@primitivedotdev/cli 0.35.0 → 0.35.1

package/dist/oclif/index.js

@@ -1,4 +1,4 @@
-import { A as createClient, C as saveCliCredentials, D as loadChatConversationByLocalId, E as loadActiveChatState, O as saveActiveChatState, S as resolveCliAuth, T as deleteChatState, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as normalizeApiBaseUrl1, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, j as createConfig, k as PrimitiveApiClient, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as chatStatePath, x as normalizeApiBaseUrl2, y as loadCliCredentials } from "../cli-config-SktG2dzR.js";
+import { A as createConfig, C as chatStatePath, D as saveActiveChatState, E as loadChatConversationByLocalId, O as PrimitiveApiClient, S as saveCliCredentials, T as loadActiveChatState, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as normalizeApiBaseUrl, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, k as createClient, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as deleteChatState, x as resolveCliAuth, y as loadCliCredentials } from "../cli-config-DREZ2BxT.js";
 import { Args, Command, Errors, Flags, ux } from "@oclif/core";
 import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { randomUUID } from "node:crypto";
@@ -20,7 +20,7 @@ var __exportAll = (all, no_symbols) => {
 };
 //#endregion
 //#region ../packages/api-core/src/api/client.gen.ts
-const client = createClient(createConfig({ baseUrl: "https://www.primitive.dev/api/v1" }));
+const client = createClient(createConfig({ baseUrl: "https://api.primitive.dev/v1" }));
 //#endregion
 //#region ../packages/api-core/src/api/sdk.gen.ts
 var sdk_gen_exports = /* @__PURE__ */ __exportAll({
@@ -934,14 +934,13 @@ const getSendPermissions = (options) => (options?.client ?? client).get({
 * the request returns once the relay accepts the message for delivery.
 * Set `wait: true` to wait for the first downstream SMTP delivery outcome.
 *
-* **Host routing.** /send-mail is served by the attachments-
-* supporting host (`https://api.primitive.dev/v1`) so the
-* request body can carry inline attachments up to ~30 MiB raw.
-* The primary host (`https://www.primitive.dev/api/v1`) also
-* accepts /send-mail for attachment-free sends; sends WITH
-* attachments to the primary host return 413
-* `attachments_unsupported_on_this_endpoint`. The typed SDKs
-* route /send-mail to the attachments host automatically.
+* **Host routing.** /send-mail is served by the canonical API host
+* (`https://api.primitive.dev/v1`) so the request body can carry
+* inline attachments up to ~30 MiB raw. The legacy dashboard
+* compatibility host (`https://www.primitive.dev/api/v1`) also accepts
+* /send-mail, but Vercel request body limits apply before proxying.
+* The typed SDKs route /send-mail to the canonical API host
+* automatically.
 *
 */
 const sendEmail = (options) => (options.client ?? client).post({
@@ -1383,11 +1382,11 @@ const openapiDocument = {
 		}
 	},
 	"servers": [{
-		"url": "https://www.primitive.dev/api/v1",
-		"description": "Primary API host (PRIMITIVE_API_BASE_URL_1). Carries every operation\nexcept attachment-supporting send. Vercel-backed; request body is\ncapped at 4.5 MB by the platform.\n"
-	}, {
 		"url": "https://api.primitive.dev/v1",
-		"description": "Attachments-supporting send host (PRIMITIVE_API_BASE_URL_2).\nCloudflare Worker with a ~30 MiB raw request body cap (before\nbase64 encoding). Today only `/send-mail` is hosted here; future\nlarge-body operations will migrate here over time. SDK clients\nroute /send-mail to this server automatically.\n"
+		"description": "Canonical API host (PRIMITIVE_API_BASE_URL). Carries every public\nAPI operation. Cloudflare Workers-backed; attachment-capable send\noperations can carry up to ~30 MiB raw request bodies before base64\nencoding.\n"
+	}, {
+		"url": "https://www.primitive.dev/api/v1",
+		"description": "Legacy dashboard compatibility host. Requests are forwarded to the\ncanonical API host, but Vercel request body limits still apply before\nproxying. New integrations should use https://api.primitive.dev/v1.\n"
 	}],
 	"security": [{ "BearerAuth": [] }],
 	"tags": [
@@ -2410,10 +2409,10 @@ const openapiDocument = {
 				"description": "Sends an outbound reply to the inbound email identified by `id`.\nThreading headers (`In-Reply-To`, `References`), recipient\nderivation (Reply-To, then From, then bare sender), and the\n`Re:` subject prefix are all derived server-side from the\nstored inbound row. The request body carries only the message\nbody, optional From override, optional attachments, and optional\n`wait` flag; passing any header or recipient override is\nrejected by the schema (`additionalProperties: false`).\n\nForwards through the same gates as `/send-mail`: the response\nstatus, error envelope, and `idempotent_replay` flag mirror\nthe send-mail contract verbatim.\n",
 				"servers": [{
 					"url": "https://api.primitive.dev/v1",
-					"description": "Attachments-supporting send host (recommended)"
+					"description": "Canonical API host (recommended)"
 				}, {
 					"url": "https://www.primitive.dev/api/v1",
-					"description": "Primary host (attachment-free replies only)"
+					"description": "Legacy compatibility host (Vercel body limit applies)"
 				}],
 				"tags": ["Sending"],
 				"requestBody": {
@@ -2822,13 +2821,13 @@ const openapiDocument = {
 		"/send-mail": { "post": {
 			"operationId": "sendEmail",
 			"summary": "Send outbound email",
-			"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the attachments-\nsupporting host (`https://api.primitive.dev/v1`) so the\nrequest body can carry inline attachments up to ~30 MiB raw.\nThe primary host (`https://www.primitive.dev/api/v1`) also\naccepts /send-mail for attachment-free sends; sends WITH\nattachments to the primary host return 413\n`attachments_unsupported_on_this_endpoint`. The typed SDKs\nroute /send-mail to the attachments host automatically.\n",
+			"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the canonical API host\n(`https://api.primitive.dev/v1`) so the request body can carry\ninline attachments up to ~30 MiB raw. The legacy dashboard\ncompatibility host (`https://www.primitive.dev/api/v1`) also accepts\n/send-mail, but Vercel request body limits apply before proxying.\nThe typed SDKs route /send-mail to the canonical API host\nautomatically.\n",
 			"servers": [{
 				"url": "https://api.primitive.dev/v1",
-				"description": "Attachments-supporting send host (recommended)"
+				"description": "Canonical API host (recommended)"
 			}, {
 				"url": "https://www.primitive.dev/api/v1",
-				"description": "Primary host (attachment-free sends only)"
+				"description": "Legacy compatibility host (Vercel body limit applies)"
