@primitivedotdev/cli 0.35.0 → 0.36.0

package/dist/oclif/index.js

@@ -1,4 +1,4 @@
-import { A as createClient, C as saveCliCredentials, D as loadChatConversationByLocalId, E as loadActiveChatState, O as saveActiveChatState, S as resolveCliAuth, T as deleteChatState, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as normalizeApiBaseUrl1, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, j as createConfig, k as PrimitiveApiClient, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as chatStatePath, x as normalizeApiBaseUrl2, y as loadCliCredentials } from "../cli-config-SktG2dzR.js";
+import { A as createClient, C as saveCliCredentials, D as loadChatConversationByLocalId, E as loadActiveChatState, O as saveActiveChatState, S as resolveCliAuth, T as deleteChatState, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as loadCliCredentials, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, j as createConfig, k as PrimitiveApiClient, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as chatStatePath, x as normalizeApiBaseUrl, y as detectPrimitiveKeyEnvMisname } from "../cli-config-D7wN_PBc.js";
 import { Args, Command, Errors, Flags, ux } from "@oclif/core";
 import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { randomUUID } from "node:crypto";
@@ -20,7 +20,7 @@ var __exportAll = (all, no_symbols) => {
 };
 //#endregion
 //#region ../packages/api-core/src/api/client.gen.ts
-const client = createClient(createConfig({ baseUrl: "https://www.primitive.dev/api/v1" }));
+const client = createClient(createConfig({ baseUrl: "https://api.primitive.dev/v1" }));
 //#endregion
 //#region ../packages/api-core/src/api/sdk.gen.ts
 var sdk_gen_exports = /* @__PURE__ */ __exportAll({
@@ -44,8 +44,10 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	getConversation: () => getConversation,
 	getEmail: () => getEmail,
 	getFunction: () => getFunction,
+	getFunctionRouting: () => getFunctionRouting,
 	getFunctionTestRunTrace: () => getFunctionTestRunTrace,
 	getInboxStatus: () => getInboxStatus,
+	getOrgRoutingTopology: () => getOrgRoutingTopology,
 	getSendPermissions: () => getSendPermissions,
 	getSentEmail: () => getSentEmail,
 	getStorageStats: () => getStorageStats,
@@ -70,12 +72,14 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	searchEmails: () => searchEmails,
 	semanticSearch: () => semanticSearch,
 	sendEmail: () => sendEmail,
+	setFunctionRoute: () => setFunctionRoute,
 	setFunctionSecret: () => setFunctionSecret,
 	startAgentSignup: () => startAgentSignup,
 	startCliLogin: () => startCliLogin,
 	startCliSignup: () => startCliSignup,
 	testEndpoint: () => testEndpoint,
 	testFunction: () => testFunction,
+	unsetFunctionRoute: () => unsetFunctionRoute,
 	updateAccount: () => updateAccount,
 	updateDomain: () => updateDomain,
 	updateEndpoint: () => updateEndpoint,
@@ -934,14 +938,13 @@ const getSendPermissions = (options) => (options?.client ?? client).get({
 * the request returns once the relay accepts the message for delivery.
 * Set `wait: true` to wait for the first downstream SMTP delivery outcome.
 *
-* **Host routing.** /send-mail is served by the attachments-
-* supporting host (`https://api.primitive.dev/v1`) so the
-* request body can carry inline attachments up to ~30 MiB raw.
-* The primary host (`https://www.primitive.dev/api/v1`) also
-* accepts /send-mail for attachment-free sends; sends WITH
-* attachments to the primary host return 413
-* `attachments_unsupported_on_this_endpoint`. The typed SDKs
-* route /send-mail to the attachments host automatically.
+* **Host routing.** /send-mail is served by the canonical API host
+* (`https://api.primitive.dev/v1`) so the request body can carry
+* inline attachments up to ~30 MiB raw. The legacy dashboard
+* compatibility host (`https://www.primitive.dev/api/v1`) also accepts
+* /send-mail, but Vercel request body limits apply before proxying.
+* The typed SDKs route /send-mail to the canonical API host
+* automatically.
 *
 */
 const sendEmail = (options) => (options.client ?? client).post({
@@ -1103,11 +1106,13 @@ const listFunctions = (options) => (options?.client ?? client).get({
 * attempt, and sent to the runtime so stack traces can resolve to
 * original source files.
 *
-* **Auto-wiring.** On successful deploy, Primitive automatically
-* creates a webhook endpoint that delivers inbound mail to the
-* function. There is nothing to configure on the Endpoints API
-* for this to work; the internal runtime URL is not returned by
-* the API and is not a customer-facing integration surface.
+* **Routing.** On successful deploy, the function code is live
+* in the runtime, but inbound mail will not reach it until at
+* least one route is bound. Routes are managed from the Primitive
+* dashboard. A `deploy_status` of `deployed` means the script is
+* installed, not that the function is receiving mail. The
+* internal runtime URL is not returned by the API and is not a
+* customer-facing integration surface.
 *
 * **Secrets.** New functions ship with the managed secrets
 * (`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,
@@ -1132,7 +1137,7 @@ const createFunction = (options) => (options.client ?? client).post({
 * Delete a function
 *
 * Soft-deletes the function row, removes the script from the edge
-* runtime, and deactivates the auto-wired webhook endpoint so no
+* runtime, and deactivates any route bound to this function so no
 * further inbound mail is delivered. Past deploy history,
 * invocations, and logs are retained.
 *
@@ -1249,6 +1254,80 @@ const getFunctionTestRunTrace = (options) => (options.client ?? client).get({
 	...options
 });
 /**
+* Get the org's function routing topology
+*
+* Returns a single snapshot of how inbound mail is routed across
+* this org's active domains and functions: which active domain has
+* which function bound, the org's fallback function (if any), and
+* every deployed function with no route bound. Use this to answer
+* "which of my functions actually receive mail?" diagnostically.
+*
+*/
+const getOrgRoutingTopology = (options) => (options?.client ?? client).get({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/functions/routing-topology",
+	...options
+});
+/**
+* Get a function's current route binding
+*
+* Returns the endpoint binding for the function, or null when no
+* route is currently bound. The binding identifies whether the
+* function receives mail for a specific domain (scoped) or for any
+* active domain that has no scoped binding (fallback).
+*
+*/
+const getFunctionRouting = (options) => (options.client ?? client).get({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/functions/{id}/routing",
+	...options
+});
+/**
+* Unbind any route from a function
+*
+* Deactivates every active endpoint bound to this function. The
+* function stays deployed but stops receiving inbound mail. Safe
+* to call when no route is currently bound (no-op).
+*
+*/
+const unsetFunctionRoute = (options) => (options.client ?? client).delete({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/functions/{id}/route",
+	...options
+});
+/**
+* Bind a route to a function
+*
+* Binds inbound mail to this function. The route target is either
+* a specific verified domain (scoped) or the org's fallback (any
+* active domain with no scoped binding). If another function is
+* already bound at the target, returns a `conflict` envelope
+* describing the holder; re-issue with `takeover: true` to
+* deactivate that prior binding and install this one.
+*
+*/
+const setFunctionRoute = (options) => (options.client ?? client).put({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/functions/{id}/route",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
 * List a function's secrets
 *
 * Returns metadata for every secret bound to the function, with
@@ -1383,11 +1462,11 @@ const openapiDocument = {
 		}
 	},
 	"servers": [{
-		"url": "https://www.primitive.dev/api/v1",
-		"description": "Primary API host (PRIMITIVE_API_BASE_URL_1). Carries every operation\nexcept attachment-supporting send. Vercel-backed; request body is\ncapped at 4.5 MB by the platform.\n"
-	}, {
 		"url": "https://api.primitive.dev/v1",
-		"description": "Attachments-supporting send host (PRIMITIVE_API_BASE_URL_2).\nCloudflare Worker with a ~30 MiB raw request body cap (before\nbase64 encoding). Today only `/send-mail` is hosted here; future\nlarge-body operations will migrate here over time. SDK clients\nroute /send-mail to this server automatically.\n"
+		"description": "Canonical API host (PRIMITIVE_API_BASE_URL). Carries every public\nAPI operation. Cloudflare Workers-backed; attachment-capable send\noperations can carry up to ~30 MiB raw request bodies before base64\nencoding.\n"
+	}, {
+		"url": "https://www.primitive.dev/api/v1",
+		"description": "Legacy dashboard compatibility host. Requests are forwarded to the\ncanonical API host, but Vercel request body limits still apply before\nproxying. New integrations should use https://api.primitive.dev/v1.\n"
 	}],
 	"security": [{ "BearerAuth": [] }],
 	"tags": [
@@ -2410,10 +2489,10 @@ const openapiDocument = {
 				"description": "Sends an outbound reply to the inbound email identified by `id`.\nThreading headers (`In-Reply-To`, `References`), recipient\nderivation (Reply-To, then From, then bare sender), and the\n`Re:` subject prefix are all derived server-side from the\nstored inbound row. The request body carries only the message\nbody, optional From override, optional attachments, and optional\n`wait` flag; passing any header or recipient override is\nrejected by the schema (`additionalProperties: false`).\n\nForwards through the same gates as `/send-mail`: the response\nstatus, error envelope, and `idempotent_replay` flag mirror\nthe send-mail contract verbatim.\n",
 				"servers": [{
 					"url": "https://api.primitive.dev/v1",
-					"description": "Attachments-supporting send host (recommended)"
+					"description": "Canonical API host (recommended)"
 				}, {
 					"url": "https://www.primitive.dev/api/v1",
-					"description": "Primary host (attachment-free replies only)"
+					"description": "Legacy compatibility host (Vercel body limit applies)"
 				}],
 				"tags": ["Sending"],
 				"requestBody": {
@@ -2822,13 +2901,13 @@ const openapiDocument = {
 		"/send-mail": { "post": {
 			"operationId": "sendEmail",
 			"summary": "Send outbound email",
-			"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the attachments-\nsupporting host (`https://api.primitive.dev/v1`) so the\nrequest body can carry inline attachments up to ~30 MiB raw.\nThe primary host (`https://www.primitive.dev/api/v1`) also\naccepts /send-mail for attachment-free sends; sends WITH\nattachments to the primary host return 413\n`attachments_unsupported_on_this_endpoint`. The typed SDKs\nroute /send-mail to the attachments host automatically.\n",
+			"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the canonical API host\n(`https://api.primitive.dev/v1`) so the request body can carry\ninline attachments up to ~30 MiB raw. The legacy dashboard\ncompatibility host (`https://www.primitive.dev/api/v1`) also accepts\n/send-mail, but Vercel request body limits apply before proxying.\nThe typed SDKs route /send-mail to the canonical API host\nautomatically.\n",
 			"servers": [{
 				"url": "https://api.primitive.dev/v1",
-				"description": "Attachments-supporting send host (recommended)"
+				"description": "Canonical API host (recommended)"
 			}, {
 				"url": "https://www.primitive.dev/api/v1",
-				"description": "Primary host (attachment-free sends only)"
+				"description": "Legacy compatibility host (Vercel body limit applies)"
 			}],
 			"tags": ["Sending"],
 			"parameters": [{
@@ -3030,7 +3109,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "createFunction",
 				"summary": "Deploy a function",
-				"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to an `email.received` event (see\n`EmailReceivedEvent` and the Webhook payload section for the full\nschema). Code is bundled before being uploaded; ship a single\nself-contained file rather than relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Auto-wiring.** On successful deploy, Primitive automatically\ncreates a webhook endpoint that delivers inbound mail to the\nfunction. There is nothing to configure on the Endpoints API\nfor this to work; the internal runtime URL is not returned by\nthe API and is not a customer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
+				"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to an `email.received` event (see\n`EmailReceivedEvent` and the Webhook payload section for the full\nschema). Code is bundled before being uploaded; ship a single\nself-contained file rather than relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Routing.** On successful deploy, the function code is live\nin the runtime, but inbound mail will not reach it until at\nleast one route is bound. Routes are managed from the Primitive\ndashboard. A `deploy_status` of `deployed` means the script is\ninstalled, not that the function is receiving mail. The\ninternal runtime URL is not returned by the API and is not a\ncustomer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
 				"tags": ["Functions"],
 				"requestBody": {
 					"required": true,
@@ -3109,7 +3188,7 @@ const openapiDocument = {
 			"delete": {
 				"operationId": "deleteFunction",
 				"summary": "Delete a function",
-				"description": "Soft-deletes the function row, removes the script from the edge\nruntime, and deactivates the auto-wired webhook endpoint so no\nfurther inbound mail is delivered. Past deploy history,\ninvocations, and logs are retained.\n\nReturns 502 if the runtime delete fails partway; the function\nrow stays in place and the call is safe to retry until it\nsucceeds.\n",
+				"description": "Soft-deletes the function row, removes the script from the edge\nruntime, and deactivates any route bound to this function so no\nfurther inbound mail is delivered. Past deploy history,\ninvocations, and logs are retained.\n\nReturns 502 if the runtime delete fails partway; the function\nrow stays in place and the call is safe to retry until it\nsucceeds.\n",
 				"tags": ["Functions"],
 				"responses": {
 					"200": { "$ref": "#/components/responses/Deleted" },
@@ -3194,6 +3273,92 @@ const openapiDocument = {
 				}
 			}
 		},
+		"/functions/routing-topology": { "get": {
+			"operationId": "getOrgRoutingTopology",
+			"summary": "Get the org's function routing topology",
+			"description": "Returns a single snapshot of how inbound mail is routed across\nthis org's active domains and functions: which active domain has\nwhich function bound, the org's fallback function (if any), and\nevery deployed function with no route bound. Use this to answer\n\"which of my functions actually receive mail?\" diagnostically.\n",
