npm - @primitivedotdev/cli - Versions diffs - 0.34.0 → 0.35.0 - Mend

@primitivedotdev/cli 0.34.0 → 0.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md +4 -0
package/dist/{cli-config-D9nB6fOW.js → cli-config-SktG2dzR.js} +9 -8
package/dist/oclif/index.js +1078 -158
package/dist/oclif/root-signup-hint.js +1 -1
package/package.json +7 -3

package/dist/oclif/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
-import { A as createClient, C as saveCliCredentials, D as loadChatConversationByLocalId, E as loadActiveChatState, O as saveActiveChatState, S as resolveCliAuth, T as deleteChatState, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as normalizeApiBaseUrl1, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, j as createConfig, k as PrimitiveApiClient, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as chatStatePath, x as normalizeApiBaseUrl2, y as loadCliCredentials } from "../cli-config-D9nB6fOW.js";
-import { Args, Command, Errors, Flags } from "@oclif/core";
+import { A as createClient, C as saveCliCredentials, D as loadChatConversationByLocalId, E as loadActiveChatState, O as saveActiveChatState, S as resolveCliAuth, T as deleteChatState, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as normalizeApiBaseUrl1, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, j as createConfig, k as PrimitiveApiClient, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as chatStatePath, x as normalizeApiBaseUrl2, y as loadCliCredentials } from "../cli-config-SktG2dzR.js";
+import { Args, Command, Errors, Flags, ux } from "@oclif/core";
 import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { randomUUID } from "node:crypto";
 import { basename, dirname, join, relative, resolve, sep } from "node:path";
@@ -68,6 +68,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	resendCliSignupVerification: () => resendCliSignupVerification,
 	rotateWebhookSecret: () => rotateWebhookSecret,
 	searchEmails: () => searchEmails,
+	semanticSearch: () => semanticSearch,
 	sendEmail: () => sendEmail,
 	setFunctionSecret: () => setFunctionSecret,
 	startAgentSignup: () => startAgentSignup,
@@ -595,9 +596,9 @@ const downloadAttachments = (options) => (options.client ?? client).get({
 * derivation (Reply-To, then From, then bare sender), and the
 * `Re:` subject prefix are all derived server-side from the
 * stored inbound row. The request body carries only the message
-* body and optional `wait` flag; passing any header or recipient
-* override is rejected by the schema (`additionalProperties:
-* false`).
+* body, optional From override, optional attachments, and optional
+* `wait` flag; passing any header or recipient override is
+* rejected by the schema (`additionalProperties: false`).
 *
 * Forwards through the same gates as `/send-mail`: the response
 * status, error envelope, and `idempotent_replay` flag mirror
@@ -956,6 +957,42 @@ const sendEmail = (options) => (options.client ?? client).post({
 	}
 });
 /**
+* Semantic search across received and sent mail
+*
+* Ranked search across both received and sent mail. The `mode`
+* field selects the ranking strategy:
+*
+* - `keyword`: lexical full-text matching only (no embeddings).
+* - `semantic`: meaning-based matching using vector embeddings.
+* - `hybrid` (default): blends the semantic and keyword signals.
+*
+* Results are ordered by a relevance `score`. Every row reports the
+* fields it matched (`matched_fields`), a match-centered excerpt per
+* field (`snippets`), and a `score_breakdown` whose components account
+* for the `score`. Page through results by passing the prior
+* response's `meta.cursor` back as `cursor`.
+*
+* Requires the Pro plan and the `semantic_search_enabled`
+* entitlement; callers without them receive `403`.
+*
+* Host routing: this operation is served only by the search host
+* (`https://api.primitive.dev/v1`). The typed SDKs route it there
+* automatically.
+*
+*/
+const semanticSearch = (options) => (options.client ?? client).post({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/semantic-search",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
 * List outbound sent emails
 *
 * Returns a paginated list of OUTBOUND emails the caller's
@@ -1378,6 +1415,10 @@ const openapiDocument = {
 			"name": "Emails",
 			"description": "List, inspect, and manage received emails"
 		},
+		{
+			"name": "Search",
+			"description": "Semantic and hybrid search across received and sent mail"
+		},
 		{
 			"name": "Sending",
 			"description": "Send outbound emails through the Primitive API"
@@ -2366,7 +2407,14 @@ const openapiDocument = {
 			"post": {
 				"operationId": "replyToEmail",
 				"summary": "Reply to an inbound email",
-				"description": "Sends an outbound reply to the inbound email identified by `id`.\nThreading headers (`In-Reply-To`, `References`), recipient\nderivation (Reply-To, then From, then bare sender), and the\n`Re:` subject prefix are all derived server-side from the\nstored inbound row. The request body carries only the message\nbody and optional `wait` flag; passing any header or recipient\noverride is rejected by the schema (`additionalProperties:\nfalse`).\n\nForwards through the same gates as `/send-mail`: the response\nstatus, error envelope, and `idempotent_replay` flag mirror\nthe send-mail contract verbatim.\n",
+				"description": "Sends an outbound reply to the inbound email identified by `id`.\nThreading headers (`In-Reply-To`, `References`), recipient\nderivation (Reply-To, then From, then bare sender), and the\n`Re:` subject prefix are all derived server-side from the\nstored inbound row. The request body carries only the message\nbody, optional From override, optional attachments, and optional\n`wait` flag; passing any header or recipient override is\nrejected by the schema (`additionalProperties: false`).\n\nForwards through the same gates as `/send-mail`: the response\nstatus, error envelope, and `idempotent_replay` flag mirror\nthe send-mail contract verbatim.\n",
+				"servers": [{
+					"url": "https://api.primitive.dev/v1",
+					"description": "Attachments-supporting send host (recommended)"
+				}, {
+					"url": "https://www.primitive.dev/api/v1",
+					"description": "Primary host (attachment-free replies only)"
+				}],
 				"tags": ["Sending"],
 				"requestBody": {
 					"required": true,
@@ -2816,6 +2864,42 @@ const openapiDocument = {
 				"503": { "$ref": "#/components/responses/ServiceUnavailable" }
 			}
 		} },
+		"/semantic-search": { "post": {
+			"operationId": "semanticSearch",
+			"summary": "Semantic search across received and sent mail",
+			"description": "Ranked search across both received and sent mail. The `mode`\nfield selects the ranking strategy:\n\n- `keyword`: lexical full-text matching only (no embeddings).\n- `semantic`: meaning-based matching using vector embeddings.\n- `hybrid` (default): blends the semantic and keyword signals.\n\nResults are ordered by a relevance `score`. Every row reports the\nfields it matched (`matched_fields`), a match-centered excerpt per\nfield (`snippets`), and a `score_breakdown` whose components account\nfor the `score`. Page through results by passing the prior\nresponse's `meta.cursor` back as `cursor`.\n\nRequires the Pro plan and the `semantic_search_enabled`\nentitlement; callers without them receive `403`.\n\nHost routing: this operation is served only by the search host\n(`https://api.primitive.dev/v1`). The typed SDKs route it there\nautomatically.\n",
+			"servers": [{
+				"url": "https://api.primitive.dev/v1",
+				"description": "Search host"
+			}],
+			"tags": ["Search"],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/SemanticSearchInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Ranked search results",
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": {
+							"data": {
+								"type": "array",
+								"items": { "$ref": "#/components/schemas/SemanticSearchResult" }
+							},
+							"meta": { "$ref": "#/components/schemas/SemanticSearchMeta" }
+						},
+						"required": ["data", "meta"]
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"403": { "$ref": "#/components/responses/Forbidden" },
+				"429": { "$ref": "#/components/responses/RateLimited" },
+				"500": { "$ref": "#/components/responses/InternalError" },
+				"503": { "$ref": "#/components/responses/ServiceUnavailable" }
+			}
+		} },
 		"/sent-emails": { "get": {
 			"operationId": "listSentEmails",
 			"summary": "List outbound sent emails",
@@ -5660,6 +5744,236 @@ const openapiDocument = {
 					"body_size_bytes"
 				]
 			},
+			"SemanticSearchField": {
+				"type": "string",
+				"enum": [
+					"subject",
+					"headers",
+					"addresses",
+					"body"
+				],
+				"description": "A searchable email field."
+			},
+			"SemanticSearchInput": {
+				"type": "object",
+				"properties": {
+					"query": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 2048,
+						"description": "Free-text query. Required for `semantic` and `hybrid` modes;\noptional for `keyword` mode.\n"
+					},
+					"mode": {
+						"type": "string",
+						"enum": [
+							"hybrid",
+							"semantic",
+							"keyword"
+						],
+						"default": "hybrid",
+						"description": "Ranking strategy. `keyword` is lexical only, `semantic` is\nembedding-based, `hybrid` blends both.\n"
+					},
+					"corpus": {
+						"type": "array",
+						"items": {
+							"type": "string",
+							"enum": ["inbound", "outbound"]
+						},
+						"minItems": 1,
+						"maxItems": 2,
+						"description": "Which mail to search. Defaults to both received (`inbound`)\nand sent (`outbound`).\n"
+					},
+					"search_in": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/SemanticSearchField" },
+						"description": "Restrict matching to these fields. Defaults to all."
