@primitivedotdev/cli 0.34.0 → 0.35.1

package/dist/oclif/index.js

@@ -1,5 +1,5 @@
-import { A as createClient, C as saveCliCredentials, D as loadChatConversationByLocalId, E as loadActiveChatState, O as saveActiveChatState, S as resolveCliAuth, T as deleteChatState, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as normalizeApiBaseUrl1, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, j as createConfig, k as PrimitiveApiClient, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as chatStatePath, x as normalizeApiBaseUrl2, y as loadCliCredentials } from "../cli-config-D9nB6fOW.js";
-import { Args, Command, Errors, Flags } from "@oclif/core";
+import { A as createConfig, C as chatStatePath, D as saveActiveChatState, E as loadChatConversationByLocalId, O as PrimitiveApiClient, S as saveCliCredentials, T as loadActiveChatState, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as normalizeApiBaseUrl, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, k as createClient, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as deleteChatState, x as resolveCliAuth, y as loadCliCredentials } from "../cli-config-DREZ2BxT.js";
+import { Args, Command, Errors, Flags, ux } from "@oclif/core";
 import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { randomUUID } from "node:crypto";
 import { basename, dirname, join, relative, resolve, sep } from "node:path";
@@ -20,7 +20,7 @@ var __exportAll = (all, no_symbols) => {
 };
 //#endregion
 //#region ../packages/api-core/src/api/client.gen.ts
-const client = createClient(createConfig({ baseUrl: "https://www.primitive.dev/api/v1" }));
+const client = createClient(createConfig({ baseUrl: "https://api.primitive.dev/v1" }));
 //#endregion
 //#region ../packages/api-core/src/api/sdk.gen.ts
 var sdk_gen_exports = /* @__PURE__ */ __exportAll({
@@ -68,6 +68,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	resendCliSignupVerification: () => resendCliSignupVerification,
 	rotateWebhookSecret: () => rotateWebhookSecret,
 	searchEmails: () => searchEmails,
+	semanticSearch: () => semanticSearch,
 	sendEmail: () => sendEmail,
 	setFunctionSecret: () => setFunctionSecret,
 	startAgentSignup: () => startAgentSignup,
@@ -595,9 +596,9 @@ const downloadAttachments = (options) => (options.client ?? client).get({
 * derivation (Reply-To, then From, then bare sender), and the
 * `Re:` subject prefix are all derived server-side from the
 * stored inbound row. The request body carries only the message
-* body and optional `wait` flag; passing any header or recipient
-* override is rejected by the schema (`additionalProperties:
-* false`).
+* body, optional From override, optional attachments, and optional
+* `wait` flag; passing any header or recipient override is
+* rejected by the schema (`additionalProperties: false`).
 *
 * Forwards through the same gates as `/send-mail`: the response
 * status, error envelope, and `idempotent_replay` flag mirror
@@ -933,14 +934,13 @@ const getSendPermissions = (options) => (options?.client ?? client).get({
 * the request returns once the relay accepts the message for delivery.
 * Set `wait: true` to wait for the first downstream SMTP delivery outcome.
 *
-* **Host routing.** /send-mail is served by the attachments-
-* supporting host (`https://api.primitive.dev/v1`) so the
-* request body can carry inline attachments up to ~30 MiB raw.
-* The primary host (`https://www.primitive.dev/api/v1`) also
-* accepts /send-mail for attachment-free sends; sends WITH
-* attachments to the primary host return 413
-* `attachments_unsupported_on_this_endpoint`. The typed SDKs
-* route /send-mail to the attachments host automatically.
+* **Host routing.** /send-mail is served by the canonical API host
+* (`https://api.primitive.dev/v1`) so the request body can carry
+* inline attachments up to ~30 MiB raw. The legacy dashboard
+* compatibility host (`https://www.primitive.dev/api/v1`) also accepts
+* /send-mail, but Vercel request body limits apply before proxying.
+* The typed SDKs route /send-mail to the canonical API host
+* automatically.
 *
 */
 const sendEmail = (options) => (options.client ?? client).post({
@@ -956,6 +956,42 @@ const sendEmail = (options) => (options.client ?? client).post({
 	}
 });
 /**
+* Semantic search across received and sent mail
+*
+* Ranked search across both received and sent mail. The `mode`
+* field selects the ranking strategy:
+*
+* - `keyword`: lexical full-text matching only (no embeddings).
+* - `semantic`: meaning-based matching using vector embeddings.
+* - `hybrid` (default): blends the semantic and keyword signals.
+*
+* Results are ordered by a relevance `score`. Every row reports the
+* fields it matched (`matched_fields`), a match-centered excerpt per
+* field (`snippets`), and a `score_breakdown` whose components account
+* for the `score`. Page through results by passing the prior
+* response's `meta.cursor` back as `cursor`.
+*
+* Requires the Pro plan and the `semantic_search_enabled`
+* entitlement; callers without them receive `403`.
+*
+* Host routing: this operation is served only by the search host
+* (`https://api.primitive.dev/v1`). The typed SDKs route it there
+* automatically.
+*
+*/
+const semanticSearch = (options) => (options.client ?? client).post({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/semantic-search",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
 * List outbound sent emails
 *
 * Returns a paginated list of OUTBOUND emails the caller's
@@ -1346,11 +1382,11 @@ const openapiDocument = {
 		}
 	},
 	"servers": [{
-		"url": "https://www.primitive.dev/api/v1",
-		"description": "Primary API host (PRIMITIVE_API_BASE_URL_1). Carries every operation\nexcept attachment-supporting send. Vercel-backed; request body is\ncapped at 4.5 MB by the platform.\n"
-	}, {
 		"url": "https://api.primitive.dev/v1",
-		"description": "Attachments-supporting send host (PRIMITIVE_API_BASE_URL_2).\nCloudflare Worker with a ~30 MiB raw request body cap (before\nbase64 encoding). Today only `/send-mail` is hosted here; future\nlarge-body operations will migrate here over time. SDK clients\nroute /send-mail to this server automatically.\n"
+		"description": "Canonical API host (PRIMITIVE_API_BASE_URL). Carries every public\nAPI operation. Cloudflare Workers-backed; attachment-capable send\noperations can carry up to ~30 MiB raw request bodies before base64\nencoding.\n"
+	}, {
+		"url": "https://www.primitive.dev/api/v1",
+		"description": "Legacy dashboard compatibility host. Requests are forwarded to the\ncanonical API host, but Vercel request body limits still apply before\nproxying. New integrations should use https://api.primitive.dev/v1.\n"
 	}],
 	"security": [{ "BearerAuth": [] }],
 	"tags": [
@@ -1378,6 +1414,10 @@ const openapiDocument = {
 			"name": "Emails",
 			"description": "List, inspect, and manage received emails"
 		},
+		{
+			"name": "Search",
+			"description": "Semantic and hybrid search across received and sent mail"
+		},
 		{
 			"name": "Sending",
 			"description": "Send outbound emails through the Primitive API"
@@ -2366,7 +2406,14 @@ const openapiDocument = {
 			"post": {
 				"operationId": "replyToEmail",
 				"summary": "Reply to an inbound email",
-				"description": "Sends an outbound reply to the inbound email identified by `id`.\nThreading headers (`In-Reply-To`, `References`), recipient\nderivation (Reply-To, then From, then bare sender), and the\n`Re:` subject prefix are all derived server-side from the\nstored inbound row. The request body carries only the message\nbody and optional `wait` flag; passing any header or recipient\noverride is rejected by the schema (`additionalProperties:\nfalse`).\n\nForwards through the same gates as `/send-mail`: the response\nstatus, error envelope, and `idempotent_replay` flag mirror\nthe send-mail contract verbatim.\n",
+				"description": "Sends an outbound reply to the inbound email identified by `id`.\nThreading headers (`In-Reply-To`, `References`), recipient\nderivation (Reply-To, then From, then bare sender), and the\n`Re:` subject prefix are all derived server-side from the\nstored inbound row. The request body carries only the message\nbody, optional From override, optional attachments, and optional\n`wait` flag; passing any header or recipient override is\nrejected by the schema (`additionalProperties: false`).\n\nForwards through the same gates as `/send-mail`: the response\nstatus, error envelope, and `idempotent_replay` flag mirror\nthe send-mail contract verbatim.\n",
+				"servers": [{
+					"url": "https://api.primitive.dev/v1",
+					"description": "Canonical API host (recommended)"
+				}, {
+					"url": "https://www.primitive.dev/api/v1",
+					"description": "Legacy compatibility host (Vercel body limit applies)"
+				}],
 				"tags": ["Sending"],
 				"requestBody": {
 					"required": true,
@@ -2774,13 +2821,13 @@ const openapiDocument = {
 		"/send-mail": { "post": {
 			"operationId": "sendEmail",
 			"summary": "Send outbound email",
-			"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the attachments-\nsupporting host (`https://api.primitive.dev/v1`) so the\nrequest body can carry inline attachments up to ~30 MiB raw.\nThe primary host (`https://www.primitive.dev/api/v1`) also\naccepts /send-mail for attachment-free sends; sends WITH\nattachments to the primary host return 413\n`attachments_unsupported_on_this_endpoint`. The typed SDKs\nroute /send-mail to the attachments host automatically.\n",
+			"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the canonical API host\n(`https://api.primitive.dev/v1`) so the request body can carry\ninline attachments up to ~30 MiB raw. The legacy dashboard\ncompatibility host (`https://www.primitive.dev/api/v1`) also accepts\n/send-mail, but Vercel request body limits apply before proxying.\nThe typed SDKs route /send-mail to the canonical API host\nautomatically.\n",
 			"servers": [{
 				"url": "https://api.primitive.dev/v1",
-				"description": "Attachments-supporting send host (recommended)"
+				"description": "Canonical API host (recommended)"
 			}, {
 				"url": "https://www.primitive.dev/api/v1",
-				"description": "Primary host (attachment-free sends only)"
+				"description": "Legacy compatibility host (Vercel body limit applies)"
 			}],
 			"tags": ["Sending"],
 			"parameters": [{
@@ -2816,6 +2863,42 @@ const openapiDocument = {
 				"503": { "$ref": "#/components/responses/ServiceUnavailable" }
 			}
 		} },
+		"/semantic-search": { "post": {
+			"operationId": "semanticSearch",
+			"summary": "Semantic search across received and sent mail",
+			"description": "Ranked search across both received and sent mail. The `mode`\nfield selects the ranking strategy:\n\n- `keyword`: lexical full-text matching only (no embeddings).\n- `semantic`: meaning-based matching using vector embeddings.\n- `hybrid` (default): blends the semantic and keyword signals.\n\nResults are ordered by a relevance `score`. Every row reports the\nfields it matched (`matched_fields`), a match-centered excerpt per\nfield (`snippets`), and a `score_breakdown` whose components account\nfor the `score`. Page through results by passing the prior\nresponse's `meta.cursor` back as `cursor`.\n\nRequires the Pro plan and the `semantic_search_enabled`\nentitlement; callers without them receive `403`.\n\nHost routing: this operation is served only by the search host\n(`https://api.primitive.dev/v1`). The typed SDKs route it there\nautomatically.\n",
+			"servers": [{
+				"url": "https://api.primitive.dev/v1",
+				"description": "Search host"
+			}],
+			"tags": ["Search"],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/SemanticSearchInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Ranked search results",
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": {
+							"data": {
+								"type": "array",
+								"items": { "$ref": "#/components/schemas/SemanticSearchResult" }
+							},
+							"meta": { "$ref": "#/components/schemas/SemanticSearchMeta" }
+						},
+						"required": ["data", "meta"]
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"403": { "$ref": "#/components/responses/Forbidden" },
+				"429": { "$ref": "#/components/responses/RateLimited" },
+				"500": { "$ref": "#/components/responses/InternalError" },
+				"503": { "$ref": "#/components/responses/ServiceUnavailable" }
+			}
+		} },
 		"/sent-emails": { "get": {
 			"operationId": "listSentEmails",
 			"summary": "List outbound sent emails",
@@ -5660,6 +5743,236 @@ const openapiDocument = {
 					"body_size_bytes"
 				]
 			},
+			"SemanticSearchField": {
+				"type": "string",
+				"enum": [
+					"subject",
+					"headers",
+					"addresses",
+					"body"
+				],
+				"description": "A searchable email field."
+			},
+			"SemanticSearchInput": {
+				"type": "object",
+				"properties": {
+					"query": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 2048,
+						"description": "Free-text query. Required for `semantic` and `hybrid` modes;\noptional for `keyword` mode.\n"
+					},
+					"mode": {
+						"type": "string",
+						"enum": [
+							"hybrid",
+							"semantic",
+							"keyword"
+						],
+						"default": "hybrid",
+						"description": "Ranking strategy. `keyword` is lexical only, `semantic` is\nembedding-based, `hybrid` blends both.\n"
+					},
+					"corpus": {
+						"type": "array",
+						"items": {
+							"type": "string",
+							"enum": ["inbound", "outbound"]
+						},
+						"minItems": 1,
+						"maxItems": 2,
+						"description": "Which mail to search. Defaults to both received (`inbound`)\nand sent (`outbound`).\n"
+					},
+					"search_in": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/SemanticSearchField" },
+						"description": "Restrict matching to these fields. Defaults to all."
+					},
+					"exclude": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/SemanticSearchField" },
+						"description": "Exclude these fields from matching."
+					},
+					"date_from": {
+						"type": "string",
+						"format": "date-time",
+						"description": "Only include mail at or after this timestamp."
+					},
+					"date_to": {
+						"type": "string",
+						"format": "date-time",
+						"description": "Only include mail at or before this timestamp."
+					},
+					"include": {
+						"type": "array",
+						"items": {
+							"type": "string",
+							"enum": ["coverage"]
+						},
+						"description": "Opt-in extras. `coverage` adds an index-coverage snapshot to\n`meta`. Matched fields, snippets, and the score breakdown are\nalways returned regardless of this field.\n"
+					},
+					"limit": {
+						"type": "integer",
+						"minimum": 1,
+						"maximum": 100,
+						"default": 10,
+						"description": "Maximum number of results to return."
+					},
+					"cursor": {
+						"type": "string",
+						"description": "Opaque pagination cursor from a prior response's `meta.cursor`."
+					}
+				}
+			},
+			"SemanticSearchSnippet": {
+				"type": "object",
+				"properties": {
+					"field": {
+						"type": "string",
+						"description": "The field this excerpt came from."
+					},
+					"text": {
+						"type": "string",
+						"description": "Plain-text excerpt centered on the match (no markup)."
