@primitivedotdev/cli 0.37.0 → 1.0.0

package/dist/{cli-config-D7wN_PBc.js → cli-config-B5hrwe8q.js}

@@ -949,6 +949,22 @@ function deleteCliCredentials(configDir) {
 	rmSync(credentialsPath(configDir), { force: true });
 	deleteChatState(configDir);
 }
+function saveSignupCredentials(params) {
+	deleteChatState(params.configDir);
+	saveCliCredentials(params.configDir, {
+		access_token: params.signup.access_token,
+		api_base_url: params.apiBaseUrl,
+		auth_method: "oauth",
+		created_at: (/* @__PURE__ */ new Date()).toISOString(),
+		expires_at: cliAccessTokenExpiresAt(params.signup.expires_in),
+		oauth_client_id: params.signup.oauth_client_id,
+		oauth_grant_id: params.signup.oauth_grant_id,
+		org_id: params.signup.org_id,
+		org_name: params.signup.org_name,
+		refresh_token: params.signup.refresh_token,
+		token_type: params.signup.token_type
+	});
+}
 function deleteCliCredentialsLock(configDir) {
 	rmSync(credentialsLockPath(configDir), {
 		force: true,
@@ -1311,4 +1327,4 @@ function redactCliEnvironment(environment) {
 	};
 }
 //#endregion
-export { createClient as A, saveCliCredentials as C, loadChatConversationByLocalId as D, loadActiveChatState as E, saveActiveChatState as O, resolveCliAuth as S, deleteChatState as T, deleteCliCredentials as _, normalizeCliEnvironmentName as a, loadCliCredentials as b, resolveConfigEnvironment as c, validateCliHeaderName as d, validateCliHeaderValue as f, credentialsPath as g, credentialsLockPath as h, loadCliConfig as i, createConfig as j, PrimitiveApiClient as k, saveCliConfig as l, cliAccessTokenExpiresAt as m, deleteCliConfig as n, redactCliEnvironment as o, acquireCliCredentialsLock as p, emptyCliConfig as r, removeCliEnvironment as s, DEFAULT_ENVIRONMENT as t, upsertCliEnvironment as u, deleteCliCredentialsLock as v, chatStatePath as w, normalizeApiBaseUrl as x, detectPrimitiveKeyEnvMisname as y };
+export { PrimitiveApiClient as A, saveCliCredentials as C, loadActiveChatState as D, deleteChatState as E, createConfig as M, loadChatConversationByLocalId as O, resolveCliAuth as S, chatStatePath as T, deleteCliCredentials as _, normalizeCliEnvironmentName as a, loadCliCredentials as b, resolveConfigEnvironment as c, validateCliHeaderName as d, validateCliHeaderValue as f, credentialsPath as g, credentialsLockPath as h, loadCliConfig as i, createClient as j, saveActiveChatState as k, saveCliConfig as l, cliAccessTokenExpiresAt as m, deleteCliConfig as n, redactCliEnvironment as o, acquireCliCredentialsLock as p, emptyCliConfig as r, removeCliEnvironment as s, DEFAULT_ENVIRONMENT as t, upsertCliEnvironment as u, deleteCliCredentialsLock as v, saveSignupCredentials as w, normalizeApiBaseUrl as x, detectPrimitiveKeyEnvMisname as y };

package/dist/oclif/index.js

@@ -1,6 +1,6 @@
-import { A as createClient, C as saveCliCredentials, D as loadChatConversationByLocalId, E as loadActiveChatState, O as saveActiveChatState, S as resolveCliAuth, T as deleteChatState, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as loadCliCredentials, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, j as createConfig, k as PrimitiveApiClient, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as chatStatePath, x as normalizeApiBaseUrl, y as detectPrimitiveKeyEnvMisname } from "../cli-config-D7wN_PBc.js";