+					},
+					"exclude": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/SemanticSearchField" },
+						"description": "Exclude these fields from matching."
+					},
+					"date_from": {
+						"type": "string",
+						"format": "date-time",
+						"description": "Only include mail at or after this timestamp."
+					},
+					"date_to": {
+						"type": "string",
+						"format": "date-time",
+						"description": "Only include mail at or before this timestamp."
+					},
+					"include": {
+						"type": "array",
+						"items": {
+							"type": "string",
+							"enum": ["coverage"]
+						},
+						"description": "Opt-in extras. `coverage` adds an index-coverage snapshot to\n`meta`. Matched fields, snippets, and the score breakdown are\nalways returned regardless of this field.\n"
+					},
+					"limit": {
+						"type": "integer",
+						"minimum": 1,
+						"maximum": 100,
+						"default": 10,
+						"description": "Maximum number of results to return."
+					},
+					"cursor": {
+						"type": "string",
+						"description": "Opaque pagination cursor from a prior response's `meta.cursor`."
+					}
+				}
+			},
+			"SemanticSearchSnippet": {
+				"type": "object",
+				"properties": {
+					"field": {
+						"type": "string",
+						"description": "The field this excerpt came from."
+					},
+					"text": {
+						"type": "string",
+						"description": "Plain-text excerpt centered on the match (no markup)."
+					}
+				},
+				"required": ["field", "text"]
+			},
+			"SemanticSearchScoreBreakdown": {
+				"type": "object",
+				"description": "Additive contributions to `score`. `semantic` and `keyword` are the\nraw signals times the mode's weight (null when not applicable);\nthese plus `field_boost` and `recency` sum to `score` before each\nvalue is independently rounded to 5 decimal places.\n",
+				"properties": {
+					"semantic": { "type": ["number", "null"] },
+					"keyword": { "type": ["number", "null"] },
+					"field_boost": { "type": "number" },
+					"recency": { "type": "number" }
+				},
+				"required": [
+					"semantic",
+					"keyword",
+					"field_boost",
+					"recency"
+				]
+			},
+			"SemanticSearchResult": {
+				"type": "object",
+				"properties": {
+					"source_type": {
+						"type": "string",
+						"enum": ["inbound_email", "sent_email"],
+						"description": "Whether this row is a received or sent message."
+					},
+					"id": {
+						"type": "string",
+						"description": "Message id. Combine with `api_url` to fetch the full record."
+					},
+					"subject": { "type": ["string", "null"] },
+					"from": { "type": ["string", "null"] },
+					"to": { "type": ["string", "null"] },
+					"timestamp": {
+						"type": "string",
+						"description": "Message timestamp (received_at for inbound, created_at for sent)."
+					},
+					"status": {
+						"type": "string",
+						"description": "Lifecycle status of the message."
+					},
+					"score": {
+						"type": "number",
+						"description": "Overall relevance score; the `score_breakdown` components account for it."
+					},
+					"semantic_score": {
+						"type": ["number", "null"],
+						"description": "Raw semantic similarity signal, or null when not applicable."
+					},
+					"keyword_score": {
+						"type": ["number", "null"],
+						"description": "Raw keyword (lexical) signal, or null when not applicable."
+					},
+					"matched_fields": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/SemanticSearchField" },
+						"description": "Fields where the query matched."
+					},
+					"snippets": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/SemanticSearchSnippet" },
+						"description": "Match-centered excerpts, one per matched field."
+					},
+					"score_breakdown": { "$ref": "#/components/schemas/SemanticSearchScoreBreakdown" },
+					"api_url": {
+						"type": ["string", "null"],
+						"description": "Relative API path to fetch the full message."
+					}
+				},
+				"required": [
+					"source_type",
+					"id",
+					"subject",
+					"from",
+					"to",
+					"timestamp",
+					"status",
+					"score",
+					"semantic_score",
+					"keyword_score",
+					"matched_fields",
+					"snippets",
+					"score_breakdown",
+					"api_url"
+				]
+			},
+			"SemanticSearchCoverage": {
+				"type": "object",
+				"description": "Index-coverage snapshot for the org, returned only when the `coverage` include option is requested.",
+				"properties": {
+					"embedded_chunks": { "type": "integer" },
+					"pending_chunks": { "type": "integer" },
+					"skipped_plan_chunks": { "type": "integer" },
+					"skipped_quota_chunks": { "type": "integer" },
+					"unsupported_attachment_chunks": { "type": "integer" },
+					"failed_chunks": { "type": "integer" }
+				},
+				"required": [
+					"embedded_chunks",
+					"pending_chunks",
+					"skipped_plan_chunks",
+					"skipped_quota_chunks",
+					"unsupported_attachment_chunks",
+					"failed_chunks"
+				]
+			},
+			"SemanticSearchMeta": {
+				"type": "object",
+				"properties": {
+					"limit": {
+						"type": "integer",
+						"description": "Page size used for this request."
+					},
+					"cursor": {
+						"type": ["string", "null"],
+						"description": "Cursor for the next page, or null if there are no more results."
+					},
+					"mode": {
+						"type": "string",
+						"enum": [
+							"hybrid",
+							"semantic",
+							"keyword"
+						],
+						"description": "Ranking mode used for this response."
+					},
+					"coverage": {
+						"oneOf": [{ "$ref": "#/components/schemas/SemanticSearchCoverage" }, { "type": "null" }],
+						"description": "Index-coverage snapshot, present only when requested via\n`include: [coverage]`; otherwise null.\n"
+					}
+				},
+				"required": [
+					"limit",
+					"cursor",
+					"mode",
+					"coverage"
+				]
+			},
 			"SentEmailDetail": {
 				"description": "Full sent-email record, including `body_text` and\n`body_html`. Returned by /sent-emails/{id}.\n",
 				"allOf": [{ "$ref": "#/components/schemas/SentEmailSummary" }, {
@@ -5698,6 +6012,12 @@ const openapiDocument = {
 					"wait": {
 						"type": "boolean",
 						"description": "When true, wait for the first downstream SMTP delivery outcome before returning, mirroring the send-mail `wait` semantics."
+					},
+					"attachments": {
+						"type": "array",
+						"maxItems": 100,
+						"description": "Inline attachments for this reply. Use https://api.primitive.dev/v1 for replies with attachments. Combined raw decoded attachment bytes must be at most 31457280.",
+						"items": { "$ref": "#/components/schemas/SendMailAttachment" }
 					}
 				}
 			},
@@ -11458,70 +11778,282 @@ const operationManifest = [
 	},
 	{
 		"binaryResponse": false,
-		"bodyRequired": false,
-		"command": "get-send-permissions",
-		"description": "Returns a flat list of rules describing every recipient the\ncaller may send to. Each rule has a `type`, a kind-specific\npayload, and a human-readable `description`. If any rule\nmatches the recipient, /send-mail will accept the send under\nthe recipient-scope check.\n\nThe endpoint is the answer to \"where can I send\" without\nexposing internal entitlement names. Agents that don't\nrecognize a `type` can still read the `description` prose\nand act on it.\n\nRule kinds, ordered broadest-first so an agent can stop\nscanning at the first match:\n\n  1. `any_recipient` (one entry, only when the org can send\n     anywhere): every other rule below it is redundant.\n  2. `managed_zone` (always emitted, one per Primitive-managed\n     zone): sends to any address at *.primitive.email or\n     *.email.works always succeed; no entitlement required.\n  3. `your_domain` (one per active verified outbound domain\n     owned by the org): sends to that domain are approved.\n  4. `address` (one per address that has authenticated\n     inbound mail to the org, capped at `meta.address_cap`):\n     sends to that exact address are approved.\n\nThe list is informational, not an authorization check.\n/send-mail remains the source of truth on whether an\nindividual send will succeed (it also enforces the\nfrom-address and the `send_mail` entitlement, which are\nnot recipient-scope concerns and are not represented here).\n",
-		"hasJsonBody": false,
-		"method": "GET",
-		"operationId": "getSendPermissions",
-		"path": "/send-permissions",
+		"bodyRequired": true,
+		"command": "semantic-search",
+		"description": "Ranked search across both received and sent mail. The `mode`\nfield selects the ranking strategy:\n\n- `keyword`: lexical full-text matching only (no embeddings).\n- `semantic`: meaning-based matching using vector embeddings.\n- `hybrid` (default): blends the semantic and keyword signals.\n\nResults are ordered by a relevance `score`. Every row reports the\nfields it matched (`matched_fields`), a match-centered excerpt per\nfield (`snippets`), and a `score_breakdown` whose components account\nfor the `score`. Page through results by passing the prior\nresponse's `meta.cursor` back as `cursor`.\n\nRequires the Pro plan and the `semantic_search_enabled`\nentitlement; callers without them receive `403`.\n\nHost routing: this operation is served only by the search host\n(`https://api.primitive.dev/v1`). The typed SDKs route it there\nautomatically.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "semanticSearch",
+		"path": "/semantic-search",
 		"pathParams": [],
 		"queryParams": [],
-		"requestSchema": null,
-		"responseSchema": {
-			"type": "array",
-			"items": {
-				"description": "One recipient-scope rule describing a destination the caller\nmay send to. Discriminated on `type`. Each rule carries a\nhuman-prose `description` field intended for display.\n\nRule kinds are stable within an SDK release. A response\ncontaining a `type` value not enumerated in this schema\nmeans the server is running a newer version than the SDK;\nupgrade the SDK to the release that matches the server's\nschema. Strict-parsing SDKs (Go, Python) will raise a\ndecode error in that case rather than silently dropping\nthe unknown rule, since silent drops would let an outbound\nagent reason from an incomplete view of its own permissions.\n",
-				"discriminator": {
-					"propertyName": "type",
-					"mapping": {
-						"any_recipient": "#/components/schemas/SendPermissionAnyRecipient",
-						"managed_zone": "#/components/schemas/SendPermissionManagedZone",
-						"your_domain": "#/components/schemas/SendPermissionYourDomain",
-						"address": "#/components/schemas/SendPermissionAddress"
-					}
+		"requestSchema": {
+			"type": "object",
+			"properties": {
+				"query": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 2048,
+					"description": "Free-text query. Required for `semantic` and `hybrid` modes;\noptional for `keyword` mode.\n"
 				},
-				"oneOf": [
-					{
-						"type": "object",
-						"description": "The caller can send to any recipient. When this rule is\npresent, every other rule in the response is redundant.\n",
-						"properties": {
-							"type": {
-								"type": "string",
-								"enum": ["any_recipient"]
-							},
-							"description": {
-								"type": "string",
-								"description": "Human-prose summary of the rule."
