@primitivedotdev/cli 0.36.0 → 0.38.0

package/dist/{cli-config-D7wN_PBc.js → cli-config-B5hrwe8q.js}

@@ -949,6 +949,22 @@ function deleteCliCredentials(configDir) {
 	rmSync(credentialsPath(configDir), { force: true });
 	deleteChatState(configDir);
 }
+function saveSignupCredentials(params) {
+	deleteChatState(params.configDir);
+	saveCliCredentials(params.configDir, {
+		access_token: params.signup.access_token,
+		api_base_url: params.apiBaseUrl,
+		auth_method: "oauth",
+		created_at: (/* @__PURE__ */ new Date()).toISOString(),
+		expires_at: cliAccessTokenExpiresAt(params.signup.expires_in),
+		oauth_client_id: params.signup.oauth_client_id,
+		oauth_grant_id: params.signup.oauth_grant_id,
+		org_id: params.signup.org_id,
+		org_name: params.signup.org_name,
+		refresh_token: params.signup.refresh_token,
+		token_type: params.signup.token_type
+	});
+}
 function deleteCliCredentialsLock(configDir) {
 	rmSync(credentialsLockPath(configDir), {
 		force: true,
@@ -1311,4 +1327,4 @@ function redactCliEnvironment(environment) {
 	};
 }
 //#endregion
-export { createClient as A, saveCliCredentials as C, loadChatConversationByLocalId as D, loadActiveChatState as E, saveActiveChatState as O, resolveCliAuth as S, deleteChatState as T, deleteCliCredentials as _, normalizeCliEnvironmentName as a, loadCliCredentials as b, resolveConfigEnvironment as c, validateCliHeaderName as d, validateCliHeaderValue as f, credentialsPath as g, credentialsLockPath as h, loadCliConfig as i, createConfig as j, PrimitiveApiClient as k, saveCliConfig as l, cliAccessTokenExpiresAt as m, deleteCliConfig as n, redactCliEnvironment as o, acquireCliCredentialsLock as p, emptyCliConfig as r, removeCliEnvironment as s, DEFAULT_ENVIRONMENT as t, upsertCliEnvironment as u, deleteCliCredentialsLock as v, chatStatePath as w, normalizeApiBaseUrl as x, detectPrimitiveKeyEnvMisname as y };
+export { PrimitiveApiClient as A, saveCliCredentials as C, loadActiveChatState as D, deleteChatState as E, createConfig as M, loadChatConversationByLocalId as O, resolveCliAuth as S, chatStatePath as T, deleteCliCredentials as _, normalizeCliEnvironmentName as a, loadCliCredentials as b, resolveConfigEnvironment as c, validateCliHeaderName as d, validateCliHeaderValue as f, credentialsPath as g, credentialsLockPath as h, loadCliConfig as i, createClient as j, saveActiveChatState as k, saveCliConfig as l, cliAccessTokenExpiresAt as m, deleteCliConfig as n, redactCliEnvironment as o, acquireCliCredentialsLock as p, emptyCliConfig as r, removeCliEnvironment as s, DEFAULT_ENVIRONMENT as t, upsertCliEnvironment as u, deleteCliCredentialsLock as v, saveSignupCredentials as w, normalizeApiBaseUrl as x, detectPrimitiveKeyEnvMisname as y };