+					}
+				},
+				"required": ["field", "text"]
+			},
+			"SemanticSearchScoreBreakdown": {
+				"type": "object",
+				"description": "Additive contributions to `score`. `semantic` and `keyword` are the\nraw signals times the mode's weight (null when not applicable);\nthese plus `field_boost` and `recency` sum to `score` before each\nvalue is independently rounded to 5 decimal places.\n",
+				"properties": {
+					"semantic": { "type": ["number", "null"] },
+					"keyword": { "type": ["number", "null"] },
+					"field_boost": { "type": "number" },
+					"recency": { "type": "number" }
+				},
+				"required": [
+					"semantic",
+					"keyword",
+					"field_boost",
+					"recency"
+				]
+			},
+			"SemanticSearchResult": {
+				"type": "object",
+				"properties": {
+					"source_type": {
+						"type": "string",
+						"enum": ["inbound_email", "sent_email"],
+						"description": "Whether this row is a received or sent message."
+					},
+					"id": {
+						"type": "string",
+						"description": "Message id. Combine with `api_url` to fetch the full record."
+					},
+					"subject": { "type": ["string", "null"] },
+					"from": { "type": ["string", "null"] },
+					"to": { "type": ["string", "null"] },
+					"timestamp": {
+						"type": "string",
+						"description": "Message timestamp (received_at for inbound, created_at for sent)."
+					},
+					"status": {
+						"type": "string",
+						"description": "Lifecycle status of the message."
+					},
+					"score": {
+						"type": "number",
+						"description": "Overall relevance score; the `score_breakdown` components account for it."
+					},
+					"semantic_score": {
+						"type": ["number", "null"],
+						"description": "Raw semantic similarity signal, or null when not applicable."
+					},
+					"keyword_score": {
+						"type": ["number", "null"],
+						"description": "Raw keyword (lexical) signal, or null when not applicable."
+					},
+					"matched_fields": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/SemanticSearchField" },
+						"description": "Fields where the query matched."
+					},
+					"snippets": {
+						"type": "array",
+						"items": { "$ref": "#/components/schemas/SemanticSearchSnippet" },
+						"description": "Match-centered excerpts, one per matched field."
+					},
+					"score_breakdown": { "$ref": "#/components/schemas/SemanticSearchScoreBreakdown" },
+					"api_url": {
+						"type": ["string", "null"],
+						"description": "Relative API path to fetch the full message."
+					}
+				},
+				"required": [
+					"source_type",
+					"id",
+					"subject",
+					"from",
+					"to",
+					"timestamp",
+					"status",
+					"score",
+					"semantic_score",
+					"keyword_score",
+					"matched_fields",
+					"snippets",
+					"score_breakdown",
+					"api_url"
+				]
+			},
+			"SemanticSearchCoverage": {
+				"type": "object",
+				"description": "Index-coverage snapshot for the org, returned only when the `coverage` include option is requested.",
+				"properties": {
+					"embedded_chunks": { "type": "integer" },
+					"pending_chunks": { "type": "integer" },
+					"skipped_plan_chunks": { "type": "integer" },
+					"skipped_quota_chunks": { "type": "integer" },
+					"unsupported_attachment_chunks": { "type": "integer" },
+					"failed_chunks": { "type": "integer" }
+				},
+				"required": [
+					"embedded_chunks",
+					"pending_chunks",
+					"skipped_plan_chunks",
+					"skipped_quota_chunks",
+					"unsupported_attachment_chunks",
+					"failed_chunks"
+				]
+			},
+			"SemanticSearchMeta": {
+				"type": "object",
+				"properties": {
+					"limit": {
+						"type": "integer",
+						"description": "Page size used for this request."
+					},
+					"cursor": {
+						"type": ["string", "null"],
+						"description": "Cursor for the next page, or null if there are no more results."
+					},
+					"mode": {
+						"type": "string",
+						"enum": [
+							"hybrid",
+							"semantic",
+							"keyword"
+						],
+						"description": "Ranking mode used for this response."
+					},
+					"coverage": {
+						"oneOf": [{ "$ref": "#/components/schemas/SemanticSearchCoverage" }, { "type": "null" }],
+						"description": "Index-coverage snapshot, present only when requested via\n`include: [coverage]`; otherwise null.\n"
+					}
+				},
+				"required": [
+					"limit",
+					"cursor",
+					"mode",
+					"coverage"
+				]
+			},
 			"SentEmailDetail": {
 				"description": "Full sent-email record, including `body_text` and\n`body_html`. Returned by /sent-emails/{id}.\n",
 				"allOf": [{ "$ref": "#/components/schemas/SentEmailSummary" }, {
@@ -5698,6 +6011,12 @@ const openapiDocument = {
 					"wait": {
 						"type": "boolean",
 						"description": "When true, wait for the first downstream SMTP delivery outcome before returning, mirroring the send-mail `wait` semantics."
+					},
+					"attachments": {
+						"type": "array",
+						"maxItems": 100,
+						"description": "Inline attachments for this reply. Use https://api.primitive.dev/v1 for replies with attachments. Combined raw decoded attachment bytes must be at most 31457280.",
+						"items": { "$ref": "#/components/schemas/SendMailAttachment" }
 					}
 				}
 			},
@@ -11458,35 +11777,247 @@ const operationManifest = [
 	},
 	{
 		"binaryResponse": false,
-		"bodyRequired": false,
-		"command": "get-send-permissions",
-		"description": "Returns a flat list of rules describing every recipient the\ncaller may send to. Each rule has a `type`, a kind-specific\npayload, and a human-readable `description`. If any rule\nmatches the recipient, /send-mail will accept the send under\nthe recipient-scope check.\n\nThe endpoint is the answer to \"where can I send\" without\nexposing internal entitlement names. Agents that don't\nrecognize a `type` can still read the `description` prose\nand act on it.\n\nRule kinds, ordered broadest-first so an agent can stop\nscanning at the first match:\n\n  1. `any_recipient` (one entry, only when the org can send\n     anywhere): every other rule below it is redundant.\n  2. `managed_zone` (always emitted, one per Primitive-managed\n     zone): sends to any address at *.primitive.email or\n     *.email.works always succeed; no entitlement required.\n  3. `your_domain` (one per active verified outbound domain\n     owned by the org): sends to that domain are approved.\n  4. `address` (one per address that has authenticated\n     inbound mail to the org, capped at `meta.address_cap`):\n     sends to that exact address are approved.\n\nThe list is informational, not an authorization check.\n/send-mail remains the source of truth on whether an\nindividual send will succeed (it also enforces the\nfrom-address and the `send_mail` entitlement, which are\nnot recipient-scope concerns and are not represented here).\n",
-		"hasJsonBody": false,
-		"method": "GET",
-		"operationId": "getSendPermissions",
-		"path": "/send-permissions",
+		"bodyRequired": true,
+		"command": "semantic-search",
+		"description": "Ranked search across both received and sent mail. The `mode`\nfield selects the ranking strategy:\n\n- `keyword`: lexical full-text matching only (no embeddings).\n- `semantic`: meaning-based matching using vector embeddings.\n- `hybrid` (default): blends the semantic and keyword signals.\n\nResults are ordered by a relevance `score`. Every row reports the\nfields it matched (`matched_fields`), a match-centered excerpt per\nfield (`snippets`), and a `score_breakdown` whose components account\nfor the `score`. Page through results by passing the prior\nresponse's `meta.cursor` back as `cursor`.\n\nRequires the Pro plan and the `semantic_search_enabled`\nentitlement; callers without them receive `403`.\n\nHost routing: this operation is served only by the search host\n(`https://api.primitive.dev/v1`). The typed SDKs route it there\nautomatically.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "semanticSearch",
+		"path": "/semantic-search",
 		"pathParams": [],
 		"queryParams": [],
-		"requestSchema": null,
+		"requestSchema": {
+			"type": "object",
+			"properties": {
+				"query": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 2048,
+					"description": "Free-text query. Required for `semantic` and `hybrid` modes;\noptional for `keyword` mode.\n"
+				},
+				"mode": {
+					"type": "string",
+					"enum": [
+						"hybrid",
+						"semantic",
+						"keyword"
+					],
+					"default": "hybrid",
+					"description": "Ranking strategy. `keyword` is lexical only, `semantic` is\nembedding-based, `hybrid` blends both.\n"
+				},
+				"corpus": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["inbound", "outbound"]
+					},
+					"minItems": 1,
+					"maxItems": 2,
+					"description": "Which mail to search. Defaults to both received (`inbound`)\nand sent (`outbound`).\n"
+				},
+				"search_in": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": [
+							"subject",
+							"headers",
+							"addresses",
+							"body"
+						],
+						"description": "A searchable email field."
+					},
+					"description": "Restrict matching to these fields. Defaults to all."
+				},
+				"exclude": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": [
+							"subject",
+							"headers",
+							"addresses",
+							"body"
+						],
+						"description": "A searchable email field."
+					},
+					"description": "Exclude these fields from matching."
+				},
+				"date_from": {
+					"type": "string",
+					"format": "date-time",
+					"description": "Only include mail at or after this timestamp."
+				},
+				"date_to": {
+					"type": "string",
+					"format": "date-time",
+					"description": "Only include mail at or before this timestamp."
+				},
+				"include": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["coverage"]
+					},
+					"description": "Opt-in extras. `coverage` adds an index-coverage snapshot to\n`meta`. Matched fields, snippets, and the score breakdown are\nalways returned regardless of this field.\n"
+				},
+				"limit": {
+					"type": "integer",
+					"minimum": 1,
+					"maximum": 100,
+					"default": 10,
+					"description": "Maximum number of results to return."
+				},
+				"cursor": {
+					"type": "string",
+					"description": "Opaque pagination cursor from a prior response's `meta.cursor`."
+				}
+			}
+		},
 		"responseSchema": {
 			"type": "array",
 			"items": {
-				"description": "One recipient-scope rule describing a destination the caller\nmay send to. Discriminated on `type`. Each rule carries a\nhuman-prose `description` field intended for display.\n\nRule kinds are stable within an SDK release. A response\ncontaining a `type` value not enumerated in this schema\nmeans the server is running a newer version than the SDK;\nupgrade the SDK to the release that matches the server's\nschema. Strict-parsing SDKs (Go, Python) will raise a\ndecode error in that case rather than silently dropping\nthe unknown rule, since silent drops would let an outbound\nagent reason from an incomplete view of its own permissions.\n",
-				"discriminator": {
-					"propertyName": "type",
-					"mapping": {
-						"any_recipient": "#/components/schemas/SendPermissionAnyRecipient",
-						"managed_zone": "#/components/schemas/SendPermissionManagedZone",
-						"your_domain": "#/components/schemas/SendPermissionYourDomain",
-						"address": "#/components/schemas/SendPermissionAddress"
-					}
-				},
-				"oneOf": [
-					{
-						"type": "object",
-						"description": "The caller can send to any recipient. When this rule is\npresent, every other rule in the response is redundant.\n",
-						"properties": {
-							"type": {
+				"type": "object",
+				"properties": {
+					"source_type": {
+						"type": "string",
+						"enum": ["inbound_email", "sent_email"],
+						"description": "Whether this row is a received or sent message."
+					},
+					"id": {
+						"type": "string",
+						"description": "Message id. Combine with `api_url` to fetch the full record."
+					},
+					"subject": { "type": ["string", "null"] },
+					"from": { "type": ["string", "null"] },
+					"to": { "type": ["string", "null"] },
+					"timestamp": {
+						"type": "string",
+						"description": "Message timestamp (received_at for inbound, created_at for sent)."
+					},
+					"status": {
+						"type": "string",
+						"description": "Lifecycle status of the message."
+					},
+					"score": {
+						"type": "number",
+						"description": "Overall relevance score; the `score_breakdown` components account for it."
+					},
+					"semantic_score": {
+						"type": ["number", "null"],
+						"description": "Raw semantic similarity signal, or null when not applicable."
+					},
+					"keyword_score": {
+						"type": ["number", "null"],
+						"description": "Raw keyword (lexical) signal, or null when not applicable."
+					},
+					"matched_fields": {
+						"type": "array",
+						"items": {
+							"type": "string",
+							"enum": [
+								"subject",
+								"headers",
+								"addresses",
+								"body"
+							],
+							"description": "A searchable email field."
+						},
+						"description": "Fields where the query matched."
+					},
+					"snippets": {
+						"type": "array",
+						"items": {
+							"type": "object",
+							"properties": {
+								"field": {
+									"type": "string",
+									"description": "The field this excerpt came from."
+								},
+								"text": {
+									"type": "string",
+									"description": "Plain-text excerpt centered on the match (no markup)."
+								}
+							},
+							"required": ["field", "text"]
+						},
+						"description": "Match-centered excerpts, one per matched field."
+					},
+					"score_breakdown": {
+						"type": "object",
+						"description": "Additive contributions to `score`. `semantic` and `keyword` are the\nraw signals times the mode's weight (null when not applicable);\nthese plus `field_boost` and `recency` sum to `score` before each\nvalue is independently rounded to 5 decimal places.\n",
+						"properties": {
+							"semantic": { "type": ["number", "null"] },
+							"keyword": { "type": ["number", "null"] },
+							"field_boost": { "type": "number" },
+							"recency": { "type": "number" }
+						},
+						"required": [
+							"semantic",
+							"keyword",
+							"field_boost",
+							"recency"
+						]
+					},
+					"api_url": {
+						"type": ["string", "null"],
+						"description": "Relative API path to fetch the full message."
