.";
+	static summary = "Resend email-code auth code";
+	static examples = ["<%= config.bin %> otp resend user@example.com"];
+	static flags = SigninOtpResendCommand.flags;
+	emailCodeCopy() {
+		return OTP_COPY;
+	}
 };
 //#endregion
 //#region src/oclif/commands/whoami.ts
@@ -19990,11 +20470,22 @@ const COMMANDS = {
 	reply: ReplyCommand,
 	chat: ChatCommand,
 	login: LoginCommand,
+	"login:browser": LoginBrowserCommand,
+	"login:confirm": LoginConfirmCommand,
+	"login:otp": LoginOtpCommand,
+	"login:otp:confirm": LoginOtpConfirmCommand,
+	"login:otp:resend": LoginOtpResendCommand,
+	"login:resend": LoginResendCommand,
+	otp: OtpCommand,
+	"otp:confirm": OtpConfirmCommand,
+	"otp:resend": OtpResendCommand,
 	signin: SigninCommand,
 	"signin:browser": SigninBrowserCommand,
+	"signin:confirm": SigninConfirmCommand,
 	"signin:otp": SigninOtpCommand,
 	"signin:otp:confirm": SigninOtpConfirmCommand,
 	"signin:otp:resend": SigninOtpResendCommand,
+	"signin:resend": SigninResendCommand,
 	signup: SignupCommand,
 	"signup:confirm": SignupConfirmCommand,
 	"signup:interactive": SignupInteractiveCommand,