+			"tags": ["Functions"],
+			"responses": {
+				"200": {
+					"description": "Routing topology",
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/RoutingTopology" } }
+					}] } } }
+				},
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"403": { "$ref": "#/components/responses/Forbidden" }
+			}
+		} },
+		"/functions/{id}/routing": {
+			"parameters": [{ "$ref": "#/components/parameters/ResourceId" }],
+			"get": {
+				"operationId": "getFunctionRouting",
+				"summary": "Get a function's current route binding",
+				"description": "Returns the endpoint binding for the function, or null when no\nroute is currently bound. The binding identifies whether the\nfunction receives mail for a specific domain (scoped) or for any\nactive domain that has no scoped binding (fallback).\n",
+				"tags": ["Functions"],
+				"responses": {
+					"200": {
+						"description": "Function routing",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": { "oneOf": [{ "$ref": "#/components/schemas/FunctionRouting" }, { "type": "null" }] } }
+						}] } } }
+					},
+					"401": { "$ref": "#/components/responses/Unauthorized" },
+					"404": { "$ref": "#/components/responses/NotFound" }
+				}
+			}
+		},
+		"/functions/{id}/route": {
+			"parameters": [{ "$ref": "#/components/parameters/ResourceId" }],
+			"put": {
+				"operationId": "setFunctionRoute",
+				"summary": "Bind a route to a function",
+				"description": "Binds inbound mail to this function. The route target is either\na specific verified domain (scoped) or the org's fallback (any\nactive domain with no scoped binding). If another function is\nalready bound at the target, returns a `conflict` envelope\ndescribing the holder; re-issue with `takeover: true` to\ndeactivate that prior binding and install this one.\n",
+				"tags": ["Functions"],
+				"requestBody": {
+					"required": true,
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/FunctionRouteBody" } } }
+				},
+				"responses": {
+					"200": {
+						"description": "Route bound, or conflict requiring takeover",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": { "$ref": "#/components/schemas/FunctionRouteResult" } }
+						}] } } }
+					},
+					"400": { "$ref": "#/components/responses/ValidationError" },
+					"401": { "$ref": "#/components/responses/Unauthorized" },
+					"404": { "$ref": "#/components/responses/NotFound" }
+				}
+			},
+			"delete": {
+				"operationId": "unsetFunctionRoute",
+				"summary": "Unbind any route from a function",
+				"description": "Deactivates every active endpoint bound to this function. The\nfunction stays deployed but stops receiving inbound mail. Safe\nto call when no route is currently bound (no-op).\n",
+				"tags": ["Functions"],
+				"responses": {
+					"200": {
+						"description": "Route unbound",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": {
+								"type": "object",
+								"properties": { "unrouted": {
+									"type": "boolean",
+									"enum": [true]
+								} },
+								"required": ["unrouted"]
+							} }
+						}] } } }
+					},
+					"401": { "$ref": "#/components/responses/Unauthorized" },
+					"404": { "$ref": "#/components/responses/NotFound" }
+				}
+			}
+		},
 		"/functions/{id}/secrets": {
 			"parameters": [{ "$ref": "#/components/parameters/ResourceId" }],
 			"get": {
@@ -6719,6 +6884,178 @@ const openapiDocument = {
 					"trace_url"
 				]
 			},
+			"FunctionRouting": {
+				"type": "object",
+				"description": "A single route binding for a function. `domain` is null when the\nbinding is the org's fallback (any active domain without a scoped\nbinding); otherwise it carries the scoped domain. `rules` is\nreserved for future routing predicates.\n",
+				"properties": {
+					"endpoint_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"enabled": { "type": "boolean" },
+					"domain": {
+						"type": ["object", "null"],
+						"properties": {
+							"id": {
+								"type": "string",
+								"format": "uuid"
+							},
+							"name": { "type": ["string", "null"] }
+						},
+						"required": ["id"]
+					},
+					"rules": {
+						"type": "object",
+						"description": "Future routing predicates. Currently empty."
+					},
+					"delivery_count": { "type": "integer" },
+					"success_count": { "type": "integer" },
+					"failure_count": { "type": "integer" },
+					"consecutive_fails": { "type": "integer" },
+					"last_delivery_at": {
+						"type": ["string", "null"],
+						"format": "date-time"
+					},
+					"last_success_at": {
+						"type": ["string", "null"],
+						"format": "date-time"
+					},
+					"last_failure_at": {
+						"type": ["string", "null"],
+						"format": "date-time"
+					}
+				},
+				"required": [
+					"endpoint_id",
+					"enabled",
+					"domain",
+					"rules"
+				]
+			},
+			"RoutingTopology": {
+				"type": "object",
+				"description": "Org-wide map of function routing: which domain points at which\nfunction, the org's fallback binding (if any), and every\ndeployed function with no route currently bound.\n",
+				"properties": {
+					"domains": {
+						"type": "array",
+						"items": {
+							"type": "object",
+							"properties": {
+								"domain_id": {
+									"type": "string",
+									"format": "uuid"
+								},
+								"domain": { "type": "string" },
+								"routed_function": {
+									"type": ["object", "null"],
+									"properties": {
+										"id": {
+											"type": "string",
+											"format": "uuid"
+										},
+										"name": { "type": "string" }
+									},
+									"required": ["id", "name"]
+								},
+								"endpoint_enabled": { "type": ["boolean", "null"] }
+							},
+							"required": [
+								"domain_id",
+								"domain",
+								"routed_function",
+								"endpoint_enabled"
+							]
+						}
+					},
+					"fallback_function": {
+						"type": ["object", "null"],
+						"properties": {
+							"id": {
+								"type": "string",
+								"format": "uuid"
+							},
+							"name": { "type": "string" }
+						},
+						"required": ["id", "name"]
+					},
+					"fallback_enabled": { "type": ["boolean", "null"] },
+					"unrouted_functions": {
+						"type": "array",
+						"items": {
+							"type": "object",
+							"properties": {
+								"id": {
+									"type": "string",
+									"format": "uuid"
+								},
+								"name": { "type": "string" }
+							},
+							"required": ["id", "name"]
+						}
+					}
+				},
+				"required": [
+					"domains",
+					"fallback_function",
+					"fallback_enabled",
+					"unrouted_functions"
+				]
+			},
+			"FunctionRouteBody": {
+				"type": "object",
+				"description": "Target for a route binding. Either a specific verified domain\n(scoped) or the org-wide fallback. Pass `takeover: true` to\ndeactivate any conflicting binding before installing this one.\n",
+				"properties": {
+					"target": { "oneOf": [{
+						"type": "object",
+						"properties": {
+							"kind": {
+								"type": "string",
+								"enum": ["domain"]
+							},
+							"domainId": {
+								"type": "string",
+								"format": "uuid"
+							}
+						},
+						"required": ["kind", "domainId"]
+					}, {
+						"type": "object",
+						"properties": { "kind": {
+							"type": "string",
+							"enum": ["fallback"]
+						} },
+						"required": ["kind"]
+					}] },
+					"takeover": {
+						"type": "boolean",
+						"description": "When true, deactivate any conflicting binding before installing this one."
+					}
+				},
+				"required": ["target"]
+			},
+			"FunctionRouteResult": {
+				"type": "object",
+				"description": "On success, carries the new `routing`. On conflict, carries\n`conflict` describing the binding holder so the caller can\nre-issue with `takeover: true`.\n",
+				"properties": {
+					"routing": { "oneOf": [{ "$ref": "#/components/schemas/FunctionRouting" }, { "type": "null" }] },
+					"conflict": {
+						"type": "object",
+						"properties": {
+							"kind": {
+								"type": "string",
+								"enum": ["http", "function"]
+							},
+							"functionId": {
+								"type": ["string", "null"],
+								"format": "uuid"
+							},
+							"functionName": { "type": ["string", "null"] },
+							"url": { "type": ["string", "null"] }
+						},
+						"required": ["kind"]
+					}
+				}
+			},
 			"FunctionTestRunState": {
 				"type": "string",
 				"description": "High-level state for a function test run trace:\n  - `send_failed`: the initial test email send failed.\n  - `waiting_for_send`: the test run was created but no send result has been recorded yet.\n  - `waiting_for_inbound`: the test send was queued and the matching inbound email has not arrived yet.\n  - `waiting_for_function`: the inbound email arrived and webhook/function processing is still in flight.\n  - `completed`: the function webhook completed successfully.\n  - `failed`: webhook delivery exhausted retries.\n",
@@ -10434,7 +10771,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "create-function",
-		"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to an `email.received` event (see\n`EmailReceivedEvent` and the Webhook payload section for the full\nschema). Code is bundled before being uploaded; ship a single\nself-contained file rather than relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Auto-wiring.** On successful deploy, Primitive automatically\ncreates a webhook endpoint that delivers inbound mail to the\nfunction. There is nothing to configure on the Endpoints API\nfor this to work; the internal runtime URL is not returned by\nthe API and is not a customer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
+		"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to an `email.received` event (see\n`EmailReceivedEvent` and the Webhook payload section for the full\nschema). Code is bundled before being uploaded; ship a single\nself-contained file rather than relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Routing.** On successful deploy, the function code is live\nin the runtime, but inbound mail will not reach it until at\nleast one route is bound. Routes are managed from the Primitive\ndashboard. A `deploy_status` of `deployed` means the script is\ninstalled, not that the function is receiving mail. The\ninternal runtime URL is not returned by the API and is not a\ncustomer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "createFunction",
@@ -10570,7 +10907,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": false,
 		"command": "delete-function",
-		"description": "Soft-deletes the function row, removes the script from the edge\nruntime, and deactivates the auto-wired webhook endpoint so no\nfurther inbound mail is delivered. Past deploy history,\ninvocations, and logs are retained.\n\nReturns 502 if the runtime delete fails partway; the function\nrow stays in place and the call is safe to retry until it\nsucceeds.\n",
+		"description": "Soft-deletes the function row, removes the script from the edge\nruntime, and deactivates any route bound to this function so no\nfurther inbound mail is delivered. Past deploy history,\ninvocations, and logs are retained.\n\nReturns 502 if the runtime delete fails partway; the function\nrow stays in place and the call is safe to retry until it\nsucceeds.\n",
 		"hasJsonBody": false,
 		"method": "DELETE",
 		"operationId": "deleteFunction",
@@ -10694,57 +11031,128 @@ const operationManifest = [
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
-		"command": "get-function-test-run-trace",
-		"description": "Returns the current end-to-end trace for a function test run.\nThe trace is intentionally partial while the test is still in\nflight: callers can poll this endpoint and watch it fill in\nfrom send -> inbound -> webhook deliveries -> outbound\nrequests, logs, and replies.\n",
+		"command": "get-function-routing",
+		"description": "Returns the endpoint binding for the function, or null when no\nroute is currently bound. The binding identifies whether the\nfunction receives mail for a specific domain (scoped) or for any\nactive domain that has no scoped binding (fallback).\n",
 		"hasJsonBody": false,
 		"method": "GET",
-		"operationId": "getFunctionTestRunTrace",
-		"path": "/functions/{id}/test-runs/{run_id}/trace",
+		"operationId": "getFunctionRouting",
+		"path": "/functions/{id}/routing",
 		"pathParams": [{
 			"description": "Resource UUID",
 			"enum": null,
 			"name": "id",
 			"required": true,
 			"type": "string"
-		}, {
-			"description": "Function test run id returned by POST /functions/{id}/test.",
-			"enum": null,
-			"name": "run_id",
-			"required": true,
-			"type": "string"
 		}],
 		"queryParams": [],
 		"requestSchema": null,
-		"responseSchema": {
+		"responseSchema": { "oneOf": [{
 			"type": "object",
-			"description": "End-to-end trace for a `POST /functions/{id}/test` run. The\nshape is stable, but many nested sections are null or empty\nuntil the corresponding phase has happened.\n",
+			"description": "A single route binding for a function. `domain` is null when the\nbinding is the org's fallback (any active domain without a scoped\nbinding); otherwise it carries the scoped domain. `rules` is\nreserved for future routing predicates.\n",
 			"properties": {
-				"state": {
+				"endpoint_id": {
 					"type": "string",
-					"description": "High-level state for a function test run trace:\n  - `send_failed`: the initial test email send failed.\n  - `waiting_for_send`: the test run was created but no send result has been recorded yet.\n  - `waiting_for_inbound`: the test send was queued and the matching inbound email has not arrived yet.\n  - `waiting_for_function`: the inbound email arrived and webhook/function processing is still in flight.\n  - `completed`: the function webhook completed successfully.\n  - `failed`: webhook delivery exhausted retries.\n",
-					"enum": [
-						"send_failed",
-						"waiting_for_send",
-						"waiting_for_inbound",
-						"waiting_for_function",
-						"completed",
-						"failed"
-					]
+					"format": "uuid"
 				},
-				"test_run": {
-					"type": "object",
+				"enabled": { "type": "boolean" },
+				"domain": {
+					"type": ["object", "null"],
 					"properties": {
 						"id": {
 							"type": "string",
 							"format": "uuid"
 						},
-						"function_id": {
-							"type": "string",
-							"format": "uuid"
-						},
-						"inbound_domain": { "type": "string" },
-						"to": { "type": "string" },
-						"from": { "type": "string" },
+						"name": { "type": ["string", "null"] }
+					},
+					"required": ["id"]
+				},
+				"rules": {
+					"type": "object",
+					"description": "Future routing predicates. Currently empty."