+					}
+				},
+				"required": [
+					"source_type",
+					"id",
+					"subject",
+					"from",
+					"to",
+					"timestamp",
+					"status",
+					"score",
+					"semantic_score",
+					"keyword_score",
+					"matched_fields",
+					"snippets",
+					"score_breakdown",
+					"api_url"
+				]
+			}
+		},
+		"sdkName": "semanticSearch",
+		"summary": "Semantic search across received and sent mail",
+		"tag": "Search",
+		"tagCommand": "search"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "get-send-permissions",
+		"description": "Returns a flat list of rules describing every recipient the\ncaller may send to. Each rule has a `type`, a kind-specific\npayload, and a human-readable `description`. If any rule\nmatches the recipient, /send-mail will accept the send under\nthe recipient-scope check.\n\nThe endpoint is the answer to \"where can I send\" without\nexposing internal entitlement names. Agents that don't\nrecognize a `type` can still read the `description` prose\nand act on it.\n\nRule kinds, ordered broadest-first so an agent can stop\nscanning at the first match:\n\n  1. `any_recipient` (one entry, only when the org can send\n     anywhere): every other rule below it is redundant.\n  2. `managed_zone` (always emitted, one per Primitive-managed\n     zone): sends to any address at *.primitive.email or\n     *.email.works always succeed; no entitlement required.\n  3. `your_domain` (one per active verified outbound domain\n     owned by the org): sends to that domain are approved.\n  4. `address` (one per address that has authenticated\n     inbound mail to the org, capped at `meta.address_cap`):\n     sends to that exact address are approved.\n\nThe list is informational, not an authorization check.\n/send-mail remains the source of truth on whether an\nindividual send will succeed (it also enforces the\nfrom-address and the `send_mail` entitlement, which are\nnot recipient-scope concerns and are not represented here).\n",
+		"hasJsonBody": false,
+		"method": "GET",
+		"operationId": "getSendPermissions",
+		"path": "/send-permissions",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": {
+			"type": "array",
+			"items": {
+				"description": "One recipient-scope rule describing a destination the caller\nmay send to. Discriminated on `type`. Each rule carries a\nhuman-prose `description` field intended for display.\n\nRule kinds are stable within an SDK release. A response\ncontaining a `type` value not enumerated in this schema\nmeans the server is running a newer version than the SDK;\nupgrade the SDK to the release that matches the server's\nschema. Strict-parsing SDKs (Go, Python) will raise a\ndecode error in that case rather than silently dropping\nthe unknown rule, since silent drops would let an outbound\nagent reason from an incomplete view of its own permissions.\n",
+				"discriminator": {
+					"propertyName": "type",
+					"mapping": {
+						"any_recipient": "#/components/schemas/SendPermissionAnyRecipient",
+						"managed_zone": "#/components/schemas/SendPermissionManagedZone",
+						"your_domain": "#/components/schemas/SendPermissionYourDomain",
+						"address": "#/components/schemas/SendPermissionAddress"
+					}
+				},
+				"oneOf": [
+					{
+						"type": "object",
+						"description": "The caller can send to any recipient. When this rule is\npresent, every other rule in the response is redundant.\n",
+						"properties": {
+							"type": {
 								"type": "string",
 								"enum": ["any_recipient"]
 							},
@@ -12108,7 +12639,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "reply-to-email",
-		"description": "Sends an outbound reply to the inbound email identified by `id`.\nThreading headers (`In-Reply-To`, `References`), recipient\nderivation (Reply-To, then From, then bare sender), and the\n`Re:` subject prefix are all derived server-side from the\nstored inbound row. The request body carries only the message\nbody and optional `wait` flag; passing any header or recipient\noverride is rejected by the schema (`additionalProperties:\nfalse`).\n\nForwards through the same gates as `/send-mail`: the response\nstatus, error envelope, and `idempotent_replay` flag mirror\nthe send-mail contract verbatim.\n",
+		"description": "Sends an outbound reply to the inbound email identified by `id`.\nThreading headers (`In-Reply-To`, `References`), recipient\nderivation (Reply-To, then From, then bare sender), and the\n`Re:` subject prefix are all derived server-side from the\nstored inbound row. The request body carries only the message\nbody, optional From override, optional attachments, and optional\n`wait` flag; passing any header or recipient override is\nrejected by the schema (`additionalProperties: false`).\n\nForwards through the same gates as `/send-mail`: the response\nstatus, error envelope, and `idempotent_replay` flag mirror\nthe send-mail contract verbatim.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "replyToEmail",
@@ -12143,6 +12674,36 @@ const operationManifest = [
 				"wait": {
 					"type": "boolean",
 					"description": "When true, wait for the first downstream SMTP delivery outcome before returning, mirroring the send-mail `wait` semantics."
+				},
+				"attachments": {
+					"type": "array",
+					"maxItems": 100,
+					"description": "Inline attachments for this reply. Use https://api.primitive.dev/v1 for replies with attachments. Combined raw decoded attachment bytes must be at most 31457280.",
+					"items": {
+						"type": "object",
+						"additionalProperties": false,
+						"properties": {
+							"filename": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 255,
+								"description": "Attachment filename. Control characters are rejected."
+							},
+							"content_type": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 255,
+								"description": "Optional MIME content type. Control characters are rejected."
+							},
+							"content_base64": {
+								"type": "string",
+								"minLength": 1,
+								"maxLength": 44040192,
+								"description": "Base64-encoded attachment bytes."
+							}
+						},
+						"required": ["filename", "content_base64"]
+					}
 				}
 			}
 		},
@@ -12243,7 +12804,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "send-email",
-		"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the attachments-\nsupporting host (`https://api.primitive.dev/v1`) so the\nrequest body can carry inline attachments up to ~30 MiB raw.\nThe primary host (`https://www.primitive.dev/api/v1`) also\naccepts /send-mail for attachment-free sends; sends WITH\nattachments to the primary host return 413\n`attachments_unsupported_on_this_endpoint`. The typed SDKs\nroute /send-mail to the attachments host automatically.\n",
+		"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the canonical API host\n(`https://api.primitive.dev/v1`) so the request body can carry\ninline attachments up to ~30 MiB raw. The legacy dashboard\ncompatibility host (`https://www.primitive.dev/api/v1`) also accepts\n/send-mail, but Vercel request body limits apply before proxying.\nThe typed SDKs route /send-mail to the canonical API host\nautomatically.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "sendEmail",
@@ -12740,19 +13301,15 @@ function cliApiHeadersFromEnv(env = process.env) {
 }
 function resolveCliApiRequestConfig(params) {
 	const currentEnvironment = resolveConfigEnvironment(loadCliConfig(params.configDir));
-	const configuredApiBaseUrl1 = currentEnvironment?.config.api_base_url_1;
-	const configuredApiBaseUrl2 = currentEnvironment?.config.api_base_url_2;
-	if (currentEnvironment !== null && currentEnvironment.name !== "default" && params.apiBaseUrl1 === void 0 && configuredApiBaseUrl1 === void 0) throw new Errors.CLIError(`The active Primitive CLI environment \`${currentEnvironment.name}\` does not specify an api_base_url_1. Set one with \`primitive config set --environment ${currentEnvironment.name} --api-base-url-1 https://...\`, or switch to a different environment with \`primitive config use <name>\`. Refusing to fall back to the production default for a non-default environment.`, { exit: 1 });
-	const apiBaseUrl1 = params.apiBaseUrl1 !== void 0 ? normalizeApiBaseUrl1(params.apiBaseUrl1) : configuredApiBaseUrl1;
-	const apiBaseUrl2 = params.apiBaseUrl2 !== void 0 ? normalizeApiBaseUrl2(params.apiBaseUrl2) : configuredApiBaseUrl2;
+	const configuredApiBaseUrl = currentEnvironment?.config.api_base_url;
+	if (currentEnvironment !== null && currentEnvironment.name !== "default" && params.apiBaseUrl === void 0 && configuredApiBaseUrl === void 0) throw new Errors.CLIError(`The active Primitive CLI environment \`${currentEnvironment.name}\` does not specify an api_base_url. Set one with \`primitive config set --environment ${currentEnvironment.name} --api-base-url https://...\`, or switch to a different environment with \`primitive config use <name>\`. Refusing to fall back to the production default for a non-default environment.`, { exit: 1 });
+	const apiBaseUrl = params.apiBaseUrl !== void 0 ? normalizeApiBaseUrl(params.apiBaseUrl) : configuredApiBaseUrl;
 	return {
-		apiBaseUrl1,
-		apiBaseUrl2,
-		baseUrlOverridden: apiBaseUrl1 !== void 0 || apiBaseUrl2 !== void 0,
+		apiBaseUrl,
+		baseUrlOverridden: apiBaseUrl !== void 0,
 		environmentName: currentEnvironment?.name ?? null,
 		headers: mergeHeaders(currentEnvironment?.config.headers, cliApiHeadersFromEnv(params.env)),
-		resolvedApiBaseUrl1: normalizeApiBaseUrl1(apiBaseUrl1),
-		resolvedApiBaseUrl2: normalizeApiBaseUrl2(apiBaseUrl2)
+		resolvedApiBaseUrl: normalizeApiBaseUrl(apiBaseUrl)
 	};
 }
 function createCliApiClient(params) {
@@ -12760,15 +13317,14 @@ function createCliApiClient(params) {
 	return {
 		apiClient: new PrimitiveApiClient({
 			apiKey: params.apiKey,
-			apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
-			apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
+			apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 			headers: requestConfig.headers
 		}),
 		requestConfig
 	};
 }
-function oauthTokenEndpoint(apiBaseUrl1) {
-	const url = new URL(apiBaseUrl1);
+function oauthTokenEndpoint(apiBaseUrl) {
+	const url = new URL(apiBaseUrl);
 	url.pathname = "/oauth/token";
 	url.search = "";
 	url.hash = "";
@@ -12816,7 +13372,7 @@ async function refreshStoredCliCredentials(params) {
 		});
 		let response;
 		try {
-			response = await fetchImpl(oauthTokenEndpoint(params.apiBaseUrl1), {
+			response = await fetchImpl(oauthTokenEndpoint(params.apiBaseUrl), {
 				body,
 				headers: {
 					...params.headers ?? {},
@@ -12856,13 +13412,12 @@ async function createAuthenticatedCliApiClient(params) {
 	const requestConfig = resolveCliApiRequestConfig(params);
 	let auth = resolveCliAuth({
 		apiKey: params.apiKey,
-		apiBaseUrl1: requestConfig.apiBaseUrl1,
-		apiBaseUrl2: requestConfig.apiBaseUrl2,
+		apiBaseUrl: requestConfig.apiBaseUrl,
 		configDir: params.configDir
 	});
 	if (auth.source === "stored" && auth.credentials) {
 		const refreshed = await refreshStoredCliCredentials({
-			apiBaseUrl1: auth.apiBaseUrl1,
+			apiBaseUrl: auth.apiBaseUrl,
 			configDir: params.configDir,
 			credentials: auth.credentials,
 			credentialsLockHeld: params.credentialsLockHeld,
@@ -12879,8 +13434,7 @@ async function createAuthenticatedCliApiClient(params) {
 	return {
 		apiClient: new PrimitiveApiClient({
 			apiKey: auth.apiKey,
-			apiBaseUrl1: auth.apiBaseUrl1,
-			apiBaseUrl2: auth.apiBaseUrl2,
+			apiBaseUrl: auth.apiBaseUrl,
 			headers: requestConfig.headers
 		}),
 		auth,
@@ -13196,7 +13750,7 @@ const NETWORK_ERROR_HINTS = {
 	ENETUNREACH: "Hint: the network is unreachable. If you're behind a proxy and set HTTP(S)_PROXY, re-run with NODE_USE_ENV_PROXY=1 (Node 22+ ignores those env vars by default). `primitive doctor` reports the local environment in one shot.",
 	ECONNREFUSED: "Hint: the server refused the connection. Check that your firewall allows egress to *.primitive.dev, that your PRIMITIVE_API_BASE_URL_* overrides (if any) point at a reachable host, and re-run with NODE_USE_ENV_PROXY=1 if you're behind a proxy. `primitive doctor` reports the local environment in one shot.",
 	ETIMEDOUT: "Hint: the connection timed out. Check egress rules and proxy configuration; if you're behind a proxy, re-run with NODE_USE_ENV_PROXY=1 and HTTPS_PROXY set. `primitive doctor` reports the local environment in one shot.",
-	EAI_AGAIN: "Hint: DNS lookup failed. Check /etc/resolv.conf inside containers, and try `curl -v https://www.primitive.dev/api/v1/account` to confirm the host resolves. `primitive doctor` reports the local environment in one shot."
+	EAI_AGAIN: "Hint: DNS lookup failed. Check /etc/resolv.conf inside containers, and try `curl -v https://api.primitive.dev/v1/account` to confirm the host resolves. `primitive doctor` reports the local environment in one shot."