-							}
-						},
-						"required": ["type", "description"]
+				"mode": {
+					"type": "string",
+					"enum": [
+						"hybrid",
+						"semantic",
+						"keyword"
+					],
+					"default": "hybrid",
+					"description": "Ranking strategy. `keyword` is lexical only, `semantic` is\nembedding-based, `hybrid` blends both.\n"
+				},
+				"corpus": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["inbound", "outbound"]
 					},
-					{
-						"type": "object",
-						"description": "The caller can send to any address at the named\nPrimitive-managed zone. Always emitted (no entitlement\nrequired) because Primitive owns the zone and every mailbox\nbelongs to a Primitive customer by construction.\n",
-						"properties": {
-							"type": {
-								"type": "string",
-								"enum": ["managed_zone"]
-							},
-							"zone": {
-								"type": "string",
-								"description": "The managed apex domain. Sends are accepted to any\naddress at the apex itself or any subdomain (e.g.\n`alice@primitive.email` and `alice@acme.primitive.email`\nboth match the `primitive.email` zone rule).\n"
-							},
-							"description": {
-								"type": "string",
-								"description": "Human-prose summary of the rule."
-							}
-						},
-						"required": [
-							"type",
-							"zone",
-							"description"
-						]
+					"minItems": 1,
+					"maxItems": 2,
+					"description": "Which mail to search. Defaults to both received (`inbound`)\nand sent (`outbound`).\n"
+				},
+				"search_in": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": [
+							"subject",
+							"headers",
+							"addresses",
+							"body"
+						],
+						"description": "A searchable email field."
 					},
-					{
-						"type": "object",
+					"description": "Restrict matching to these fields. Defaults to all."
+				},
+				"exclude": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": [
+							"subject",
+							"headers",
+							"addresses",
+							"body"
+						],
+						"description": "A searchable email field."
+					},
+					"description": "Exclude these fields from matching."
+				},
+				"date_from": {
+					"type": "string",
+					"format": "date-time",
+					"description": "Only include mail at or after this timestamp."
+				},
+				"date_to": {
+					"type": "string",
+					"format": "date-time",
+					"description": "Only include mail at or before this timestamp."
+				},
+				"include": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["coverage"]
+					},
+					"description": "Opt-in extras. `coverage` adds an index-coverage snapshot to\n`meta`. Matched fields, snippets, and the score breakdown are\nalways returned regardless of this field.\n"
+				},
+				"limit": {
+					"type": "integer",
+					"minimum": 1,
+					"maximum": 100,
+					"default": 10,
+					"description": "Maximum number of results to return."
+				},
+				"cursor": {
+					"type": "string",
+					"description": "Opaque pagination cursor from a prior response's `meta.cursor`."
+				}
+			}
+		},
+		"responseSchema": {
+			"type": "array",
+			"items": {
+				"type": "object",
+				"properties": {
+					"source_type": {
+						"type": "string",
+						"enum": ["inbound_email", "sent_email"],
+						"description": "Whether this row is a received or sent message."
+					},
+					"id": {
+						"type": "string",
+						"description": "Message id. Combine with `api_url` to fetch the full record."
+					},
+					"subject": { "type": ["string", "null"] },
+					"from": { "type": ["string", "null"] },
+					"to": { "type": ["string", "null"] },
+					"timestamp": {
+						"type": "string",
+						"description": "Message timestamp (received_at for inbound, created_at for sent)."
+					},
+					"status": {
+						"type": "string",
+						"description": "Lifecycle status of the message."
+					},
+					"score": {
+						"type": "number",
+						"description": "Overall relevance score; the `score_breakdown` components account for it."
+					},
+					"semantic_score": {
+						"type": ["number", "null"],
+						"description": "Raw semantic similarity signal, or null when not applicable."
+					},
+					"keyword_score": {
+						"type": ["number", "null"],
+						"description": "Raw keyword (lexical) signal, or null when not applicable."
+					},
+					"matched_fields": {
+						"type": "array",
+						"items": {
+							"type": "string",
+							"enum": [
+								"subject",
+								"headers",
+								"addresses",
+								"body"
+							],
+							"description": "A searchable email field."
+						},
+						"description": "Fields where the query matched."
+					},
+					"snippets": {
+						"type": "array",
+						"items": {
+							"type": "object",
+							"properties": {
+								"field": {
+									"type": "string",
+									"description": "The field this excerpt came from."
+								},
+								"text": {
+									"type": "string",
+									"description": "Plain-text excerpt centered on the match (no markup)."
+								}
+							},
+							"required": ["field", "text"]
+						},
+						"description": "Match-centered excerpts, one per matched field."
+					},
+					"score_breakdown": {
+						"type": "object",
+						"description": "Additive contributions to `score`. `semantic` and `keyword` are the\nraw signals times the mode's weight (null when not applicable);\nthese plus `field_boost` and `recency` sum to `score` before each\nvalue is independently rounded to 5 decimal places.\n",
+						"properties": {
+							"semantic": { "type": ["number", "null"] },
+							"keyword": { "type": ["number", "null"] },
+							"field_boost": { "type": "number" },
+							"recency": { "type": "number" }
+						},
+						"required": [
+							"semantic",
+							"keyword",
+							"field_boost",
+							"recency"
+						]
+					},
+					"api_url": {
+						"type": ["string", "null"],
+						"description": "Relative API path to fetch the full message."
+					}
+				},
+				"required": [
+					"source_type",
+					"id",
+					"subject",
+					"from",
+					"to",
+					"timestamp",
+					"status",
+					"score",
+					"semantic_score",
+					"keyword_score",
+					"matched_fields",
+					"snippets",
+					"score_breakdown",
+					"api_url"
+				]
+			}
+		},
+		"sdkName": "semanticSearch",
+		"summary": "Semantic search across received and sent mail",
+		"tag": "Search",
+		"tagCommand": "search"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "get-send-permissions",
+		"description": "Returns a flat list of rules describing every recipient the\ncaller may send to. Each rule has a `type`, a kind-specific\npayload, and a human-readable `description`. If any rule\nmatches the recipient, /send-mail will accept the send under\nthe recipient-scope check.\n\nThe endpoint is the answer to \"where can I send\" without\nexposing internal entitlement names. Agents that don't\nrecognize a `type` can still read the `description` prose\nand act on it.\n\nRule kinds, ordered broadest-first so an agent can stop\nscanning at the first match:\n\n  1. `any_recipient` (one entry, only when the org can send\n     anywhere): every other rule below it is redundant.\n  2. `managed_zone` (always emitted, one per Primitive-managed\n     zone): sends to any address at *.primitive.email or\n     *.email.works always succeed; no entitlement required.\n  3. `your_domain` (one per active verified outbound domain\n     owned by the org): sends to that domain are approved.\n  4. `address` (one per address that has authenticated\n     inbound mail to the org, capped at `meta.address_cap`):\n     sends to that exact address are approved.\n\nThe list is informational, not an authorization check.\n/send-mail remains the source of truth on whether an\nindividual send will succeed (it also enforces the\nfrom-address and the `send_mail` entitlement, which are\nnot recipient-scope concerns and are not represented here).\n",
+		"hasJsonBody": false,
+		"method": "GET",
+		"operationId": "getSendPermissions",
+		"path": "/send-permissions",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": {
+			"type": "array",
+			"items": {
+				"description": "One recipient-scope rule describing a destination the caller\nmay send to. Discriminated on `type`. Each rule carries a\nhuman-prose `description` field intended for display.\n\nRule kinds are stable within an SDK release. A response\ncontaining a `type` value not enumerated in this schema\nmeans the server is running a newer version than the SDK;\nupgrade the SDK to the release that matches the server's\nschema. Strict-parsing SDKs (Go, Python) will raise a\ndecode error in that case rather than silently dropping\nthe unknown rule, since silent drops would let an outbound\nagent reason from an incomplete view of its own permissions.\n",
+				"discriminator": {
+					"propertyName": "type",
+					"mapping": {
+						"any_recipient": "#/components/schemas/SendPermissionAnyRecipient",
+						"managed_zone": "#/components/schemas/SendPermissionManagedZone",
+						"your_domain": "#/components/schemas/SendPermissionYourDomain",
+						"address": "#/components/schemas/SendPermissionAddress"
+					}
+				},
+				"oneOf": [
+					{
+						"type": "object",
+						"description": "The caller can send to any recipient. When this rule is\npresent, every other rule in the response is redundant.\n",
+						"properties": {
+							"type": {
+								"type": "string",
+								"enum": ["any_recipient"]
+							},
+							"description": {
+								"type": "string",
+								"description": "Human-prose summary of the rule."