+				},
+				"delivery_count": { "type": "integer" },
+				"success_count": { "type": "integer" },
+				"failure_count": { "type": "integer" },
+				"consecutive_fails": { "type": "integer" },
+				"last_delivery_at": {
+					"type": ["string", "null"],
+					"format": "date-time"
+				},
+				"last_success_at": {
+					"type": ["string", "null"],
+					"format": "date-time"
+				},
+				"last_failure_at": {
+					"type": ["string", "null"],
+					"format": "date-time"
+				}
+			},
+			"required": [
+				"endpoint_id",
+				"enabled",
+				"domain",
+				"rules"
+			]
+		}, { "type": "null" }] },
+		"sdkName": "getFunctionRouting",
+		"summary": "Get a function's current route binding",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "get-function-test-run-trace",
+		"description": "Returns the current end-to-end trace for a function test run.\nThe trace is intentionally partial while the test is still in\nflight: callers can poll this endpoint and watch it fill in\nfrom send -> inbound -> webhook deliveries -> outbound\nrequests, logs, and replies.\n",
+		"hasJsonBody": false,
+		"method": "GET",
+		"operationId": "getFunctionTestRunTrace",
+		"path": "/functions/{id}/test-runs/{run_id}/trace",
+		"pathParams": [{
+			"description": "Resource UUID",
+			"enum": null,
+			"name": "id",
+			"required": true,
+			"type": "string"
+		}, {
+			"description": "Function test run id returned by POST /functions/{id}/test.",
+			"enum": null,
+			"name": "run_id",
+			"required": true,
+			"type": "string"
+		}],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": {
+			"type": "object",
+			"description": "End-to-end trace for a `POST /functions/{id}/test` run. The\nshape is stable, but many nested sections are null or empty\nuntil the corresponding phase has happened.\n",
+			"properties": {
+				"state": {
+					"type": "string",
+					"description": "High-level state for a function test run trace:\n  - `send_failed`: the initial test email send failed.\n  - `waiting_for_send`: the test run was created but no send result has been recorded yet.\n  - `waiting_for_inbound`: the test send was queued and the matching inbound email has not arrived yet.\n  - `waiting_for_function`: the inbound email arrived and webhook/function processing is still in flight.\n  - `completed`: the function webhook completed successfully.\n  - `failed`: webhook delivery exhausted retries.\n",
+					"enum": [
+						"send_failed",
+						"waiting_for_send",
+						"waiting_for_inbound",
+						"waiting_for_function",
+						"completed",
+						"failed"
+					]
+				},
+				"test_run": {
+					"type": "object",
+					"properties": {
+						"id": {
+							"type": "string",
+							"format": "uuid"
+						},
+						"function_id": {
+							"type": "string",
+							"format": "uuid"
+						},
+						"inbound_domain": { "type": "string" },
+						"to": { "type": "string" },
+						"from": { "type": "string" },
 						"subject": { "type": "string" },
 						"poll_since": {
 							"type": "string",
@@ -11124,6 +11532,92 @@ const operationManifest = [
 		"tag": "Functions",
 		"tagCommand": "functions"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "get-org-routing-topology",
+		"description": "Returns a single snapshot of how inbound mail is routed across\nthis org's active domains and functions: which active domain has\nwhich function bound, the org's fallback function (if any), and\nevery deployed function with no route bound. Use this to answer\n\"which of my functions actually receive mail?\" diagnostically.\n",
+		"hasJsonBody": false,
+		"method": "GET",
+		"operationId": "getOrgRoutingTopology",
+		"path": "/functions/routing-topology",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": {
+			"type": "object",
+			"description": "Org-wide map of function routing: which domain points at which\nfunction, the org's fallback binding (if any), and every\ndeployed function with no route currently bound.\n",
+			"properties": {
+				"domains": {
+					"type": "array",
+					"items": {
+						"type": "object",
+						"properties": {
+							"domain_id": {
+								"type": "string",
+								"format": "uuid"
+							},
+							"domain": { "type": "string" },
+							"routed_function": {
+								"type": ["object", "null"],
+								"properties": {
+									"id": {
+										"type": "string",
+										"format": "uuid"
+									},
+									"name": { "type": "string" }
+								},
+								"required": ["id", "name"]
+							},
+							"endpoint_enabled": { "type": ["boolean", "null"] }
+						},
+						"required": [
+							"domain_id",
+							"domain",
+							"routed_function",
+							"endpoint_enabled"
+						]
+					}
+				},
+				"fallback_function": {
+					"type": ["object", "null"],
+					"properties": {
+						"id": {
+							"type": "string",
+							"format": "uuid"
+						},
+						"name": { "type": "string" }
+					},
+					"required": ["id", "name"]
+				},
+				"fallback_enabled": { "type": ["boolean", "null"] },
+				"unrouted_functions": {
+					"type": "array",
+					"items": {
+						"type": "object",
+						"properties": {
+							"id": {
+								"type": "string",
+								"format": "uuid"
+							},
+							"name": { "type": "string" }
+						},
+						"required": ["id", "name"]
+					}
+				}
+			},
+			"required": [
+				"domains",
+				"fallback_function",
+				"fallback_enabled",
+				"unrouted_functions"
+			]
+		},
+		"sdkName": "getOrgRoutingTopology",
+		"summary": "Get the org's function routing topology",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
@@ -11343,6 +11837,130 @@ const operationManifest = [
 		"tag": "Functions",
 		"tagCommand": "functions"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "set-function-route",
+		"description": "Binds inbound mail to this function. The route target is either\na specific verified domain (scoped) or the org's fallback (any\nactive domain with no scoped binding). If another function is\nalready bound at the target, returns a `conflict` envelope\ndescribing the holder; re-issue with `takeover: true` to\ndeactivate that prior binding and install this one.\n",
+		"hasJsonBody": true,
+		"method": "PUT",
+		"operationId": "setFunctionRoute",
+		"path": "/functions/{id}/route",
+		"pathParams": [{
+			"description": "Resource UUID",
+			"enum": null,
+			"name": "id",
+			"required": true,
+			"type": "string"
+		}],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"description": "Target for a route binding. Either a specific verified domain\n(scoped) or the org-wide fallback. Pass `takeover: true` to\ndeactivate any conflicting binding before installing this one.\n",
+			"properties": {
+				"target": { "oneOf": [{
+					"type": "object",
+					"properties": {
+						"kind": {
+							"type": "string",
+							"enum": ["domain"]
+						},
+						"domainId": {
+							"type": "string",
+							"format": "uuid"
+						}
+					},
+					"required": ["kind", "domainId"]
+				}, {
+					"type": "object",
+					"properties": { "kind": {
+						"type": "string",
+						"enum": ["fallback"]
+					} },
+					"required": ["kind"]
+				}] },
+				"takeover": {
+					"type": "boolean",
+					"description": "When true, deactivate any conflicting binding before installing this one."
+				}
+			},
+			"required": ["target"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"description": "On success, carries the new `routing`. On conflict, carries\n`conflict` describing the binding holder so the caller can\nre-issue with `takeover: true`.\n",
+			"properties": {
+				"routing": { "oneOf": [{
+					"type": "object",
+					"description": "A single route binding for a function. `domain` is null when the\nbinding is the org's fallback (any active domain without a scoped\nbinding); otherwise it carries the scoped domain. `rules` is\nreserved for future routing predicates.\n",
+					"properties": {
+						"endpoint_id": {
+							"type": "string",
+							"format": "uuid"
+						},
+						"enabled": { "type": "boolean" },
+						"domain": {
+							"type": ["object", "null"],
+							"properties": {
+								"id": {
+									"type": "string",
+									"format": "uuid"
+								},
+								"name": { "type": ["string", "null"] }
+							},
+							"required": ["id"]
+						},
+						"rules": {
+							"type": "object",
+							"description": "Future routing predicates. Currently empty."
+						},
+						"delivery_count": { "type": "integer" },
+						"success_count": { "type": "integer" },
+						"failure_count": { "type": "integer" },
+						"consecutive_fails": { "type": "integer" },
+						"last_delivery_at": {
+							"type": ["string", "null"],
+							"format": "date-time"
+						},
+						"last_success_at": {
+							"type": ["string", "null"],
+							"format": "date-time"
+						},
+						"last_failure_at": {
+							"type": ["string", "null"],
+							"format": "date-time"
+						}
+					},
+					"required": [
+						"endpoint_id",
+						"enabled",
+						"domain",
+						"rules"
+					]
+				}, { "type": "null" }] },
+				"conflict": {
+					"type": "object",
+					"properties": {
+						"kind": {
+							"type": "string",
+							"enum": ["http", "function"]
+						},
+						"functionId": {
+							"type": ["string", "null"],
+							"format": "uuid"
+						},
+						"functionName": { "type": ["string", "null"] },
+						"url": { "type": ["string", "null"] }
+					},
+					"required": ["kind"]
+				}
+			}
+		},
+		"sdkName": "setFunctionRoute",
+		"summary": "Bind a route to a function",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
@@ -11496,6 +12114,37 @@ const operationManifest = [
 		"tag": "Functions",
 		"tagCommand": "functions"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "unset-function-route",
+		"description": "Deactivates every active endpoint bound to this function. The\nfunction stays deployed but stops receiving inbound mail. Safe\nto call when no route is currently bound (no-op).\n",
+		"hasJsonBody": false,
+		"method": "DELETE",
+		"operationId": "unsetFunctionRoute",
+		"path": "/functions/{id}/route",
+		"pathParams": [{
+			"description": "Resource UUID",
+			"enum": null,
+			"name": "id",
+			"required": true,
+			"type": "string"
+		}],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": {
+			"type": "object",
+			"properties": { "unrouted": {
+				"type": "boolean",
+				"enum": [true]
+			} },
+			"required": ["unrouted"]
+		},
+		"sdkName": "unsetFunctionRoute",
+		"summary": "Unbind any route from a function",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
@@ -12805,7 +13454,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "send-email",
-		"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the attachments-\nsupporting host (`https://api.primitive.dev/v1`) so the\nrequest body can carry inline attachments up to ~30 MiB raw.\nThe primary host (`https://www.primitive.dev/api/v1`) also\naccepts /send-mail for attachment-free sends; sends WITH\nattachments to the primary host return 413\n`attachments_unsupported_on_this_endpoint`. The typed SDKs\nroute /send-mail to the attachments host automatically.\n",
+		"description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n**Host routing.** /send-mail is served by the canonical API host\n(`https://api.primitive.dev/v1`) so the request body can carry\ninline attachments up to ~30 MiB raw. The legacy dashboard\ncompatibility host (`https://www.primitive.dev/api/v1`) also accepts\n/send-mail, but Vercel request body limits apply before proxying.\nThe typed SDKs route /send-mail to the canonical API host\nautomatically.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "sendEmail",
@@ -13302,19 +13951,15 @@ function cliApiHeadersFromEnv(env = process.env) {
 }
 function resolveCliApiRequestConfig(params) {
 	const currentEnvironment = resolveConfigEnvironment(loadCliConfig(params.configDir));
-	const configuredApiBaseUrl1 = currentEnvironment?.config.api_base_url_1;
-	const configuredApiBaseUrl2 = currentEnvironment?.config.api_base_url_2;
-	if (currentEnvironment !== null && currentEnvironment.name !== "default" && params.apiBaseUrl1 === void 0 && configuredApiBaseUrl1 === void 0) throw new Errors.CLIError(`The active Primitive CLI environment \`${currentEnvironment.name}\` does not specify an api_base_url_1. Set one with \`primitive config set --environment ${currentEnvironment.name} --api-base-url-1 https://...\`, or switch to a different environment with \`primitive config use <name>\`. Refusing to fall back to the production default for a non-default environment.`, { exit: 1 });
-	const apiBaseUrl1 = params.apiBaseUrl1 !== void 0 ? normalizeApiBaseUrl1(params.apiBaseUrl1) : configuredApiBaseUrl1;
-	const apiBaseUrl2 = params.apiBaseUrl2 !== void 0 ? normalizeApiBaseUrl2(params.apiBaseUrl2) : configuredApiBaseUrl2;
+	const configuredApiBaseUrl = currentEnvironment?.config.api_base_url;
+	if (currentEnvironment !== null && currentEnvironment.name !== "default" && params.apiBaseUrl === void 0 && configuredApiBaseUrl === void 0) throw new Errors.CLIError(`The active Primitive CLI environment \`${currentEnvironment.name}\` does not specify an api_base_url. Set one with \`primitive config set --environment ${currentEnvironment.name} --api-base-url https://...\`, or switch to a different environment with \`primitive config use <name>\`. Refusing to fall back to the production default for a non-default environment.`, { exit: 1 });