 };
 function writeErrorWithHints(payload) {
 	process.stderr.write(`${formatErrorPayload(payload)}\n`);
@@ -13225,8 +13779,8 @@ function writeErrorWithHints(payload) {
 */
 function surfaceUnauthorizedHint(params) {
 	if (extractErrorCode(params.payload) !== API_ERROR_CODES.unauthorized || params.auth.source !== "stored") return;
-	if (params.baseUrlOverridden && params.auth.credentials !== null && params.auth.apiBaseUrl1 !== params.auth.credentials.api_base_url_1) {
-		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The saved credential is preserved; unset PRIMITIVE_API_BASE_URL_1, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
+	if (params.baseUrlOverridden && params.auth.credentials !== null && params.auth.apiBaseUrl !== params.auth.credentials.api_base_url) {
+		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The saved credential is preserved; unset PRIMITIVE_API_BASE_URL, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
 		return;
 	}
 	process.stderr.write("Your saved Primitive CLI OAuth session was rejected. If the command was working a moment ago, please retry; brief retries often clear transient rejections. If it keeps failing, run `primitive logout && primitive signin` to mint a fresh session.\n");
@@ -13247,13 +13801,10 @@ async function runWithTiming(enabled, fn) {
 	}
 }
 const TIME_FLAG_DESCRIPTION = "Print the wall-clock duration of this command to stderr after it completes (e.g. `[time: 1.34s]`). Useful for measuring `--wait` send latency, comparing CLI overhead, or capturing timing in scripts.";
-const API_BASE_URL_1_FLAG_DESCRIPTION = "Override the primary API base URL. Internal testing only; not documented to customers.";
-const API_BASE_URL_2_FLAG_DESCRIPTION = "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.";
-const HOST_2_OPERATIONS = new Set(["sendEmail"]);
+const API_BASE_URL_FLAG_DESCRIPTION = "Override the API base URL. Internal testing only; not documented to customers.";
 const RESERVED_FLAG_NAMES = new Set([
 	"api-key",
-	"api-base-url-1",
-	"api-base-url-2",
+	"api-base-url",
 	"raw-body",
 	"body-file",
 	"envelope",
@@ -13285,14 +13836,9 @@ function buildFlags(operation) {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: "Override the API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
@@ -13380,8 +13926,7 @@ function createOperationCommand(operation) {
 			await runWithTiming(parsedFlags.time === true, async () => {
 				const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 					apiKey: typeof parsedFlags["api-key"] === "string" ? parsedFlags["api-key"] : void 0,
-					apiBaseUrl1: typeof parsedFlags["api-base-url-1"] === "string" ? parsedFlags["api-base-url-1"] : void 0,
-					apiBaseUrl2: typeof parsedFlags["api-base-url-2"] === "string" ? parsedFlags["api-base-url-2"] : void 0,
+					apiBaseUrl: typeof parsedFlags["api-base-url"] === "string" ? parsedFlags["api-base-url"] : void 0,
 					configDir: this.config.configDir
 				});
 				let body;
@@ -13402,10 +13947,9 @@ function createOperationCommand(operation) {
 				}
 				if (operation.bodyRequired && body === void 0) throw new Errors.CLIError(`Operation ${operation.operationId} requires a body. Pass each field as a --flag (see --help) or supply JSON via --raw-body / --body-file.`);
 				const operationFn = sdk_gen_exports[operation.sdkName];
-				const targetClient = HOST_2_OPERATIONS.has(operation.sdkName) ? apiClient._sendClient : apiClient.client;
 				const result = await operationFn({
 					body,
-					client: targetClient,
+					client: apiClient.client,
 					parseAs: operation.binaryResponse ? "blob" : "auto",
 					path: collectValues(operation.pathParams, parsedFlags),
 					query: collectValues(operation.queryParams, parsedFlags),
@@ -13480,6 +14024,39 @@ function canonicalizeCliReferences(description) {
 	return description.replaceAll("`primitive emails:latest`", "`primitive emails latest`").replaceAll("`primitive describe emails:get-email | jq '.responseSchema.properties'`", "`primitive describe emails:get | jq '.responseSchema.properties'`");
 }
 //#endregion
+//#region src/oclif/attachments.ts
+function readAttachmentBytes(path, readFile) {
+	try {
+		return Buffer.from(readFile(path));
+	} catch (error) {
+		const detail = error instanceof Error ? error.message : String(error);
+		throw new Errors.CLIError(`Could not read --attachment ${path}: ${detail}`, { exit: 1 });
+	}
+}
+function hasControlCharacter(value) {
+	return Array.from(value).some((character) => {
+		const code = character.charCodeAt(0);
+		return code <= 31 || code >= 127 && code <= 159;
+	});
+}
+function validateAttachmentFilename(path, filename) {
+	if (!filename) throw new Errors.CLIError(`Could not derive an attachment filename from ${path}. Pass a file path.`, { exit: 1 });
+	if (hasControlCharacter(filename)) throw new Errors.CLIError(`Attachment filename ${filename} contains control characters.`, { exit: 1 });
+}
+function readAttachmentFiles(paths, readFile = readFileSync) {
+	if (!paths || paths.length === 0) return void 0;
+	return paths.map((path) => {
+		const filename = basename(path);
+		validateAttachmentFilename(path, filename);
+		const bytes = readAttachmentBytes(path, readFile);
+		if (bytes.length === 0) throw new Errors.CLIError(`Attachment file ${path} is empty. Attachments must contain at least one byte.`, { exit: 1 });
+		return {
+			content_base64: bytes.toString("base64"),
+			filename
+		};
+	});
+}
+//#endregion
 //#region src/oclif/outbound-defaults.ts
 const SUBJECT_MAX_LENGTH = 200;
 function deriveSubject(body) {
@@ -13630,6 +14207,30 @@ async function readStdinToString(missingMessage = "No message provided. Pass the
 	for await (const chunk of process.stdin) chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
 	return Buffer.concat(chunks).toString("utf8");
 }
+function chatColor(color, text) {
+	return ux.colorize(color, text);
+}
+function chatCommandText(command) {
+	return chatColor("cyan", command);
+}
+function chatDetailLine(line) {
+	return chatColor("dim", line);
+}
+function chatFailureText(message) {
+	return chatColor("red", message);
+}
+function chatHeading(text) {
+	return chatColor("bold", text);
+}
+function chatNoticeText(message) {
+	return chatColor("yellow", message);
+}
+function chatProgressText(message) {
+	return chatColor("cyan", message);
+}
+function chatSuccessText(message) {
+	return chatColor("greenBright", message);
+}
 var ChatProgressIndicator = class {
 	currentMessage = null;
 	frameIndex = 0;
@@ -13650,7 +14251,7 @@ var ChatProgressIndicator = class {
 			this.timer.unref?.();
 			return;
 		}
-		this.stream.write(`${message}\n`);
+		this.stream.write(`${chatProgressText(message)}\n`);
 	}
 	update(message, options = {}) {
 		this.currentMessage = message;
@@ -13663,10 +14264,10 @@ var ChatProgressIndicator = class {
 			return;
 		}
 		this.stopTimer();
-		this.stream.write(`${message}\n`);
+		this.stream.write(`${chatProgressText(message)}\n`);
 		if (options.heartbeatMs !== void 0) {
 			this.timer = setInterval(() => {
-				this.stream.write(`${formatWaitingHeartbeat(message, this.now() - this.startedAt, options.timeoutSeconds)}\n`);
+				this.stream.write(`${chatProgressText(formatWaitingHeartbeat(message, this.now() - this.startedAt, options.timeoutSeconds))}\n`);
 			}, options.heartbeatMs);
 			this.timer.unref?.();
 		}
@@ -13675,17 +14276,17 @@ var ChatProgressIndicator = class {
 		if (this.stream.isTTY) {
 			const currentMessage = this.currentMessage;
 			this.clearLine();
-			this.stream.write(`${message}\n`);
+			this.stream.write(`${chatNoticeText(message)}\n`);
 			if (currentMessage !== null && this.timer !== null) this.render(currentMessage);
 			return;
 		}
-		this.stream.write(`${message}\n`);
+		this.stream.write(`${chatNoticeText(message)}\n`);
 	}
 	succeed(message) {
-		this.finish(`${message} after ${formatElapsed(this.now() - this.startedAt)}.`);
+		this.finish(chatSuccessText(`${message} after ${formatElapsed(this.now() - this.startedAt)}.`));
 	}
 	fail(message) {
-		this.finish(message);
+		this.finish(chatFailureText(message));
 	}
 	finish(message) {
 		this.stopTimer();
@@ -13702,9 +14303,10 @@ var ChatProgressIndicator = class {
 		];
 		const frame = frames[this.frameIndex % frames.length];
 		this.frameIndex += 1;
-		const line = `${frame} ${message} (${formatElapsed(this.now() - this.startedAt)})`;
-		this.lastLineLength = Math.max(this.lastLineLength, line.length);
-		this.stream.write(`\r${line}`);
+		const elapsed = `(${formatElapsed(this.now() - this.startedAt)})`;
+		const plainLine = `${frame} ${message} ${elapsed}`;
+		this.lastLineLength = Math.max(this.lastLineLength, plainLine.length);
+		this.stream.write(`\r${chatProgressText(`${frame} ${message}`)} ${chatColor("dim", elapsed)}`);
 	}
 	clearLine() {
 		if (this.lastLineLength > 0) {
@@ -13950,45 +14552,46 @@ function formatChatResponse(context) {
 	const accepted = context.sent.accepted.join(", ") || context.recipient;
 	const responseBody = resolveChatResponseBody(context.reply);
 	const lines = [
-		"Reply received",
+		chatSuccessText("Reply received"),
 		"",
-		"Sent",
-		`  To: ${accepted}`,
-		`  From: ${context.sent.from || context.from}`,
-		`  Subject: ${context.subject}`,
-		`  Sent email id: ${context.sent.id}`,
-		`  Delivery status: ${context.sent.delivery_status ?? context.sent.status}`,
+		chatHeading("Sent"),
+		chatDetailLine(`  To: ${accepted}`),
+		chatDetailLine(`  From: ${context.sent.from || context.from}`),
+		chatDetailLine(`  Subject: ${context.subject}`),
+		chatDetailLine(`  Sent email id: ${context.sent.id}`),
+		chatColor("green", `  Delivery status: ${context.sent.delivery_status ?? context.sent.status}`),
 		"",
-		"Reply",
-		`  Email id: ${context.reply.id}`,
-		`  From: ${context.reply.from_email}`,
-		`  To: ${context.reply.to_email}`,
-		`  Subject: ${context.reply.subject ?? "(no subject)"}`,
-		`  Received: ${context.reply.received_at}`,
-		`  Match: ${matchDescription(context.matchStrategy)}`
+		chatHeading("Reply"),
+		chatDetailLine(`  Email id: ${context.reply.id}`),
+		chatDetailLine(`  From: ${context.reply.from_email}`),
+		chatDetailLine(`  To: ${context.reply.to_email}`),
+		chatDetailLine(`  Subject: ${context.reply.subject ?? "(no subject)"}`),
+		chatDetailLine(`  Received: ${context.reply.received_at}`),
+		chatDetailLine(`  Match: ${matchDescription(context.matchStrategy)}`)
 	];
-	if (context.reply.reply_to_sent_email_id) lines.push(`  Reply to sent email id: ${context.reply.reply_to_sent_email_id}`);
-	if (context.reply.message_id) lines.push(`  Message-Id: ${context.reply.message_id}`);
-	if (context.localChatId !== void 0) lines.push(`  Local chat id: ${context.localChatId}`);
-	lines.push("", "Helpful follow-up commands", "  Replace <message> before running commands that include it.", "  Commands are templates; use --json for parse-safe output.", "  When shown, --strict-only prefers timing out over matching the wrong reply.");
-	for (const { description, command } of buildChatFollowUpCommands(context)) lines.push(`  ${description}:`, `    ${command}`);
-	lines.push("", `Response body (${responseBody.format}; use --json for parsing)`, "----- BEGIN RESPONSE -----", responseBody.body || "(empty response)", "----- END RESPONSE -----");
+	if (context.reply.reply_to_sent_email_id) lines.push(chatDetailLine(`  Reply to sent email id: ${context.reply.reply_to_sent_email_id}`));
+	if (context.reply.message_id) lines.push(chatDetailLine(`  Message-Id: ${context.reply.message_id}`));
+	if (context.localChatId !== void 0) lines.push(chatDetailLine(`  Local chat id: ${context.localChatId}`));
+	lines.push("", chatHeading("Helpful follow-up commands"), chatDetailLine("  Replace <message> before running commands that include it."), chatDetailLine("  Commands are templates; use --json for parse-safe output."), chatDetailLine("  When shown, --strict-only prefers timing out over matching the wrong reply."));
+	for (const { description, command } of buildChatFollowUpCommands(context)) lines.push(chatHeading(`  ${description}:`), `    ${chatCommandText(command)}`);
+	lines.push("", chatHeading(`Response body (${responseBody.format}; use --json for parsing)`), "----- BEGIN RESPONSE -----", responseBody.body || "(empty response)", "----- END RESPONSE -----");
 	return lines.join("\n");
 }
 function formatChatRecoveryContext(context) {
+	const accepted = context.sent.accepted.join(", ") || context.recipient;
 	const lines = [
 		"",
-		"Sent message context",
-		`  To: ${context.sent.accepted.join(", ") || context.recipient}`,
-		`  From: ${context.sent.from || context.from}`,
-		`  Subject: ${context.subject}`,
-		`  Sent email id: ${context.sent.id}`,
-		`  Delivery status: ${context.sent.delivery_status ?? context.sent.status}`,
-		`  Poll since: ${context.sentAtIso}`,
+		chatHeading("Sent message context"),
+		chatDetailLine(`  To: ${accepted}`),
+		chatDetailLine(`  From: ${context.sent.from || context.from}`),
+		chatDetailLine(`  Subject: ${context.subject}`),
+		chatDetailLine(`  Sent email id: ${context.sent.id}`),
+		chatColor("green", `  Delivery status: ${context.sent.delivery_status ?? context.sent.status}`),
+		chatDetailLine(`  Poll since: ${context.sentAtIso}`),
 		"",
-		"Helpful recovery commands"
+		chatHeading("Helpful recovery commands")
 	];
-	for (const { description, command } of buildChatRecoveryCommands(context)) lines.push(`  ${description}:`, `    ${command}`);
+	for (const { description, command } of buildChatRecoveryCommands(context)) lines.push(chatHeading(`  ${description}:`), `    ${chatCommandText(command)}`);
 	return lines.join("\n");
 }
 async function loadInboundEmailDetail(params) {
@@ -14081,8 +14684,10 @@ var ChatCommand = class ChatCommand extends Command {
 		"<%= config.bin %> chat help@agent.acme.dev 'how do I rotate my API key?'",
 		"cat error.log | <%= config.bin %> chat help@agent.acme.dev",
 		"<%= config.bin %> chat reply 'one more thing'",
+		"<%= config.bin %> chat reply 'see attached' --attachment ./report.pdf",
 		"<%= config.bin %> chat help@agent.acme.dev --reply 'one more thing'",
 		"<%= config.bin %> chat help@agent.acme.dev --reply 'one more thing' --reply-to-email-id <inbound-email-id>",
+		"<%= config.bin %> chat help@agent.acme.dev 'can you review this?' --attachment ./report.pdf",
 		"<%= config.bin %> chat help@agent.acme.dev 'follow up question' --json",
 		"<%= config.bin %> chat help@agent.acme.dev 'one more thing' --timeout 300"
 	];
@@ -14098,14 +14703,9 @@ var ChatCommand = class ChatCommand extends Command {
 			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive signin` credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		from: Flags.string({ description: "Sender address. Defaults to agent@<your-first-verified-outbound-domain>." }),
@@ -14116,6 +14716,11 @@ var ChatCommand = class ChatCommand extends Command {
 		reply: Flags.string({ description: "Reply body. Continues the latest inbound email from the recipient to your sender address; pass --reply-to-email-id for an exact thread." }),
 		"reply-to-email-id": Flags.string({ description: "Inbound email id to continue exactly. Uses Primitive's reply endpoint, so recipient, subject, and threading headers are derived from the inbound email." }),
 		"in-reply-to": Flags.string({ description: "Raw Message-Id of the parent email to thread a new send against. Prefer --reply-to-email-id with --reply when continuing an inbound email stored by Primitive." }),
+		attachment: Flags.string({
+			char: "a",
+			description: "Attach a file to this chat message. Repeat --attachment to attach multiple files.",
+			multiple: true
+		}),
 		"chat-local-id": Flags.integer({
 			description: "Local chat id to update after this command succeeds. Internal plumbing for `primitive chat reply`.",
 			hidden: true,
@@ -14159,8 +14764,7 @@ var ChatCommand = class ChatCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -14169,6 +14773,7 @@ var ChatCommand = class ChatCommand extends Command {
 				configDir: this.config.configDir
 			};
 			const progress = flags.quiet ? null : new ChatProgressIndicator(process.stderr);
+			const attachments = readAttachmentFiles(flags.attachment);
 			let from;
 			let parentReply;
 			let subject;
@@ -14227,7 +14832,8 @@ var ChatCommand = class ChatCommand extends Command {
 			const sendResult = parentReply !== void 0 ? await replyToEmail({
 				body: {
 					body_text: message,
-					from
+					from,
+					...attachments !== void 0 ? { attachments } : {}
 				},
 				client: apiClient.client,
 				path: { id: parentReply.id },
@@ -14238,9 +14844,10 @@ var ChatCommand = class ChatCommand extends Command {
 					to: args.recipient,
 					subject,
 					body_text: message,
-					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {}
+					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
+					...attachments !== void 0 ? { attachments } : {}
 				},
-				client: apiClient._sendClient,
+				client: apiClient.client,
 				responseStyle: "fields"
 			});
 			if (sendResult.error) {
@@ -14353,6 +14960,7 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 		"<%= config.bin %> chat reply 'one more thing'",
 		"<%= config.bin %> chat reply 0 'one more thing'",
 		"<%= config.bin %> chat reply --id 0 'one more thing'",
+		"<%= config.bin %> chat reply 'see attached' --attachment ./report.pdf",
 		"cat follow-up.txt | <%= config.bin %> chat reply"
 	];
 	static args = {
@@ -14364,14 +14972,9 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive signin` credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.integer({
@@ -14389,6 +14992,11 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 			min: 1
 		}),
 		"strict-only": Flags.boolean({ description: "Disable the time-window fallback. If the active chat was saved from a strict match, this is already the default." }),
+		attachment: Flags.string({
+			char: "a",
+			description: "Attach a file to the reply. Repeat --attachment to attach multiple files.",
+			multiple: true
+		}),
 		interval: Flags.integer({
 			description: "Seconds between polls while waiting for the reply.",
 			min: 1
@@ -14431,10 +15039,10 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 			String(state.local_id)
 		];
 		if (flags["api-key"] !== void 0) argv.push("--api-key", flags["api-key"]);
-		if (flags["api-base-url-1"] !== void 0) argv.push("--api-base-url-1", flags["api-base-url-1"]);
-		if (flags["api-base-url-2"] !== void 0) argv.push("--api-base-url-2", flags["api-base-url-2"]);
+		if (flags["api-base-url"] !== void 0) argv.push("--api-base-url", flags["api-base-url"]);
 		if (flags.json) argv.push("--json");
 		if (flags.quiet) argv.push("--quiet");
+		for (const attachment of flags.attachment ?? []) argv.push("--attachment", attachment);
 		if (state.strict_only || flags["strict-only"]) argv.push("--strict-only");
 		if (flags.time) argv.push("--time");
 		await ChatCommand.run(argv, { root: this.config.root });
@@ -14546,8 +15154,7 @@ function upsertCliEnvironmentAndClearCredentialsIfSwitched(params) {
 	const previousActiveEnvironment = resolveConfigEnvironment(previousConfig);
 	const previousEnvironment = previousActiveEnvironment?.name ?? null;
 	const config = upsertCliEnvironment({
-		apiBaseUrl1: params.apiBaseUrl1,
-		apiBaseUrl2: params.apiBaseUrl2,
+		apiBaseUrl: params.apiBaseUrl,
 		config: previousConfig,
 		environmentName: params.environmentName,
 		headers: params.headers,
@@ -14555,7 +15162,7 @@ function upsertCliEnvironmentAndClearCredentialsIfSwitched(params) {
 	});
 	const activeEnvironment = resolveConfigEnvironment(config);
 	const environment = activeEnvironment?.name ?? null;
-	const shouldClearCredentials = existsSync(credentialsPath(params.configDir)) && (previousEnvironment !== environment || previousActiveEnvironment?.config.api_base_url_1 !== activeEnvironment?.config.api_base_url_1);
+	const shouldClearCredentials = existsSync(credentialsPath(params.configDir)) && (previousEnvironment !== environment || previousActiveEnvironment?.config.api_base_url !== activeEnvironment?.config.api_base_url);
 	let removedCredentials = false;
 	if (shouldClearCredentials) {
 		const releaseLock = acquireCliCredentialsLock(params.configDir);
@@ -14605,10 +15212,9 @@ var ConfigSetCommand = class ConfigSetCommand extends Command {
 	static flags = {
 		environment: Flags.string({
 			char: "e",
-			description: "Environment name to create or update"
+			description: "Environment name to create or update. Defaults to the active environment, or default when none is active."