+							}
+						},
+						"required": ["type", "description"]
+					},
+					{
+						"type": "object",
+						"description": "The caller can send to any address at the named\nPrimitive-managed zone. Always emitted (no entitlement\nrequired) because Primitive owns the zone and every mailbox\nbelongs to a Primitive customer by construction.\n",
+						"properties": {
+							"type": {
+								"type": "string",
+								"enum": ["managed_zone"]
+							},
+							"zone": {
+								"type": "string",
+								"description": "The managed apex domain. Sends are accepted to any\naddress at the apex itself or any subdomain (e.g.\n`alice@primitive.email` and `alice@acme.primitive.email`\nboth match the `primitive.email` zone rule).\n"
+							},
+							"description": {
+								"type": "string",
+								"description": "Human-prose summary of the rule."
+							}
+						},
+						"required": [
+							"type",
+							"zone",
+							"description"
+						]
+					},
+					{
+						"type": "object",
 						"description": "The caller can send to any address at one of their own\nverified outbound domains. Emitted once per active row in\nthe org's `domains` table.\n",
 						"properties": {
 							"type": {
@@ -12108,7 +12640,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "reply-to-email",
-		"description": "Sends an outbound reply to the inbound email identified by `id`.\nThreading headers (`In-Reply-To`, `References`), recipient\nderivation (Reply-To, then From, then bare sender), and the\n`Re:` subject prefix are all derived server-side from the\nstored inbound row. The request body carries only the message\nbody and optional `wait` flag; passing any header or recipient\noverride is rejected by the schema (`additionalProperties:\nfalse`).\n\nForwards through the same gates as `/send-mail`: the response\nstatus, error envelope, and `idempotent_replay` flag mirror\nthe send-mail contract verbatim.\n",
+		"description": "Sends an outbound reply to the inbound email identified by `id`.\nThreading headers (`In-Reply-To`, `References`), recipient\nderivation (Reply-To, then From, then bare sender), and the\n`Re:` subject prefix are all derived server-side from the\nstored inbound row. The request body carries only the message\nbody, optional From override, optional attachments, and optional\n`wait` flag; passing any header or recipient override is\nrejected by the schema (`additionalProperties: false`).\n\nForwards through the same gates as `/send-mail`: the response\nstatus, error envelope, and `idempotent_replay` flag mirror\nthe send-mail contract verbatim.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "replyToEmail",
@@ -12143,6 +12675,36 @@ const operationManifest = [
 				"wait": {
 					"type": "boolean",
 					"description": "When true, wait for the first downstream SMTP delivery outcome before returning, mirroring the send-mail `wait` semantics."
+				},
+				"attachments": {
+					"type": "array",
+					"maxItems": 100,
+					"description": "Inline attachments for this reply. Use https://api.primitive.dev/v1 for replies with attachments. Combined raw decoded attachment bytes must be at most 31457280.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"filename": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 255,
+								"description": "Attachment filename. Control characters are rejected."
+							},
+							"content_type": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 255,
+								"description": "Optional MIME content type. Control characters are rejected."
+							},
+							"content_base64": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 44040192,
+								"description": "Base64-encoded attachment bytes."
+							}
+						},
+						"required": ["filename", "content_base64"]
+					}
 				}
 			}
 		},
@@ -13249,7 +13811,7 @@ async function runWithTiming(enabled, fn) {
 const TIME_FLAG_DESCRIPTION = "Print the wall-clock duration of this command to stderr after it completes (e.g. `[time: 1.34s]`). Useful for measuring `--wait` send latency, comparing CLI overhead, or capturing timing in scripts.";
 const API_BASE_URL_1_FLAG_DESCRIPTION = "Override the primary API base URL. Internal testing only; not documented to customers.";
 const API_BASE_URL_2_FLAG_DESCRIPTION = "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.";
-const HOST_2_OPERATIONS = new Set(["sendEmail"]);
+const HOST_2_OPERATIONS = new Set(["sendEmail", "replyToEmail"]);
 const RESERVED_FLAG_NAMES = new Set([
 	"api-key",
 	"api-base-url-1",
@@ -13480,6 +14042,39 @@ function canonicalizeCliReferences(description) {
 	return description.replaceAll("`primitive emails:latest`", "`primitive emails latest`").replaceAll("`primitive describe emails:get-email | jq '.responseSchema.properties'`", "`primitive describe emails:get | jq '.responseSchema.properties'`");
 }
 //#endregion
+//#region src/oclif/attachments.ts
+function readAttachmentBytes(path, readFile) {
+	try {
+		return Buffer.from(readFile(path));
+	} catch (error) {
+		const detail = error instanceof Error ? error.message : String(error);
+		throw new Errors.CLIError(`Could not read --attachment ${path}: ${detail}`, { exit: 1 });
+	}
+}
+function hasControlCharacter(value) {
+	return Array.from(value).some((character) => {
+		const code = character.charCodeAt(0);
+		return code <= 31 || code >= 127 && code <= 159;
+	});
+}
+function validateAttachmentFilename(path, filename) {
+	if (!filename) throw new Errors.CLIError(`Could not derive an attachment filename from ${path}. Pass a file path.`, { exit: 1 });
+	if (hasControlCharacter(filename)) throw new Errors.CLIError(`Attachment filename ${filename} contains control characters.`, { exit: 1 });
+}
+function readAttachmentFiles(paths, readFile = readFileSync) {
+	if (!paths || paths.length === 0) return void 0;
+	return paths.map((path) => {
+		const filename = basename(path);
+		validateAttachmentFilename(path, filename);
+		const bytes = readAttachmentBytes(path, readFile);
+		if (bytes.length === 0) throw new Errors.CLIError(`Attachment file ${path} is empty. Attachments must contain at least one byte.`, { exit: 1 });
+		return {
+			content_base64: bytes.toString("base64"),
+			filename
+		};
+	});
+}
+//#endregion
 //#region src/oclif/outbound-defaults.ts
 const SUBJECT_MAX_LENGTH = 200;
 function deriveSubject(body) {
@@ -13630,6 +14225,30 @@ async function readStdinToString(missingMessage = "No message provided. Pass the
 	for await (const chunk of process.stdin) chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
 	return Buffer.concat(chunks).toString("utf8");
 }
+function chatColor(color, text) {
+	return ux.colorize(color, text);
+}
+function chatCommandText(command) {
+	return chatColor("cyan", command);
+}
+function chatDetailLine(line) {
+	return chatColor("dim", line);
+}
+function chatFailureText(message) {
+	return chatColor("red", message);
+}
+function chatHeading(text) {
+	return chatColor("bold", text);
+}
+function chatNoticeText(message) {
+	return chatColor("yellow", message);
+}
+function chatProgressText(message) {
+	return chatColor("cyan", message);
+}
+function chatSuccessText(message) {
+	return chatColor("greenBright", message);
+}
 var ChatProgressIndicator = class {
 	currentMessage = null;
 	frameIndex = 0;
@@ -13650,7 +14269,7 @@ var ChatProgressIndicator = class {
 			this.timer.unref?.();
 			return;
 		}
-		this.stream.write(`${message}\n`);
+		this.stream.write(`${chatProgressText(message)}\n`);
 	}
 	update(message, options = {}) {
 		this.currentMessage = message;
@@ -13663,10 +14282,10 @@ var ChatProgressIndicator = class {
 			return;
 		}
 		this.stopTimer();
-		this.stream.write(`${message}\n`);
+		this.stream.write(`${chatProgressText(message)}\n`);
 		if (options.heartbeatMs !== void 0) {
 			this.timer = setInterval(() => {
-				this.stream.write(`${formatWaitingHeartbeat(message, this.now() - this.startedAt, options.timeoutSeconds)}\n`);
+				this.stream.write(`${chatProgressText(formatWaitingHeartbeat(message, this.now() - this.startedAt, options.timeoutSeconds))}\n`);
 			}, options.heartbeatMs);
 			this.timer.unref?.();
 		}
@@ -13675,17 +14294,17 @@ var ChatProgressIndicator = class {
 		if (this.stream.isTTY) {
 			const currentMessage = this.currentMessage;
 			this.clearLine();
-			this.stream.write(`${message}\n`);
+			this.stream.write(`${chatNoticeText(message)}\n`);
 			if (currentMessage !== null && this.timer !== null) this.render(currentMessage);
 			return;
 		}
-		this.stream.write(`${message}\n`);
+		this.stream.write(`${chatNoticeText(message)}\n`);
 	}
 	succeed(message) {
-		this.finish(`${message} after ${formatElapsed(this.now() - this.startedAt)}.`);
+		this.finish(chatSuccessText(`${message} after ${formatElapsed(this.now() - this.startedAt)}.`));
 	}
 	fail(message) {
-		this.finish(message);
+		this.finish(chatFailureText(message));
 	}
 	finish(message) {
 		this.stopTimer();