 			}],
 			"tags": ["Sending"],
 			"parameters": [{
@@ -12805,7 +12804,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "send-email",
-		"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the attachments-\nsupporting host (`https://api.primitive.dev/v1`) so the\nrequest body can carry inline attachments up to ~30 MiB raw.\nThe primary host (`https://www.primitive.dev/api/v1`) also\naccepts /send-mail for attachment-free sends; sends WITH\nattachments to the primary host return 413\n`attachments_unsupported_on_this_endpoint`. The typed SDKs\nroute /send-mail to the attachments host automatically.\n",
+		"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the canonical API host\n(`https://api.primitive.dev/v1`) so the request body can carry\ninline attachments up to ~30 MiB raw. The legacy dashboard\ncompatibility host (`https://www.primitive.dev/api/v1`) also accepts\n/send-mail, but Vercel request body limits apply before proxying.\nThe typed SDKs route /send-mail to the canonical API host\nautomatically.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "sendEmail",
@@ -13302,19 +13301,15 @@ function cliApiHeadersFromEnv(env = process.env) {
 }
 function resolveCliApiRequestConfig(params) {
 	const currentEnvironment = resolveConfigEnvironment(loadCliConfig(params.configDir));
-	const configuredApiBaseUrl1 = currentEnvironment?.config.api_base_url_1;
-	const configuredApiBaseUrl2 = currentEnvironment?.config.api_base_url_2;
-	if (currentEnvironment !== null && currentEnvironment.name !== "default" && params.apiBaseUrl1 === void 0 && configuredApiBaseUrl1 === void 0) throw new Errors.CLIError(`The active Primitive CLI environment \`${currentEnvironment.name}\` does not specify an api_base_url_1. Set one with \`primitive config set --environment ${currentEnvironment.name} --api-base-url-1 https://...\`, or switch to a different environment with \`primitive config use <name>\`. Refusing to fall back to the production default for a non-default environment.`, { exit: 1 });
-	const apiBaseUrl1 = params.apiBaseUrl1 !== void 0 ? normalizeApiBaseUrl1(params.apiBaseUrl1) : configuredApiBaseUrl1;
-	const apiBaseUrl2 = params.apiBaseUrl2 !== void 0 ? normalizeApiBaseUrl2(params.apiBaseUrl2) : configuredApiBaseUrl2;
+	const configuredApiBaseUrl = currentEnvironment?.config.api_base_url;
+	if (currentEnvironment !== null && currentEnvironment.name !== "default" && params.apiBaseUrl === void 0 && configuredApiBaseUrl === void 0) throw new Errors.CLIError(`The active Primitive CLI environment \`${currentEnvironment.name}\` does not specify an api_base_url. Set one with \`primitive config set --environment ${currentEnvironment.name} --api-base-url https://...\`, or switch to a different environment with \`primitive config use <name>\`. Refusing to fall back to the production default for a non-default environment.`, { exit: 1 });
+	const apiBaseUrl = params.apiBaseUrl !== void 0 ? normalizeApiBaseUrl(params.apiBaseUrl) : configuredApiBaseUrl;
 	return {
-		apiBaseUrl1,
-		apiBaseUrl2,
-		baseUrlOverridden: apiBaseUrl1 !== void 0 || apiBaseUrl2 !== void 0,
+		apiBaseUrl,
+		baseUrlOverridden: apiBaseUrl !== void 0,
 		environmentName: currentEnvironment?.name ?? null,
 		headers: mergeHeaders(currentEnvironment?.config.headers, cliApiHeadersFromEnv(params.env)),
-		resolvedApiBaseUrl1: normalizeApiBaseUrl1(apiBaseUrl1),
-		resolvedApiBaseUrl2: normalizeApiBaseUrl2(apiBaseUrl2)
+		resolvedApiBaseUrl: normalizeApiBaseUrl(apiBaseUrl)
 	};
 }
 function createCliApiClient(params) {
@@ -13322,15 +13317,14 @@ function createCliApiClient(params) {
 	return {
 		apiClient: new PrimitiveApiClient({
 			apiKey: params.apiKey,
-			apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
-			apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
+			apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 			headers: requestConfig.headers
 		}),
 		requestConfig
 	};
 }
-function oauthTokenEndpoint(apiBaseUrl1) {
-	const url = new URL(apiBaseUrl1);
+function oauthTokenEndpoint(apiBaseUrl) {
+	const url = new URL(apiBaseUrl);
 	url.pathname = "/oauth/token";
 	url.search = "";
 	url.hash = "";
@@ -13378,7 +13372,7 @@ async function refreshStoredCliCredentials(params) {
 		});
 		let response;
 		try {
-			response = await fetchImpl(oauthTokenEndpoint(params.apiBaseUrl1), {
+			response = await fetchImpl(oauthTokenEndpoint(params.apiBaseUrl), {
 				body,
 				headers: {
 					...params.headers ?? {},
@@ -13418,13 +13412,12 @@ async function createAuthenticatedCliApiClient(params) {
 	const requestConfig = resolveCliApiRequestConfig(params);
 	let auth = resolveCliAuth({
 		apiKey: params.apiKey,
-		apiBaseUrl1: requestConfig.apiBaseUrl1,
-		apiBaseUrl2: requestConfig.apiBaseUrl2,
+		apiBaseUrl: requestConfig.apiBaseUrl,
 		configDir: params.configDir
 	});
 	if (auth.source === "stored" && auth.credentials) {
 		const refreshed = await refreshStoredCliCredentials({
-			apiBaseUrl1: auth.apiBaseUrl1,
+			apiBaseUrl: auth.apiBaseUrl,
 			configDir: params.configDir,
 			credentials: auth.credentials,
 			credentialsLockHeld: params.credentialsLockHeld,
@@ -13441,8 +13434,7 @@ async function createAuthenticatedCliApiClient(params) {
 	return {
 		apiClient: new PrimitiveApiClient({
 			apiKey: auth.apiKey,
-			apiBaseUrl1: auth.apiBaseUrl1,
-			apiBaseUrl2: auth.apiBaseUrl2,
+			apiBaseUrl: auth.apiBaseUrl,
 			headers: requestConfig.headers
 		}),
 		auth,
@@ -13758,7 +13750,7 @@ const NETWORK_ERROR_HINTS = {
 	ENETUNREACH: "Hint: the network is unreachable. If you're behind a proxy and set HTTP(S)_PROXY, re-run with NODE_USE_ENV_PROXY=1 (Node 22+ ignores those env vars by default). `primitive doctor` reports the local environment in one shot.",
 	ECONNREFUSED: "Hint: the server refused the connection. Check that your firewall allows egress to *.primitive.dev, that your PRIMITIVE_API_BASE_URL_* overrides (if any) point at a reachable host, and re-run with NODE_USE_ENV_PROXY=1 if you're behind a proxy. `primitive doctor` reports the local environment in one shot.",
 	ETIMEDOUT: "Hint: the connection timed out. Check egress rules and proxy configuration; if you're behind a proxy, re-run with NODE_USE_ENV_PROXY=1 and HTTPS_PROXY set. `primitive doctor` reports the local environment in one shot.",
-	EAI_AGAIN: "Hint: DNS lookup failed. Check /etc/resolv.conf inside containers, and try `curl -v https://www.primitive.dev/api/v1/account` to confirm the host resolves. `primitive doctor` reports the local environment in one shot."
+	EAI_AGAIN: "Hint: DNS lookup failed. Check /etc/resolv.conf inside containers, and try `curl -v https://api.primitive.dev/v1/account` to confirm the host resolves. `primitive doctor` reports the local environment in one shot."