 		}),
-		"api-base-url-1": Flags.string({ description: "Primary API base URL" }),
-		"api-base-url-2": Flags.string({ description: "Attachments-supporting API base URL" }),
+		"api-base-url": Flags.string({ description: "API base URL" }),
 		header: Flags.string({
 			description: "Request header in name=value form. Repeatable.",
 			multiple: true
@@ -14621,10 +15227,9 @@ var ConfigSetCommand = class ConfigSetCommand extends Command {
 	async run() {
 		const { flags } = await this.parse(ConfigSetCommand);
 		const headers = flags.header ?? [];
-		if (flags["api-base-url-1"] === void 0 && flags["api-base-url-2"] === void 0 && headers.length === 0 && (flags["unset-header"] ?? []).length === 0) throw new Errors.CLIError("Nothing to set. Pass an API base URL, --header, or --unset-header.", { exit: 1 });
+		if (flags["api-base-url"] === void 0 && headers.length === 0 && (flags["unset-header"] ?? []).length === 0) throw new Errors.CLIError("Nothing to set. Pass an API base URL, --header, or --unset-header.", { exit: 1 });
 		const { environment, removedCredentials } = upsertCliEnvironmentAndClearCredentialsIfSwitched({
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir,
 			environmentName: flags.environment,
 			headers,
@@ -14672,8 +15277,7 @@ var ConfigListCommand = class ConfigListCommand extends Command {
 			const active = activeEnvironment === name ? "*" : " ";
 			const headerNames = Object.keys(environment.headers ?? {});
 			this.log(`${active} ${name}`);
-			if (environment.api_base_url_1) this.log(`    api_base_url_1: ${environment.api_base_url_1}`);
-			if (environment.api_base_url_2) this.log(`    api_base_url_2: ${environment.api_base_url_2}`);
+			if (environment.api_base_url) this.log(`    api_base_url: ${environment.api_base_url}`);
 			this.log(`    headers: ${headerNames.length > 0 ? headerNames.join(", ") : "(none)"}`);
 		}
 	}
@@ -14845,7 +15449,7 @@ async function checkAccount(client) {
 	} catch (error) {
 		const code = error instanceof Error && error.cause && typeof error.cause === "object" && typeof error.cause.code === "string" ? error.cause.code : void 0;
 		const message = error instanceof Error ? error.message : String(error);
-		const hint = code === "ENETUNREACH" || code === "ECONNREFUSED" || code === "ETIMEDOUT" || code === "EAI_AGAIN" ? "Network unreachable. If you're behind a proxy, re-run with NODE_USE_ENV_PROXY=1 and HTTPS_PROXY set. If you're in a container, check that egress to *.primitive.dev is allowed." : "Inspect the error above. `curl https://www.primitive.dev/api/v1/account -H \"Authorization: Bearer $PRIMITIVE_API_KEY\"` is the fastest way to bisect CLI vs network.";
+		const hint = code === "ENETUNREACH" || code === "ECONNREFUSED" || code === "ETIMEDOUT" || code === "EAI_AGAIN" ? "Network unreachable. If you're behind a proxy, re-run with NODE_USE_ENV_PROXY=1 and HTTPS_PROXY set. If you're in a container, check that egress to *.primitive.dev is allowed." : "Inspect the error above. `curl https://api.primitive.dev/v1/account -H \"Authorization: Bearer $PRIMITIVE_API_KEY\"` is the fastest way to bisect CLI vs network.";
 		return {
 			outcome: {
 				status: "fail",
@@ -14899,14 +15503,9 @@ var DoctorCommand = class DoctorCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		})
 	};
@@ -14932,8 +15531,7 @@ var DoctorCommand = class DoctorCommand extends Command {
 		if (apiKeyCheck.status !== "fail") {
 			const { apiClient, auth } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			if (auth.apiKey !== void 0) {
@@ -15019,14 +15617,9 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		domain: Flags.string({ description: "Domain name to look up before downloading its zone file. Prefer --id when you have the domain id from `primitive domains add`." }),
@@ -15045,8 +15638,7 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden, requestConfig } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			let domainId = flags.id;
@@ -15073,7 +15665,7 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 			if (!domainId) throw new Errors.CLIError("Could not resolve a domain id.", { exit: 1 });
 			let response;
 			try {
-				response = await fetch(zoneFileUrl(requestConfig.resolvedApiBaseUrl1, domainId, flags["outbound-only"]), { headers: {
+				response = await fetch(zoneFileUrl(requestConfig.resolvedApiBaseUrl, domainId, flags["outbound-only"]), { headers: {
 					...requestConfig.headers ?? {},
 					...auth.apiKey ? { authorization: `Bearer ${auth.apiKey}` } : {}
 				} });
@@ -15108,14 +15700,14 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 };
 //#endregion
 //#region src/oclif/commands/emails-latest.ts
-const DEFAULT_LIMIT = 10;
-const MAX_LIMIT = 100;
+const DEFAULT_LIMIT$1 = 10;
+const MAX_LIMIT$1 = 100;
 const SUBJECT_DISPLAY_WIDTH = 50;
 const ADDRESS_DISPLAY_WIDTH = 32;
 const ID_DISPLAY_WIDTH_SHORT = 8;
 const ID_DISPLAY_WIDTH_FULL = 36;
 const RECEIVED_DISPLAY_WIDTH = 19;
-function truncate$1(value, width) {
+function truncate$2(value, width) {
 	if (value.length <= width) return value.padEnd(width);
 	return `${value.slice(0, width - 3)}...`;
 }
@@ -15129,10 +15721,10 @@ function formatReceivedAt(value) {
 function pickIdWidth(isTty) {
 	return isTty ? ID_DISPLAY_WIDTH_SHORT : ID_DISPLAY_WIDTH_FULL;
 }
-function formatRow(email, idWidth) {
-	return `${truncate$1(email.id.slice(0, idWidth), idWidth)}  ${formatReceivedAt(email.received_at)}  ${truncate$1(email.sender ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$1(email.recipient ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$1((email.subject ?? "").replace(/\s+/g, " "), SUBJECT_DISPLAY_WIDTH)}`;
+function formatRow$1(email, idWidth) {
+	return `${truncate$2(email.id.slice(0, idWidth), idWidth)}  ${formatReceivedAt(email.received_at)}  ${truncate$2(email.sender ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$2(email.recipient ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$2((email.subject ?? "").replace(/\s+/g, " "), SUBJECT_DISPLAY_WIDTH)}`;
 }
-function formatHeader(idWidth) {
+function formatHeader$1(idWidth) {
 	return `${"ID".padEnd(idWidth)}  ${"RECEIVED (UTC)".padEnd(RECEIVED_DISPLAY_WIDTH)}  ${"FROM".padEnd(ADDRESS_DISPLAY_WIDTH)}  ${"TO".padEnd(ADDRESS_DISPLAY_WIDTH)}  SUBJECT`;
 }
 var EmailsLatestCommand = class EmailsLatestCommand extends Command {
@@ -15153,21 +15745,16 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		limit: Flags.integer({
-			description: `Number of rows to print (1-${MAX_LIMIT}, default ${DEFAULT_LIMIT}).`,
-			default: DEFAULT_LIMIT,
+			description: `Number of rows to print (1-${MAX_LIMIT$1}, default ${DEFAULT_LIMIT$1}).`,
+			default: DEFAULT_LIMIT$1,
 			min: 1,
-			max: MAX_LIMIT
+			max: MAX_LIMIT$1
 		}),
 		json: Flags.boolean({ description: "Print the raw response envelope (with full UUIDs and meta) as JSON on STDOUT instead of the text table. Useful for piping into `jq`, capturing ids for follow-up commands, or scripting." }),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
@@ -15177,8 +15764,7 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const result = await listEmails({
@@ -15209,8 +15795,8 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 				return;
 			}
 			const idWidth = pickIdWidth(Boolean(process.stdout.isTTY));
-			process.stderr.write(`${formatHeader(idWidth)}\n`);
-			for (const row of rows) this.log(formatRow(row, idWidth));
+			process.stderr.write(`${formatHeader$1(idWidth)}\n`);
+			for (const row of rows) this.log(formatRow$1(row, idWidth));
 		});
 	}
 };
@@ -15233,14 +15819,9 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		body: Flags.string({ description: "Full-text body filter" }),
@@ -15284,8 +15865,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 		const { flags } = await this.parse(EmailsWaitCommand);
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		let since;
@@ -15327,10 +15907,10 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 			for (const email of collectNewAcceptedEmails(page.rows, seenIds)) {
 				if (flags.table) {
 					if (!headerPrinted) {
-						process.stderr.write(`${formatHeader(idWidth)}\n`);
+						process.stderr.write(`${formatHeader$1(idWidth)}\n`);
 						headerPrinted = true;
 					}
-					this.log(formatRow(email, idWidth));
+					this.log(formatRow$1(email, idWidth));
 				} else this.log(JSON.stringify(email));
 				matched += 1;
 				if (matched >= flags.number) return;
@@ -15361,14 +15941,9 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		body: Flags.string({ description: "Full-text body filter" }),
@@ -15408,8 +15983,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 		const { flags } = await this.parse(EmailsWatchCommand);
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		let since;
@@ -15452,10 +16026,10 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 				if (flags.jsonl) this.log(JSON.stringify(email));
 				else {
 					if (!headerPrinted) {
-						process.stderr.write(`${formatHeader(idWidth)}\n`);
+						process.stderr.write(`${formatHeader$1(idWidth)}\n`);
 						headerPrinted = true;
 					}
-					this.log(formatRow(email, idWidth));
+					this.log(formatRow$1(email, idWidth));
 				}
 				printed += 1;
 				if (flags.number && printed >= flags.number) return;
@@ -16154,14 +16728,9 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		name: Flags.string({
@@ -16239,8 +16808,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -16354,8 +16922,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 		}
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		const authFailureContext = {
@@ -16444,8 +17011,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^0.34.0";
-const CLI_VERSION_RANGE = "^0.34.0";
+const SDK_VERSION_RANGE = "^0.35.1";
+const CLI_VERSION_RANGE = "^0.35.1";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
@@ -16602,7 +17169,7 @@ export default {
 
       const client = createPrimitiveClient({
         apiKey: env.PRIMITIVE_API_KEY,
-        apiBaseUrl1: env.PRIMITIVE_API_BASE_URL,
+        apiBaseUrl: env.PRIMITIVE_API_BASE_URL,
       });
 
       // To add an LLM or another API, store its key as a Function secret.
@@ -16626,7 +17193,7 @@ export default {
       // route "support@" to a ticketing flow and "sales@" to a lead
       // capture flow before calling client.reply.