@@ -13702,9 +14321,10 @@ var ChatProgressIndicator = class {
 		];
 		const frame = frames[this.frameIndex % frames.length];
 		this.frameIndex += 1;
-		const line = `${frame} ${message} (${formatElapsed(this.now() - this.startedAt)})`;
-		this.lastLineLength = Math.max(this.lastLineLength, line.length);
-		this.stream.write(`\r${line}`);
+		const elapsed = `(${formatElapsed(this.now() - this.startedAt)})`;
+		const plainLine = `${frame} ${message} ${elapsed}`;
+		this.lastLineLength = Math.max(this.lastLineLength, plainLine.length);
+		this.stream.write(`\r${chatProgressText(`${frame} ${message}`)} ${chatColor("dim", elapsed)}`);
 	}
 	clearLine() {
 		if (this.lastLineLength > 0) {
@@ -13950,45 +14570,46 @@ function formatChatResponse(context) {
 	const accepted = context.sent.accepted.join(", ") || context.recipient;
 	const responseBody = resolveChatResponseBody(context.reply);
 	const lines = [
-		"Reply received",
+		chatSuccessText("Reply received"),
 		"",
-		"Sent",
-		`  To: ${accepted}`,
-		`  From: ${context.sent.from || context.from}`,
-		`  Subject: ${context.subject}`,
-		`  Sent email id: ${context.sent.id}`,
-		`  Delivery status: ${context.sent.delivery_status ?? context.sent.status}`,
+		chatHeading("Sent"),
+		chatDetailLine(`  To: ${accepted}`),
+		chatDetailLine(`  From: ${context.sent.from || context.from}`),
+		chatDetailLine(`  Subject: ${context.subject}`),
+		chatDetailLine(`  Sent email id: ${context.sent.id}`),
+		chatColor("green", `  Delivery status: ${context.sent.delivery_status ?? context.sent.status}`),
 		"",
-		"Reply",
-		`  Email id: ${context.reply.id}`,
-		`  From: ${context.reply.from_email}`,
-		`  To: ${context.reply.to_email}`,
-		`  Subject: ${context.reply.subject ?? "(no subject)"}`,
-		`  Received: ${context.reply.received_at}`,
-		`  Match: ${matchDescription(context.matchStrategy)}`
+		chatHeading("Reply"),
+		chatDetailLine(`  Email id: ${context.reply.id}`),
+		chatDetailLine(`  From: ${context.reply.from_email}`),
+		chatDetailLine(`  To: ${context.reply.to_email}`),
+		chatDetailLine(`  Subject: ${context.reply.subject ?? "(no subject)"}`),
+		chatDetailLine(`  Received: ${context.reply.received_at}`),
+		chatDetailLine(`  Match: ${matchDescription(context.matchStrategy)}`)
 	];
-	if (context.reply.reply_to_sent_email_id) lines.push(`  Reply to sent email id: ${context.reply.reply_to_sent_email_id}`);
-	if (context.reply.message_id) lines.push(`  Message-Id: ${context.reply.message_id}`);
-	if (context.localChatId !== void 0) lines.push(`  Local chat id: ${context.localChatId}`);
-	lines.push("", "Helpful follow-up commands", "  Replace <message> before running commands that include it.", "  Commands are templates; use --json for parse-safe output.", "  When shown, --strict-only prefers timing out over matching the wrong reply.");
-	for (const { description, command } of buildChatFollowUpCommands(context)) lines.push(`  ${description}:`, `    ${command}`);
-	lines.push("", `Response body (${responseBody.format}; use --json for parsing)`, "----- BEGIN RESPONSE -----", responseBody.body || "(empty response)", "----- END RESPONSE -----");
+	if (context.reply.reply_to_sent_email_id) lines.push(chatDetailLine(`  Reply to sent email id: ${context.reply.reply_to_sent_email_id}`));
+	if (context.reply.message_id) lines.push(chatDetailLine(`  Message-Id: ${context.reply.message_id}`));
+	if (context.localChatId !== void 0) lines.push(chatDetailLine(`  Local chat id: ${context.localChatId}`));
+	lines.push("", chatHeading("Helpful follow-up commands"), chatDetailLine("  Replace <message> before running commands that include it."), chatDetailLine("  Commands are templates; use --json for parse-safe output."), chatDetailLine("  When shown, --strict-only prefers timing out over matching the wrong reply."));
+	for (const { description, command } of buildChatFollowUpCommands(context)) lines.push(chatHeading(`  ${description}:`), `    ${chatCommandText(command)}`);
+	lines.push("", chatHeading(`Response body (${responseBody.format}; use --json for parsing)`), "----- BEGIN RESPONSE -----", responseBody.body || "(empty response)", "----- END RESPONSE -----");
 	return lines.join("\n");
 }
 function formatChatRecoveryContext(context) {
+	const accepted = context.sent.accepted.join(", ") || context.recipient;
 	const lines = [
 		"",
-		"Sent message context",
-		`  To: ${context.sent.accepted.join(", ") || context.recipient}`,
-		`  From: ${context.sent.from || context.from}`,
-		`  Subject: ${context.subject}`,
-		`  Sent email id: ${context.sent.id}`,
-		`  Delivery status: ${context.sent.delivery_status ?? context.sent.status}`,
-		`  Poll since: ${context.sentAtIso}`,
+		chatHeading("Sent message context"),
+		chatDetailLine(`  To: ${accepted}`),
+		chatDetailLine(`  From: ${context.sent.from || context.from}`),
+		chatDetailLine(`  Subject: ${context.subject}`),
+		chatDetailLine(`  Sent email id: ${context.sent.id}`),
+		chatColor("green", `  Delivery status: ${context.sent.delivery_status ?? context.sent.status}`),
+		chatDetailLine(`  Poll since: ${context.sentAtIso}`),
 		"",
-		"Helpful recovery commands"
+		chatHeading("Helpful recovery commands")
 	];
-	for (const { description, command } of buildChatRecoveryCommands(context)) lines.push(`  ${description}:`, `    ${command}`);
+	for (const { description, command } of buildChatRecoveryCommands(context)) lines.push(chatHeading(`  ${description}:`), `    ${chatCommandText(command)}`);
 	return lines.join("\n");
 }
 async function loadInboundEmailDetail(params) {
@@ -14081,8 +14702,10 @@ var ChatCommand = class ChatCommand extends Command {
 		"<%= config.bin %> chat help@agent.acme.dev 'how do I rotate my API key?'",
 		"cat error.log | <%= config.bin %> chat help@agent.acme.dev",
 		"<%= config.bin %> chat reply 'one more thing'",
+		"<%= config.bin %> chat reply 'see attached' --attachment ./report.pdf",
 		"<%= config.bin %> chat help@agent.acme.dev --reply 'one more thing'",
 		"<%= config.bin %> chat help@agent.acme.dev --reply 'one more thing' --reply-to-email-id <inbound-email-id>",
+		"<%= config.bin %> chat help@agent.acme.dev 'can you review this?' --attachment ./report.pdf",
 		"<%= config.bin %> chat help@agent.acme.dev 'follow up question' --json",
 		"<%= config.bin %> chat help@agent.acme.dev 'one more thing' --timeout 300"
 	];
@@ -14116,6 +14739,11 @@ var ChatCommand = class ChatCommand extends Command {
 		reply: Flags.string({ description: "Reply body. Continues the latest inbound email from the recipient to your sender address; pass --reply-to-email-id for an exact thread." }),
 		"reply-to-email-id": Flags.string({ description: "Inbound email id to continue exactly. Uses Primitive's reply endpoint, so recipient, subject, and threading headers are derived from the inbound email." }),
 		"in-reply-to": Flags.string({ description: "Raw Message-Id of the parent email to thread a new send against. Prefer --reply-to-email-id with --reply when continuing an inbound email stored by Primitive." }),
+		attachment: Flags.string({
+			char: "a",
+			description: "Attach a file to this chat message. Repeat --attachment to attach multiple files.",
+			multiple: true
+		}),
 		"chat-local-id": Flags.integer({
 			description: "Local chat id to update after this command succeeds. Internal plumbing for `primitive chat reply`.",
 			hidden: true,
@@ -14169,6 +14797,7 @@ var ChatCommand = class ChatCommand extends Command {
 				configDir: this.config.configDir
 			};
 			const progress = flags.quiet ? null : new ChatProgressIndicator(process.stderr);
+			const attachments = readAttachmentFiles(flags.attachment);
 			let from;
 			let parentReply;
 			let subject;
@@ -14227,9 +14856,10 @@ var ChatCommand = class ChatCommand extends Command {
 			const sendResult = parentReply !== void 0 ? await replyToEmail({
 				body: {
 					body_text: message,
-					from
+					from,
+					...attachments !== void 0 ? { attachments } : {}
 				},
-				client: apiClient.client,
+				client: apiClient._sendClient,
 				path: { id: parentReply.id },
 				responseStyle: "fields"
 			}) : await sendEmail({
@@ -14238,7 +14868,8 @@ var ChatCommand = class ChatCommand extends Command {
 					to: args.recipient,
 					subject,
 					body_text: message,
-					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {}
+					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
+					...attachments !== void 0 ? { attachments } : {}
 				},
 				client: apiClient._sendClient,
 				responseStyle: "fields"
@@ -14353,6 +14984,7 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 		"<%= config.bin %> chat reply 'one more thing'",
 		"<%= config.bin %> chat reply 0 'one more thing'",
 		"<%= config.bin %> chat reply --id 0 'one more thing'",
+		"<%= config.bin %> chat reply 'see attached' --attachment ./report.pdf",
 		"cat follow-up.txt | <%= config.bin %> chat reply"
 	];
 	static args = {
@@ -14389,6 +15021,11 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 			min: 1