+	const apiBaseUrl = params.apiBaseUrl !== void 0 ? normalizeApiBaseUrl(params.apiBaseUrl) : configuredApiBaseUrl;
 	return {
-		apiBaseUrl1,
-		apiBaseUrl2,
-		baseUrlOverridden: apiBaseUrl1 !== void 0 || apiBaseUrl2 !== void 0,
+		apiBaseUrl,
+		baseUrlOverridden: apiBaseUrl !== void 0,
 		environmentName: currentEnvironment?.name ?? null,
 		headers: mergeHeaders(currentEnvironment?.config.headers, cliApiHeadersFromEnv(params.env)),
-		resolvedApiBaseUrl1: normalizeApiBaseUrl1(apiBaseUrl1),
-		resolvedApiBaseUrl2: normalizeApiBaseUrl2(apiBaseUrl2)
+		resolvedApiBaseUrl: normalizeApiBaseUrl(apiBaseUrl)
 	};
 }
 function createCliApiClient(params) {
@@ -13322,15 +13967,14 @@ function createCliApiClient(params) {
 	return {
 		apiClient: new PrimitiveApiClient({
 			apiKey: params.apiKey,
-			apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
-			apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
+			apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 			headers: requestConfig.headers
 		}),
 		requestConfig
 	};
 }
-function oauthTokenEndpoint(apiBaseUrl1) {
-	const url = new URL(apiBaseUrl1);
+function oauthTokenEndpoint(apiBaseUrl) {
+	const url = new URL(apiBaseUrl);
 	url.pathname = "/oauth/token";
 	url.search = "";
 	url.hash = "";
@@ -13378,7 +14022,7 @@ async function refreshStoredCliCredentials(params) {
 		});
 		let response;
 		try {
-			response = await fetchImpl(oauthTokenEndpoint(params.apiBaseUrl1), {
+			response = await fetchImpl(oauthTokenEndpoint(params.apiBaseUrl), {
 				body,
 				headers: {
 					...params.headers ?? {},
@@ -13418,13 +14062,16 @@ async function createAuthenticatedCliApiClient(params) {
 	const requestConfig = resolveCliApiRequestConfig(params);
 	let auth = resolveCliAuth({
 		apiKey: params.apiKey,
-		apiBaseUrl1: requestConfig.apiBaseUrl1,
-		apiBaseUrl2: requestConfig.apiBaseUrl2,
+		apiBaseUrl: requestConfig.apiBaseUrl,
 		configDir: params.configDir
 	});
+	if (auth.apiKey === void 0) {
+		const hint = detectPrimitiveKeyEnvMisname(params.env ?? process.env);
+		if (hint) process.stderr.write(`${hint}\n`);
+	}
 	if (auth.source === "stored" && auth.credentials) {
 		const refreshed = await refreshStoredCliCredentials({
-			apiBaseUrl1: auth.apiBaseUrl1,
+			apiBaseUrl: auth.apiBaseUrl,
 			configDir: params.configDir,
 			credentials: auth.credentials,
 			credentialsLockHeld: params.credentialsLockHeld,
@@ -13441,8 +14088,7 @@ async function createAuthenticatedCliApiClient(params) {
 	return {
 		apiClient: new PrimitiveApiClient({
 			apiKey: auth.apiKey,
-			apiBaseUrl1: auth.apiBaseUrl1,
-			apiBaseUrl2: auth.apiBaseUrl2,
+			apiBaseUrl: auth.apiBaseUrl,
 			headers: requestConfig.headers
 		}),
 		auth,
@@ -13758,7 +14404,7 @@ const NETWORK_ERROR_HINTS = {
 	ENETUNREACH: "Hint: the network is unreachable. If you're behind a proxy and set HTTP(S)_PROXY, re-run with NODE_USE_ENV_PROXY=1 (Node 22+ ignores those env vars by default). `primitive doctor` reports the local environment in one shot.",
 	ECONNREFUSED: "Hint: the server refused the connection. Check that your firewall allows egress to *.primitive.dev, that your PRIMITIVE_API_BASE_URL_* overrides (if any) point at a reachable host, and re-run with NODE_USE_ENV_PROXY=1 if you're behind a proxy. `primitive doctor` reports the local environment in one shot.",
 	ETIMEDOUT: "Hint: the connection timed out. Check egress rules and proxy configuration; if you're behind a proxy, re-run with NODE_USE_ENV_PROXY=1 and HTTPS_PROXY set. `primitive doctor` reports the local environment in one shot.",
-	EAI_AGAIN: "Hint: DNS lookup failed. Check /etc/resolv.conf inside containers, and try `curl -v https://www.primitive.dev/api/v1/account` to confirm the host resolves. `primitive doctor` reports the local environment in one shot."
+	EAI_AGAIN: "Hint: DNS lookup failed. Check /etc/resolv.conf inside containers, and try `curl -v https://api.primitive.dev/v1/account` to confirm the host resolves. `primitive doctor` reports the local environment in one shot."
 };
 function writeErrorWithHints(payload) {
 	process.stderr.write(`${formatErrorPayload(payload)}\n`);
@@ -13787,8 +14433,8 @@ function writeErrorWithHints(payload) {
 */
 function surfaceUnauthorizedHint(params) {
 	if (extractErrorCode(params.payload) !== API_ERROR_CODES.unauthorized || params.auth.source !== "stored") return;
-	if (params.baseUrlOverridden && params.auth.credentials !== null && params.auth.apiBaseUrl1 !== params.auth.credentials.api_base_url_1) {
-		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The saved credential is preserved; unset PRIMITIVE_API_BASE_URL_1, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
+	if (params.baseUrlOverridden && params.auth.credentials !== null && params.auth.apiBaseUrl !== params.auth.credentials.api_base_url) {
+		process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The saved credential is preserved; unset PRIMITIVE_API_BASE_URL, run `primitive config reset` to clear configured URL overrides, or run `primitive logout` to remove the stored credential.\n");
 		return;
 	}
 	process.stderr.write("Your saved Primitive CLI OAuth session was rejected. If the command was working a moment ago, please retry; brief retries often clear transient rejections. If it keeps failing, run `primitive logout && primitive signin` to mint a fresh session.\n");
@@ -13809,13 +14455,10 @@ async function runWithTiming(enabled, fn) {
 	}
 }
 const TIME_FLAG_DESCRIPTION = "Print the wall-clock duration of this command to stderr after it completes (e.g. `[time: 1.34s]`). Useful for measuring `--wait` send latency, comparing CLI overhead, or capturing timing in scripts.";
-const API_BASE_URL_1_FLAG_DESCRIPTION = "Override the primary API base URL. Internal testing only; not documented to customers.";
-const API_BASE_URL_2_FLAG_DESCRIPTION = "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.";
-const HOST_2_OPERATIONS = new Set(["sendEmail", "replyToEmail"]);
+const API_BASE_URL_FLAG_DESCRIPTION = "Override the API base URL. Internal testing only; not documented to customers.";
 const RESERVED_FLAG_NAMES = new Set([
 	"api-key",
-	"api-base-url-1",
-	"api-base-url-2",
+	"api-base-url",
 	"raw-body",
 	"body-file",
 	"envelope",
@@ -13847,14 +14490,9 @@ function buildFlags(operation) {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: "Override the API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
@@ -13942,8 +14580,7 @@ function createOperationCommand(operation) {
 			await runWithTiming(parsedFlags.time === true, async () => {
 				const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 					apiKey: typeof parsedFlags["api-key"] === "string" ? parsedFlags["api-key"] : void 0,
-					apiBaseUrl1: typeof parsedFlags["api-base-url-1"] === "string" ? parsedFlags["api-base-url-1"] : void 0,
-					apiBaseUrl2: typeof parsedFlags["api-base-url-2"] === "string" ? parsedFlags["api-base-url-2"] : void 0,
+					apiBaseUrl: typeof parsedFlags["api-base-url"] === "string" ? parsedFlags["api-base-url"] : void 0,
 					configDir: this.config.configDir
 				});
 				let body;
@@ -13964,10 +14601,9 @@ function createOperationCommand(operation) {
 				}
 				if (operation.bodyRequired && body === void 0) throw new Errors.CLIError(`Operation ${operation.operationId} requires a body. Pass each field as a --flag (see --help) or supply JSON via --raw-body / --body-file.`);
 				const operationFn = sdk_gen_exports[operation.sdkName];
-				const targetClient = HOST_2_OPERATIONS.has(operation.sdkName) ? apiClient._sendClient : apiClient.client;
 				const result = await operationFn({
 					body,
-					client: targetClient,
+					client: apiClient.client,
 					parseAs: operation.binaryResponse ? "blob" : "auto",
 					path: collectValues(operation.pathParams, parsedFlags),
 					query: collectValues(operation.queryParams, parsedFlags),
@@ -14721,14 +15357,9 @@ var ChatCommand = class ChatCommand extends Command {
 			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive signin` credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		from: Flags.string({ description: "Sender address. Defaults to agent@<your-first-verified-outbound-domain>." }),
@@ -14787,8 +15418,7 @@ var ChatCommand = class ChatCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -14859,7 +15489,7 @@ var ChatCommand = class ChatCommand extends Command {
 					from,
 					...attachments !== void 0 ? { attachments } : {}
 				},
-				client: apiClient._sendClient,
+				client: apiClient.client,
 				path: { id: parentReply.id },
 				responseStyle: "fields"
 			}) : await sendEmail({
@@ -14871,7 +15501,7 @@ var ChatCommand = class ChatCommand extends Command {
 					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
 					...attachments !== void 0 ? { attachments } : {}
 				},
-				client: apiClient._sendClient,
+				client: apiClient.client,
 				responseStyle: "fields"
 			});
 			if (sendResult.error) {
@@ -14996,14 +15626,9 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 			description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive signin` credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.integer({
@@ -15068,8 +15693,7 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 			String(state.local_id)
 		];
 		if (flags["api-key"] !== void 0) argv.push("--api-key", flags["api-key"]);
-		if (flags["api-base-url-1"] !== void 0) argv.push("--api-base-url-1", flags["api-base-url-1"]);
-		if (flags["api-base-url-2"] !== void 0) argv.push("--api-base-url-2", flags["api-base-url-2"]);
+		if (flags["api-base-url"] !== void 0) argv.push("--api-base-url", flags["api-base-url"]);
 		if (flags.json) argv.push("--json");
 		if (flags.quiet) argv.push("--quiet");
 		for (const attachment of flags.attachment ?? []) argv.push("--attachment", attachment);
@@ -15184,8 +15808,7 @@ function upsertCliEnvironmentAndClearCredentialsIfSwitched(params) {
 	const previousActiveEnvironment = resolveConfigEnvironment(previousConfig);
 	const previousEnvironment = previousActiveEnvironment?.name ?? null;
 	const config = upsertCliEnvironment({
-		apiBaseUrl1: params.apiBaseUrl1,
-		apiBaseUrl2: params.apiBaseUrl2,
+		apiBaseUrl: params.apiBaseUrl,
 		config: previousConfig,
 		environmentName: params.environmentName,
 		headers: params.headers,
@@ -15193,7 +15816,7 @@ function upsertCliEnvironmentAndClearCredentialsIfSwitched(params) {
 	});
 	const activeEnvironment = resolveConfigEnvironment(config);
 	const environment = activeEnvironment?.name ?? null;
-	const shouldClearCredentials = existsSync(credentialsPath(params.configDir)) && (previousEnvironment !== environment || previousActiveEnvironment?.config.api_base_url_1 !== activeEnvironment?.config.api_base_url_1);
+	const shouldClearCredentials = existsSync(credentialsPath(params.configDir)) && (previousEnvironment !== environment || previousActiveEnvironment?.config.api_base_url !== activeEnvironment?.config.api_base_url);
 	let removedCredentials = false;
 	if (shouldClearCredentials) {
 		const releaseLock = acquireCliCredentialsLock(params.configDir);
@@ -15243,10 +15866,9 @@ var ConfigSetCommand = class ConfigSetCommand extends Command {
 	static flags = {
 		environment: Flags.string({
 			char: "e",
-			description: "Environment name to create or update"
+			description: "Environment name to create or update. Defaults to the active environment, or default when none is active."
 		}),
-		"api-base-url-1": Flags.string({ description: "Primary API base URL" }),
-		"api-base-url-2": Flags.string({ description: "Attachments-supporting API base URL" }),
+		"api-base-url": Flags.string({ description: "API base URL" }),
 		header: Flags.string({
 			description: "Request header in name=value form. Repeatable.",
 			multiple: true
@@ -15259,10 +15881,9 @@ var ConfigSetCommand = class ConfigSetCommand extends Command {
 	async run() {
 		const { flags } = await this.parse(ConfigSetCommand);
 		const headers = flags.header ?? [];
-		if (flags["api-base-url-1"] === void 0 && flags["api-base-url-2"] === void 0 && headers.length === 0 && (flags["unset-header"] ?? []).length === 0) throw new Errors.CLIError("Nothing to set. Pass an API base URL, --header, or --unset-header.", { exit: 1 });
+		if (flags["api-base-url"] === void 0 && headers.length === 0 && (flags["unset-header"] ?? []).length === 0) throw new Errors.CLIError("Nothing to set. Pass an API base URL, --header, or --unset-header.", { exit: 1 });
 		const { environment, removedCredentials } = upsertCliEnvironmentAndClearCredentialsIfSwitched({
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir,
 			environmentName: flags.environment,
 			headers,
@@ -15310,8 +15931,7 @@ var ConfigListCommand = class ConfigListCommand extends Command {
 			const active = activeEnvironment === name ? "*" : " ";
 			const headerNames = Object.keys(environment.headers ?? {});
 			this.log(`${active} ${name}`);
-			if (environment.api_base_url_1) this.log(`    api_base_url_1: ${environment.api_base_url_1}`);
-			if (environment.api_base_url_2) this.log(`    api_base_url_2: ${environment.api_base_url_2}`);
+			if (environment.api_base_url) this.log(`    api_base_url: ${environment.api_base_url}`);
 			this.log(`    headers: ${headerNames.length > 0 ? headerNames.join(", ") : "(none)"}`);
 		}
 	}
@@ -15408,9 +16028,7 @@ function checkApiKey(opts) {
 		message: "provided but does not start with prim_",
 		hint: "Verify the key is a Primitive API key, not a value from another service."