+import { A as PrimitiveApiClient, C as saveCliCredentials, D as loadActiveChatState, E as deleteChatState, M as createConfig, O as loadChatConversationByLocalId, S as resolveCliAuth, T as chatStatePath, _ as deleteCliCredentials, a as normalizeCliEnvironmentName, b as loadCliCredentials, c as resolveConfigEnvironment, d as validateCliHeaderName, f as validateCliHeaderValue, g as credentialsPath, h as credentialsLockPath, i as loadCliConfig, j as createClient, k as saveActiveChatState, l as saveCliConfig, m as cliAccessTokenExpiresAt, n as deleteCliConfig, o as redactCliEnvironment, p as acquireCliCredentialsLock, r as emptyCliConfig, s as removeCliEnvironment, u as upsertCliEnvironment, v as deleteCliCredentialsLock, w as saveSignupCredentials, x as normalizeApiBaseUrl, y as detectPrimitiveKeyEnvMisname } from "../cli-config-B5hrwe8q.js";
 import { Args, Command, Errors, Flags, ux } from "@oclif/core";
-import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
+import { chmodSync, closeSync, existsSync, mkdirSync, openSync, readFileSync, readdirSync, renameSync, rmSync, statSync, unlinkSync, writeFileSync, writeSync } from "node:fs";
 import { randomUUID } from "node:crypto";
 import { basename, dirname, join, relative, resolve, sep } from "node:path";
 import { hostname } from "node:os";
@@ -14570,6 +14570,16 @@ const OPERATION_HINTS = {
 	verifyAgentSignup: "Tip: pass --verification-code <code> (or --code; both work). The response carries OAuth tokens but not your assigned inbox domain; run `primitive domains list` (or `primitive whoami`) after success to see the managed *.primitive.email address that routes to this account."
 };
 const OPERATION_FLAG_ALIASES = { verifyAgentSignup: { verification_code: ["code"] } };
+const OPERATION_SUCCESS_HOOKS = { verifyAgentSignup: ({ envelope, configDir, apiBaseUrl, writeStderr }) => {
+	const data = envelope?.data;
+	if (!data?.access_token || !data?.refresh_token) return;
+	saveSignupCredentials({
+		apiBaseUrl,
+		configDir,
+		signup: data
+	});
+	writeStderr("Credentials saved to the CLI config; `primitive whoami` will work on the next call.\n");
+} };
 function createOperationCommand(operation) {
 	const { flags, bodyFieldFlagToProperty } = buildFlags(operation);
 	const baseDescription = operation.description !== null && operation.description !== void 0 ? canonicalizeCliReferences(operation.description) : `${operation.method} ${operation.path}`;
@@ -14663,6 +14673,20 @@ function createOperationCommand(operation) {
 				writeIdempotentReplayBannerIfReplay(envelope?.data, { write: (chunk) => {
 					process.stderr.write(chunk);
 				} });
+				const successHook = OPERATION_SUCCESS_HOOKS[operation.sdkName];
+				if (successHook) try {
+					successHook({
+						envelope,
+						configDir: this.config.configDir,
+						apiBaseUrl: auth.apiBaseUrl,
+						writeStderr: (chunk) => {
+							process.stderr.write(chunk);
+						}
+					});
+				} catch (hookError) {
+					const detail = hookError instanceof Error ? hookError.message : String(hookError);
+					process.stderr.write(`Warning: ${operation.sdkName} succeeded but its post-success hook threw (${detail}). The response below is still valid; act on it manually.\n`);
+				}
 				this.log(JSON.stringify(operationOutputPayload(envelope, parsedFlags.envelope === true), null, 2));
 				if (isIncompleteDomainVerification(operation, envelope)) {
 					writeIncompleteDomainVerificationHint();
@@ -14718,6 +14742,173 @@ function readAttachmentFiles(paths, readFile = readFileSync) {
 	});
 }
 //#endregion
+//#region src/oclif/chat-lock.ts
+/**
+* Filesystem mutex around the chat-state read → POST → save sequence.
+*
+* Why this exists. The chat reply flow is read-modify-write across an
+* RTT to the API: `loadActiveChatState` → `replyToEmail` → poll → save.