package/dist/oclif/index.js

@@ -1,4 +1,4 @@
-import { A as createClient, C as saveCliCredentials, D as loadChatConversationByLocalId, E as loadActiveChatState, O as saveActiveChatState, S as resolveCliAuth, T as deleteChatState, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as loadCliCredentials, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, j as createConfig, k as PrimitiveApiClient, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as chatStatePath, x as normalizeApiBaseUrl, y as detectPrimitiveKeyEnvMisname } from "../cli-config-D7wN_PBc.js";
+import { A as PrimitiveApiClient, C as saveCliCredentials, D as loadActiveChatState, E as deleteChatState, M as createConfig, O as loadChatConversationByLocalId, S as resolveCliAuth, T as chatStatePath, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as loadCliCredentials, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, j as createClient, k as saveActiveChatState, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as saveSignupCredentials, x as normalizeApiBaseUrl, y as detectPrimitiveKeyEnvMisname } from "../cli-config-B5hrwe8q.js";
 import { Args, Command, Errors, Flags, ux } from "@oclif/core";
 import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { randomUUID } from "node:crypto";
@@ -14464,8 +14464,11 @@ const RESERVED_FLAG_NAMES = new Set([
 	"envelope",
 	"output"
 ]);
-function bodyFieldFlag(field) {
-	const common = { description: field.description || field.name };
+function bodyFieldFlag(field, aliases) {
+	const common = {
+		description: field.description || field.name,
+		...aliases && aliases.length > 0 ? { aliases } : {}
+	};
 	if (field.kind === "boolean") return Flags.boolean({
 		...common,
 		allowNo: true
@@ -14507,12 +14510,13 @@ function buildFlags(operation) {
 		flags["raw-body"] = Flags.string({ description: "Full request body as raw JSON. Escape hatch for nested or complex fields (e.g. arrays); prefer per-field flags (e.g. --to, --from, --body-text) when available." });
 		flags["body-file"] = Flags.string({ description: "Path to a JSON file used as the request body. Same role as --raw-body for callers passing a saved payload." });
 		const bodyFields = extractBodyFields(operation.requestSchema);
+		const aliasesForOperation = OPERATION_FLAG_ALIASES[operation.sdkName];
 		for (const field of bodyFields) {
 			if (field.kind === "complex") continue;
 			const name = flagName(field.name);
 			if (RESERVED_FLAG_NAMES.has(name)) continue;
 			if (flags[name] !== void 0) continue;
-			flags[name] = bodyFieldFlag(field);
+			flags[name] = bodyFieldFlag(field, aliasesForOperation?.[field.name]);
 			bodyFieldFlagToProperty.set(name, field.name);
 		}
 	}
@@ -14561,8 +14565,21 @@ const OPERATION_HINTS = {
 	createFunction: "Tip: prefer `primitive functions deploy --name <name> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
 	updateFunction: "Tip: prefer `primitive functions redeploy --id <id> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
 	createFunctionSecret: "Tip: prefer `primitive functions set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON.",
-	setFunctionSecret: "Tip: prefer `primitive functions set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON."
+	setFunctionSecret: "Tip: prefer `primitive functions set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON.",
+	startAgentSignup: "Tip: also pass --signup-code <code> (request from Primitive; invite-only during the agent beta) and --terms-accepted. Capture the signup_token from the response and feed it to `primitive agent verify-agent-signup --signup-token <token> --verification-code <6-digit-code>` (the verify flag accepts --code as an alias). The high-level `primitive signup <email>` command walks an interactive user through both steps with friendlier prompts.",
+	verifyAgentSignup: "Tip: pass --verification-code <code> (or --code; both work). The response carries OAuth tokens but not your assigned inbox domain; run `primitive domains list` (or `primitive whoami`) after success to see the managed *.primitive.email address that routes to this account."
 };
+const OPERATION_FLAG_ALIASES = { verifyAgentSignup: { verification_code: ["code"] } };
+const OPERATION_SUCCESS_HOOKS = { verifyAgentSignup: ({ envelope, configDir, apiBaseUrl, writeStderr }) => {
+	const data = envelope?.data;
+	if (!data?.access_token || !data?.refresh_token) return;
+	saveSignupCredentials({
+		apiBaseUrl,
+		configDir,
+		signup: data
+	});
+	writeStderr("Credentials saved to the CLI config; `primitive whoami` will work on the next call.\n");
+} };