 
-      // client.reply routes through POST /api/v1/emails/{id}/reply
+      // client.reply routes through POST /v1/emails/{id}/reply
       // (NOT /send-mail) so the server derives recipients, the
       // \`Re: <parent>\` subject, threading headers, and the
       // in_reply_to_email_id foreign key automatically. The FK is
@@ -17007,14 +17574,9 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -17045,8 +17607,7 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const seenIds = /* @__PURE__ */ new Set();
@@ -17205,14 +17766,9 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -17281,8 +17837,7 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -17465,14 +18020,9 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -17496,8 +18046,7 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -17694,14 +18243,9 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: API_BASE_URL_1_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: API_BASE_URL_2_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -17729,8 +18273,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 		const shouldShowSends = flags["show-sends"];
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		await runWithTiming(flags.time, async () => {
@@ -17818,6 +18361,7 @@ const DOMAIN_DISPLAY_WIDTH = 34;
 const STATUS_DISPLAY_WIDTH = 12;
 const BOOL_DISPLAY_WIDTH = 7;
 const NUM_DISPLAY_WIDTH = 6;
+const DEFAULT_PRIMITIVE_LOCAL_PART = "agent";
 function plural(count, singular, pluralValue = `${singular}s`) {
 	return `${count} ${count === 1 ? singular : pluralValue}`;
 }
@@ -17840,7 +18384,7 @@ function formatInboxDate(value) {
 	const pad = (n) => String(n).padStart(2, "0");
 	return `${d.getUTCFullYear()}-${pad(d.getUTCMonth() + 1)}-${pad(d.getUTCDate())} ${pad(d.getUTCHours())}:${pad(d.getUTCMinutes())}:${pad(d.getUTCSeconds())} UTC`;
 }
-function truncate(value, width) {
+function truncate$1(value, width) {
 	if (value.length <= width) return value.padEnd(width);
 	return `${value.slice(0, width - 3)}...`;
 }
@@ -17853,6 +18397,14 @@ function domainSummary(domain) {
 		default: return `${domain.domain} has status ${String(domain.status)}.`;
 	}
 }
+function findSuggestedPrimitiveAddress(domains) {
+	const domain = domains.find((entry) => entry.managed && entry.active && entry.receiving_ready);
+	if (!domain) return null;
+	return {
+		address: `${DEFAULT_PRIMITIVE_LOCAL_PART}@${domain.domain}`,
+		domain: domain.domain
+	};
+}
 function focusInboxStatus(status, domainName) {
 	const normalized = domainName.toLowerCase();
 	const domain = status.domains.find((entry) => entry.domain.toLowerCase() === normalized);
@@ -17882,7 +18434,7 @@ function formatDomainHeader() {
 }
 function formatDomainRow(domain) {
 	return [
-		truncate(domain.domain, DOMAIN_DISPLAY_WIDTH),
+		truncate$1(domain.domain, DOMAIN_DISPLAY_WIDTH),
 		statusText(domain.status).padEnd(STATUS_DISPLAY_WIDTH),
 		yesNo(domain.receiving_ready).padEnd(BOOL_DISPLAY_WIDTH),
 		yesNo(domain.processing_ready).padEnd(BOOL_DISPLAY_WIDTH),
@@ -17899,12 +18451,14 @@ function formatInboxStatus(status) {
 		"",
 		"Domains"
 	];
+	const suggestedAddress = findSuggestedPrimitiveAddress(status.domains);
 	if (status.domains.length === 0) lines.push("No domains configured.");
 	else {
 		lines.push(formatDomainHeader());
 		for (const domain of status.domains) lines.push(formatDomainRow(domain));
 	}
 	lines.push("", `Endpoints: ${status.endpoints.enabled}/${status.endpoints.total} enabled (${status.endpoints.fallback_enabled} fallback, ${status.endpoints.domain_scoped_enabled} domain-scoped, ${status.endpoints.function_enabled} function)`, `Functions: ${status.functions.deployed}/${status.functions.total} deployed (${status.functions.pending} pending, ${status.functions.failed} failed)`, `Recent inbound: ${plural(status.recent_emails.total, "email")} latest ${formatInboxDate(status.recent_emails.latest_received_at)}`);
+	if (suggestedAddress) lines.push("", `Primitive address: ${suggestedAddress.address}`, `  Any local-part at ${suggestedAddress.domain} can receive mail.`, `  Try: primitive send --to ${suggestedAddress.address} --subject "hello" --body "test"`);
 	if (status.next_actions.length > 0) {
 		lines.push("", "Next actions");
 		for (const action of status.next_actions) lines.push(formatNextAction(action));
@@ -17926,14 +18480,9 @@ var InboxStatusCommand = class InboxStatusCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: API_BASE_URL_1_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: API_BASE_URL_2_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		domain: Flags.string({ description: "Focus domain readiness and recent email fields on one domain returned by the inbox status API." }),
@@ -17945,8 +18494,7 @@ var InboxStatusCommand = class InboxStatusCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const result = await getInboxStatus({
@@ -17981,6 +18529,174 @@ var InboxStatusCommand = class InboxStatusCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/inbox-setup.ts
+const DEFAULT_FUNCTION_NAME = "inbound-reply";
+const DEFAULT_LOCAL_PART = "inbox";
+const FUNCTION_ID_PLACEHOLDER = "<function-id>";
+function firstUsableManagedDomain(status) {
+	return status.domains.find((domain) => domain.managed && domain.receiving_ready && domain.active) ?? status.domains.find((domain) => domain.managed && domain.receiving_ready) ?? null;
+}
+function buildInboxSetupCommands(functionName = DEFAULT_FUNCTION_NAME) {
+	return {
+		scaffold: [
+			`primitive functions init ${functionName}`,
+			`cd ${functionName}`,
+			"npm install",
+			"npm run build",
+			`primitive functions deploy --name ${functionName} --file ./dist/handler.js --wait`,
+			`primitive functions test --id ${FUNCTION_ID_PLACEHOLDER} --wait --show-sends`
+		],
+		logs: `primitive functions logs --id ${FUNCTION_ID_PLACEHOLDER}`,
+		status: "primitive inbox status"
+	};
+}
+function buildInboxSetupProof(commands) {
+	return {
+		after_test: [
+			"inbound id for the generated test email",
+			"function id matching the deployed Function",
+			"invocation status completed, failed, or send_failed",
+			"reply/send result emitted by the handler"
+		],
+		logs_command: commands.logs
+	};
+}
+function buildInboxSetupGuide(status) {
+	const domain = firstUsableManagedDomain(status);
+	const commands = buildInboxSetupCommands();
+	const mode = !status.receiving_ready ? "not_receiving" : status.processing_ready ? "actively_processed" : "stored_only";
+	return {
+		readiness: {
+			ready: status.ready,
+			receiving_ready: status.receiving_ready,
+			processing_ready: status.processing_ready,
+			mode,
+			summary: status.summary
+		},
+		receive: {
+			address: domain ? `${DEFAULT_LOCAL_PART}@${domain.domain}` : null,
+			domain: domain?.domain ?? null,
+			managed: domain?.managed ?? false,
+			placeholder_local_part: domain ? DEFAULT_LOCAL_PART : null
+		},
+		processing: {
+			stored_only: status.receiving_ready && !status.processing_ready,
+			active: status.processing_ready,
+			enabled_endpoints: status.endpoints.enabled,
+			deployed_functions: status.functions.deployed
+		},
+		commands,
+		proof: buildInboxSetupProof(commands),
+		status
+	};
+}
+function formatReadiness(guide) {
+	const readiness = guide.readiness.ready ? "ready" : "not ready";
+	const receiving = guide.readiness.receiving_ready ? "yes" : "no";
+	const processing = guide.readiness.processing_ready ? "yes" : "no";
+	const mode = guide.readiness.mode === "actively_processed" ? "actively processed" : guide.readiness.mode === "stored_only" ? "stored-only" : "not receiving";
+	return [
+		`Readiness: ${readiness}`,
+		`Receiving: ${receiving}`,
+		`Processing: ${processing}`,
+		`Mode: ${mode}`
+	].join("\n");
+}
+function formatReceiveAddress(guide) {
+	if (!guide.receive.domain || !guide.receive.address) return "Receive address: none found on a receiving-ready Primitive-managed domain";
+	return [`Receive address: ${guide.receive.address}`, `Receive domain: ${guide.receive.domain} (Primitive-managed)`].join("\n");
+}
+function formatDomainDetails(status) {
+	if (status.domains.length === 0) return ["Domains: none configured"];
+	return status.domains.map((domain) => `- ${domain.domain}: ${statusText(domain.status)}, receive ${domain.receiving_ready ? "yes" : "no"}, process ${domain.processing_ready ? "yes" : "no"}, routes ${domain.processing_route_count}`);
+}
+function formatScaffoldCommands(commands) {
+	return commands.scaffold.map((command) => `  ${command}`);
+}
+function formatInboxSetupGuide(guide) {
+	const lines = [
+		"Inbound setup",
+		"",
+		guide.readiness.summary,
+		"",
+		formatReadiness(guide),
+		"",
+		formatReceiveAddress(guide),
+		"",
+		"Domains",
+		...formatDomainDetails(guide.status),
+		"",
+		`Processing routes: ${guide.processing.enabled_endpoints} enabled endpoint(s), ${guide.processing.deployed_functions} deployed Function(s)`
+	];
+	if (guide.readiness.mode === "not_receiving") lines.push("", "Next actions", "Make a receiving-ready domain available, then re-run:", `  ${guide.commands.status}`);
+	else if (!guide.processing.active) lines.push("", "Next actions", "No processing route is enabled. Scaffold, deploy, and test an email Function:", ...formatScaffoldCommands(guide.commands));
+	else lines.push("", "Next actions", "Inbound mail has an active processing route. Run a Function test when you know the Function id:", `  primitive functions test --id ${FUNCTION_ID_PLACEHOLDER} --wait --show-sends`);
+	if (guide.status.next_actions.length > 0) {
+		lines.push("", "API suggested actions");
+		for (const action of guide.status.next_actions) lines.push(action.command ? `- ${action.message}\n  ${action.command}` : `- ${action.message}`);
+	}
+	lines.push("", "Proof after functions test", "- Inbound id: the generated test email should have an inbound id.", "- Function id: the run should point at the Function id you deployed.", "- Invocation status: expect completed; failed or send_failed identifies the failing stage.", "- Reply/send result: --show-sends should show the handler's outbound result when it replies or sends.", "- Logs:", `  ${guide.proof.logs_command}`);
+	return lines.join("\n");
+}
+var InboxSetupCommand = class InboxSetupCommand extends Command {
+	static description = `Guide inbound email setup from the server-owned inbox status API.
+
+  This command does not scaffold, deploy, or run tests. It verifies auth, fetches inbox readiness, shows the first usable Primitive-managed receive address/domain, explains whether inbound mail is stored-only or actively processed, and prints the exact commands to add a Function processing route when one is missing.`;
+	static summary = "Guide inbound email setup";
+	static examples = ["<%= config.bin %> inbox setup", "<%= config.bin %> inbox setup --json"];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		json: Flags.boolean({ description: "Print structured readiness, receive address, commands, proof metadata, and raw status as JSON." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(InboxSetupCommand);
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl: flags["api-base-url"],
+				configDir: this.config.configDir
+			});
+			const result = await getInboxStatus({
+				client: apiClient.client,
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const errorPayload = extractErrorPayload(result.error);
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const envelope = result.data ?? {};
+			const status = envelope.data;
+			if (!status) throw new Errors.CLIError("Primitive API returned no inbox status.", { exit: 1 });
+			const guide = buildInboxSetupGuide(status);
+			if (flags.json) {
+				this.log(JSON.stringify({
+					...envelope,
+					data: guide
+				}, null, 2));
+				return;
+			}
+			this.log(formatInboxSetupGuide(guide));
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/login.ts
 const MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS = 60;
 function cliError$3(message) {
@@ -18013,14 +18729,14 @@ function retryAfterSeconds$1(result) {
 }
 async function checkExistingLogin(params) {
 	const requestConfig = resolveCliApiRequestConfig({
-		apiBaseUrl1: params.apiBaseUrl1,
+		apiBaseUrl: params.apiBaseUrl,
 		configDir: params.configDir
 	});
-	const probeApiBaseUrl1 = requestConfig.apiBaseUrl1 ?? params.credentials.api_base_url_1;
+	const probeApiBaseUrl = requestConfig.apiBaseUrl ?? params.credentials.api_base_url;
 	let credentials = params.credentials;
 	try {
 		credentials = await refreshStoredCliCredentials({
-			apiBaseUrl1: probeApiBaseUrl1,
+			apiBaseUrl: probeApiBaseUrl,
 			configDir: params.configDir,
 			credentials,
 			credentialsLockHeld: params.credentialsLockHeld,
@@ -18036,8 +18752,7 @@ async function checkExistingLogin(params) {
 	}
 	const apiClient = new PrimitiveApiClient({
 		apiKey: credentials.access_token,
-		apiBaseUrl1: probeApiBaseUrl1,
-		apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
+		apiBaseUrl: probeApiBaseUrl,
 		headers: requestConfig.headers
 	});
 	const result = await (params.checkAccount ?? ((client) => getAccount({
@@ -18047,7 +18762,7 @@ async function checkExistingLogin(params) {
 	if (!result.error) return { status: "valid" };
 	const payload = extractErrorPayload(result.error);
 	const code = extractErrorCode(payload);
-	const baseUrlDiffersFromSaved = requestConfig.baseUrlOverridden && requestConfig.apiBaseUrl1 !== params.credentials.api_base_url_1;
+	const baseUrlDiffersFromSaved = requestConfig.baseUrlOverridden && requestConfig.apiBaseUrl !== params.credentials.api_base_url;
 	if (code === API_ERROR_CODES.unauthorized && !baseUrlDiffersFromSaved) {
 		deleteCliCredentials(params.configDir);
 		process.stderr.write("Removed saved Primitive CLI OAuth credentials because the existing session was rejected during login. Continuing with a fresh login.\n");
@@ -18068,9 +18783,9 @@ var LoginCommand$1 = class extends Command {
 		"<%= config.bin %> login --force"
 	];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		"device-name": Flags.string({ description: "Device name shown in the browser approval screen" }),
@@ -18103,10 +18818,10 @@ var LoginCommand$1 = class extends Command {
 	}
 	async runWithCredentialLock(flags, retryCommand) {
 		const { apiClient, requestConfig } = createCliApiClient({
-			apiBaseUrl1: flags["api-base-url-1"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
-		const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
+		const apiBaseUrl = requestConfig.resolvedApiBaseUrl;
 		let existing;
 		try {
 			existing = loadCliCredentials(this.config.configDir);
@@ -18119,7 +18834,7 @@ var LoginCommand$1 = class extends Command {
 		if (existing && flags.force) process.stderr.write("Replacing saved Primitive CLI credentials after browser approval because --force was set.\n");
 		else if (existing) {
 			const existingStatus = await checkExistingLogin({
-				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir,
 				credentials: existing,
 				credentialsLockHeld: true
@@ -18165,7 +18880,7 @@ var LoginCommand$1 = class extends Command {
 				deleteChatState(this.config.configDir);
 				saveCliCredentials(this.config.configDir, {
 					access_token: login.access_token,
-					api_base_url_1: apiBaseUrl1,
+					api_base_url: apiBaseUrl,
 					auth_method: "oauth",
 					created_at: (/* @__PURE__ */ new Date()).toISOString(),
 					expires_at: cliAccessTokenExpiresAt(login.expires_in),
@@ -18229,9 +18944,11 @@ function normalizeEmail(email) {
 }
 function pendingSignupFromJson(value) {
 	if (!isRecord(value)) return null;
-	if (typeof value.signup_token !== "string" || typeof value.email !== "string" || typeof value.expires_in !== "number" || typeof value.resend_after !== "number" || typeof value.verification_code_length !== "number" || typeof value.api_base_url_1 !== "string" || typeof value.created_at !== "string" || typeof value.expires_at !== "string") return null;
+	if (typeof value.signup_token !== "string" || typeof value.email !== "string" || typeof value.expires_in !== "number" || typeof value.resend_after !== "number" || typeof value.verification_code_length !== "number" || typeof value.created_at !== "string" || typeof value.expires_at !== "string") return null;
+	const apiBaseUrl = value.api_base_url ?? value.api_base_url_1;
+	if (typeof apiBaseUrl !== "string") return null;
 	return {
-		api_base_url_1: value.api_base_url_1,
+		api_base_url: apiBaseUrl,
 		created_at: value.created_at,
 		email: value.email,
 		expires_at: value.expires_at,
@@ -18247,20 +18964,20 @@ function pendingSignupPath(configDir) {
 function deletePendingAgentSignup(configDir) {
 	rmSync(pendingSignupPath(configDir), { force: true });
 }
-function pendingSignupFromStart(start, apiBaseUrl1) {
+function pendingSignupFromStart(start, apiBaseUrl) {
 	return {
 		...start,
-		api_base_url_1: apiBaseUrl1,
+		api_base_url: apiBaseUrl,
 		created_at: (/* @__PURE__ */ new Date()).toISOString(),
 		expires_at: new Date(Date.now() + start.expires_in * 1e3).toISOString()
 	};
 }
-function savePendingAgentSignup(configDir, start, apiBaseUrl1) {
+function savePendingAgentSignup(configDir, start, apiBaseUrl) {
 	mkdirSync(configDir, {
 		mode: 448,
 		recursive: true
 	});
-	const pending = pendingSignupFromStart(start, apiBaseUrl1);