 };
 function writeErrorWithHints(payload) {
 	process.stderr.write(`${formatErrorPayload(payload)}\n`);
@@ -13787,8 +13779,8 @@ function writeErrorWithHints(payload) {
 */
 function surfaceUnauthorizedHint(params) {
 	if (extractErrorCode(params.payload) !== API_ERROR_CODES.unauthorized || params.auth.source !== "stored") return;
-	if (params.baseUrlOverridden && params.auth.credentials !== null && params.auth.apiBaseUrl1 !== params.auth.credentials.api_base_url_1) {
-		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The saved credential is preserved; unset PRIMITIVE_API_BASE_URL_1, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
+	if (params.baseUrlOverridden && params.auth.credentials !== null && params.auth.apiBaseUrl !== params.auth.credentials.api_base_url) {
+		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The saved credential is preserved; unset PRIMITIVE_API_BASE_URL, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
 		return;
 	}
 	process.stderr.write("Your saved Primitive CLI OAuth session was rejected. If the command was working a moment ago, please retry; brief retries often clear transient rejections. If it keeps failing, run `primitive logout && primitive signin` to mint a fresh session.\n");
@@ -13809,13 +13801,10 @@ async function runWithTiming(enabled, fn) {
 	}
 }
 const TIME_FLAG_DESCRIPTION = "Print the wall-clock duration of this command to stderr after it completes (e.g. `[time: 1.34s]`). Useful for measuring `--wait` send latency, comparing CLI overhead, or capturing timing in scripts.";
-const API_BASE_URL_1_FLAG_DESCRIPTION = "Override the primary API base URL. Internal testing only; not documented to customers.";
-const API_BASE_URL_2_FLAG_DESCRIPTION = "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.";
-const HOST_2_OPERATIONS = new Set(["sendEmail", "replyToEmail"]);
+const API_BASE_URL_FLAG_DESCRIPTION = "Override the API base URL. Internal testing only; not documented to customers.";
 const RESERVED_FLAG_NAMES = new Set([
 	"api-key",
-	"api-base-url-1",
-	"api-base-url-2",
+	"api-base-url",
 	"raw-body",
 	"body-file",
 	"envelope",
@@ -13847,14 +13836,9 @@ function buildFlags(operation) {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: "Override the API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
@@ -13942,8 +13926,7 @@ function createOperationCommand(operation) {
 			await runWithTiming(parsedFlags.time === true, async () => {
 				const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 					apiKey: typeof parsedFlags["api-key"] === "string" ? parsedFlags["api-key"] : void 0,
-					apiBaseUrl1: typeof parsedFlags["api-base-url-1"] === "string" ? parsedFlags["api-base-url-1"] : void 0,
-					apiBaseUrl2: typeof parsedFlags["api-base-url-2"] === "string" ? parsedFlags["api-base-url-2"] : void 0,
+					apiBaseUrl: typeof parsedFlags["api-base-url"] === "string" ? parsedFlags["api-base-url"] : void 0,
 					configDir: this.config.configDir
 				});
 				let body;
@@ -13964,10 +13947,9 @@ function createOperationCommand(operation) {
 				}
 				if (operation.bodyRequired && body === void 0) throw new Errors.CLIError(`Operation ${operation.operationId} requires a body. Pass each field as a --flag (see --help) or supply JSON via --raw-body / --body-file.`);
 				const operationFn = sdk_gen_exports[operation.sdkName];
-				const targetClient = HOST_2_OPERATIONS.has(operation.sdkName) ? apiClient._sendClient : apiClient.client;
 				const result = await operationFn({
 					body,
-					client: targetClient,
+					client: apiClient.client,
 					parseAs: operation.binaryResponse ? "blob" : "auto",
 					path: collectValues(operation.pathParams, parsedFlags),
 					query: collectValues(operation.queryParams, parsedFlags),
@@ -14721,14 +14703,9 @@ var ChatCommand = class ChatCommand extends Command {
 			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive signin` credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		from: Flags.string({ description: "Sender address. Defaults to agent@<your-first-verified-outbound-domain>." }),
@@ -14787,8 +14764,7 @@ var ChatCommand = class ChatCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -14859,7 +14835,7 @@ var ChatCommand = class ChatCommand extends Command {
 					from,
 					...attachments !== void 0 ? { attachments } : {}
 				},
-				client: apiClient._sendClient,
+				client: apiClient.client,
 				path: { id: parentReply.id },
 				responseStyle: "fields"
 			}) : await sendEmail({
@@ -14871,7 +14847,7 @@ var ChatCommand = class ChatCommand extends Command {
 					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
 					...attachments !== void 0 ? { attachments } : {}
 				},
-				client: apiClient._sendClient,
+				client: apiClient.client,
 				responseStyle: "fields"
 			});
 			if (sendResult.error) {
@@ -14996,14 +14972,9 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive signin` credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.integer({
@@ -15068,8 +15039,7 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 			String(state.local_id)
 		];
 		if (flags["api-key"] !== void 0) argv.push("--api-key", flags["api-key"]);
-		if (flags["api-base-url-1"] !== void 0) argv.push("--api-base-url-1", flags["api-base-url-1"]);
-		if (flags["api-base-url-2"] !== void 0) argv.push("--api-base-url-2", flags["api-base-url-2"]);
+		if (flags["api-base-url"] !== void 0) argv.push("--api-base-url", flags["api-base-url"]);
 		if (flags.json) argv.push("--json");
 		if (flags.quiet) argv.push("--quiet");
 		for (const attachment of flags.attachment ?? []) argv.push("--attachment", attachment);
@@ -15184,8 +15154,7 @@ function upsertCliEnvironmentAndClearCredentialsIfSwitched(params) {
 	const previousActiveEnvironment = resolveConfigEnvironment(previousConfig);
 	const previousEnvironment = previousActiveEnvironment?.name ?? null;
 	const config = upsertCliEnvironment({
-		apiBaseUrl1: params.apiBaseUrl1,
-		apiBaseUrl2: params.apiBaseUrl2,
+		apiBaseUrl: params.apiBaseUrl,
 		config: previousConfig,
 		environmentName: params.environmentName,
 		headers: params.headers,
@@ -15193,7 +15162,7 @@ function upsertCliEnvironmentAndClearCredentialsIfSwitched(params) {
 	});
 	const activeEnvironment = resolveConfigEnvironment(config);
 	const environment = activeEnvironment?.name ?? null;
-	const shouldClearCredentials = existsSync(credentialsPath(params.configDir)) && (previousEnvironment !== environment || previousActiveEnvironment?.config.api_base_url_1 !== activeEnvironment?.config.api_base_url_1);
+	const shouldClearCredentials = existsSync(credentialsPath(params.configDir)) && (previousEnvironment !== environment || previousActiveEnvironment?.config.api_base_url !== activeEnvironment?.config.api_base_url);
 	let removedCredentials = false;
 	if (shouldClearCredentials) {
 		const releaseLock = acquireCliCredentialsLock(params.configDir);
@@ -15243,10 +15212,9 @@ var ConfigSetCommand = class ConfigSetCommand extends Command {
 	static flags = {
 		environment: Flags.string({
 			char: "e",
-			description: "Environment name to create or update"
+			description: "Environment name to create or update. Defaults to the active environment, or default when none is active."