+* Two concurrent invocations (e.g. the user re-runs `primitive chat
+* reply` before the first cycle finishes its 5–12 s poll) read the
+* same stale `last_reply_email_id` and POST to it, producing a
+* duplicate /v1/emails/{id}/reply that the server deduplicates by
+* content_hash. The second invocation then polls forever for a reply
+* that arrived in response to the *first* send and has already been
+* surfaced by the *first* invocation.
+*
+* The lock is per-process-config-dir, not per-conversation: holding it
+* for a few seconds while one chat reply completes is a reasonable UX
+* constraint and clearly explained on contention. The lock is
+* re-entrant within a single Node process (ChatReplyCommand wraps
+* ChatCommand internally), but rejects cross-process contention.
+*
+* Liveness. The lock file stores the holder's PID. On EEXIST we probe
+* the holder with `process.kill(pid, 0)`; if the holder is gone (e.g.
+* a previous chat invocation crashed without releasing), we steal the
+* lock. This avoids needing a heartbeat or mtime-based stale check,
+* either of which has its own race surface.
+*
+* Releases. The returned function is idempotent. Callers must call it
+* in a finally block. We also register process-exit / signal handlers
+* so a Ctrl-C during the poll loop still cleans up.
+*/
+const LOCK_FILENAME = "chat-state.lock";
+let processHolder = null;
+/**
+* Whether we've installed our exit / signal listeners on the
+* `process` object. Done lazily on first acquire and never undone:
+* adding handlers per-acquire would let them accumulate (each
+* acquire registers four listeners, and `process.once` can't be
+* un-once'd), which is harmless in production but produces
+* `MaxListenersExceededWarning` + cascading no-op fires in tests
+* that acquire/release across many `it()` blocks. Greptile P2.
+*
+* The handlers consult the current `processHolder` and act only if
+* a lock is actually held, so leaving them installed across
+* release boundaries is safe: a released or never-acquired lock
+* makes them no-ops.
+*/
+let exitListenersInstalled = false;
+function installExitListenersOnce() {
+	if (exitListenersInstalled) return;
+	exitListenersInstalled = true;
+	const cleanup = () => {
+		if (processHolder === null) return;
+		try {
+			unlinkSync(lockPath(processHolder.configDir));
+		} catch {}
+		processHolder = null;
+	};
+	process.on("exit", cleanup);
+	for (const signal of [
+		"SIGINT",
+		"SIGTERM",
+		"SIGHUP"
+	]) {
+		const handler = () => {
+			cleanup();
+			process.removeListener(signal, handler);
+			process.kill(process.pid, signal);
+		};
+		process.on(signal, handler);
+	}
+}
+function lockPath(configDir) {
+	return join(configDir, LOCK_FILENAME);
+}
+/**
+* `process.kill(pid, 0)` returns true if the process exists and we
+* have permission to signal it. Throws ESRCH when the pid is gone,
+* EPERM if it exists but isn't ours. Both "exists" cases mean we
+* should NOT steal the lock; only ESRCH proves the holder is dead.
+*/
+function pidIsAlive(pid) {
+	try {
+		process.kill(pid, 0);
+		return true;
+	} catch (err) {
+		if (err.code === "ESRCH") return false;
+		return true;
+	}
+}
+function readHolderPid(configDir) {
+	try {
+		const raw = readFileSync(lockPath(configDir), "utf8").trim();
+		const pid = Number.parseInt(raw, 10);
+		return Number.isFinite(pid) && pid > 0 ? pid : null;
+	} catch {
+		return null;
+	}
+}
+var ChatLockContentionError = class extends Error {
+	constructor(holderPid) {
+		super(`Another \`primitive chat\` invocation (pid ${holderPid}) is in progress. Wait for it to finish, or kill it before retrying.`);
+		this.holderPid = holderPid;
+		this.name = "ChatLockContentionError";
+	}
+};
+/**
+* Acquire the chat-state mutex for this configDir. Returns a release
+* function that is safe to call any number of times. Throws
+* `ChatLockContentionError` if another live process holds the lock.