+	const pending = pendingSignupFromStart(start, apiBaseUrl);
 	const path = pendingSignupPath(configDir);
 	const tempPath = join(configDir, `${PENDING_SIGNUP_FILE}.${process$1.pid}.${randomUUID()}.tmp`);
 	try {
@@ -18274,7 +18991,7 @@ function savePendingAgentSignup(configDir, start, apiBaseUrl1) {
 		throw error;
 	}
 }
-function loadPendingAgentSignup(configDir, apiBaseUrl1) {
+function loadPendingAgentSignup(configDir, apiBaseUrl) {
 	const path = pendingSignupPath(configDir);
 	let contents;
 	try {
@@ -18293,7 +19010,7 @@ function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 		deletePendingAgentSignup(configDir);
 		return null;
 	}
-	if (pending.api_base_url_1 !== apiBaseUrl1) return null;
+	if (pending.api_base_url !== apiBaseUrl) return null;
 	if (new Date(pending.expires_at).getTime() <= Date.now()) {
 		deletePendingAgentSignup(configDir);
 		return null;
@@ -18303,11 +19020,100 @@ function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 		expires_in: Math.max(0, Math.ceil((new Date(pending.expires_at).getTime() - Date.now()) / 1e3))
 	};
 }
+function readPendingAgentSignupState(configDir, apiBaseUrl) {
+	const path = pendingSignupPath(configDir);
+	let contents;
+	try {
+		contents = readFileSync(path, "utf8");
+	} catch (error) {
+		if (error && typeof error === "object" && error.code === "ENOENT") return null;
+		throw error;
+	}
+	let pending;
+	try {
+		pending = pendingSignupFromJson(JSON.parse(contents));
+	} catch {
+		pending = null;
+	}
+	if (!pending) {
+		deletePendingAgentSignup(configDir);
+		return null;
+	}
+	if (pending.api_base_url !== apiBaseUrl) return null;
+	return pending;
+}
+function pendingSignupStartCommand(email) {
+	return `primitive signup ${email ?? "<email>"} --signup-code <invite-code> --accept-terms`;
+}
+function buildSignupStatus(params) {
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
+	const pending = readPendingAgentSignupState(params.configDir, params.apiBaseUrl);
+	if (!pending) return {
+		code_length: null,
+		confirm_command: null,
+		email: null,
+		expired: false,
+		expires_at: null,
+		expires_in: null,
+		pending: false,
+		resend_after: null,
+		resend_command: null,
+		signup_command: pendingSignupStartCommand(params.email)
+	};
+	if (params.email && normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$2(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive signup status\` without an email argument to inspect it.`);
+	const expiresAtMs = new Date(pending.expires_at).getTime();
+	const expiresIn = Number.isFinite(expiresAtMs) ? Math.ceil((expiresAtMs - Date.now()) / 1e3) : null;
+	return {
+		code_length: pending.verification_code_length,
+		confirm_command: `primitive ${copy.confirmCommand(pending.email)}`,
+		email: pending.email,
+		expired: expiresIn !== null && expiresIn <= 0,
+		expires_at: pending.expires_at,
+		expires_in: expiresIn === null ? null : Math.max(0, expiresIn),
+		pending: true,
+		resend_after: pending.resend_after,
+		resend_command: `primitive ${copy.resendCommand(pending.email)}`
+	};
+}
+function writeSignupStatus(status) {
+	if (!status.pending) {
+		process$1.stdout.write("No pending Primitive signup found.\n");
+		process$1.stdout.write(`Start one with \`${status.signup_command ?? pendingSignupStartCommand()}\`.\n`);
+		return;
+	}
+	process$1.stdout.write(`Pending Primitive signup for ${status.email}.\n`);
+	if (status.code_length !== null) process$1.stdout.write(`Verification code length: ${status.code_length}\n`);
+	if (status.expires_at) if (status.expired) process$1.stdout.write(`Expired at: ${status.expires_at}\n`);
+	else {
+		process$1.stdout.write(`Expires at: ${status.expires_at}\n`);
+		process$1.stdout.write(`Expires in: ${formatSignupSeconds(status.expires_in)}\n`);
+	}
+	if (status.resend_after !== null) process$1.stdout.write(`Resend after: ${formatSignupSeconds(status.resend_after)}\n`);
+	if (status.confirm_command) process$1.stdout.write(`Confirm: ${status.confirm_command}\n`);
+	if (status.resend_command) process$1.stdout.write(`Resend: ${status.resend_command}\n`);
+}
+function runSignupStatus(params) {
+	const { requestConfig } = createCliApiClient({
+		apiBaseUrl: params.flags["api-base-url"],
+		configDir: params.configDir
+	});
+	const status = buildSignupStatus({
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
+		configDir: params.configDir,
+		copy: params.copy,
+		email: params.email
+	});
+	if (params.flags.json) {
+		process$1.stdout.write(`${JSON.stringify(status, null, 2)}\n`);
+		return;
+	}
+	writeSignupStatus(status);
+}
 function requirePendingSignupForEmail(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
-	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
-	if (!pending) throw cliError$2(`No pending ${copy.actionNoun} for ${params.email}. Run \`primitive ${copy.startCommand(params.email)}\` first.`);
-	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$2(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
+	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl);
+	if (!pending) throw cliError$2(`No pending ${copy.actionNoun} for ${params.email}. Run \`primitive signup status ${params.email}\` to inspect pending state, or \`primitive ${copy.startCommand(params.email)}\` first.`);
+	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$2(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive signup status\` to inspect it, or \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	return pending;
 }
 function retryAfterSeconds(result) {
@@ -18368,7 +19174,7 @@ async function checkExistingCredentials(params) {
 	}
 	if (!existing) return;
 	const existingStatus = await checkExistingLoginFn({
-		apiBaseUrl1: params.apiBaseUrl1,
+		apiBaseUrl: params.apiBaseUrl,
 		configDir: params.configDir,
 		credentials: existing,
 		credentialsLockHeld: true
@@ -18387,7 +19193,7 @@ function saveSignupCredentials(params) {
 	deleteChatState(params.configDir);
 	saveCliCredentials(params.configDir, {
 		access_token: params.signup.access_token,
-		api_base_url_1: params.apiBaseUrl1,
+		api_base_url: params.apiBaseUrl,
 		auth_method: "oauth",
 		created_at: (/* @__PURE__ */ new Date()).toISOString(),
 		expires_at: cliAccessTokenExpiresAt(params.signup.expires_in),
@@ -18406,17 +19212,17 @@ function writeStartInstructions(start, copy = DEFAULT_SIGNUP_COMMAND_COPY) {
 }
 async function startSignup(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
-	const existingPending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
+	const existingPending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl);
 	if (existingPending && !params.flags.force) {
 		if (normalizeEmail(existingPending.email) === normalizeEmail(params.email)) {
 			process$1.stderr.write(`Continuing pending Primitive ${copy.actionNoun} for ${existingPending.email}.\n`);
-			process$1.stderr.write(`Run \`primitive ${copy.confirmCommand(existingPending.email)}\` to finish, or \`primitive ${copy.resendCommand(existingPending.email)}\` to send a new code.\n`);
+			process$1.stderr.write(`Run \`primitive ${copy.confirmCommand(existingPending.email)}\` to finish, \`primitive ${copy.resendCommand(existingPending.email)}\` to send a new code, or \`primitive signup status\` to inspect it.\n`);
 			return {
 				pending: existingPending,
 				started: false
 			};
 		}
-		throw cliError$2(`Pending ${copy.actionNoun} is for ${existingPending.email}. Run \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
+		throw cliError$2(`Pending ${copy.actionNoun} is for ${existingPending.email}. Run \`primitive signup status\` to inspect it, or \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	}
 	if (params.flags.force) deletePendingAgentSignup(params.configDir);
 	const promptRequiredFn = params.deps.promptRequired ?? promptRequired;
@@ -18441,7 +19247,7 @@ async function startSignup(params) {
 	const startResult = unwrapData$1(started.data);
 	if (!startResult) throw cliError$2("Primitive API returned an empty agent signup response.");
 	return {
-		pending: savePendingAgentSignup(params.configDir, startResult, params.apiBaseUrl1),
+		pending: savePendingAgentSignup(params.configDir, startResult, params.apiBaseUrl),
 		started: true
 	};
 }
@@ -18461,7 +19267,7 @@ async function resendVerificationCode(params) {
 			verification_code_length: resend.verification_code_length
 		} : params.start;
 		return {
-			pending: savePendingAgentSignup(params.configDir, next, params.apiBaseUrl1),
+			pending: savePendingAgentSignup(params.configDir, next, params.apiBaseUrl),
 			resent: true
 		};
 	}
@@ -18485,18 +19291,18 @@ async function runSignupStartWithCredentialLock(params) {
 	const promptRequiredFn = deps.promptRequired ?? promptRequired;
 	const email = params.email ?? await promptRequiredFn("Email: ");
 	await checkExistingCredentials({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir,
 		copy: params.copy,
 		deps,
 		flags
 	});
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir
 	});
 	const start = await startSignup({
-		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 		apiClient,
 		configDir,
 		copy: params.copy,
@@ -18510,19 +19316,19 @@ async function runSignupConfirmWithCredentialLock(params) {
 	const { configDir, flags } = params;
 	const deps = params.deps ?? {};
 	if (!params.skipExistingCredentialCheck) await checkExistingCredentials({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir,
 		copy: params.copy,
 		deps,
 		flags
 	});
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir
 	});
-	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
+	const apiBaseUrl = requestConfig.resolvedApiBaseUrl;
 	const pending = requirePendingSignupForEmail({
-		apiBaseUrl1,
+		apiBaseUrl,
 		copy: params.copy,
 		configDir,
 		email: params.email
@@ -18540,7 +19346,7 @@ async function runSignupConfirmWithCredentialLock(params) {
 		const signup = unwrapData$1(verified.data);
 		if (!signup) throw cliError$2("Primitive API returned an empty agent signup verification response.");
 		saveSignupCredentials({
-			apiBaseUrl1,
+			apiBaseUrl,
 			configDir,
 			signup
 		});
@@ -18552,25 +19358,27 @@ async function runSignupConfirmWithCredentialLock(params) {
 	}
 	const payload = extractErrorPayload(verified.error);
 	const code = extractErrorCode(payload);
-	if (code === INVALID_VERIFICATION_CODE) throw cliError$2(`Invalid verification code. Try again or run ${(params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY).resendCommand(params.email)}.`);
+	if (code === INVALID_VERIFICATION_CODE) throw cliError$2(`Invalid verification code. Try again, run ${(params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY).resendCommand(params.email)}, or run primitive signup status.`);
 	if (code === EXPIRED_TOKEN || code === INVALID_SIGNUP_TOKEN) deletePendingAgentSignup(configDir);
 	writeErrorWithHints(payload);
 	throw cliError$2("Primitive agent signup failed while verifying the account.");
 }
 async function runSignupResendWithCredentialLock(params) {
 	const deps = params.deps ?? {};
+	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: params.flags["api-base-url-1"],
+		apiBaseUrl: params.flags["api-base-url"],
 		configDir: params.configDir
 	});
-	const pending = requirePendingSignupForEmail({
-		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
-		copy: params.copy,
+	const pending = params.email ? requirePendingSignupForEmail({
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
+		copy,
 		configDir: params.configDir,
 		email: params.email
-	});
+	}) : loadPendingAgentSignup(params.configDir, requestConfig.resolvedApiBaseUrl);
+	if (!pending) throw cliError$2(`No pending ${copy.actionNoun} found. Run \`primitive signup status\` to inspect pending state, or start one with \`${pendingSignupStartCommand()}\`.`);
 	const resend = await resendVerificationCode({
-		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 		apiClient,
 		configDir: params.configDir,
 		deps,
@@ -18583,20 +19391,20 @@ async function runSignupInteractiveWithCredentialLock(params) {
 	const deps = params.deps ?? {};
 	const promptRequiredFn = deps.promptRequired ?? promptRequired;
 	await checkExistingCredentials({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir,
 		deps,
 		flags
 	});
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir
 	});
-	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
-	let start = flags.force ? null : loadPendingAgentSignup(configDir, apiBaseUrl1);
+	const apiBaseUrl = requestConfig.resolvedApiBaseUrl;
+	let start = flags.force ? null : loadPendingAgentSignup(configDir, apiBaseUrl);
 	if (start) process$1.stderr.write(`Continuing pending Primitive signup for ${start.email}.\n`);
 	else start = (await startSignup({
-		apiBaseUrl1,
+		apiBaseUrl,
 		apiClient,
 		configDir,
 		deps,
@@ -18610,7 +19418,7 @@ async function runSignupInteractiveWithCredentialLock(params) {
 		const verificationCode = await promptRequiredFn(`Verification code (${start.verification_code_length} digits): `);
 		if (verificationCode.toLowerCase() === "resend") {
 			const resend = await resendVerificationCode({
-				apiBaseUrl1,
+				apiBaseUrl,
 				apiClient,
 				configDir,
 				deps,
@@ -18627,7 +19435,7 @@ async function runSignupInteractiveWithCredentialLock(params) {
 				deps,
 				email: start.email,
 				flags: {
-					"api-base-url-1": flags["api-base-url-1"],
+					"api-base-url": flags["api-base-url"],
 					force: true
 				},
 				skipExistingCredentialCheck: true
@@ -18645,9 +19453,9 @@ async function runSignupInteractiveWithCredentialLock(params) {
 function commonStartFlags() {
 	return {
 		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
@@ -18708,9 +19516,9 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 	static summary = "Confirm account signup";
 	static examples = ["<%= config.bin %> signup confirm user@example.com 123456", "<%= config.bin %> signup confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		force: Flags.boolean({
@@ -18741,15 +19549,15 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 };
 var SignupResendCommand = class SignupResendCommand extends Command {
 	static args = { email: Args.string({
-		description: "Email address used to start signup",
-		required: true
+		description: "Email address used to start signup. Defaults to the saved pending signup.",
+		required: false
 	}) };
 	static description = "Resend the verification code for a pending signup.";
 	static summary = "Resend signup verification code";
-	static examples = ["<%= config.bin %> signup resend user@example.com"];
-	static flags = { "api-base-url-1": Flags.string({
+	static examples = ["<%= config.bin %> signup resend", "<%= config.bin %> signup resend user@example.com"];
+	static flags = { "api-base-url": Flags.string({
 		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-		env: "PRIMITIVE_API_BASE_URL_1",
+		env: "PRIMITIVE_API_BASE_URL",
 		hidden: true
 	}) };
 	async run() {
@@ -18771,6 +19579,35 @@ var SignupResendCommand = class SignupResendCommand extends Command {
 		}
 	}
 };
+var SignupStatusCommand = class SignupStatusCommand extends Command {
+	static args = { email: Args.string({
+		description: "Email address expected in the pending signup",
+		required: false
+	}) };
+	static description = "Inspect the locally saved pending Primitive signup state.";
+	static summary = "Show pending signup status";
+	static examples = [
+		"<%= config.bin %> signup status",
+		"<%= config.bin %> signup status user@example.com",
+		"<%= config.bin %> signup status --json"
+	];
+	static flags = {
+		"api-base-url": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		json: Flags.boolean({ description: "Print pending signup status as JSON" })
+	};
+	async run() {
+		const { args, flags } = await this.parse(SignupStatusCommand);
+		runSignupStatus({
+			configDir: this.config.configDir,
+			email: args.email,
+			flags
+		});
+	}
+};
 var SignupInteractiveCommand = class SignupInteractiveCommand extends Command {
 	static description = "Run the full signup flow in one interactive terminal session.";
 	static summary = "Run interactive account signup";
@@ -18825,7 +19662,7 @@ async function runLogoutWithCredentialLock(params) {
 	let authenticated;
 	try {
 		authenticated = await deps.createAuthenticatedCliApiClient({
-			apiBaseUrl1: params.flags["api-base-url-1"],
+			apiBaseUrl: params.flags["api-base-url"],
 			configDir: params.configDir,
 			credentialsLockHeld: true
 		});
@@ -18889,9 +19726,9 @@ var LogoutCommand = class LogoutCommand extends Command {
 	static summary = "Log out and revoke the saved CLI OAuth grant";
 	static examples = ["<%= config.bin %> logout", "<%= config.bin %> logout --force"];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		force: Flags.boolean({
@@ -19031,6 +19868,7 @@ var ReplyCommand = class ReplyCommand extends Command {
 	static examples = [
 		"<%= config.bin %> reply --id <inbound-email-id> --body 'Thanks, got it.'",
 		"<%= config.bin %> reply --id <inbound-email-id> --body-file ./reply.txt",
+		"<%= config.bin %> reply --id <inbound-email-id> --body 'See attached.' --attachment ./report.pdf",
 		"<%= config.bin %> reply --id <inbound-email-id> --html '<p>Thanks, got it.</p>' --wait",
 		"<%= config.bin %> reply --id <inbound-email-id> --from 'Support <support@example.com>' --body 'Thanks!'"