 		}),
-		"api-base-url-1": Flags.string({ description: "Primary API base URL" }),
-		"api-base-url-2": Flags.string({ description: "Attachments-supporting API base URL" }),
+		"api-base-url": Flags.string({ description: "API base URL" }),
 		header: Flags.string({
 			description: "Request header in name=value form. Repeatable.",
 			multiple: true
@@ -15259,10 +15227,9 @@ var ConfigSetCommand = class ConfigSetCommand extends Command {
 	async run() {
 		const { flags } = await this.parse(ConfigSetCommand);
 		const headers = flags.header ?? [];
-		if (flags["api-base-url-1"] === void 0 && flags["api-base-url-2"] === void 0 && headers.length === 0 && (flags["unset-header"] ?? []).length === 0) throw new Errors.CLIError("Nothing to set. Pass an API base URL, --header, or --unset-header.", { exit: 1 });
+		if (flags["api-base-url"] === void 0 && headers.length === 0 && (flags["unset-header"] ?? []).length === 0) throw new Errors.CLIError("Nothing to set. Pass an API base URL, --header, or --unset-header.", { exit: 1 });
 		const { environment, removedCredentials } = upsertCliEnvironmentAndClearCredentialsIfSwitched({
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir,
 			environmentName: flags.environment,
 			headers,
@@ -15310,8 +15277,7 @@ var ConfigListCommand = class ConfigListCommand extends Command {
 			const active = activeEnvironment === name ? "*" : " ";
 			const headerNames = Object.keys(environment.headers ?? {});
 			this.log(`${active} ${name}`);
-			if (environment.api_base_url_1) this.log(`    api_base_url_1: ${environment.api_base_url_1}`);
-			if (environment.api_base_url_2) this.log(`    api_base_url_2: ${environment.api_base_url_2}`);
+			if (environment.api_base_url) this.log(`    api_base_url: ${environment.api_base_url}`);
 			this.log(`    headers: ${headerNames.length > 0 ? headerNames.join(", ") : "(none)"}`);
 		}
 	}
@@ -15483,7 +15449,7 @@ async function checkAccount(client) {
 	} catch (error) {
 		const code = error instanceof Error && error.cause && typeof error.cause === "object" && typeof error.cause.code === "string" ? error.cause.code : void 0;
 		const message = error instanceof Error ? error.message : String(error);
-		const hint = code === "ENETUNREACH" || code === "ECONNREFUSED" || code === "ETIMEDOUT" || code === "EAI_AGAIN" ? "Network unreachable. If you're behind a proxy, re-run with NODE_USE_ENV_PROXY=1 and HTTPS_PROXY set. If you're in a container, check that egress to *.primitive.dev is allowed." : "Inspect the error above. `curl https://www.primitive.dev/api/v1/account -H \"Authorization: Bearer $PRIMITIVE_API_KEY\"` is the fastest way to bisect CLI vs network.";
+		const hint = code === "ENETUNREACH" || code === "ECONNREFUSED" || code === "ETIMEDOUT" || code === "EAI_AGAIN" ? "Network unreachable. If you're behind a proxy, re-run with NODE_USE_ENV_PROXY=1 and HTTPS_PROXY set. If you're in a container, check that egress to *.primitive.dev is allowed." : "Inspect the error above. `curl https://api.primitive.dev/v1/account -H \"Authorization: Bearer $PRIMITIVE_API_KEY\"` is the fastest way to bisect CLI vs network.";
 		return {
 			outcome: {
 				status: "fail",
@@ -15537,14 +15503,9 @@ var DoctorCommand = class DoctorCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		})
 	};
@@ -15570,8 +15531,7 @@ var DoctorCommand = class DoctorCommand extends Command {
 		if (apiKeyCheck.status !== "fail") {
 			const { apiClient, auth } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			if (auth.apiKey !== void 0) {
@@ -15657,14 +15617,9 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		domain: Flags.string({ description: "Domain name to look up before downloading its zone file. Prefer --id when you have the domain id from `primitive domains add`." }),
@@ -15683,8 +15638,7 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden, requestConfig } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			let domainId = flags.id;
@@ -15711,7 +15665,7 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 			if (!domainId) throw new Errors.CLIError("Could not resolve a domain id.", { exit: 1 });
 			let response;
 			try {
-				response = await fetch(zoneFileUrl(requestConfig.resolvedApiBaseUrl1, domainId, flags["outbound-only"]), { headers: {
+				response = await fetch(zoneFileUrl(requestConfig.resolvedApiBaseUrl, domainId, flags["outbound-only"]), { headers: {
 					...requestConfig.headers ?? {},
 					...auth.apiKey ? { authorization: `Bearer ${auth.apiKey}` } : {}
 				} });
@@ -15746,14 +15700,14 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 };
 //#endregion
 //#region src/oclif/commands/emails-latest.ts
-const DEFAULT_LIMIT = 10;
-const MAX_LIMIT = 100;
+const DEFAULT_LIMIT$1 = 10;
+const MAX_LIMIT$1 = 100;
 const SUBJECT_DISPLAY_WIDTH = 50;
 const ADDRESS_DISPLAY_WIDTH = 32;
 const ID_DISPLAY_WIDTH_SHORT = 8;
 const ID_DISPLAY_WIDTH_FULL = 36;
 const RECEIVED_DISPLAY_WIDTH = 19;
-function truncate$1(value, width) {
+function truncate$2(value, width) {
 	if (value.length <= width) return value.padEnd(width);
 	return `${value.slice(0, width - 3)}...`;
 }
@@ -15767,10 +15721,10 @@ function formatReceivedAt(value) {
 function pickIdWidth(isTty) {
 	return isTty ? ID_DISPLAY_WIDTH_SHORT : ID_DISPLAY_WIDTH_FULL;
 }
-function formatRow(email, idWidth) {
-	return `${truncate$1(email.id.slice(0, idWidth), idWidth)}  ${formatReceivedAt(email.received_at)}  ${truncate$1(email.sender ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$1(email.recipient ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$1((email.subject ?? "").replace(/\s+/g, " "), SUBJECT_DISPLAY_WIDTH)}`;
+function formatRow$1(email, idWidth) {
+	return `${truncate$2(email.id.slice(0, idWidth), idWidth)}  ${formatReceivedAt(email.received_at)}  ${truncate$2(email.sender ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$2(email.recipient ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$2((email.subject ?? "").replace(/\s+/g, " "), SUBJECT_DISPLAY_WIDTH)}`;
 }
-function formatHeader(idWidth) {
+function formatHeader$1(idWidth) {
 	return `${"ID".padEnd(idWidth)}  ${"RECEIVED (UTC)".padEnd(RECEIVED_DISPLAY_WIDTH)}  ${"FROM".padEnd(ADDRESS_DISPLAY_WIDTH)}  ${"TO".padEnd(ADDRESS_DISPLAY_WIDTH)}  SUBJECT`;
 }
 var EmailsLatestCommand = class EmailsLatestCommand extends Command {
@@ -15791,21 +15745,16 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		limit: Flags.integer({
-			description: `Number of rows to print (1-${MAX_LIMIT}, default ${DEFAULT_LIMIT}).`,
-			default: DEFAULT_LIMIT,
+			description: `Number of rows to print (1-${MAX_LIMIT$1}, default ${DEFAULT_LIMIT$1}).`,
+			default: DEFAULT_LIMIT$1,
 			min: 1,
-			max: MAX_LIMIT
+			max: MAX_LIMIT$1
 		}),
 		json: Flags.boolean({ description: "Print the raw response envelope (with full UUIDs and meta) as JSON on STDOUT instead of the text table. Useful for piping into `jq`, capturing ids for follow-up commands, or scripting." }),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
@@ -15815,8 +15764,7 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const result = await listEmails({
@@ -15847,8 +15795,8 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 				return;
 			}
 			const idWidth = pickIdWidth(Boolean(process.stdout.isTTY));
-			process.stderr.write(`${formatHeader(idWidth)}\n`);
-			for (const row of rows) this.log(formatRow(row, idWidth));
+			process.stderr.write(`${formatHeader$1(idWidth)}\n`);
+			for (const row of rows) this.log(formatRow$1(row, idWidth));
 		});
 	}
 };
@@ -15871,14 +15819,9 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		body: Flags.string({ description: "Full-text body filter" }),
@@ -15922,8 +15865,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 		const { flags } = await this.parse(EmailsWaitCommand);
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		let since;
@@ -15965,10 +15907,10 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 			for (const email of collectNewAcceptedEmails(page.rows, seenIds)) {
 				if (flags.table) {
 					if (!headerPrinted) {
-						process.stderr.write(`${formatHeader(idWidth)}\n`);
+						process.stderr.write(`${formatHeader$1(idWidth)}\n`);
 						headerPrinted = true;
 					}
-					this.log(formatRow(email, idWidth));
+					this.log(formatRow$1(email, idWidth));
 				} else this.log(JSON.stringify(email));
 				matched += 1;
 				if (matched >= flags.number) return;
@@ -15999,14 +15941,9 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		body: Flags.string({ description: "Full-text body filter" }),
@@ -16046,8 +15983,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 		const { flags } = await this.parse(EmailsWatchCommand);
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		let since;
@@ -16090,10 +16026,10 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 				if (flags.jsonl) this.log(JSON.stringify(email));
 				else {
 					if (!headerPrinted) {
-						process.stderr.write(`${formatHeader(idWidth)}\n`);
+						process.stderr.write(`${formatHeader$1(idWidth)}\n`);
 						headerPrinted = true;
 					}
-					this.log(formatRow(email, idWidth));
+					this.log(formatRow$1(email, idWidth));
 				}
 				printed += 1;
 				if (flags.number && printed >= flags.number) return;
@@ -16792,14 +16728,9 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		name: Flags.string({
@@ -16877,8 +16808,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -16992,8 +16922,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 		}
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		const authFailureContext = {
@@ -17082,8 +17011,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^0.35.0";
-const CLI_VERSION_RANGE = "^0.35.0";
+const SDK_VERSION_RANGE = "^0.35.1";
+const CLI_VERSION_RANGE = "^0.35.1";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
@@ -17240,7 +17169,7 @@ export default {
 
       const client = createPrimitiveClient({
         apiKey: env.PRIMITIVE_API_KEY,
-        apiBaseUrl1: env.PRIMITIVE_API_BASE_URL,
+        apiBaseUrl: env.PRIMITIVE_API_BASE_URL,
       });
 
       // To add an LLM or another API, store its key as a Function secret.