+*/
+function acquireChatLock(configDir) {
+	if (processHolder?.configDir === configDir) {
+		processHolder.depth += 1;
+		let released = false;
+		return () => {
+			if (released) return;
+			released = true;
+			if (processHolder !== null) processHolder.depth -= 1;
+		};
+	}
+	mkdirSync(configDir, {
+		mode: 448,
+		recursive: true
+	});
+	for (let attempt = 0; attempt < 2; attempt++) {
+		let fd;
+		try {
+			fd = openSync(lockPath(configDir), "wx", 384);
+		} catch (err) {
+			if (err.code !== "EEXIST") throw err;
+			const holder = readHolderPid(configDir);
+			if (holder === null || !pidIsAlive(holder)) {
+				try {
+					unlinkSync(lockPath(configDir));
+				} catch (unlinkErr) {
+					if (unlinkErr.code !== "ENOENT") throw unlinkErr;
+				}
+				continue;
+			}
+			throw new ChatLockContentionError(holder);
+		}
+		writeSync(fd, `${process.pid}\n`);
+		closeSync(fd);
+		processHolder = {
+			configDir,
+			depth: 1
+		};
+		installExitListenersOnce();
+		let released = false;
+		return () => {
+			if (released) return;
+			released = true;
+			if (processHolder?.configDir === configDir) {
+				processHolder.depth -= 1;
+				if (processHolder.depth <= 0) {
+					try {
+						unlinkSync(lockPath(configDir));
+					} catch {}
+					processHolder = null;
+				}
+			}
+		};
+	}
+	/* v8 ignore next 4 -- the for-loop returns or throws on every iteration; the unreachable trailer keeps TS happy. */
+	throw new Error("acquireChatLock: exhausted retries (this is a bug — should not be reachable)");
+}
+//#endregion
 //#region src/oclif/outbound-defaults.ts
 const SUBJECT_MAX_LENGTH = 200;
 function deriveSubject(body) {
@@ -15031,7 +15222,7 @@ function matchDescription(strategy) {
 	return strategy === "strict" ? "strict, matched by reply_to_sent_email_id" : "fallback, matched by sender/time window";
 }
 function normalizeEmailAddress(value) {
-	return value.trim().toLowerCase();
+	return (value.match(/<([^>]+)>/)?.[1] ?? value).trim().toLowerCase();
 }
 function derivedReplySubject(parent) {
 	const subject = parent.subject?.trim();
@@ -15209,6 +15400,28 @@ function persistActiveChat(params) {
 		return null;
 	}
 }
+/**
+* Pick the email id to surface from the one-shot strict search we run
+* when the server returned `idempotent_replay: true`. The search has
+* no `since` filter (the existing reply, if any, predates this
+* attempt's `sentAtIso`), so we may receive multiple historical
+* inbounds matching `reply_to_sent_email_id = sent.id` if the user
+* has been hammering the same content. Prefer the most recent
+* accepted/completed row; reject pending/processing rows the way the
+* normal poll does.