 	};
-	const primitiveKey = env.PRIMITIVE_KEY;
-	const primitiveApiKey = env.PRIMITIVE_API_KEY;
-	if ((primitiveKey?.length ?? 0) > 0 && (primitiveApiKey?.length ?? 0) === 0) return {
+	if (detectPrimitiveKeyEnvMisname(env)) return {
 		status: "fail",
 		message: "PRIMITIVE_KEY is set but the CLI reads PRIMITIVE_API_KEY",
 		hint: "Rename your env var, or re-run with PRIMITIVE_API_KEY=$PRIMITIVE_KEY."
@@ -15483,7 +16101,7 @@ async function checkAccount(client) {
 	} catch (error) {
 		const code = error instanceof Error && error.cause && typeof error.cause === "object" && typeof error.cause.code === "string" ? error.cause.code : void 0;
 		const message = error instanceof Error ? error.message : String(error);
-		const hint = code === "ENETUNREACH" || code === "ECONNREFUSED" || code === "ETIMEDOUT" || code === "EAI_AGAIN" ? "Network unreachable. If you're behind a proxy, re-run with NODE_USE_ENV_PROXY=1 and HTTPS_PROXY set. If you're in a container, check that egress to *.primitive.dev is allowed." : "Inspect the error above. `curl https://www.primitive.dev/api/v1/account -H \"Authorization: Bearer $PRIMITIVE_API_KEY\"` is the fastest way to bisect CLI vs network.";
+		const hint = code === "ENETUNREACH" || code === "ECONNREFUSED" || code === "ETIMEDOUT" || code === "EAI_AGAIN" ? "Network unreachable. If you're behind a proxy, re-run with NODE_USE_ENV_PROXY=1 and HTTPS_PROXY set. If you're in a container, check that egress to *.primitive.dev is allowed." : "Inspect the error above. `curl https://api.primitive.dev/v1/account -H \"Authorization: Bearer $PRIMITIVE_API_KEY\"` is the fastest way to bisect CLI vs network.";
 		return {
 			outcome: {
 				status: "fail",
@@ -15537,14 +16155,9 @@ var DoctorCommand = class DoctorCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		})
 	};
@@ -15570,8 +16183,7 @@ var DoctorCommand = class DoctorCommand extends Command {
 		if (apiKeyCheck.status !== "fail") {
 			const { apiClient, auth } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			if (auth.apiKey !== void 0) {
@@ -15657,14 +16269,9 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		domain: Flags.string({ description: "Domain name to look up before downloading its zone file. Prefer --id when you have the domain id from `primitive domains add`." }),
@@ -15683,8 +16290,7 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden, requestConfig } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			let domainId = flags.id;
@@ -15711,7 +16317,7 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 			if (!domainId) throw new Errors.CLIError("Could not resolve a domain id.", { exit: 1 });
 			let response;
 			try {
-				response = await fetch(zoneFileUrl(requestConfig.resolvedApiBaseUrl1, domainId, flags["outbound-only"]), { headers: {
+				response = await fetch(zoneFileUrl(requestConfig.resolvedApiBaseUrl, domainId, flags["outbound-only"]), { headers: {
 					...requestConfig.headers ?? {},
 					...auth.apiKey ? { authorization: `Bearer ${auth.apiKey}` } : {}
 				} });
@@ -15746,14 +16352,14 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 };
 //#endregion
 //#region src/oclif/commands/emails-latest.ts
-const DEFAULT_LIMIT = 10;
-const MAX_LIMIT = 100;
+const DEFAULT_LIMIT$1 = 10;
+const MAX_LIMIT$1 = 100;
 const SUBJECT_DISPLAY_WIDTH = 50;
 const ADDRESS_DISPLAY_WIDTH = 32;
 const ID_DISPLAY_WIDTH_SHORT = 8;
 const ID_DISPLAY_WIDTH_FULL = 36;
 const RECEIVED_DISPLAY_WIDTH = 19;
-function truncate$1(value, width) {
+function truncate$2(value, width) {
 	if (value.length <= width) return value.padEnd(width);
 	return `${value.slice(0, width - 3)}...`;
 }
@@ -15767,10 +16373,10 @@ function formatReceivedAt(value) {
 function pickIdWidth(isTty) {
 	return isTty ? ID_DISPLAY_WIDTH_SHORT : ID_DISPLAY_WIDTH_FULL;
 }
-function formatRow(email, idWidth) {
-	return `${truncate$1(email.id.slice(0, idWidth), idWidth)}  ${formatReceivedAt(email.received_at)}  ${truncate$1(email.sender ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$1(email.recipient ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$1((email.subject ?? "").replace(/\s+/g, " "), SUBJECT_DISPLAY_WIDTH)}`;
+function formatRow$1(email, idWidth) {
+	return `${truncate$2(email.id.slice(0, idWidth), idWidth)}  ${formatReceivedAt(email.received_at)}  ${truncate$2(email.sender ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$2(email.recipient ?? "", ADDRESS_DISPLAY_WIDTH)}  ${truncate$2((email.subject ?? "").replace(/\s+/g, " "), SUBJECT_DISPLAY_WIDTH)}`;
 }
-function formatHeader(idWidth) {
+function formatHeader$1(idWidth) {
 	return `${"ID".padEnd(idWidth)}  ${"RECEIVED (UTC)".padEnd(RECEIVED_DISPLAY_WIDTH)}  ${"FROM".padEnd(ADDRESS_DISPLAY_WIDTH)}  ${"TO".padEnd(ADDRESS_DISPLAY_WIDTH)}  SUBJECT`;
 }
 var EmailsLatestCommand = class EmailsLatestCommand extends Command {
@@ -15791,21 +16397,16 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		limit: Flags.integer({
-			description: `Number of rows to print (1-${MAX_LIMIT}, default ${DEFAULT_LIMIT}).`,
-			default: DEFAULT_LIMIT,
+			description: `Number of rows to print (1-${MAX_LIMIT$1}, default ${DEFAULT_LIMIT$1}).`,
+			default: DEFAULT_LIMIT$1,
 			min: 1,
-			max: MAX_LIMIT
+			max: MAX_LIMIT$1
 		}),
 		json: Flags.boolean({ description: "Print the raw response envelope (with full UUIDs and meta) as JSON on STDOUT instead of the text table. Useful for piping into `jq`, capturing ids for follow-up commands, or scripting." }),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
@@ -15815,8 +16416,7 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const result = await listEmails({
@@ -15847,8 +16447,8 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 				return;
 			}
 			const idWidth = pickIdWidth(Boolean(process.stdout.isTTY));
-			process.stderr.write(`${formatHeader(idWidth)}\n`);
-			for (const row of rows) this.log(formatRow(row, idWidth));
+			process.stderr.write(`${formatHeader$1(idWidth)}\n`);
+			for (const row of rows) this.log(formatRow$1(row, idWidth));
 		});
 	}
 };
@@ -15871,14 +16471,9 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		body: Flags.string({ description: "Full-text body filter" }),
@@ -15922,8 +16517,7 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 		const { flags } = await this.parse(EmailsWaitCommand);
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		let since;
@@ -15965,10 +16559,10 @@ var EmailsWaitCommand = class EmailsWaitCommand extends Command {
 			for (const email of collectNewAcceptedEmails(page.rows, seenIds)) {
 				if (flags.table) {
 					if (!headerPrinted) {
-						process.stderr.write(`${formatHeader(idWidth)}\n`);
+						process.stderr.write(`${formatHeader$1(idWidth)}\n`);
 						headerPrinted = true;
 					}
-					this.log(formatRow(email, idWidth));
+					this.log(formatRow$1(email, idWidth));
 				} else this.log(JSON.stringify(email));
 				matched += 1;
 				if (matched >= flags.number) return;
@@ -15999,14 +16593,9 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		body: Flags.string({ description: "Full-text body filter" }),
@@ -16046,8 +16635,7 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 		const { flags } = await this.parse(EmailsWatchCommand);
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		let since;
@@ -16090,10 +16678,10 @@ var EmailsWatchCommand = class EmailsWatchCommand extends Command {
 				if (flags.jsonl) this.log(JSON.stringify(email));
 				else {
 					if (!headerPrinted) {
-						process.stderr.write(`${formatHeader(idWidth)}\n`);
+						process.stderr.write(`${formatHeader$1(idWidth)}\n`);
 						headerPrinted = true;
 					}
-					this.log(formatRow(email, idWidth));
+					this.log(formatRow$1(email, idWidth));
 				}
 				printed += 1;
 				if (flags.number && printed >= flags.number) return;
@@ -16667,6 +17255,18 @@ const SECRET_SOURCE_FLAGS_DESCRIPTION = "Safe sources: --secret-from-env KEY rea
 const SINGLE_SECRET_VALUE_SOURCE_DESCRIPTION = "Instead of --value, use --value-from-env ENV_VAR, --value-file PATH, --value-from-env-file FILE[:KEY], or --stdin to avoid putting the secret value in shell history or process argv. If KEY is omitted from --value-from-env-file, the command's --key is used.";
 //#endregion
 //#region src/oclif/commands/functions-deploy.ts
+async function writeRouteStatusHint(apiClient, functionId) {
+	try {
+		const result = await getFunctionRouting({
+			client: apiClient.client,
+			path: { id: functionId },
+			responseStyle: "fields"
+		});
+		if (result.error) return;
+		if (result.data?.data) process.stderr.write("Route bound. Function will receive inbound mail.\n");
+		else process.stderr.write(`Deployed but no route is bound. Inbound mail will not reach this function until you bind one: primitive functions route-set --id ${functionId} --domain <domain-id>  (or --fallback)\n`);
+	} catch {}
+}
 async function runDeployWithSecrets(api, params) {
 	const createResult = await api.createFunction({
 		code: params.code,
@@ -16792,14 +17392,9 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		name: Flags.string({
@@ -16877,8 +17472,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -16972,10 +17566,11 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 					const detail = waitResult.function.deploy_error ? `: ${waitResult.function.deploy_error}` : ".";
 					process.stderr.write(`Function ${payload.id} deploy failed${detail}\n`);
 					process.exitCode = 1;
-				}
+				} else await writeRouteStatusHint(apiClient, payload.id);
 				return;
 			}
 			this.log(JSON.stringify(payload, null, 2));
+			await writeRouteStatusHint(apiClient, payload.id);
 		});
 	}
 	async runSourceMode(flags, sourceDir) {
@@ -16992,8 +17587,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 		}
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		const authFailureContext = {
@@ -17068,10 +17662,11 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 				const detail = waitResult.function.deploy_error ? `: ${waitResult.function.deploy_error}` : ".";
 				process.stderr.write(`Function ${payload.id} deploy failed${detail}\n`);
 				process.exitCode = 1;
-			}
+			} else await writeRouteStatusHint(apiClient, payload.id);
 			return;
 		}
 		this.log(JSON.stringify(payload, null, 2));
+		await writeRouteStatusHint(apiClient, payload.id);
 	}
 };
 //#endregion
@@ -17082,8 +17677,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^0.35.0";
-const CLI_VERSION_RANGE = "^0.35.0";
+const SDK_VERSION_RANGE = "^0.36.0";
+const CLI_VERSION_RANGE = "^0.36.0";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
@@ -17240,7 +17835,7 @@ export default {
 
       const client = createPrimitiveClient({
         apiKey: env.PRIMITIVE_API_KEY,
-        apiBaseUrl1: env.PRIMITIVE_API_BASE_URL,
+        apiBaseUrl: env.PRIMITIVE_API_BASE_URL,
       });
 
       // To add an LLM or another API, store its key as a Function secret.
@@ -17264,7 +17859,7 @@ export default {
       // route "support@" to a ticketing flow and "sales@" to a lead
       // capture flow before calling client.reply.
 
-      // client.reply routes through POST /api/v1/emails/{id}/reply
+      // client.reply routes through POST /v1/emails/{id}/reply
       // (NOT /send-mail) so the server derives recipients, the
       // \`Re: <parent>\` subject, threading headers, and the
       // in_reply_to_email_id foreign key automatically. The FK is
@@ -17390,6 +17985,23 @@ After the first deploy, copy the returned function id into your shell:
 export PRIMITIVE_FUNCTION_ID=<fn-id>
 \`\`\`
 
+## Bind a route
+
+A deployed Function does not receive inbound mail until a route is
+bound to it. Without this step, the Function is installed in the
+runtime but unreachable, and \`functions test\` will refuse to send
+(returns 422 \`no_endpoint\`).