 		}),
 		"strict-only": Flags.boolean({ description: "Disable the time-window fallback. If the active chat was saved from a strict match, this is already the default." }),
+		attachment: Flags.string({
+			char: "a",
+			description: "Attach a file to the reply. Repeat --attachment to attach multiple files.",
+			multiple: true
+		}),
 		interval: Flags.integer({
 			description: "Seconds between polls while waiting for the reply.",
 			min: 1
@@ -14435,6 +15072,7 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 		if (flags["api-base-url-2"] !== void 0) argv.push("--api-base-url-2", flags["api-base-url-2"]);
 		if (flags.json) argv.push("--json");
 		if (flags.quiet) argv.push("--quiet");
+		for (const attachment of flags.attachment ?? []) argv.push("--attachment", attachment);
 		if (state.strict_only || flags["strict-only"]) argv.push("--strict-only");
 		if (flags.time) argv.push("--time");
 		await ChatCommand.run(argv, { root: this.config.root });
@@ -16444,8 +17082,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^0.34.0";
-const CLI_VERSION_RANGE = "^0.34.0";
+const SDK_VERSION_RANGE = "^0.35.0";
+const CLI_VERSION_RANGE = "^0.35.0";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
@@ -17818,6 +18456,7 @@ const DOMAIN_DISPLAY_WIDTH = 34;
 const STATUS_DISPLAY_WIDTH = 12;
 const BOOL_DISPLAY_WIDTH = 7;
 const NUM_DISPLAY_WIDTH = 6;
+const DEFAULT_PRIMITIVE_LOCAL_PART = "agent";
 function plural(count, singular, pluralValue = `${singular}s`) {
 	return `${count} ${count === 1 ? singular : pluralValue}`;
 }
@@ -17853,6 +18492,14 @@ function domainSummary(domain) {
 		default: return `${domain.domain} has status ${String(domain.status)}.`;
 	}
 }
+function findSuggestedPrimitiveAddress(domains) {
+	const domain = domains.find((entry) => entry.managed && entry.active && entry.receiving_ready);
+	if (!domain) return null;
+	return {
+		address: `${DEFAULT_PRIMITIVE_LOCAL_PART}@${domain.domain}`,
+		domain: domain.domain
+	};
+}
 function focusInboxStatus(status, domainName) {
 	const normalized = domainName.toLowerCase();
 	const domain = status.domains.find((entry) => entry.domain.toLowerCase() === normalized);
@@ -17899,12 +18546,14 @@ function formatInboxStatus(status) {
 		"",
 		"Domains"
 	];
+	const suggestedAddress = findSuggestedPrimitiveAddress(status.domains);
 	if (status.domains.length === 0) lines.push("No domains configured.");
 	else {
 		lines.push(formatDomainHeader());
 		for (const domain of status.domains) lines.push(formatDomainRow(domain));
 	}
 	lines.push("", `Endpoints: ${status.endpoints.enabled}/${status.endpoints.total} enabled (${status.endpoints.fallback_enabled} fallback, ${status.endpoints.domain_scoped_enabled} domain-scoped, ${status.endpoints.function_enabled} function)`, `Functions: ${status.functions.deployed}/${status.functions.total} deployed (${status.functions.pending} pending, ${status.functions.failed} failed)`, `Recent inbound: ${plural(status.recent_emails.total, "email")} latest ${formatInboxDate(status.recent_emails.latest_received_at)}`);
+	if (suggestedAddress) lines.push("", `Primitive address: ${suggestedAddress.address}`, `  Any local-part at ${suggestedAddress.domain} can receive mail.`, `  Try: primitive send --to ${suggestedAddress.address} --subject "hello" --body "test"`);
 	if (status.next_actions.length > 0) {
 		lines.push("", "Next actions");
 		for (const action of status.next_actions) lines.push(formatNextAction(action));
@@ -17981,6 +18630,180 @@ var InboxStatusCommand = class InboxStatusCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/inbox-setup.ts
+const DEFAULT_FUNCTION_NAME = "inbound-reply";
+const DEFAULT_LOCAL_PART = "inbox";
+const FUNCTION_ID_PLACEHOLDER = "<function-id>";
+function firstUsableManagedDomain(status) {
+	return status.domains.find((domain) => domain.managed && domain.receiving_ready && domain.active) ?? status.domains.find((domain) => domain.managed && domain.receiving_ready) ?? null;
+}
+function buildInboxSetupCommands(functionName = DEFAULT_FUNCTION_NAME) {
+	return {
+		scaffold: [
+			`primitive functions init ${functionName}`,
+			`cd ${functionName}`,
+			"npm install",
+			"npm run build",
+			`primitive functions deploy --name ${functionName} --file ./dist/handler.js --wait`,
+			`primitive functions test --id ${FUNCTION_ID_PLACEHOLDER} --wait --show-sends`
+		],
+		logs: `primitive functions logs --id ${FUNCTION_ID_PLACEHOLDER}`,
+		status: "primitive inbox status"
+	};
+}
+function buildInboxSetupProof(commands) {
+	return {
+		after_test: [
+			"inbound id for the generated test email",
+			"function id matching the deployed Function",
+			"invocation status completed, failed, or send_failed",
+			"reply/send result emitted by the handler"
+		],
+		logs_command: commands.logs
+	};
+}
+function buildInboxSetupGuide(status) {
+	const domain = firstUsableManagedDomain(status);
+	const commands = buildInboxSetupCommands();
+	const mode = !status.receiving_ready ? "not_receiving" : status.processing_ready ? "actively_processed" : "stored_only";
+	return {
+		readiness: {
+			ready: status.ready,
+			receiving_ready: status.receiving_ready,
+			processing_ready: status.processing_ready,
+			mode,
+			summary: status.summary
+		},
+		receive: {
+			address: domain ? `${DEFAULT_LOCAL_PART}@${domain.domain}` : null,
+			domain: domain?.domain ?? null,
+			managed: domain?.managed ?? false,
+			placeholder_local_part: domain ? DEFAULT_LOCAL_PART : null
+		},
+		processing: {
+			stored_only: status.receiving_ready && !status.processing_ready,
+			active: status.processing_ready,
+			enabled_endpoints: status.endpoints.enabled,
+			deployed_functions: status.functions.deployed
+		},
+		commands,
+		proof: buildInboxSetupProof(commands),
+		status
+	};
+}
+function formatReadiness(guide) {
+	const readiness = guide.readiness.ready ? "ready" : "not ready";
+	const receiving = guide.readiness.receiving_ready ? "yes" : "no";
+	const processing = guide.readiness.processing_ready ? "yes" : "no";
+	const mode = guide.readiness.mode === "actively_processed" ? "actively processed" : guide.readiness.mode === "stored_only" ? "stored-only" : "not receiving";
+	return [
+		`Readiness: ${readiness}`,
+		`Receiving: ${receiving}`,
+		`Processing: ${processing}`,
+		`Mode: ${mode}`
+	].join("\n");
+}
+function formatReceiveAddress(guide) {
+	if (!guide.receive.domain || !guide.receive.address) return "Receive address: none found on a receiving-ready Primitive-managed domain";
+	return [`Receive address: ${guide.receive.address}`, `Receive domain: ${guide.receive.domain} (Primitive-managed)`].join("\n");
+}
+function formatDomainDetails(status) {
+	if (status.domains.length === 0) return ["Domains: none configured"];
+	return status.domains.map((domain) => `- ${domain.domain}: ${statusText(domain.status)}, receive ${domain.receiving_ready ? "yes" : "no"}, process ${domain.processing_ready ? "yes" : "no"}, routes ${domain.processing_route_count}`);
+}
+function formatScaffoldCommands(commands) {
+	return commands.scaffold.map((command) => `  ${command}`);
+}
+function formatInboxSetupGuide(guide) {
+	const lines = [
+		"Inbound setup",
+		"",
+		guide.readiness.summary,
+		"",
+		formatReadiness(guide),
+		"",
+		formatReceiveAddress(guide),
+		"",
+		"Domains",
+		...formatDomainDetails(guide.status),
+		"",
+		`Processing routes: ${guide.processing.enabled_endpoints} enabled endpoint(s), ${guide.processing.deployed_functions} deployed Function(s)`
+	];
+	if (guide.readiness.mode === "not_receiving") lines.push("", "Next actions", "Make a receiving-ready domain available, then re-run:", `  ${guide.commands.status}`);
+	else if (!guide.processing.active) lines.push("", "Next actions", "No processing route is enabled. Scaffold, deploy, and test an email Function:", ...formatScaffoldCommands(guide.commands));
+	else lines.push("", "Next actions", "Inbound mail has an active processing route. Run a Function test when you know the Function id:", `  primitive functions test --id ${FUNCTION_ID_PLACEHOLDER} --wait --show-sends`);
+	if (guide.status.next_actions.length > 0) {
+		lines.push("", "API suggested actions");
+		for (const action of guide.status.next_actions) lines.push(action.command ? `- ${action.message}\n  ${action.command}` : `- ${action.message}`);
+	}
+	lines.push("", "Proof after functions test", "- Inbound id: the generated test email should have an inbound id.", "- Function id: the run should point at the Function id you deployed.", "- Invocation status: expect completed; failed or send_failed identifies the failing stage.", "- Reply/send result: --show-sends should show the handler's outbound result when it replies or sends.", "- Logs:", `  ${guide.proof.logs_command}`);
+	return lines.join("\n");
+}
+var InboxSetupCommand = class InboxSetupCommand extends Command {
+	static description = `Guide inbound email setup from the server-owned inbox status API.