 function createOperationCommand(operation) {
 	const { flags, bodyFieldFlagToProperty } = buildFlags(operation);
 	const baseDescription = operation.description !== null && operation.description !== void 0 ? canonicalizeCliReferences(operation.description) : `${operation.method} ${operation.path}`;
@@ -14656,6 +14673,20 @@ function createOperationCommand(operation) {
 				writeIdempotentReplayBannerIfReplay(envelope?.data, { write: (chunk) => {
 					process.stderr.write(chunk);
 				} });
+				const successHook = OPERATION_SUCCESS_HOOKS[operation.sdkName];
+				if (successHook) try {
+					successHook({
+						envelope,
+						configDir: this.config.configDir,
+						apiBaseUrl: auth.apiBaseUrl,
+						writeStderr: (chunk) => {
+							process.stderr.write(chunk);
+						}
+					});
+				} catch (hookError) {
+					const detail = hookError instanceof Error ? hookError.message : String(hookError);
+					process.stderr.write(`Warning: ${operation.sdkName} succeeded but its post-success hook threw (${detail}). The response below is still valid; act on it manually.\n`);
+				}
 				this.log(JSON.stringify(operationOutputPayload(envelope, parsedFlags.envelope === true), null, 2));
 				if (isIncompleteDomainVerification(operation, envelope)) {
 					writeIncompleteDomainVerificationHint();
@@ -17677,8 +17708,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^0.36.0";
-const CLI_VERSION_RANGE = "^0.36.0";
+const SDK_VERSION_RANGE = "^0.38.0";
+const CLI_VERSION_RANGE = "^0.38.0";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
@@ -17753,22 +17784,50 @@ function inboundRecipientDomains(event: EmailReceivedEvent): Set<string> {
 // SMTP recipients instead.
 //
 // The default check skips:
+//   - bounce notifications, which RFC 5321 requires to use an empty
+//     SMTP envelope sender (MAIL FROM:<>). Replying to a null sender
+//     is forbidden and would itself bounce, producing a
+//     bounce-of-bounce chain. The body header on a bounce typically
+//     reads "From: MAILER-DAEMON@..." which a naive From-only check
+//     would treat as a normal sender, so we gate on the envelope here.
 //   - direct self-mail where From equals one of the inbound recipients;
-//   - mailer-daemon/postmaster bounces from the same domain as the inbound;
+//   - mailer-daemon/postmaster bounces from the same domain as the
+//     inbound, as a backup for bounces that arrive with a non-empty
+//     envelope sender;
 //   - any address explicitly listed in EXTRA_SELF_ADDRESSES.
 //
-// Extend this helper if you need stricter detection. Common additions:
-//   - Honor RFC 3834 auto-response headers: skip when
-//     event.email.headers["auto-submitted"] is anything other than "no",
-//     or when a List-Unsubscribe / Precedence: bulk header is present.
+// Anything with no identifiable sender at all (envelope + From both
+// empty) is treated as a loop terminator: better to drop one ambiguous
+// message than to reply blindly and loop on a bounce.
+//
+// Extend this helper if you need stricter detection. Common additions
+// not implemented here today:
+//   - Honor RFC 3834 auto-response headers: skip when an
+//     auto-submitted header is anything other than "no", or when a
+//     list-unsubscribe / precedence: bulk header is present. The
+//     EmailReceivedEvent.email.headers shape does not currently surface
+//     these, so detection requires either a parsed-headers field on
+//     the event or a parse of the raw RFC 822 body.
 //   - Track Message-ID / In-Reply-To chains to break ping-pong loops
 //     between two cooperating handlers on different domains.
+//   - Rate-limit replies per sender per hour as a safety net.
 export function isLoop(event: EmailReceivedEvent): boolean {
+  // RFC 5321: bounce notifications use the null MAIL FROM (envelope
+  // sender = empty string). Some MTAs report this as "<>" verbatim.
+  // Treat either as an unambiguous bounce signal.
+  const envelopeSender = (event.email.smtp.mail_from || "").trim();
+  if (envelopeSender === "" || envelopeSender === "<>") return true;
+
   const fromAddresses = [
     ...extractEmailAddresses(event.email.headers.from),
     ...extractEmailAddresses(event.email.smtp.mail_from),
   ];
-  if (fromAddresses.length === 0) return false;
+  // No identifiable sender across either envelope or header: treat as
+  // a loop terminator. Was return false in the original template; that
+  // returned mail with empty headers straight back into the handler
+  // and let bounces with malformed bodies slip past the bounce guard
+  // above.
+  if (fromAddresses.length === 0) return true;
 