+
+\`\`\`
+primitive functions route-set --id "$PRIMITIVE_FUNCTION_ID" --domain <domain-id>
+\`\`\`
+
+Use \`--fallback\` instead of \`--domain\` to bind the Function as the
+org-wide fallback for any active domain that has no scoped binding.
+Run \`primitive functions route-get --id "$PRIMITIVE_FUNCTION_ID"\` to
+inspect the current binding, or \`primitive functions routing-topology\`
+for the org-wide view of which domain points at which Function.
+
 ## Prove it works
 
 \`\`\`
@@ -17645,14 +18257,9 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -17683,8 +18290,7 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const seenIds = /* @__PURE__ */ new Set();
@@ -17843,14 +18449,9 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -17919,8 +18520,7 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 			emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -18012,6 +18612,239 @@ var FunctionsRedeployCommand = class FunctionsRedeployCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/functions-route-get.ts
+var FunctionsRouteGetCommand = class FunctionsRouteGetCommand extends Command {
+	static description = `Show the current route binding for a function. Returns the binding (domain or fallback, with delivery counters) or null when no route is bound.`;
+	static summary = "Show a function's current route binding";
+	static examples = ["<%= config.bin %> functions route-get --id <fn-id>"];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		id: Flags.string({
+			description: "Function id (UUID) whose route binding to show.",
+			required: true
+		}),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(FunctionsRouteGetCommand);
+		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+			apiKey: flags["api-key"],
+			apiBaseUrl: flags["api-base-url"],
+			configDir: this.config.configDir
+		});
+		await runWithTiming(flags.time, async () => {
+			const result = await getFunctionRouting({
+				client: apiClient.client,
+				path: { id: flags.id },
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const payload = extractErrorPayload(result.error);
+				writeErrorWithHints(payload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			this.log(JSON.stringify(result.data.data, null, 2));
+		});
+	}
+};
+//#endregion
+//#region src/oclif/commands/functions-route-set.ts
+var FunctionsRouteSetCommand = class FunctionsRouteSetCommand extends Command {
+	static description = `Bind inbound mail to a function by setting its route target.
+
+  Exactly one of --domain or --fallback is required. --domain scopes the
+  binding to a single verified inbound domain. --fallback binds the
+  function to any active domain that has no scoped binding of its own.
+
+  If another function is already bound at the target, the API returns a
+  conflict envelope rather than overwriting; re-run with --takeover to
+  deactivate the prior binding before installing this one.`;
+	static summary = "Bind inbound mail to a function";
+	static examples = [
+		"<%= config.bin %> functions route-set --id <fn-id> --domain <domain-id>",
+		"<%= config.bin %> functions route-set --id <fn-id> --fallback",
+		"<%= config.bin %> functions route-set --id <fn-id> --domain <domain-id> --takeover"
+	];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		id: Flags.string({
+			description: "Function id (UUID) to bind a route to.",
+			required: true
+		}),
+		domain: Flags.string({
+			description: "Verified inbound domain id (UUID) to scope this function to. Mutually exclusive with --fallback.",
+			exclusive: ["fallback"]
+		}),
+		fallback: Flags.boolean({
+			description: "Bind this function as the org fallback (any active domain without a scoped binding). Mutually exclusive with --domain.",
+			exclusive: ["domain"]
+		}),
+		takeover: Flags.boolean({ description: "Deactivate any conflicting binding before installing this one. Without this flag, the API returns a `conflict` envelope when another function is already bound at the target." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(FunctionsRouteSetCommand);
+		if (!flags.domain && !flags.fallback) {
+			process.stderr.write("Provide exactly one of --domain (scoped binding) or --fallback (org fallback).\n");
+			process.exitCode = 1;
+			return;
+		}
+		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+			apiKey: flags["api-key"],
+			apiBaseUrl: flags["api-base-url"],
+			configDir: this.config.configDir
+		});
+		await runWithTiming(flags.time, async () => {
+			const target = flags.domain ? {
+				kind: "domain",
+				domainId: flags.domain
+			} : { kind: "fallback" };
+			const result = await setFunctionRoute({
+				client: apiClient.client,
+				path: { id: flags.id },
+				body: {
+					target,
+					...flags.takeover ? { takeover: true } : {}
+				},
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const payload = extractErrorPayload(result.error);
+				writeErrorWithHints(payload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			this.log(JSON.stringify(result.data.data, null, 2));
+		});
+	}
+};
+//#endregion
+//#region src/oclif/commands/functions-route-unset.ts
+var FunctionsRouteUnsetCommand = class FunctionsRouteUnsetCommand extends Command {
+	static description = `Unbind every active route from a function. The function stays deployed but stops receiving inbound mail. Safe to call when no route is currently bound.`;
+	static summary = "Unbind any route from a function";
+	static examples = ["<%= config.bin %> functions route-unset --id <fn-id>"];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		id: Flags.string({
+			description: "Function id (UUID) whose routes should be unbound.",
+			required: true
+		}),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(FunctionsRouteUnsetCommand);
+		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+			apiKey: flags["api-key"],
+			apiBaseUrl: flags["api-base-url"],
+			configDir: this.config.configDir
+		});
+		await runWithTiming(flags.time, async () => {
+			const result = await unsetFunctionRoute({
+				client: apiClient.client,
+				path: { id: flags.id },
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const payload = extractErrorPayload(result.error);
+				writeErrorWithHints(payload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			this.log(JSON.stringify(result.data.data, null, 2));
+		});
+	}
+};
+//#endregion
+//#region src/oclif/commands/functions-routing-topology.ts
+var FunctionsRoutingTopologyCommand = class FunctionsRoutingTopologyCommand extends Command {
+	static description = `Show the org-wide function routing topology. Lists every active domain with its bound function (if any), the org fallback function (if any), and every deployed function with no route currently bound.`;
+	static summary = "Show the org-wide function routing topology";
+	static examples = ["<%= config.bin %> functions routing-topology"];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(FunctionsRoutingTopologyCommand);
+		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+			apiKey: flags["api-key"],
+			apiBaseUrl: flags["api-base-url"],
+			configDir: this.config.configDir
+		});
+		await runWithTiming(flags.time, async () => {
+			const result = await getOrgRoutingTopology({
+				client: apiClient.client,
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const payload = extractErrorPayload(result.error);
+				writeErrorWithHints(payload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			this.log(JSON.stringify(result.data.data, null, 2));
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/functions-set-secret.ts
 async function runSetSecret(api, params) {
 	const setResult = await api.setSecret({
@@ -18103,14 +18936,9 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -18134,8 +18962,7 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -18195,6 +19022,7 @@ var FunctionsSetSecretCommand = class FunctionsSetSecretCommand extends Command
 				return;
 			}
 			this.log(JSON.stringify(outcome.result, null, 2));
+			if (outcome.result.redeploy === void 0) process.stderr.write(`Secret ${flags.key} saved. Not live until redeploy. Re-run with --redeploy, or run \`primitive functions redeploy --id ${flags.id} --file <bundle.js>\`.\n`);
 		});
 	}
 };
@@ -18319,7 +19147,7 @@ async function maybeWriteEndpointNoiseWarning(params) {
 	} catch {}
 }
 var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Command {
-	static description = "Send a real test email through MX to trigger this function. With --wait, blocks until the function has processed the inbound; with --show-sends, also prints any outbound sends the function emitted in response.";
+	static description = "Send a real test email through MX to trigger this function. The function must have an active route bound (see `functions route-set`); without one the API returns a 422 immediately so no doomed test send is queued. With --wait, blocks until the function has processed the inbound; with --show-sends, also prints any outbound sends the function emitted in response.";
 	static summary = "Trigger a test invocation; with --wait, watch it land";
 	static examples = [
 		"<%= config.bin %> functions test --id <fn-id>",
@@ -18332,14 +19160,9 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: API_BASE_URL_1_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: API_BASE_URL_2_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -18367,8 +19190,7 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 		const shouldShowSends = flags["show-sends"];
 		const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 			apiKey: flags["api-key"],
-			apiBaseUrl1: flags["api-base-url-1"],
-			apiBaseUrl2: flags["api-base-url-2"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
 		await runWithTiming(flags.time, async () => {
@@ -18431,13 +19253,35 @@ var FunctionsTestFunctionCommand = class FunctionsTestFunctionCommand extends Co
 					return;
 				}
 				const fetched = result.data.data;
+				if (fetched.inbound_email && Array.isArray(fetched.deliveries) && fetched.deliveries.length === 0 && Date.now() - startedAt > 15e3) {
+					writeFunctionTestProgress(`Inbound email arrived but no route matched. Bind one with: primitive functions route-set --id ${flags.id} --domain <domain-id> (or --fallback), then retry.`);
+					process.exitCode = 1;
+					return;
+				}
 				if (TERMINAL_TEST_TRACE_STATES.has(fetched.state)) {
 					trace = fetched;
 					break;
 				}
 				await sleep$1(pollIntervalMs);
 			}
-			if (!trace) this.error(`Timed out after ${flags.timeout}s waiting for function test run ${invocation.test_run_id} to complete. Browse ${invocation.watch_url} for the live view, or inspect ${invocation.trace_url}.`, { exit: 2 });
+			if (!trace) {
+				const finalTrace = ((await getFunctionTestRunTrace({
+					client: apiClient.client,
+					path: {
+						id: flags.id,
+						run_id: invocation.test_run_id
+					},
+					responseStyle: "fields"
+				}).catch(() => null))?.data)?.data;
+				const inboundLanded = Boolean(finalTrace?.inbound_email);
+				const deliveryCount = finalTrace?.deliveries?.length ?? 0;
+				const logCount = finalTrace?.logs?.length ?? 0;
+				const replyCount = finalTrace?.replies?.length ?? 0;
+				const webhookStatus = finalTrace?.inbound_email?.webhook_status ?? "n/a";
+				writeFunctionTestProgress(`Timed out after ${flags.timeout}s. Trace summary: inbound_landed=${inboundLanded} deliveries=${deliveryCount} logs=${logCount} replies=${replyCount} webhook_status=${webhookStatus}. Browse ${invocation.watch_url} for the live view, or inspect ${invocation.trace_url}.`);
+				process.exitCode = 2;
+				return;
+			}
 			const outcome = buildFunctionTestOutcome({
 				elapsedSeconds: Math.round((Date.now() - startedAt) / 1e3),
 				functionId: flags.id,
@@ -18479,7 +19323,7 @@ function formatInboxDate(value) {
 	const pad = (n) => String(n).padStart(2, "0");
 	return `${d.getUTCFullYear()}-${pad(d.getUTCMonth() + 1)}-${pad(d.getUTCDate())} ${pad(d.getUTCHours())}:${pad(d.getUTCMinutes())}:${pad(d.getUTCSeconds())} UTC`;
 }
-function truncate(value, width) {
+function truncate$1(value, width) {
 	if (value.length <= width) return value.padEnd(width);
 	return `${value.slice(0, width - 3)}...`;
 }
@@ -18529,7 +19373,7 @@ function formatDomainHeader() {
 }
 function formatDomainRow(domain) {
 	return [
-		truncate(domain.domain, DOMAIN_DISPLAY_WIDTH),
+		truncate$1(domain.domain, DOMAIN_DISPLAY_WIDTH),
 		statusText(domain.status).padEnd(STATUS_DISPLAY_WIDTH),
 		yesNo(domain.receiving_ready).padEnd(BOOL_DISPLAY_WIDTH),
 		yesNo(domain.processing_ready).padEnd(BOOL_DISPLAY_WIDTH),
@@ -18575,14 +19419,9 @@ var InboxStatusCommand = class InboxStatusCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: API_BASE_URL_1_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: API_BASE_URL_2_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		domain: Flags.string({ description: "Focus domain readiness and recent email fields on one domain returned by the inbox status API." }),
@@ -18594,8 +19433,7 @@ var InboxStatusCommand = class InboxStatusCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const result = await getInboxStatus({
@@ -18750,14 +19588,9 @@ var InboxSetupCommand = class InboxSetupCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: API_BASE_URL_1_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: API_BASE_URL_2_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		json: Flags.boolean({ description: "Print structured readiness, receive address, commands, proof metadata, and raw status as JSON." }),