@@ -17264,7 +17193,7 @@ export default {
       // route "support@" to a ticketing flow and "sales@" to a lead
       // capture flow before calling client.reply.
 
-      // client.reply routes through POST /api/v1/emails/{id}/reply
+      // client.reply routes through POST /v1/emails/{id}/reply
       // (NOT /send-mail) so the server derives recipients, the
       // \`Re: <parent>\` subject, threading headers, and the
       // in_reply_to_email_id foreign key automatically. The FK is
@@ -17645,14 +17574,9 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -17683,8 +17607,7 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const seenIds = /* @__PURE__ */ new Set();
@@ -17843,14 +17766,9 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -17919,8 +17837,7 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -18103,14 +18020,9 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -18134,8 +18046,7 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -18332,14 +18243,9 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: API_BASE_URL_1_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: API_BASE_URL_2_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -18367,8 +18273,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 		const shouldShowSends = flags["show-sends"];
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		await runWithTiming(flags.time, async () => {
@@ -18479,7 +18384,7 @@ function formatInboxDate(value) {
 	const pad = (n) => String(n).padStart(2, "0");
 	return `${d.getUTCFullYear()}-${pad(d.getUTCMonth() + 1)}-${pad(d.getUTCDate())} ${pad(d.getUTCHours())}:${pad(d.getUTCMinutes())}:${pad(d.getUTCSeconds())} UTC`;
 }
-function truncate(value, width) {
+function truncate$1(value, width) {
 	if (value.length <= width) return value.padEnd(width);
 	return `${value.slice(0, width - 3)}...`;
 }
@@ -18529,7 +18434,7 @@ function formatDomainHeader() {
 }
 function formatDomainRow(domain) {
 	return [
-		truncate(domain.domain, DOMAIN_DISPLAY_WIDTH),
+		truncate$1(domain.domain, DOMAIN_DISPLAY_WIDTH),
 		statusText(domain.status).padEnd(STATUS_DISPLAY_WIDTH),
 		yesNo(domain.receiving_ready).padEnd(BOOL_DISPLAY_WIDTH),
 		yesNo(domain.processing_ready).padEnd(BOOL_DISPLAY_WIDTH),
@@ -18575,14 +18480,9 @@ var InboxStatusCommand = class InboxStatusCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: API_BASE_URL_1_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: API_BASE_URL_2_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		domain: Flags.string({ description: "Focus domain readiness and recent email fields on one domain returned by the inbox status API." }),
@@ -18594,8 +18494,7 @@ var InboxStatusCommand = class InboxStatusCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const result = await getInboxStatus({
@@ -18750,14 +18649,9 @@ var InboxSetupCommand = class InboxSetupCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: API_BASE_URL_1_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: API_BASE_URL_2_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		json: Flags.boolean({ description: "Print structured readiness, receive address, commands, proof metadata, and raw status as JSON." }),
@@ -18768,8 +18662,7 @@ var InboxSetupCommand = class InboxSetupCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const result = await getInboxStatus({
@@ -18836,14 +18729,14 @@ function retryAfterSeconds$1(result) {
 }
 async function checkExistingLogin(params) {
 	const requestConfig = resolveCliApiRequestConfig({
-		apiBaseUrl1: params.apiBaseUrl1,
+		apiBaseUrl: params.apiBaseUrl,
 		configDir: params.configDir
 	});
-	const probeApiBaseUrl1 = requestConfig.apiBaseUrl1 ?? params.credentials.api_base_url_1;
+	const probeApiBaseUrl = requestConfig.apiBaseUrl ?? params.credentials.api_base_url;
 	let credentials = params.credentials;
 	try {
 		credentials = await refreshStoredCliCredentials({
-			apiBaseUrl1: probeApiBaseUrl1,
+			apiBaseUrl: probeApiBaseUrl,
 			configDir: params.configDir,
 			credentials,
 			credentialsLockHeld: params.credentialsLockHeld,
@@ -18859,8 +18752,7 @@ async function checkExistingLogin(params) {
 	}
 	const apiClient = new PrimitiveApiClient({
 		apiKey: credentials.access_token,
-		apiBaseUrl1: probeApiBaseUrl1,
-		apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
+		apiBaseUrl: probeApiBaseUrl,
 		headers: requestConfig.headers
 	});
 	const result = await (params.checkAccount ?? ((client) => getAccount({
@@ -18870,7 +18762,7 @@ async function checkExistingLogin(params) {
 	if (!result.error) return { status: "valid" };
 	const payload = extractErrorPayload(result.error);
 	const code = extractErrorCode(payload);
-	const baseUrlDiffersFromSaved = requestConfig.baseUrlOverridden && requestConfig.apiBaseUrl1 !== params.credentials.api_base_url_1;
+	const baseUrlDiffersFromSaved = requestConfig.baseUrlOverridden && requestConfig.apiBaseUrl !== params.credentials.api_base_url;
 	if (code === API_ERROR_CODES.unauthorized && !baseUrlDiffersFromSaved) {
 		deleteCliCredentials(params.configDir);
 		process.stderr.write("Removed saved Primitive CLI OAuth credentials because the existing session was rejected during login. Continuing with a fresh login.\n");
@@ -18891,9 +18783,9 @@ var LoginCommand$1 = class extends Command {
 		"<%= config.bin %> login --force"
 	];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		"device-name": Flags.string({ description: "Device name shown in the browser approval screen" }),
@@ -18926,10 +18818,10 @@ var LoginCommand$1 = class extends Command {
 	}
 	async runWithCredentialLock(flags, retryCommand) {
 		const { apiClient, requestConfig } = createCliApiClient({
-			apiBaseUrl1: flags["api-base-url-1"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
-		const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
+		const apiBaseUrl = requestConfig.resolvedApiBaseUrl;
 		let existing;
 		try {
 			existing = loadCliCredentials(this.config.configDir);
@@ -18942,7 +18834,7 @@ var LoginCommand$1 = class extends Command {
 		if (existing && flags.force) process.stderr.write("Replacing saved Primitive CLI credentials after browser approval because --force was set.\n");
 		else if (existing) {
 			const existingStatus = await checkExistingLogin({
-				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir,
 				credentials: existing,
 				credentialsLockHeld: true
@@ -18988,7 +18880,7 @@ var LoginCommand$1 = class extends Command {
 				deleteChatState(this.config.configDir);
 				saveCliCredentials(this.config.configDir, {
 					access_token: login.access_token,
-					api_base_url_1: apiBaseUrl1,
+					api_base_url: apiBaseUrl,
 					auth_method: "oauth",
 					created_at: (/* @__PURE__ */ new Date()).toISOString(),
 					expires_at: cliAccessTokenExpiresAt(login.expires_in),
@@ -19052,9 +18944,11 @@ function normalizeEmail(email) {
 }
 function pendingSignupFromJson(value) {
 	if (!isRecord(value)) return null;
-	if (typeof value.signup_token !== "string" || typeof value.email !== "string" || typeof value.expires_in !== "number" || typeof value.resend_after !== "number" || typeof value.verification_code_length !== "number" || typeof value.api_base_url_1 !== "string" || typeof value.created_at !== "string" || typeof value.expires_at !== "string") return null;