+  This command does not scaffold, deploy, or run tests. It verifies auth, fetches inbox readiness, shows the first usable Primitive-managed receive address/domain, explains whether inbound mail is stored-only or actively processed, and prints the exact commands to add a Function processing route when one is missing.`;
+	static summary = "Guide inbound email setup";
+	static examples = ["<%= config.bin %> inbox setup", "<%= config.bin %> inbox setup --json"];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url-1": Flags.string({
+			description: API_BASE_URL_1_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		"api-base-url-2": Flags.string({
+			description: API_BASE_URL_2_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL_2",
+			hidden: true
+		}),
+		json: Flags.boolean({ description: "Print structured readiness, receive address, commands, proof metadata, and raw status as JSON." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(InboxSetupCommand);
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl2: flags["api-base-url-2"],
+				configDir: this.config.configDir
+			});
+			const result = await getInboxStatus({
+				client: apiClient.client,
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const errorPayload = extractErrorPayload(result.error);
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const envelope = result.data ?? {};
+			const status = envelope.data;
+			if (!status) throw new Errors.CLIError("Primitive API returned no inbox status.", { exit: 1 });
+			const guide = buildInboxSetupGuide(status);
+			if (flags.json) {
+				this.log(JSON.stringify({
+					...envelope,
+					data: guide
+				}, null, 2));
+				return;
+			}
+			this.log(formatInboxSetupGuide(guide));
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/login.ts
 const MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS = 60;
 function cliError$3(message) {
@@ -18303,11 +19126,100 @@ function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 		expires_in: Math.max(0, Math.ceil((new Date(pending.expires_at).getTime() - Date.now()) / 1e3))
 	};
 }
+function readPendingAgentSignupState(configDir, apiBaseUrl1) {
+	const path = pendingSignupPath(configDir);
+	let contents;
+	try {
+		contents = readFileSync(path, "utf8");
+	} catch (error) {
+		if (error && typeof error === "object" && error.code === "ENOENT") return null;
+		throw error;
+	}
+	let pending;
+	try {
+		pending = pendingSignupFromJson(JSON.parse(contents));
+	} catch {
+		pending = null;
+	}
+	if (!pending) {
+		deletePendingAgentSignup(configDir);
+		return null;
+	}
+	if (pending.api_base_url_1 !== apiBaseUrl1) return null;
+	return pending;
+}
+function pendingSignupStartCommand(email) {
+	return `primitive signup ${email ?? "<email>"} --signup-code <invite-code> --accept-terms`;
+}
+function buildSignupStatus(params) {
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
+	const pending = readPendingAgentSignupState(params.configDir, params.apiBaseUrl1);
+	if (!pending) return {
+		code_length: null,
+		confirm_command: null,
+		email: null,
+		expired: false,
+		expires_at: null,
+		expires_in: null,
+		pending: false,
+		resend_after: null,
+		resend_command: null,
+		signup_command: pendingSignupStartCommand(params.email)
+	};
+	if (params.email && normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$2(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive signup status\` without an email argument to inspect it.`);
+	const expiresAtMs = new Date(pending.expires_at).getTime();
+	const expiresIn = Number.isFinite(expiresAtMs) ? Math.ceil((expiresAtMs - Date.now()) / 1e3) : null;
+	return {
+		code_length: pending.verification_code_length,
+		confirm_command: `primitive ${copy.confirmCommand(pending.email)}`,
+		email: pending.email,
+		expired: expiresIn !== null && expiresIn <= 0,
+		expires_at: pending.expires_at,
+		expires_in: expiresIn === null ? null : Math.max(0, expiresIn),
+		pending: true,
+		resend_after: pending.resend_after,
+		resend_command: `primitive ${copy.resendCommand(pending.email)}`
+	};
+}
+function writeSignupStatus(status) {
+	if (!status.pending) {
+		process$1.stdout.write("No pending Primitive signup found.\n");
+		process$1.stdout.write(`Start one with \`${status.signup_command ?? pendingSignupStartCommand()}\`.\n`);
+		return;
+	}
+	process$1.stdout.write(`Pending Primitive signup for ${status.email}.\n`);
+	if (status.code_length !== null) process$1.stdout.write(`Verification code length: ${status.code_length}\n`);
+	if (status.expires_at) if (status.expired) process$1.stdout.write(`Expired at: ${status.expires_at}\n`);
+	else {
+		process$1.stdout.write(`Expires at: ${status.expires_at}\n`);
+		process$1.stdout.write(`Expires in: ${formatSignupSeconds(status.expires_in)}\n`);
+	}
+	if (status.resend_after !== null) process$1.stdout.write(`Resend after: ${formatSignupSeconds(status.resend_after)}\n`);
+	if (status.confirm_command) process$1.stdout.write(`Confirm: ${status.confirm_command}\n`);
+	if (status.resend_command) process$1.stdout.write(`Resend: ${status.resend_command}\n`);
+}
+function runSignupStatus(params) {
+	const { requestConfig } = createCliApiClient({
+		apiBaseUrl1: params.flags["api-base-url-1"],
+		configDir: params.configDir
+	});
+	const status = buildSignupStatus({
+		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		configDir: params.configDir,
+		copy: params.copy,
+		email: params.email
+	});
+	if (params.flags.json) {
+		process$1.stdout.write(`${JSON.stringify(status, null, 2)}\n`);
+		return;
+	}
+	writeSignupStatus(status);
+}
 function requirePendingSignupForEmail(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
-	if (!pending) throw cliError$2(`No pending ${copy.actionNoun} for ${params.email}. Run \`primitive ${copy.startCommand(params.email)}\` first.`);
-	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$2(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
+	if (!pending) throw cliError$2(`No pending ${copy.actionNoun} for ${params.email}. Run \`primitive signup status ${params.email}\` to inspect pending state, or \`primitive ${copy.startCommand(params.email)}\` first.`);
+	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$2(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive signup status\` to inspect it, or \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	return pending;
 }
 function retryAfterSeconds(result) {
@@ -18410,13 +19322,13 @@ async function startSignup(params) {
 	if (existingPending && !params.flags.force) {
 		if (normalizeEmail(existingPending.email) === normalizeEmail(params.email)) {
 			process$1.stderr.write(`Continuing pending Primitive ${copy.actionNoun} for ${existingPending.email}.\n`);
-			process$1.stderr.write(`Run \`primitive ${copy.confirmCommand(existingPending.email)}\` to finish, or \`primitive ${copy.resendCommand(existingPending.email)}\` to send a new code.\n`);
+			process$1.stderr.write(`Run \`primitive ${copy.confirmCommand(existingPending.email)}\` to finish, \`primitive ${copy.resendCommand(existingPending.email)}\` to send a new code, or \`primitive signup status\` to inspect it.\n`);
 			return {
 				pending: existingPending,
 				started: false
 			};
 		}
-		throw cliError$2(`Pending ${copy.actionNoun} is for ${existingPending.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
+		throw cliError$2(`Pending ${copy.actionNoun} is for ${existingPending.email}. Run \`primitive signup status\` to inspect it, or \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	}
 	if (params.flags.force) deletePendingAgentSignup(params.configDir);
 	const promptRequiredFn = params.deps.promptRequired ?? promptRequired;
@@ -18552,23 +19464,25 @@ async function runSignupConfirmWithCredentialLock(params) {
 	}
 	const payload = extractErrorPayload(verified.error);
 	const code = extractErrorCode(payload);
-	if (code === INVALID_VERIFICATION_CODE) throw cliError$2(`Invalid verification code. Try again or run ${(params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY).resendCommand(params.email)}.`);
+	if (code === INVALID_VERIFICATION_CODE) throw cliError$2(`Invalid verification code. Try again, run ${(params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY).resendCommand(params.email)}, or run primitive signup status.`);
 	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(configDir);
 	writeErrorWithHints(payload);
 	throw cliError$2("Primitive agent signup failed while verifying the account.");