@@ -18768,8 +19601,7 @@ var InboxSetupCommand = class InboxSetupCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const result = await getInboxStatus({
@@ -18836,14 +19668,14 @@ function retryAfterSeconds$1(result) {
 }
 async function checkExistingLogin(params) {
 	const requestConfig = resolveCliApiRequestConfig({
-		apiBaseUrl1: params.apiBaseUrl1,
+		apiBaseUrl: params.apiBaseUrl,
 		configDir: params.configDir
 	});
-	const probeApiBaseUrl1 = requestConfig.apiBaseUrl1 ?? params.credentials.api_base_url_1;
+	const probeApiBaseUrl = requestConfig.apiBaseUrl ?? params.credentials.api_base_url;
 	let credentials = params.credentials;
 	try {
 		credentials = await refreshStoredCliCredentials({
-			apiBaseUrl1: probeApiBaseUrl1,
+			apiBaseUrl: probeApiBaseUrl,
 			configDir: params.configDir,
 			credentials,
 			credentialsLockHeld: params.credentialsLockHeld,
@@ -18859,8 +19691,7 @@ async function checkExistingLogin(params) {
 	}
 	const apiClient = new PrimitiveApiClient({
 		apiKey: credentials.access_token,
-		apiBaseUrl1: probeApiBaseUrl1,
-		apiBaseUrl2: requestConfig.resolvedApiBaseUrl2,
+		apiBaseUrl: probeApiBaseUrl,
 		headers: requestConfig.headers
 	});
 	const result = await (params.checkAccount ?? ((client) => getAccount({
@@ -18870,7 +19701,7 @@ async function checkExistingLogin(params) {
 	if (!result.error) return { status: "valid" };
 	const payload = extractErrorPayload(result.error);
 	const code = extractErrorCode(payload);
-	const baseUrlDiffersFromSaved = requestConfig.baseUrlOverridden && requestConfig.apiBaseUrl1 !== params.credentials.api_base_url_1;
+	const baseUrlDiffersFromSaved = requestConfig.baseUrlOverridden && requestConfig.apiBaseUrl !== params.credentials.api_base_url;
 	if (code === API_ERROR_CODES.unauthorized && !baseUrlDiffersFromSaved) {
 		deleteCliCredentials(params.configDir);
 		process.stderr.write("Removed saved Primitive CLI OAuth credentials because the existing session was rejected during login. Continuing with a fresh login.\n");
@@ -18891,9 +19722,9 @@ var LoginCommand$1 = class extends Command {
 		"<%= config.bin %> login --force"
 	];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		"device-name": Flags.string({ description: "Device name shown in the browser approval screen" }),
@@ -18926,10 +19757,10 @@ var LoginCommand$1 = class extends Command {
 	}
 	async runWithCredentialLock(flags, retryCommand) {
 		const { apiClient, requestConfig } = createCliApiClient({
-			apiBaseUrl1: flags["api-base-url-1"],
+			apiBaseUrl: flags["api-base-url"],
 			configDir: this.config.configDir
 		});
-		const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
+		const apiBaseUrl = requestConfig.resolvedApiBaseUrl;
 		let existing;
 		try {
 			existing = loadCliCredentials(this.config.configDir);
@@ -18942,7 +19773,7 @@ var LoginCommand$1 = class extends Command {
 		if (existing && flags.force) process.stderr.write("Replacing saved Primitive CLI credentials after browser approval because --force was set.\n");
 		else if (existing) {
 			const existingStatus = await checkExistingLogin({
-				apiBaseUrl1: flags["api-base-url-1"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir,
 				credentials: existing,
 				credentialsLockHeld: true
@@ -18988,7 +19819,7 @@ var LoginCommand$1 = class extends Command {
 				deleteChatState(this.config.configDir);
 				saveCliCredentials(this.config.configDir, {
 					access_token: login.access_token,
-					api_base_url_1: apiBaseUrl1,
+					api_base_url: apiBaseUrl,
 					auth_method: "oauth",
 					created_at: (/* @__PURE__ */ new Date()).toISOString(),
 					expires_at: cliAccessTokenExpiresAt(login.expires_in),
@@ -19052,9 +19883,11 @@ function normalizeEmail(email) {
 }
 function pendingSignupFromJson(value) {
 	if (!isRecord(value)) return null;
-	if (typeof value.signup_token !== "string" || typeof value.email !== "string" || typeof value.expires_in !== "number" || typeof value.resend_after !== "number" || typeof value.verification_code_length !== "number" || typeof value.api_base_url_1 !== "string" || typeof value.created_at !== "string" || typeof value.expires_at !== "string") return null;
+	if (typeof value.signup_token !== "string" || typeof value.email !== "string" || typeof value.expires_in !== "number" || typeof value.resend_after !== "number" || typeof value.verification_code_length !== "number" || typeof value.created_at !== "string" || typeof value.expires_at !== "string") return null;
+	const apiBaseUrl = value.api_base_url ?? value.api_base_url_1;
+	if (typeof apiBaseUrl !== "string") return null;
 	return {
-		api_base_url_1: value.api_base_url_1,
+		api_base_url: apiBaseUrl,
 		created_at: value.created_at,
 		email: value.email,
 		expires_at: value.expires_at,
@@ -19070,20 +19903,20 @@ function pendingSignupPath(configDir) {
 function deletePendingAgentSignup(configDir) {
 	rmSync(pendingSignupPath(configDir), { force: true });
 }
-function pendingSignupFromStart(start, apiBaseUrl1) {
+function pendingSignupFromStart(start, apiBaseUrl) {
 	return {
 		...start,
-		api_base_url_1: apiBaseUrl1,
+		api_base_url: apiBaseUrl,
 		created_at: (/* @__PURE__ */ new Date()).toISOString(),
 		expires_at: new Date(Date.now() + start.expires_in * 1e3).toISOString()
 	};
 }
-function savePendingAgentSignup(configDir, start, apiBaseUrl1) {
+function savePendingAgentSignup(configDir, start, apiBaseUrl) {
 	mkdirSync(configDir, {
 		mode: 448,
 		recursive: true
 	});
-	const pending = pendingSignupFromStart(start, apiBaseUrl1);
+	const pending = pendingSignupFromStart(start, apiBaseUrl);
 	const path = pendingSignupPath(configDir);
 	const tempPath = join(configDir, `${PENDING_SIGNUP_FILE}.${process$1.pid}.${randomUUID()}.tmp`);
 	try {
@@ -19097,7 +19930,7 @@ function savePendingAgentSignup(configDir, start, apiBaseUrl1) {
 		throw error;
 	}
 }
-function loadPendingAgentSignup(configDir, apiBaseUrl1) {
+function loadPendingAgentSignup(configDir, apiBaseUrl) {
 	const path = pendingSignupPath(configDir);
 	let contents;
 	try {
@@ -19116,7 +19949,7 @@ function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 		deletePendingAgentSignup(configDir);
 		return null;
 	}
-	if (pending.api_base_url_1 !== apiBaseUrl1) return null;
+	if (pending.api_base_url !== apiBaseUrl) return null;
 	if (new Date(pending.expires_at).getTime() <= Date.now()) {
 		deletePendingAgentSignup(configDir);
 		return null;
@@ -19126,7 +19959,7 @@ function loadPendingAgentSignup(configDir, apiBaseUrl1) {
 		expires_in: Math.max(0, Math.ceil((new Date(pending.expires_at).getTime() - Date.now()) / 1e3))
 	};
 }
-function readPendingAgentSignupState(configDir, apiBaseUrl1) {
+function readPendingAgentSignupState(configDir, apiBaseUrl) {
 	const path = pendingSignupPath(configDir);
 	let contents;
 	try {
@@ -19145,7 +19978,7 @@ function readPendingAgentSignupState(configDir, apiBaseUrl1) {
 		deletePendingAgentSignup(configDir);
 		return null;
 	}
-	if (pending.api_base_url_1 !== apiBaseUrl1) return null;
+	if (pending.api_base_url !== apiBaseUrl) return null;
 	return pending;
 }
 function pendingSignupStartCommand(email) {
@@ -19153,7 +19986,7 @@ function pendingSignupStartCommand(email) {
 }
 function buildSignupStatus(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
-	const pending = readPendingAgentSignupState(params.configDir, params.apiBaseUrl1);
+	const pending = readPendingAgentSignupState(params.configDir, params.apiBaseUrl);
 	if (!pending) return {
 		code_length: null,
 		confirm_command: null,
@@ -19200,11 +20033,11 @@ function writeSignupStatus(status) {
 }
 function runSignupStatus(params) {
 	const { requestConfig } = createCliApiClient({
-		apiBaseUrl1: params.flags["api-base-url-1"],
+		apiBaseUrl: params.flags["api-base-url"],
 		configDir: params.configDir
 	});
 	const status = buildSignupStatus({
-		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 		configDir: params.configDir,
 		copy: params.copy,
 		email: params.email
@@ -19217,7 +20050,7 @@ function runSignupStatus(params) {
 }
 function requirePendingSignupForEmail(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
-	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
+	const pending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl);
 	if (!pending) throw cliError$2(`No pending ${copy.actionNoun} for ${params.email}. Run \`primitive signup status ${params.email}\` to inspect pending state, or \`primitive ${copy.startCommand(params.email)}\` first.`);
 	if (normalizeEmail(pending.email) !== normalizeEmail(params.email)) throw cliError$2(`Pending ${copy.actionNoun} is for ${pending.email}, not ${params.email}. Run \`primitive signup status\` to inspect it, or \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	return pending;
@@ -19280,7 +20113,7 @@ async function checkExistingCredentials(params) {
 	}
 	if (!existing) return;
 	const existingStatus = await checkExistingLoginFn({
-		apiBaseUrl1: params.apiBaseUrl1,
+		apiBaseUrl: params.apiBaseUrl,
 		configDir: params.configDir,
 		credentials: existing,
 		credentialsLockHeld: true
@@ -19299,7 +20132,7 @@ function saveSignupCredentials(params) {
 	deleteChatState(params.configDir);
 	saveCliCredentials(params.configDir, {
 		access_token: params.signup.access_token,
-		api_base_url_1: params.apiBaseUrl1,
+		api_base_url: params.apiBaseUrl,
 		auth_method: "oauth",
 		created_at: (/* @__PURE__ */ new Date()).toISOString(),
 		expires_at: cliAccessTokenExpiresAt(params.signup.expires_in),
@@ -19318,7 +20151,7 @@ function writeStartInstructions(start, copy = DEFAULT_SIGNUP_COMMAND_COPY) {
 }
 async function startSignup(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
-	const existingPending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl1);
+	const existingPending = loadPendingAgentSignup(params.configDir, params.apiBaseUrl);
 	if (existingPending && !params.flags.force) {
 		if (normalizeEmail(existingPending.email) === normalizeEmail(params.email)) {
 			process$1.stderr.write(`Continuing pending Primitive ${copy.actionNoun} for ${existingPending.email}.\n`);
@@ -19353,7 +20186,7 @@ async function startSignup(params) {
 	const startResult = unwrapData$1(started.data);
 	if (!startResult) throw cliError$2("Primitive API returned an empty agent signup response.");
 	return {
-		pending: savePendingAgentSignup(params.configDir, startResult, params.apiBaseUrl1),
+		pending: savePendingAgentSignup(params.configDir, startResult, params.apiBaseUrl),
 		started: true
 	};
 }
@@ -19373,7 +20206,7 @@ async function resendVerificationCode(params) {
 			verification_code_length: resend.verification_code_length
 		} : params.start;
 		return {
-			pending: savePendingAgentSignup(params.configDir, next, params.apiBaseUrl1),
+			pending: savePendingAgentSignup(params.configDir, next, params.apiBaseUrl),
 			resent: true
 		};
 	}
@@ -19397,18 +20230,18 @@ async function runSignupStartWithCredentialLock(params) {
 	const promptRequiredFn = deps.promptRequired ?? promptRequired;
 	const email = params.email ?? await promptRequiredFn("Email: ");
 	await checkExistingCredentials({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir,
 		copy: params.copy,
 		deps,
 		flags
 	});
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir
 	});
 	const start = await startSignup({
-		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 		apiClient,
 		configDir,
 		copy: params.copy,
@@ -19422,19 +20255,19 @@ async function runSignupConfirmWithCredentialLock(params) {
 	const { configDir, flags } = params;
 	const deps = params.deps ?? {};
 	if (!params.skipExistingCredentialCheck) await checkExistingCredentials({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir,
 		copy: params.copy,
 		deps,
 		flags
 	});
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir
 	});
-	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
+	const apiBaseUrl = requestConfig.resolvedApiBaseUrl;
 	const pending = requirePendingSignupForEmail({
-		apiBaseUrl1,
+		apiBaseUrl,
 		copy: params.copy,
 		configDir,
 		email: params.email
@@ -19452,7 +20285,7 @@ async function runSignupConfirmWithCredentialLock(params) {
 		const signup = unwrapData$1(verified.data);
 		if (!signup) throw cliError$2("Primitive API returned an empty agent signup verification response.");
 		saveSignupCredentials({
-			apiBaseUrl1,
+			apiBaseUrl,
 			configDir,
 			signup
 		});
@@ -19473,18 +20306,18 @@ async function runSignupResendWithCredentialLock(params) {
 	const deps = params.deps ?? {};
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: params.flags["api-base-url-1"],
+		apiBaseUrl: params.flags["api-base-url"],
 		configDir: params.configDir
 	});
 	const pending = params.email ? requirePendingSignupForEmail({
-		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 		copy,
 		configDir: params.configDir,
 		email: params.email
-	}) : loadPendingAgentSignup(params.configDir, requestConfig.resolvedApiBaseUrl1);
+	}) : loadPendingAgentSignup(params.configDir, requestConfig.resolvedApiBaseUrl);
 	if (!pending) throw cliError$2(`No pending ${copy.actionNoun} found. Run \`primitive signup status\` to inspect pending state, or start one with \`${pendingSignupStartCommand()}\`.`);