+	if (typeof value.signup_token !== "string" || typeof value.email !== "string" || typeof value.expires_in !== "number" || typeof value.resend_after !== "number" || typeof value.verification_code_length !== "number" || typeof value.created_at !== "string" || typeof value.expires_at !== "string") return null;
+	const apiBaseUrl = value.api_base_url ?? value.api_base_url_1;
+	if (typeof apiBaseUrl !== "string") return null;
 	return {
-		api_base_url_1: value.api_base_url_1,
+		api_base_url: apiBaseUrl,
 		created_at: value.created_at,
 		email: value.email,
 		expires_at: value.expires_at,
@@ -19070,20 +18964,20 @@ function pendingSignupPath(configDir) {
 function deletePendingAgentSignup(configDir) {
 	rmSync(pendingSignupPath(configDir), { force: true });
 }
-function pendingSignupFromStart(start, apiBaseUrl1) {
+function pendingSignupFromStart(start, apiBaseUrl) {
 	return {
 		...start,
-		api_base_url_1: apiBaseUrl1,
+		api_base_url: apiBaseUrl,
 		created_at: (/* @__PURE__ */ new Date()).toISOString(),
 		expires_at: new Date(Date.now() + start.expires_in * 1e3).toISOString()
 	};
 }
-function savePendingAgentSignup(configDir, start, apiBaseUrl1) {
+function savePendingAgentSignup(configDir, start, apiBaseUrl) {
 	mkdirSync(configDir, {
 		mode: 448,
 		recursive: true
 	});
-	const pending = pendingSignupFromStart(start, apiBaseUrl1);
+	const pending = pendingSignupFromStart(start, apiBaseUrl);
 	const path = pendingSignupPath(configDir);
 	const tempPath = join(configDir, `${PENDING_SIGNUP_FILE}.${process$1.pid}.${randomUUID()}.tmp`);
 	try {
@@ -19097,7 +18991,7 @@ function savePendingAgentSignup(configDir, start, apiBaseUrl1) {
 		throw error;
 	}
 }
-function loadPendingAgentSignup(configDir, apiBaseUrl1) {
+function loadPendingAgentSignup(configDir, apiBaseUrl) {
 	const path = pendingSignupPath(configDir);
 	let contents;
 	try {
@@ -19116,7 +19010,7 @@ function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 		deletePendingAgentSignup(configDir);
 		return null;
 	}
-	if (pending.api_base_url_1 !== apiBaseUrl1) return null;
+	if (pending.api_base_url !== apiBaseUrl) return null;
 	if (new Date(pending.expires_at).getTime() <= Date.now()) {
 		deletePendingAgentSignup(configDir);
 		return null;
@@ -19126,7 +19020,7 @@ function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 		expires_in: Math.max(0, Math.ceil((new Date(pending.expires_at).getTime() - Date.now()) / 1e3))
 	};
 }
-function readPendingAgentSignupState(configDir, apiBaseUrl1) {
+function readPendingAgentSignupState(configDir, apiBaseUrl) {
 	const path = pendingSignupPath(configDir);
 	let contents;
 	try {
@@ -19145,7 +19039,7 @@ function readPendingAgentSignupState(configDir, apiBaseUrl1) {
 		deletePendingAgentSignup(configDir);
 		return null;
 	}
-	if (pending.api_base_url_1 !== apiBaseUrl1) return null;
+	if (pending.api_base_url !== apiBaseUrl) return null;
 	return pending;
 }
 function pendingSignupStartCommand(email) {
@@ -19153,7 +19047,7 @@ function pendingSignupStartCommand(email) {
 }
 function buildSignupStatus(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
-	const pending = readPendingAgentSignupState(params.configDir, params.apiBaseUrl1);
+	const pending = readPendingAgentSignupState(params.configDir, params.apiBaseUrl);
 	if (!pending) return {
 		code_length: null,
 		confirm_command: null,
@@ -19200,11 +19094,11 @@ function writeSignupStatus(status) {
 }
 function runSignupStatus(params) {
 	const { requestConfig } = createCliApiClient({
-		apiBaseUrl1: params.flags["api-base-url-1"],
+		apiBaseUrl: params.flags["api-base-url"],
 		configDir: params.configDir
 	});
 	const status = buildSignupStatus({
-		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 		configDir: params.configDir,
 		copy: params.copy,
 		email: params.email
@@ -19217,7 +19111,7 @@ function runSignupStatus(params) {
 }
 function requirePendingSignupForEmail(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
-	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
+	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl);
 	if (!pending) throw cliError$2(`No pending ${copy.actionNoun} for ${params.email}. Run \`primitive signup status ${params.email}\` to inspect pending state, or \`primitive ${copy.startCommand(params.email)}\` first.`);
 	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$2(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive signup status\` to inspect it, or \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	return pending;
@@ -19280,7 +19174,7 @@ async function checkExistingCredentials(params) {
 	}
 	if (!existing) return;
 	const existingStatus = await checkExistingLoginFn({
-		apiBaseUrl1: params.apiBaseUrl1,
+		apiBaseUrl: params.apiBaseUrl,
 		configDir: params.configDir,
 		credentials: existing,
 		credentialsLockHeld: true
@@ -19299,7 +19193,7 @@ function saveSignupCredentials(params) {
 	deleteChatState(params.configDir);
 	saveCliCredentials(params.configDir, {
 		access_token: params.signup.access_token,
-		api_base_url_1: params.apiBaseUrl1,
+		api_base_url: params.apiBaseUrl,
 		auth_method: "oauth",
 		created_at: (/* @__PURE__ */ new Date()).toISOString(),
 		expires_at: cliAccessTokenExpiresAt(params.signup.expires_in),
@@ -19318,7 +19212,7 @@ function writeStartInstructions(start, copy = DEFAULT_SIGNUP_COMMAND_COPY) {
 }
 async function startSignup(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
-	const existingPending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
+	const existingPending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl);
 	if (existingPending && !params.flags.force) {
 		if (normalizeEmail(existingPending.email) === normalizeEmail(params.email)) {
 			process$1.stderr.write(`Continuing pending Primitive ${copy.actionNoun} for ${existingPending.email}.\n`);
@@ -19353,7 +19247,7 @@ async function startSignup(params) {
 	const startResult = unwrapData$1(started.data);
 	if (!startResult) throw cliError$2("Primitive API returned an empty agent signup response.");
 	return {
-		pending: savePendingAgentSignup(params.configDir, startResult, params.apiBaseUrl1),
+		pending: savePendingAgentSignup(params.configDir, startResult, params.apiBaseUrl),
 		started: true
 	};
 }
@@ -19373,7 +19267,7 @@ async function resendVerificationCode(params) {
 			verification_code_length: resend.verification_code_length
 		} : params.start;
 		return {
-			pending: savePendingAgentSignup(params.configDir, next, params.apiBaseUrl1),
+			pending: savePendingAgentSignup(params.configDir, next, params.apiBaseUrl),
 			resent: true
 		};
 	}
@@ -19397,18 +19291,18 @@ async function runSignupStartWithCredentialLock(params) {
 	const promptRequiredFn = deps.promptRequired ?? promptRequired;
 	const email = params.email ?? await promptRequiredFn("Email: ");
 	await checkExistingCredentials({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir,
 		copy: params.copy,
 		deps,
 		flags
 	});
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir
 	});
 	const start = await startSignup({
-		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 		apiClient,
 		configDir,
 		copy: params.copy,
@@ -19422,19 +19316,19 @@ async function runSignupConfirmWithCredentialLock(params) {