 }
 async function runSignupResendWithCredentialLock(params) {
 	const deps = params.deps ?? {};
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const { apiClient, requestConfig } = createCliApiClient({
 		apiBaseUrl1: params.flags["api-base-url-1"],
 		configDir: params.configDir
 	});
-	const pending = requirePendingSignupForEmail({
+	const pending = params.email ? requirePendingSignupForEmail({
 		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
-		copy: params.copy,
+		copy,
 		configDir: params.configDir,
 		email: params.email
-	});
+	}) : loadPendingAgentSignup(params.configDir, requestConfig.resolvedApiBaseUrl1);
+	if (!pending) throw cliError$2(`No pending ${copy.actionNoun} found. Run \`primitive signup status\` to inspect pending state, or start one with \`${pendingSignupStartCommand()}\`.`);
 	const resend = await resendVerificationCode({
 		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
 		apiClient,
@@ -18741,12 +19655,12 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 };
 var SignupResendCommand = class SignupResendCommand extends Command {
 	static args = { email: Args.string({
-		description: "Email address used to start signup",
-		required: true
+		description: "Email address used to start signup. Defaults to the saved pending signup.",
+		required: false
 	}) };
 	static description = "Resend the verification code for a pending signup.";
 	static summary = "Resend signup verification code";
-	static examples = ["<%= config.bin %> signup resend user@example.com"];
+	static examples = ["<%= config.bin %> signup resend", "<%= config.bin %> signup resend user@example.com"];
 	static flags = { "api-base-url-1": Flags.string({
 		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
 		env: "PRIMITIVE_API_BASE_URL_1",
@@ -18771,6 +19685,35 @@ var SignupResendCommand = class SignupResendCommand extends Command {
 		}
 	}
 };
+var SignupStatusCommand = class SignupStatusCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address expected in the pending signup",
+		required: false
+	}) };
+	static description = "Inspect the locally saved pending Primitive signup state.";
+	static summary = "Show pending signup status";
+	static examples = [
+		"<%= config.bin %> signup status",
+		"<%= config.bin %> signup status user@example.com",
+		"<%= config.bin %> signup status --json"
+	];
+	static flags = {
+		"api-base-url-1": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL_1",
+			hidden: true
+		}),
+		json: Flags.boolean({ description: "Print pending signup status as JSON" })
+	};
+	async run() {
+		const { args, flags } = await this.parse(SignupStatusCommand);
+		runSignupStatus({
+			configDir: this.config.configDir,
+			email: args.email,
+			flags
+		});
+	}
+};
 var SignupInteractiveCommand = class SignupInteractiveCommand extends Command {
 	static description = "Run the full signup flow in one interactive terminal session.";
 	static summary = "Run interactive account signup";
@@ -19031,6 +19974,7 @@ var ReplyCommand = class ReplyCommand extends Command {
 	static examples = [
 		"<%= config.bin %> reply --id <inbound-email-id> --body 'Thanks, got it.'",
 		"<%= config.bin %> reply --id <inbound-email-id> --body-file ./reply.txt",
+		"<%= config.bin %> reply --id <inbound-email-id> --body 'See attached.' --attachment ./report.pdf",
 		"<%= config.bin %> reply --id <inbound-email-id> --html '<p>Thanks, got it.</p>' --wait",
 		"<%= config.bin %> reply --id <inbound-email-id> --from 'Support <support@example.com>' --body 'Thanks!'"
 	];
@@ -19054,12 +19998,17 @@ var ReplyCommand = class ReplyCommand extends Command {
 			required: true
 		}),
 		body: Flags.string({ description: "Plain-text reply body. Either --body or --html (or both) is required." }),
-		"body-file": Flags.string({ description: "Read the plain-text reply body from a UTF-8 file. Mutually exclusive with --body and --body-stdin." }),
+		"body-file": Flags.string({ description: "Read the plain-text reply body from a UTF-8 file; this does not attach the file. Use --attachment for attachments. Mutually exclusive with --body and --body-stdin." }),
 		"body-stdin": Flags.boolean({ description: "Read the plain-text reply body from stdin. Mutually exclusive with --body and --body-file. Stdin can only be consumed once." }),
 		html: Flags.string({ description: "HTML reply body. Either --body or --html (or both) is required." }),
-		"html-file": Flags.string({ description: "Read the HTML reply body from a UTF-8 file. Mutually exclusive with --html and --html-stdin." }),
+		"html-file": Flags.string({ description: "Read the HTML reply body from a UTF-8 file; this does not attach the file. Use --attachment for attachments. Mutually exclusive with --html and --html-stdin." }),
 		"html-stdin": Flags.boolean({ description: "Read the HTML reply body from stdin. Mutually exclusive with --html and --html-file. Stdin can only be consumed once." }),
 		from: Flags.string({ description: "Optional From header override. Defaults to the inbound recipient." }),
+		attachment: Flags.string({
+			char: "a",
+			description: "Attach a file to the reply. Repeat --attachment to attach multiple files.",
+			multiple: true
+		}),
 		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the reply for delivery." }),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
 	};
@@ -19081,14 +20030,16 @@ var ReplyCommand = class ReplyCommand extends Command {
 				apiBaseUrl2: flags["api-base-url-2"],
 				configDir: this.config.configDir
 			});
+			const attachments = readAttachmentFiles(flags.attachment);
 			const result = await replyToEmail({
 				body: {
 					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
 					...bodies.html !== void 0 ? { body_html: bodies.html } : {},
 					...flags.from !== void 0 ? { from: flags.from } : {},
+					...attachments !== void 0 ? { attachments } : {},
 					...flags.wait !== void 0 ? { wait: flags.wait } : {}
 				},
-				client: apiClient.client,
+				client: apiClient._sendClient,
 				path: { id: flags.id },
 				responseStyle: "fields"
 			});
@@ -19113,39 +20064,6 @@ var ReplyCommand = class ReplyCommand extends Command {
 	}
 };
 //#endregion
-//#region src/oclif/attachments.ts
-function readAttachmentBytes(path, readFile) {
-	try {
-		return Buffer.from(readFile(path));
-	} catch (error) {
-		const detail = error instanceof Error ? error.message : String(error);
-		throw new Errors.CLIError(`Could not read --attachment ${path}: ${detail}`, { exit: 1 });
-	}
-}
-function hasControlCharacter(value) {
-	return Array.from(value).some((character) => {
-		const code = character.charCodeAt(0);
-		return code <= 31 || code >= 127 && code <= 159;
-	});
-}
-function validateAttachmentFilename(path, filename) {
-	if (!filename) throw new Errors.CLIError(`Could not derive an attachment filename from ${path}. Pass a file path.`, { exit: 1 });
-	if (hasControlCharacter(filename)) throw new Errors.CLIError(`Attachment filename ${filename} contains control characters.`, { exit: 1 });
-}
-function readAttachmentFiles(paths, readFile = readFileSync) {
-	if (!paths || paths.length === 0) return void 0;
-	return paths.map((path) => {
-		const filename = basename(path);
-		validateAttachmentFilename(path, filename);
-		const bytes = readAttachmentBytes(path, readFile);
-		if (bytes.length === 0) throw new Errors.CLIError(`Attachment file ${path} is empty. Attachments must contain at least one byte.`, { exit: 1 });
-		return {
-			content_base64: bytes.toString("base64"),
-			filename
-		};
-	});
-}
-//#endregion
 //#region src/oclif/commands/send.ts
 var SendCommand = class SendCommand extends Command {
 	static description = `Send an outbound email. Agent-grade shortcut for \`sending send\` with sensible defaults.
@@ -20002,6 +20920,7 @@ const COMMANDS = {
 	"signup:confirm": SignupConfirmCommand,
 	"signup:interactive": SignupInteractiveCommand,
 	"signup:resend": SignupResendCommand,
+	"signup:status": SignupStatusCommand,
 	logout: LogoutCommand,
 	whoami: WhoamiCommand,
 	doctor: DoctorCommand,
@@ -20010,6 +20929,7 @@ const COMMANDS = {
 	"emails:wait": EmailsWaitCommand,
 	"domains:zone-file": DomainsZoneFileCommand,
 	"domains:download-domain-zone-file": DomainsZoneFileCommand,
+	"inbox:setup": InboxSetupCommand,
 	"inbox:status": InboxStatusCommand,
 	"inbox:get-inbox-status": InboxStatusCommand,
 	"functions:init": FunctionsInitCommand,