 	];
@@ -19039,14 +19877,9 @@ var ReplyCommand = class ReplyCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: "Override the API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -19054,12 +19887,17 @@ var ReplyCommand = class ReplyCommand extends Command {
 			required: true
 		}),
 		body: Flags.string({ description: "Plain-text reply body. Either --body or --html (or both) is required." }),
-		"body-file": Flags.string({ description: "Read the plain-text reply body from a UTF-8 file. Mutually exclusive with --body and --body-stdin." }),
+		"body-file": Flags.string({ description: "Read the plain-text reply body from a UTF-8 file; this does not attach the file. Use --attachment for attachments. Mutually exclusive with --body and --body-stdin." }),
 		"body-stdin": Flags.boolean({ description: "Read the plain-text reply body from stdin. Mutually exclusive with --body and --body-file. Stdin can only be consumed once." }),
 		html: Flags.string({ description: "HTML reply body. Either --body or --html (or both) is required." }),
-		"html-file": Flags.string({ description: "Read the HTML reply body from a UTF-8 file. Mutually exclusive with --html and --html-stdin." }),
+		"html-file": Flags.string({ description: "Read the HTML reply body from a UTF-8 file; this does not attach the file. Use --attachment for attachments. Mutually exclusive with --html and --html-stdin." }),
 		"html-stdin": Flags.boolean({ description: "Read the HTML reply body from stdin. Mutually exclusive with --html and --html-file. Stdin can only be consumed once." }),
 		from: Flags.string({ description: "Optional From header override. Defaults to the inbound recipient." }),
+		attachment: Flags.string({
+			char: "a",
+			description: "Attach a file to the reply. Repeat --attachment to attach multiple files.",
+			multiple: true
+		}),
 		wait: Flags.boolean({ description: "Block until the receiving MTA returns an outcome. Without --wait, the call returns once Primitive has accepted the reply for delivery." }),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
 	};
@@ -19077,15 +19915,16 @@ var ReplyCommand = class ReplyCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
+			const attachments = readAttachmentFiles(flags.attachment);
 			const result = await replyToEmail({
 				body: {
 					...bodies.body !== void 0 ? { body_text: bodies.body } : {},
 					...bodies.html !== void 0 ? { body_html: bodies.html } : {},
 					...flags.from !== void 0 ? { from: flags.from } : {},
+					...attachments !== void 0 ? { attachments } : {},
 					...flags.wait !== void 0 ? { wait: flags.wait } : {}
 				},
 				client: apiClient.client,
@@ -19113,38 +19952,133 @@ var ReplyCommand = class ReplyCommand extends Command {
 	}
 };
 //#endregion
-//#region src/oclif/attachments.ts
-function readAttachmentBytes(path, readFile) {
-	try {
-		return Buffer.from(readFile(path));
-	} catch (error) {
-		const detail = error instanceof Error ? error.message : String(error);
-		throw new Errors.CLIError(`Could not read --attachment ${path}: ${detail}`, { exit: 1 });
-	}
+//#region src/oclif/commands/semantic-search.ts
+const DEFAULT_LIMIT = 10;
+const MAX_LIMIT = 100;
+const SCORE_WIDTH = 7;
+const SOURCE_WIDTH = 4;
+const SUBJECT_WIDTH = 40;
+const FROM_WIDTH = 26;
+const SNIPPET_WIDTH = 60;
+function truncate(value, width) {
+	if (value.length <= width) return value.padEnd(width);
+	return `${value.slice(0, width - 3)}...`;
 }
-function hasControlCharacter(value) {
-	return Array.from(value).some((character) => {
-		const code = character.charCodeAt(0);
-		return code <= 31 || code >= 127 && code <= 159;
-	});
+function sourceLabel(t) {
+	return t === "inbound_email" ? "in" : "out";
 }
-function validateAttachmentFilename(path, filename) {
-	if (!filename) throw new Errors.CLIError(`Could not derive an attachment filename from ${path}. Pass a file path.`, { exit: 1 });
-	if (hasControlCharacter(filename)) throw new Errors.CLIError(`Attachment filename ${filename} contains control characters.`, { exit: 1 });
+function formatRow(r) {
+	return `${r.score.toFixed(3).padStart(SCORE_WIDTH)}  ${sourceLabel(r.source_type).padEnd(SOURCE_WIDTH)}  ${truncate((r.subject ?? "").replace(/\s+/g, " "), SUBJECT_WIDTH)}  ${truncate(r.from ?? "", FROM_WIDTH)}  ${truncate((r.snippets[0]?.text ?? "").replace(/\s+/g, " "), SNIPPET_WIDTH)}`;
 }
-function readAttachmentFiles(paths, readFile = readFileSync) {
-	if (!paths || paths.length === 0) return void 0;
-	return paths.map((path) => {
-		const filename = basename(path);
-		validateAttachmentFilename(path, filename);
-		const bytes = readAttachmentBytes(path, readFile);
-		if (bytes.length === 0) throw new Errors.CLIError(`Attachment file ${path} is empty. Attachments must contain at least one byte.`, { exit: 1 });
-		return {
-			content_base64: bytes.toString("base64"),
-			filename
-		};
-	});
+function formatHeader() {
+	return `${"SCORE".padStart(SCORE_WIDTH)}  ${"SRC".padEnd(SOURCE_WIDTH)}  ${"SUBJECT".padEnd(SUBJECT_WIDTH)}  ${"FROM".padEnd(FROM_WIDTH)}  EXCERPT`;
 }
+var SemanticSearchCommand = class SemanticSearchCommand extends Command {
+	static description = `Search received and sent mail by meaning or keywords.
+
+  Returns ranked rows. Each row carries a relevance score, the fields it
+  matched, and a match-centered excerpt. Defaults to hybrid mode (blends
+  semantic and keyword signals); use \`--mode keyword\` for plain
+  full-text matching and \`--mode semantic\` for embedding-only.
+
+  Requires the Pro plan with the semantic_search_enabled entitlement.`;
+	static summary = "Semantic / hybrid / keyword search across received and sent mail";
+	static examples = [
+		"<%= config.bin %> semantic-search \"invoice from acme\"",
+		"<%= config.bin %> semantic-search \"shipping update\" --mode keyword",
+		"<%= config.bin %> semantic-search \"kickoff\" --corpus inbound --limit 25",
+		"<%= config.bin %> semantic-search renewal --json | jq '.data[].id'"
+	];
+	static args = { query: Args.string({
+		description: "The search query.",
+		required: true
+	}) };
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		mode: Flags.string({
+			description: "Ranking strategy.",
+			options: [
+				"hybrid",
+				"semantic",
+				"keyword"
+			],
+			default: "hybrid"
+		}),
+		corpus: Flags.string({
+			description: "Restrict to inbound or outbound. Pass twice to include both (the default).",
+			options: ["inbound", "outbound"],
+			multiple: true
+		}),
+		"date-from": Flags.string({ description: "Only include mail at or after this ISO-8601 timestamp." }),
+		"date-to": Flags.string({ description: "Only include mail at or before this ISO-8601 timestamp." }),
+		limit: Flags.integer({
+			description: `Maximum results to return (1-${MAX_LIMIT}, default ${DEFAULT_LIMIT}).`,
+			default: DEFAULT_LIMIT,
+			min: 1,
+			max: MAX_LIMIT
+		}),
+		cursor: Flags.string({ description: "Opaque pagination cursor from a prior response's meta.cursor." }),
+		json: Flags.boolean({ description: "Print the raw response envelope as JSON on STDOUT instead of the text table." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { args, flags } = await this.parse(SemanticSearchCommand);
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl: flags["api-base-url"],
+				configDir: this.config.configDir
+			});
+			const result = await semanticSearch({
+				client: apiClient.client,
+				body: {
+					query: args.query,
+					mode: flags.mode,
+					...flags.corpus ? { corpus: flags.corpus } : {},
+					...flags["date-from"] ? { date_from: flags["date-from"] } : {},
+					...flags["date-to"] ? { date_to: flags["date-to"] } : {},
+					limit: flags.limit,
+					...flags.cursor ? { cursor: flags.cursor } : {}
+				},
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const errorPayload = extractErrorPayload(result.error);
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const envelope = result.data;
+			if (flags.json) {
+				this.log(JSON.stringify(envelope ?? null, null, 2));
+				return;
+			}
+			const rows = envelope?.data ?? [];
+			if (rows.length === 0) {
+				process.stderr.write("No matching mail.\n");
+				return;
+			}
+			process.stderr.write(`${formatHeader()}\n`);
+			for (const row of rows) this.log(formatRow(row));
+			const nextCursor = envelope?.meta?.cursor ?? null;
+			if (nextCursor) process.stderr.write(`\nNext page: pass --cursor ${nextCursor}\n`);
+		});
+	}
+};
 //#endregion
 //#region src/oclif/commands/send.ts
 var SendCommand = class SendCommand extends Command {
@@ -19171,14 +20105,9 @@ var SendCommand = class SendCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: "Override the API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		to: Flags.string({
@@ -19217,8 +20146,7 @@ var SendCommand = class SendCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -19240,7 +20168,7 @@ var SendCommand = class SendCommand extends Command {
 					...flags.wait !== void 0 ? { wait: flags.wait } : {},
 					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
 				},
-				client: apiClient._sendClient,
+				client: apiClient.client,
 				responseStyle: "fields"
 			});
 			if (result.error) {
@@ -19311,9 +20239,9 @@ function acquireCredentialsLock(configDir) {
 function commonOtpStartFlags() {
 	return {
 		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
@@ -19492,9 +20420,9 @@ var SigninOtpConfirmCommand = class extends Command {
 	static summary = "Confirm OTP sign-in";
 	static examples = ["<%= config.bin %> signin otp confirm user@example.com 123456", "<%= config.bin %> signin otp confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		force: Flags.boolean({
@@ -19571,9 +20499,9 @@ var SigninOtpResendCommand = class extends Command {
 	static description = "Resend the verification code for a pending OTP sign-in.";
 	static summary = "Resend OTP sign-in code";
 	static examples = ["<%= config.bin %> signin otp resend user@example.com"];
-	static flags = { "api-base-url-1": Flags.string({
+	static flags = { "api-base-url": Flags.string({
 		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-		env: "PRIMITIVE_API_BASE_URL_1",
+		env: "PRIMITIVE_API_BASE_URL",
 		hidden: true
 	}) };
 	async run() {
@@ -19659,14 +20587,9 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: API_BASE_URL_1_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: API_BASE_URL_2_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		json: Flags.boolean({ description: "Print the full account JSON response. Default output hides setup and billing internals." }),
@@ -19677,8 +20600,7 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const result = await getAccount({
@@ -20002,14 +20924,17 @@ const COMMANDS = {
 	"signup:confirm": SignupConfirmCommand,
 	"signup:interactive": SignupInteractiveCommand,
 	"signup:resend": SignupResendCommand,
+	"signup:status": SignupStatusCommand,
 	logout: LogoutCommand,
 	whoami: WhoamiCommand,
 	doctor: DoctorCommand,
 	"emails:latest": EmailsLatestCommand,
 	"emails:watch": EmailsWatchCommand,
 	"emails:wait": EmailsWaitCommand,
+	"semantic-search": SemanticSearchCommand,
 	"domains:zone-file": DomainsZoneFileCommand,
 	"domains:download-domain-zone-file": DomainsZoneFileCommand,
+	"inbox:setup": InboxSetupCommand,
 	"inbox:status": InboxStatusCommand,
 	"inbox:get-inbox-status": InboxStatusCommand,
 	"functions:init": FunctionsInitCommand,