 	const { configDir, flags } = params;
 	const deps = params.deps ?? {};
 	if (!params.skipExistingCredentialCheck) await checkExistingCredentials({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir,
 		copy: params.copy,
 		deps,
 		flags
 	});
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir
 	});
-	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
+	const apiBaseUrl = requestConfig.resolvedApiBaseUrl;
 	const pending = requirePendingSignupForEmail({
-		apiBaseUrl1,
+		apiBaseUrl,
 		copy: params.copy,
 		configDir,
 		email: params.email
@@ -19452,7 +19346,7 @@ async function runSignupConfirmWithCredentialLock(params) {
 		const signup = unwrapData$1(verified.data);
 		if (!signup) throw cliError$2("Primitive API returned an empty agent signup verification response.");
 		saveSignupCredentials({
-			apiBaseUrl1,
+			apiBaseUrl,
 			configDir,
 			signup
 		});
@@ -19473,18 +19367,18 @@ async function runSignupResendWithCredentialLock(params) {
 	const deps = params.deps ?? {};
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: params.flags["api-base-url-1"],
+		apiBaseUrl: params.flags["api-base-url"],
 		configDir: params.configDir
 	});
 	const pending = params.email ? requirePendingSignupForEmail({
-		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 		copy,
 		configDir: params.configDir,
 		email: params.email
-	}) : loadPendingAgentSignup(params.configDir, requestConfig.resolvedApiBaseUrl1);
+	}) : loadPendingAgentSignup(params.configDir, requestConfig.resolvedApiBaseUrl);
 	if (!pending) throw cliError$2(`No pending ${copy.actionNoun} found. Run \`primitive signup status\` to inspect pending state, or start one with \`${pendingSignupStartCommand()}\`.`);
 	const resend = await resendVerificationCode({
-		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 		apiClient,
 		configDir: params.configDir,
 		deps,
@@ -19497,20 +19391,20 @@ async function runSignupInteractiveWithCredentialLock(params) {
 	const deps = params.deps ?? {};
 	const promptRequiredFn = deps.promptRequired ?? promptRequired;
 	await checkExistingCredentials({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir,
 		deps,
 		flags
 	});
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir
 	});
-	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
-	let start = flags.force ? null : loadPendingAgentSignup(configDir, apiBaseUrl1);
+	const apiBaseUrl = requestConfig.resolvedApiBaseUrl;
+	let start = flags.force ? null : loadPendingAgentSignup(configDir, apiBaseUrl);
 	if (start) process$1.stderr.write(`Continuing pending Primitive signup for ${start.email}.\n`);
 	else start = (await startSignup({
-		apiBaseUrl1,
+		apiBaseUrl,
 		apiClient,
 		configDir,
 		deps,
@@ -19524,7 +19418,7 @@ async function runSignupInteractiveWithCredentialLock(params) {
 		const verificationCode = await promptRequiredFn(`Verification code (${start.verification_code_length} digits): `);
 		if (verificationCode.toLowerCase() === "resend") {
 			const resend = await resendVerificationCode({
-				apiBaseUrl1,
+				apiBaseUrl,
 				apiClient,
 				configDir,
 				deps,
@@ -19541,7 +19435,7 @@ async function runSignupInteractiveWithCredentialLock(params) {
 				deps,
 				email: start.email,
 				flags: {
-					"api-base-url-1": flags["api-base-url-1"],
+					"api-base-url": flags["api-base-url"],
 					force: true
 				},
 				skipExistingCredentialCheck: true
@@ -19559,9 +19453,9 @@ async function runSignupInteractiveWithCredentialLock(params) {
 function commonStartFlags() {
 	return {
 		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
@@ -19622,9 +19516,9 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 	static summary = "Confirm account signup";
 	static examples = ["<%= config.bin %> signup confirm user@example.com 123456", "<%= config.bin %> signup confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		force: Flags.boolean({
@@ -19661,9 +19555,9 @@ var SignupResendCommand = class SignupResendCommand extends Command {
 	static description = "Resend the verification code for a pending signup.";
 	static summary = "Resend signup verification code";
 	static examples = ["<%= config.bin %> signup resend", "<%= config.bin %> signup resend user@example.com"];
-	static flags = { "api-base-url-1": Flags.string({
+	static flags = { "api-base-url": Flags.string({
 		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-		env: "PRIMITIVE_API_BASE_URL_1",
+		env: "PRIMITIVE_API_BASE_URL",
 		hidden: true
 	}) };
 	async run() {
@@ -19698,9 +19592,9 @@ var SignupStatusCommand = class SignupStatusCommand extends Command {
 		"<%= config.bin %> signup status --json"
 	];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		json: Flags.boolean({ description: "Print pending signup status as JSON" })
@@ -19768,7 +19662,7 @@ async function runLogoutWithCredentialLock(params) {
 	let authenticated;
 	try {
 		authenticated = await deps.createAuthenticatedCliApiClient({
-			apiBaseUrl1: params.flags["api-base-url-1"],
+			apiBaseUrl: params.flags["api-base-url"],
 			configDir: params.configDir,
 			credentialsLockHeld: true
 		});
@@ -19832,9 +19726,9 @@ var LogoutCommand = class LogoutCommand extends Command {
 	static summary = "Log out and revoke the saved CLI OAuth grant";
 	static examples = ["<%= config.bin %> logout", "<%= config.bin %> logout --force"];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		force: Flags.boolean({
@@ -19983,14 +19877,9 @@ var ReplyCommand = class ReplyCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: "Override the API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -20026,8 +19915,7 @@ var ReplyCommand = class ReplyCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const attachments = readAttachmentFiles(flags.attachment);
@@ -20039,7 +19927,7 @@ var ReplyCommand = class ReplyCommand extends Command {
 					...attachments !== void 0 ? { attachments } : {},
 					...flags.wait !== void 0 ? { wait: flags.wait } : {}
 				},
-				client: apiClient._sendClient,
+				client: apiClient.client,
 				path: { id: flags.id },
 				responseStyle: "fields"
 			});
@@ -20064,6 +19952,134 @@ var ReplyCommand = class ReplyCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/semantic-search.ts
+const DEFAULT_LIMIT = 10;
+const MAX_LIMIT = 100;
+const SCORE_WIDTH = 7;
+const SOURCE_WIDTH = 4;
+const SUBJECT_WIDTH = 40;
+const FROM_WIDTH = 26;
+const SNIPPET_WIDTH = 60;
+function truncate(value, width) {
+	if (value.length <= width) return value.padEnd(width);
+	return `${value.slice(0, width - 3)}...`;
+}
+function sourceLabel(t) {
+	return t === "inbound_email" ? "in" : "out";
+}
+function formatRow(r) {
+	return `${r.score.toFixed(3).padStart(SCORE_WIDTH)}  ${sourceLabel(r.source_type).padEnd(SOURCE_WIDTH)}  ${truncate((r.subject ?? "").replace(/\s+/g, " "), SUBJECT_WIDTH)}  ${truncate(r.from ?? "", FROM_WIDTH)}  ${truncate((r.snippets[0]?.text ?? "").replace(/\s+/g, " "), SNIPPET_WIDTH)}`;
+}
+function formatHeader() {
+	return `${"SCORE".padStart(SCORE_WIDTH)}  ${"SRC".padEnd(SOURCE_WIDTH)}  ${"SUBJECT".padEnd(SUBJECT_WIDTH)}  ${"FROM".padEnd(FROM_WIDTH)}  EXCERPT`;
+}
+var SemanticSearchCommand = class SemanticSearchCommand extends Command {
+	static description = `Search received and sent mail by meaning or keywords.