+*/
+async function resolveIdempotentReplayReply(page) {
+	if (!page.ok || page.rows.length === 0) return null;
+	let latest = null;
+	for (const row of page.rows) {
+		if (row.status !== "accepted" && row.status !== "completed") continue;
+		if (latest === null || row.received_at.localeCompare(latest.receivedAt) > 0) latest = {
+			id: row.id,
+			receivedAt: row.received_at
+		};
+	}
+	return latest?.id ?? null;
+}
 function formatChatResponse(context) {
 	const accepted = context.sent.accepted.join(", ") || context.recipient;
 	const responseBody = resolveChatResponseBody(context.reply);
@@ -15423,181 +15636,243 @@ var ChatCommand = class ChatCommand extends Command {
 		const message = flags.reply !== void 0 ? flags.reply : args.message !== void 0 && args.message !== "" ? args.message : await readStdinToString();
 		if (!message.trim()) throw cliError$6(replyMode ? "Reply body is empty." : "Message body is empty.");
 		await runWithTiming(flags.time, async () => {
-			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
-				apiKey: flags["api-key"],
-				apiBaseUrl: flags["api-base-url"],
-				configDir: this.config.configDir
-			});
-			const authFailureContext = {
-				auth,
-				baseUrlOverridden,
-				configDir: this.config.configDir
-			};
-			const progress = flags.quiet ? null : new ChatProgressIndicator(process.stderr);
-			const attachments = readAttachmentFiles(flags.attachment);
-			let from;
-			let parentReply;
-			let subject;
-			if (replyMode) {
-				const replyContext = await (async () => {
-					let replyContextFailureMessage = "Could not load reply context.";
-					try {
-						if (flags["reply-to-email-id"] !== void 0) {
-							progress?.start(`Loading reply context for ${flags["reply-to-email-id"]}`);
-							const exactParentReply = await loadInboundEmailDetail({
+			let releaseLock;
+			try {
+				releaseLock = acquireChatLock(this.config.configDir);
+			} catch (err) {
+				if (err instanceof ChatLockContentionError) throw cliError$6(err.message);
+				throw err;
+			}
+			try {
+				const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+					apiKey: flags["api-key"],
+					apiBaseUrl: flags["api-base-url"],
+					configDir: this.config.configDir
+				});
+				const authFailureContext = {
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir
+				};
+				const progress = flags.quiet ? null : new ChatProgressIndicator(process.stderr);
+				const attachments = readAttachmentFiles(flags.attachment);
+				let from;
+				let parentReply;
+				let subject;
+				if (replyMode) {
+					const replyContext = await (async () => {
+						let replyContextFailureMessage = "Could not load reply context.";
+						try {
+							if (flags["reply-to-email-id"] !== void 0) {
+								progress?.start(`Loading reply context for ${flags["reply-to-email-id"]}`);
+								const exactParentReply = await loadInboundEmailDetail({
+									apiClient,
+									authFailureContext,
+									id: flags["reply-to-email-id"]
+								});
+								replyContextFailureMessage = `Inbound email ${flags["reply-to-email-id"]} does not match recipient ${args.recipient}.`;
+								assertParentMatchesRecipient(exactParentReply, args.recipient);
+								return {
+									from: flags.from ?? exactParentReply.to_email,
+									parentReply: exactParentReply
+								};
+							}
+							const replyFrom = flags.from ?? await pickDefaultFromAddress(apiClient, authFailureContext);
+							progress?.start(`Finding latest inbound email from ${args.recipient}`);
+							const latestParentReply = await findLatestInboundFromRecipient({
 								apiClient,
 								authFailureContext,
-								id: flags["reply-to-email-id"]
+								from: replyFrom,
+								pageSize: flags["page-size"],
+								recipient: args.recipient
 							});
-							replyContextFailureMessage = `Inbound email ${flags["reply-to-email-id"]} does not match recipient ${args.recipient}.`;
-							assertParentMatchesRecipient(exactParentReply, args.recipient);
+							if (!latestParentReply) {
+								replyContextFailureMessage = "No prior inbound email found.";
+								throw cliError$6(`No prior inbound email from ${args.recipient} to ${replyFrom}. Start a new chat with \`primitive chat ${args.recipient} <message>\`, pass --from, or pass --reply-to-email-id <inbound-email-id>.`);
+							}
+							replyContextFailureMessage = `Inbound email ${latestParentReply.id} does not match recipient ${args.recipient}.`;
+							assertParentMatchesRecipient(latestParentReply, args.recipient);