 	const resend = await resendVerificationCode({
-		apiBaseUrl1: requestConfig.resolvedApiBaseUrl1,
+		apiBaseUrl: requestConfig.resolvedApiBaseUrl,
 		apiClient,
 		configDir: params.configDir,
 		deps,
@@ -19497,20 +20330,20 @@ async function runSignupInteractiveWithCredentialLock(params) {
 	const deps = params.deps ?? {};
 	const promptRequiredFn = deps.promptRequired ?? promptRequired;
 	await checkExistingCredentials({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir,
 		deps,
 		flags
 	});
 	const { apiClient, requestConfig } = createCliApiClient({
-		apiBaseUrl1: flags["api-base-url-1"],
+		apiBaseUrl: flags["api-base-url"],
 		configDir
 	});
-	const apiBaseUrl1 = requestConfig.resolvedApiBaseUrl1;
-	let start = flags.force ? null : loadPendingAgentSignup(configDir, apiBaseUrl1);
+	const apiBaseUrl = requestConfig.resolvedApiBaseUrl;
+	let start = flags.force ? null : loadPendingAgentSignup(configDir, apiBaseUrl);
 	if (start) process$1.stderr.write(`Continuing pending Primitive signup for ${start.email}.\n`);
 	else start = (await startSignup({
-		apiBaseUrl1,
+		apiBaseUrl,
 		apiClient,
 		configDir,
 		deps,
@@ -19524,7 +20357,7 @@ async function runSignupInteractiveWithCredentialLock(params) {
 		const verificationCode = await promptRequiredFn(`Verification code (${start.verification_code_length} digits): `);
 		if (verificationCode.toLowerCase() === "resend") {
 			const resend = await resendVerificationCode({
-				apiBaseUrl1,
+				apiBaseUrl,
 				apiClient,
 				configDir,
 				deps,
@@ -19541,7 +20374,7 @@ async function runSignupInteractiveWithCredentialLock(params) {
 				deps,
 				email: start.email,
 				flags: {
-					"api-base-url-1": flags["api-base-url-1"],
+					"api-base-url": flags["api-base-url"],
 					force: true
 				},
 				skipExistingCredentialCheck: true
@@ -19559,9 +20392,9 @@ async function runSignupInteractiveWithCredentialLock(params) {
 function commonStartFlags() {
 	return {
 		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
@@ -19622,9 +20455,9 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 	static summary = "Confirm account signup";
 	static examples = ["<%= config.bin %> signup confirm user@example.com 123456", "<%= config.bin %> signup confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		force: Flags.boolean({
@@ -19661,9 +20494,9 @@ var SignupResendCommand = class SignupResendCommand extends Command {
 	static description = "Resend the verification code for a pending signup.";
 	static summary = "Resend signup verification code";
 	static examples = ["<%= config.bin %> signup resend", "<%= config.bin %> signup resend user@example.com"];
-	static flags = { "api-base-url-1": Flags.string({
+	static flags = { "api-base-url": Flags.string({
 		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-		env: "PRIMITIVE_API_BASE_URL_1",
+		env: "PRIMITIVE_API_BASE_URL",
 		hidden: true
 	}) };
 	async run() {
@@ -19698,9 +20531,9 @@ var SignupStatusCommand = class SignupStatusCommand extends Command {
 		"<%= config.bin %> signup status --json"
 	];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		json: Flags.boolean({ description: "Print pending signup status as JSON" })
@@ -19768,7 +20601,7 @@ async function runLogoutWithCredentialLock(params) {
 	let authenticated;
 	try {
 		authenticated = await deps.createAuthenticatedCliApiClient({
-			apiBaseUrl1: params.flags["api-base-url-1"],
+			apiBaseUrl: params.flags["api-base-url"],
 			configDir: params.configDir,
 			credentialsLockHeld: true
 		});
@@ -19832,9 +20665,9 @@ var LogoutCommand = class LogoutCommand extends Command {
 	static summary = "Log out and revoke the saved CLI OAuth grant";
 	static examples = ["<%= config.bin %> logout", "<%= config.bin %> logout --force"];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		force: Flags.boolean({
@@ -19983,14 +20816,9 @@ var ReplyCommand = class ReplyCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: "Override the API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		id: Flags.string({
@@ -20026,8 +20854,7 @@ var ReplyCommand = class ReplyCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const attachments = readAttachmentFiles(flags.attachment);
@@ -20039,7 +20866,7 @@ var ReplyCommand = class ReplyCommand extends Command {
 					...attachments !== void 0 ? { attachments } : {},
 					...flags.wait !== void 0 ? { wait: flags.wait } : {}
 				},
-				client: apiClient._sendClient,
+				client: apiClient.client,
 				path: { id: flags.id },
 				responseStyle: "fields"
 			});
@@ -20064,6 +20891,134 @@ var ReplyCommand = class ReplyCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/semantic-search.ts
+const DEFAULT_LIMIT = 10;
+const MAX_LIMIT = 100;
+const SCORE_WIDTH = 7;
+const SOURCE_WIDTH = 4;
+const SUBJECT_WIDTH = 40;
+const FROM_WIDTH = 26;
+const SNIPPET_WIDTH = 60;
+function truncate(value, width) {
+	if (value.length <= width) return value.padEnd(width);
+	return `${value.slice(0, width - 3)}...`;
+}
+function sourceLabel(t) {
+	return t === "inbound_email" ? "in" : "out";
+}
+function formatRow(r) {
+	return `${r.score.toFixed(3).padStart(SCORE_WIDTH)}  ${sourceLabel(r.source_type).padEnd(SOURCE_WIDTH)}  ${truncate((r.subject ?? "").replace(/\s+/g, " "), SUBJECT_WIDTH)}  ${truncate(r.from ?? "", FROM_WIDTH)}  ${truncate((r.snippets[0]?.text ?? "").replace(/\s+/g, " "), SNIPPET_WIDTH)}`;
+}
+function formatHeader() {
+	return `${"SCORE".padStart(SCORE_WIDTH)}  ${"SRC".padEnd(SOURCE_WIDTH)}  ${"SUBJECT".padEnd(SUBJECT_WIDTH)}  ${"FROM".padEnd(FROM_WIDTH)}  EXCERPT`;
+}
+var SemanticSearchCommand = class SemanticSearchCommand extends Command {
+	static description = `Search received and sent mail by meaning or keywords.
+
+  Returns ranked rows. Each row carries a relevance score, the fields it
+  matched, and a match-centered excerpt. Defaults to hybrid mode (blends
+  semantic and keyword signals); use \`--mode keyword\` for plain
+  full-text matching and \`--mode semantic\` for embedding-only.
+
+  Requires the Pro plan with the semantic_search_enabled entitlement.`;
+	static summary = "Semantic / hybrid / keyword search across received and sent mail";
+	static examples = [
+		"<%= config.bin %> semantic-search \"invoice from acme\"",
+		"<%= config.bin %> semantic-search \"shipping update\" --mode keyword",
+		"<%= config.bin %> semantic-search \"kickoff\" --corpus inbound --limit 25",
+		"<%= config.bin %> semantic-search renewal --json | jq '.data[].id'"
+	];
+	static args = { query: Args.string({
+		description: "The search query.",
+		required: true
+	}) };
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		mode: Flags.string({
+			description: "Ranking strategy.",
+			options: [
+				"hybrid",
+				"semantic",
+				"keyword"
+			],
+			default: "hybrid"
+		}),
+		corpus: Flags.string({
+			description: "Restrict to inbound or outbound. Pass twice to include both (the default).",
+			options: ["inbound", "outbound"],
+			multiple: true
+		}),
+		"date-from": Flags.string({ description: "Only include mail at or after this ISO-8601 timestamp." }),
+		"date-to": Flags.string({ description: "Only include mail at or before this ISO-8601 timestamp." }),
+		limit: Flags.integer({
+			description: `Maximum results to return (1-${MAX_LIMIT}, default ${DEFAULT_LIMIT}).`,
+			default: DEFAULT_LIMIT,
+			min: 1,
+			max: MAX_LIMIT
+		}),
+		cursor: Flags.string({ description: "Opaque pagination cursor from a prior response's meta.cursor." }),
+		json: Flags.boolean({ description: "Print the raw response envelope as JSON on STDOUT instead of the text table." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { args, flags } = await this.parse(SemanticSearchCommand);
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl: flags["api-base-url"],
+				configDir: this.config.configDir
+			});
+			const result = await semanticSearch({
+				client: apiClient.client,
+				body: {
+					query: args.query,
+					mode: flags.mode,
+					...flags.corpus ? { corpus: flags.corpus } : {},
+					...flags["date-from"] ? { date_from: flags["date-from"] } : {},
+					...flags["date-to"] ? { date_to: flags["date-to"] } : {},
+					limit: flags.limit,
+					...flags.cursor ? { cursor: flags.cursor } : {}
+				},
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				const errorPayload = extractErrorPayload(result.error);
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			const envelope = result.data;
+			if (flags.json) {
+				this.log(JSON.stringify(envelope ?? null, null, 2));
+				return;
+			}
+			const rows = envelope?.data ?? [];
+			if (rows.length === 0) {
+				process.stderr.write("No matching mail.\n");
+				return;
+			}
+			process.stderr.write(`${formatHeader()}\n`);
+			for (const row of rows) this.log(formatRow(row));
+			const nextCursor = envelope?.meta?.cursor ?? null;
+			if (nextCursor) process.stderr.write(`\nNext page: pass --cursor ${nextCursor}\n`);
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/send.ts
 var SendCommand = class SendCommand extends Command {
 	static description = `Send an outbound email. Agent-grade shortcut for \`sending send\` with sensible defaults.
@@ -20089,14 +21044,9 @@ var SendCommand = class SendCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: "Override the API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		to: Flags.string({
@@ -20135,8 +21085,7 @@ var SendCommand = class SendCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const authFailureContext = {
@@ -20158,7 +21107,7 @@ var SendCommand = class SendCommand extends Command {
 					...flags.wait !== void 0 ? { wait: flags.wait } : {},
 					...flags["wait-timeout-ms"] !== void 0 ? { wait_timeout_ms: flags["wait-timeout-ms"] } : {}
 				},
-				client: apiClient._sendClient,
+				client: apiClient.client,
 				responseStyle: "fields"
 			});
 			if (result.error) {
@@ -20229,9 +21178,9 @@ function acquireCredentialsLock(configDir) {
 function commonOtpStartFlags() {
 	return {
 		"accept-terms": Flags.boolean({ description: "Confirm acceptance of Primitive's Terms of Service and Privacy Policy" }),
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		"device-name": Flags.string({ description: "Device name used for the created CLI OAuth session" }),
@@ -20410,9 +21359,9 @@ var SigninOtpConfirmCommand = class extends Command {
 	static summary = "Confirm OTP sign-in";
 	static examples = ["<%= config.bin %> signin otp confirm user@example.com 123456", "<%= config.bin %> signin otp confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
 	static flags = {
-		"api-base-url-1": Flags.string({
+		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-			env: "PRIMITIVE_API_BASE_URL_1",
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		force: Flags.boolean({
@@ -20489,9 +21438,9 @@ var SigninOtpResendCommand = class extends Command {
 	static description = "Resend the verification code for a pending OTP sign-in.";
 	static summary = "Resend OTP sign-in code";
 	static examples = ["<%= config.bin %> signin otp resend user@example.com"];
-	static flags = { "api-base-url-1": Flags.string({
+	static flags = { "api-base-url": Flags.string({
 		description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-		env: "PRIMITIVE_API_BASE_URL_1",
+		env: "PRIMITIVE_API_BASE_URL",
 		hidden: true
 	}) };
 	async run() {
@@ -20577,14 +21526,9 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
 			env: "PRIMITIVE_API_KEY"
 		}),
-		"api-base-url-1": Flags.string({
-			description: API_BASE_URL_1_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_1",
-			hidden: true
-		}),
-		"api-base-url-2": Flags.string({
-			description: API_BASE_URL_2_FLAG_DESCRIPTION,
-			env: "PRIMITIVE_API_BASE_URL_2",
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
 		json: Flags.boolean({ description: "Print the full account JSON response. Default output hides setup and billing internals." }),
@@ -20595,8 +21539,7 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 		await runWithTiming(flags.time, async () => {
 			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
 				apiKey: flags["api-key"],
-				apiBaseUrl1: flags["api-base-url-1"],
-				apiBaseUrl2: flags["api-base-url-2"],
+				apiBaseUrl: flags["api-base-url"],
 				configDir: this.config.configDir
 			});
 			const result = await getAccount({
@@ -20927,6 +21870,7 @@ const COMMANDS = {
 	"emails:latest": EmailsLatestCommand,
 	"emails:watch": EmailsWatchCommand,
 	"emails:wait": EmailsWaitCommand,
+	"semantic-search": SemanticSearchCommand,
 	"domains:zone-file": DomainsZoneFileCommand,
 	"domains:download-domain-zone-file": DomainsZoneFileCommand,
 	"inbox:setup": InboxSetupCommand,
@@ -20939,6 +21883,10 @@ const COMMANDS = {
 	"functions:set-secret": FunctionsSetSecretCommand,
 	"functions:test": FunctionsTestFunctionCommand,
 	"functions:test-function": FunctionsTestFunctionCommand,
+	"functions:route-set": FunctionsRouteSetCommand,
+	"functions:route-unset": FunctionsRouteUnsetCommand,
+	"functions:route-get": FunctionsRouteGetCommand,
+	"functions:routing-topology": FunctionsRoutingTopologyCommand,
 	...Object.fromEntries(Object.entries(CANONICAL_OPERATION_ALIASES).map(([alias, target]) => {
 		const command = generatedCommands[target];
 		if (!command) throw new Error(`Missing generated command target for alias ${alias}`);