   const inboundAddresses = new Set(inboundRecipientAddresses(event));
   const inboundDomains = inboundRecipientDomains(event);
@@ -18244,6 +18303,25 @@ function emitLogRows(rows, jsonl) {
 		process.stdout.write(`${line}\n`);
 	}
 }
+async function readFunctionInvocations(client, id) {
+	try {
+		const result = await getFunction({
+			client,
+			path: { id },
+			responseStyle: "fields",
+			signal: AbortSignal.timeout(3e3)
+		});
+		if (result.error) return null;
+		const fn = result.data?.data;
+		if (!fn) return null;
+		return {
+			invocations_total: typeof fn.invocations_total === "number" ? fn.invocations_total : 0,
+			invocations_24h: typeof fn.invocations_24h === "number" ? fn.invocations_24h : 0
+		};
+	} catch {
+		return null;
+	}
+}
 var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 	static description = "List or follow function execution logs. Defaults to compact text output; use --jsonl for one JSON object per log row.";
 	static summary = "List or follow a function's execution logs";
@@ -18342,7 +18420,14 @@ var FunctionsLogsCommand = class FunctionsLogsCommand extends Command {
 					cursor = page.next_cursor;
 				}
 				if (rows.length === 0 && !wroteEmptyHint) {
-					process.stderr.write(flags.follow ? hasObservedLogs ? "Waiting for new function logs...\n" : "No function logs yet. Waiting for new rows...\n" : "No function logs yet. Trigger the function, then run this command again.\n");
+					let emptyHint;
+					if (flags.follow) emptyHint = hasObservedLogs ? "Waiting for new function logs...\n" : "No function logs yet. Waiting for new rows...\n";
+					else if (flags.cursor) emptyHint = "No more function logs after this cursor.\n";
+					else {
+						const fnInvocations = await readFunctionInvocations(apiClient.client, flags.id);
+						emptyHint = fnInvocations && fnInvocations.invocations_total > 0 ? `No function logs yet, but this function has been invoked ${fnInvocations.invocations_total} time(s) (${fnInvocations.invocations_24h} in the last 24h). Your handler likely has no console.log/console.error calls on the path that fired. Add logging and redeploy to surface details.\n` : "No function logs yet. Trigger the function, then run this command again.\n";
+					}
+					process.stderr.write(emptyHint);
 					wroteEmptyHint = true;
 				}
 				emitLogRows(rows, flags.jsonl);
@@ -20128,22 +20213,6 @@ async function checkExistingCredentials(params) {
 	}
 	throw cliError$2(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before ${copy.actionGerund}.`);
 }
-function saveSignupCredentials(params) {
-	deleteChatState(params.configDir);
-	saveCliCredentials(params.configDir, {
-		access_token: params.signup.access_token,
-		api_base_url: params.apiBaseUrl,
-		auth_method: "oauth",
-		created_at: (/* @__PURE__ */ new Date()).toISOString(),
-		expires_at: cliAccessTokenExpiresAt(params.signup.expires_in),
-		oauth_client_id: params.signup.oauth_client_id,
-		oauth_grant_id: params.signup.oauth_grant_id,
-		org_id: params.signup.org_id,
-		org_name: params.signup.org_name,
-		refresh_token: params.signup.refresh_token,
-		token_type: params.signup.token_type
-	});
-}
 function writeStartInstructions(start, copy = DEFAULT_SIGNUP_COMMAND_COPY) {
 	process$1.stderr.write(`Sent a ${start.verification_code_length}-digit verification code to ${start.email}.\n`);
 	process$1.stderr.write(`The code expires in ${formatSignupSeconds(start.expires_in)}.\n`);
@@ -21504,12 +21573,14 @@ var OtpResendCommand = class extends SigninOtpResendCommand {
 };
 //#endregion
 //#region src/oclif/commands/whoami.ts
-function formatWhoamiSummary(account) {
-	return [
+function formatWhoamiSummary(account, managedInboxDomain) {
+	const lines = [
 		`Authenticated as ${account.email}`,
 		`Account id: ${account.id}`,
 		`Plan: ${account.plan}`
-	].join("\n");
+	];
+	if (managedInboxDomain) lines.push(`Managed inbox: any-local-part@${managedInboxDomain}`);
+	return lines.join("\n");
 }
 var WhoamiCommand = class WhoamiCommand extends Command {
 	static description = `Print the account currently authenticated by saved OAuth credentials or an explicit API key. Useful as a credentials smoke test: confirms auth is live and shows which account it belongs to.
@@ -21563,11 +21634,22 @@ var WhoamiCommand = class WhoamiCommand extends Command {
 				process.stderr.write("Server returned an empty account body; this should not happen for a valid key.\n");
 				throw new Errors.CLIError("unexpected empty response");
 			}
+			let managedInboxDomain = null;
+			try {
+				const domainsResult = await listDomains({
+					client: apiClient.client,
+					responseStyle: "fields"
+				});
+				if (!domainsResult.error) managedInboxDomain = (domainsResult.data?.data ?? []).find((row) => row.verified && row.managed_zone !== null)?.domain ?? null;
+			} catch {}
 			if (flags.json) {
-				this.log(JSON.stringify(account, null, 2));
+				this.log(JSON.stringify({
+					...account,
+					managed_inbox_domain: managedInboxDomain
+				}, null, 2));
 				return;
 			}
-			this.log(formatWhoamiSummary(account));
+			this.log(formatWhoamiSummary(account, managedInboxDomain));
 		});
 	}
 };

package/dist/oclif/root-signup-hint.js

@@ -1,4 +1,4 @@
-import { c as resolveConfigEnvironment, i as loadCliConfig, x as normalizeApiBaseUrl } from "../cli-config-D7wN_PBc.js";
+import { c as resolveConfigEnvironment, i as loadCliConfig, x as normalizeApiBaseUrl } from "../cli-config-B5hrwe8q.js";
 import { existsSync, readFileSync } from "node:fs";
 import { join } from "node:path";
 import { homedir } from "node:os";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/cli",
-  "version": "0.36.0",
+  "version": "0.38.0",
   "description": "Official Primitive CLI: deploy Primitive Functions, send and inspect mail, manage endpoints, all from the terminal. Wraps the @primitivedotdev/sdk runtime client with one-shot commands.",
   "type": "module",
   "sideEffects": false,