+
+  Returns ranked rows. Each row carries a relevance score, the fields it
+  matched, and a match-centered excerpt. Defaults to hybrid mode (blends
+  semantic and keyword signals); use \`--mode keyword\` for plain
+  full-text matching and \`--mode semantic\` for embedding-only.
+
+  Requires the Pro plan with the semantic_search_enabled entitlement.`;
+	static summary = "Semantic / hybrid / keyword search across received and sent mail";
+	static examples = [
+		"<%= config.bin %> semantic-search \"invoice from acme\"",
+		"<%= config.bin %> semantic-search \"shipping update\" --mode keyword",
+		"<%= config.bin %> semantic-search \"kickoff\" --corpus inbound --limit 25",
+		"<%= config.bin %> semantic-search renewal --json | jq '.data[].id'"
+	];
+	static args = { query: Args.string({
+		description: "The search query.",
+		required: true
+	}) };
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		mode: Flags.string({
+			description: "Ranking strategy.",
+			options: [
+				"hybrid",
+				"semantic",
+				"keyword"
+			],
+			default: "hybrid"
+		}),
+		corpus: Flags.string({
+			description: "Restrict to inbound or outbound. Pass twice to include both (the default).",
+			options: ["inbound", "outbound"],
+			multiple: true
+		}),
+		"date-from": Flags.string({ description: "Only include mail at or after this ISO-8601 timestamp." }),
+		"date-to": Flags.string({ description: "Only include mail at or before this ISO-8601 timestamp." }),
+		limit: Flags.integer({
+			description: `Maximum results to return (1-${MAX_LIMIT}, default ${DEFAULT_LIMIT}).`,
+			default: DEFAULT_LIMIT,
+			min: 1,
+			max: MAX_LIMIT
+		}),
+		cursor: Flags.string({ description: "Opaque pagination cursor from a prior response's meta.cursor." }),
+		json: Flags.boolean({ description: "Print the raw response envelope as JSON on STDOUT instead of the text table." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { args, flags } = await this.parse(SemanticSearchCommand);
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl: flags["api-base-url"],
+				configDir: this.config.configDir
+			});
+			const result = await semanticSearch({
+				client: apiClient.client,
+				body: {
+					query: args.query,
+					mode: flags.mode,
+					...flags.corpus ? { corpus: flags.corpus } : {},
+					...flags["date-from"] ? { date_from: flags["date-from"] } : {},
+					...flags["date-to"] ? { date_to: flags["date-to"] } : {},
+					limit: flags.limit,
+					...flags.cursor ? { cursor: flags.cursor } : {}
+				},
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const errorPayload = extractErrorPayload(result.error);
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const envelope = result.data;
+			if (flags.json) {
+				this.log(JSON.stringify(envelope ?? null, null, 2));
+				return;
+			}
+			const rows = envelope?.data ?? [];
+			if (rows.length === 0) {
+				process.stderr.write("No matching mail.\n");
+				return;
+			}
+			process.stderr.write(`${formatHeader()}\n`);
+			for (const row of rows) this.log(formatRow(row));
+			const nextCursor = envelope?.meta?.cursor ?? null;
+			if (nextCursor) process.stderr.write(`\nNext page: pass --cursor ${nextCursor}\n`);
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/send.ts
 var SendCommand = class SendCommand extends Command {
 	static description = `Send an outbound email. Agent-grade shortcut for \`sending send\` with sensible defaults.
@@ -20089,14 +20105,9 @@ var SendCommand = class SendCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: "Override the API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		to: Flags.string({
@@ -20135,8 +20146,7 @@ var SendCommand = class SendCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -20158,7 +20168,7 @@ var SendCommand = class SendCommand extends Command {
 					...flags.wait !== void 0 ? { wait: flags.wait } : {},
 					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
 				},
-				client: apiClient._sendClient,
+				client: apiClient.client,
 				responseStyle: "fields"
 			});
 			if (result.error) {
@@ -20229,9 +20239,9 @@ function acquireCredentialsLock(configDir) {
 function commonOtpStartFlags() {
 	return {
 		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
@@ -20410,9 +20420,9 @@ var SigninOtpConfirmCommand = class extends Command {
 	static summary = "Confirm OTP sign-in";
 	static examples = ["<%= config.bin %> signin otp confirm user@example.com 123456", "<%= config.bin %> signin otp confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		force: Flags.boolean({
@@ -20489,9 +20499,9 @@ var SigninOtpResendCommand = class extends Command {
 	static description = "Resend the verification code for a pending OTP sign-in.";
 	static summary = "Resend OTP sign-in code";
 	static examples = ["<%= config.bin %> signin otp resend user@example.com"];
-	static flags = { "api-base-url-1": Flags.string({
+	static flags = { "api-base-url": Flags.string({
 		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-		env: "PRIMITIVE_API_BASE_URL_1",
+		env: "PRIMITIVE_API_BASE_URL",
 		hidden: true
 	}) };
 	async run() {
@@ -20577,14 +20587,9 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: API_BASE_URL_1_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: API_BASE_URL_2_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		json: Flags.boolean({ description: "Print the full account JSON response. Default output hides setup and billing internals." }),
@@ -20595,8 +20600,7 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const result = await getAccount({
@@ -20927,6 +20931,7 @@ const COMMANDS = {
 	"emails:latest": EmailsLatestCommand,
 	"emails:watch": EmailsWatchCommand,
 	"emails:wait": EmailsWaitCommand,
+	"semantic-search": SemanticSearchCommand,
 	"domains:zone-file": DomainsZoneFileCommand,
 	"domains:download-domain-zone-file": DomainsZoneFileCommand,
 	"inbox:setup": InboxSetupCommand,