 							return {
-								from: flags.from ?? exactParentReply.to_email,
-								parentReply: exactParentReply
+								from: replyFrom,
+								parentReply: latestParentReply
 							};
+						} catch (error) {
+							progress?.fail(replyContextFailureMessage);
+							throw error;
 						}
-						const replyFrom = flags.from ?? await pickDefaultFromAddress(apiClient, authFailureContext);
-						progress?.start(`Finding latest inbound email from ${args.recipient}`);
-						const latestParentReply = await findLatestInboundFromRecipient({
-							apiClient,
-							authFailureContext,
-							from: replyFrom,
-							pageSize: flags["page-size"],
-							recipient: args.recipient
-						});
-						if (!latestParentReply) {
-							replyContextFailureMessage = "No prior inbound email found.";
-							throw cliError$6(`No prior inbound email from ${args.recipient} to ${replyFrom}. Start a new chat with \`primitive chat ${args.recipient} <message>\`, pass --from, or pass --reply-to-email-id <inbound-email-id>.`);
-						}
-						replyContextFailureMessage = `Inbound email ${latestParentReply.id} does not match recipient ${args.recipient}.`;
-						assertParentMatchesRecipient(latestParentReply, args.recipient);
-						return {
-							from: replyFrom,
-							parentReply: latestParentReply
-						};
-					} catch (error) {
-						progress?.fail(replyContextFailureMessage);
-						throw error;
-					}
-				})();
-				from = replyContext.from;
-				parentReply = replyContext.parentReply;
-				subject = derivedReplySubject(replyContext.parentReply);
-			} else {
-				from = flags.from ?? await pickDefaultFromAddress(apiClient, authFailureContext);
-				subject = flags.subject ?? deriveSubject(message);
-			}
-			const sentAtIso = (/* @__PURE__ */ new Date()).toISOString();
-			if (replyMode) progress?.update(`Sending reply to ${args.recipient}`);
-			else progress?.start(`Sending message to ${args.recipient}`);
-			const sendResult = parentReply !== void 0 ? await replyToEmail({
-				body: {
-					body_text: message,
-					from,
-					...attachments !== void 0 ? { attachments } : {}
-				},
-				client: apiClient.client,
-				path: { id: parentReply.id },
-				responseStyle: "fields"
-			}) : await sendEmail({
-				body: {
-					from,
-					to: args.recipient,
-					subject,
-					body_text: message,
-					...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
-					...attachments !== void 0 ? { attachments } : {}
-				},
-				client: apiClient.client,
-				responseStyle: "fields"
-			});
-			if (sendResult.error) {
-				progress?.fail(replyMode ? "Reply send failed." : "Message send failed.");
-				const errorPayload = extractErrorPayload(sendResult.error);
-				writeErrorWithHints(errorPayload);
-				surfaceUnauthorizedHint({
-					...authFailureContext,
-					payload: errorPayload
+					})();
+					from = replyContext.from;
+					parentReply = replyContext.parentReply;
+					subject = derivedReplySubject(replyContext.parentReply);
+				} else {
+					from = flags.from ?? await pickDefaultFromAddress(apiClient, authFailureContext);
+					subject = flags.subject ?? deriveSubject(message);
+				}
+				const sentAtIso = (/* @__PURE__ */ new Date()).toISOString();
+				if (replyMode) progress?.update(`Sending reply to ${args.recipient}`);
+				else progress?.start(`Sending message to ${args.recipient}`);
+				const sendResult = parentReply !== void 0 ? await replyToEmail({
+					body: {
+						body_text: message,
+						from,
+						...attachments !== void 0 ? { attachments } : {}
+					},
+					client: apiClient.client,
+					path: { id: parentReply.id },
+					responseStyle: "fields"
+				}) : await sendEmail({
+					body: {
+						from,
+						to: args.recipient,
+						subject,
+						body_text: message,
+						...flags["in-reply-to"] !== void 0 ? { in_reply_to: flags["in-reply-to"] } : {},
+						...attachments !== void 0 ? { attachments } : {}
+					},
+					client: apiClient.client,
+					responseStyle: "fields"
 				});
-				process.exitCode = 1;
-				return;
-			}
-			const sent = sendResult.data?.data;
-			if (!sent) {
-				progress?.fail("Send succeeded but the API returned no data.");
-				throw cliError$6("Send succeeded but the API returned no data.");
-			}
-			const replyAddress = sent.from || from;
-			progress?.update(`${replyMode ? "Reply" : "Message"} sent; waiting for reply from ${args.recipient}`, {
-				heartbeatMs: 15e3,
-				timeoutSeconds: flags.timeout
-			});
-			const baseContext = {
-				from: replyAddress,
-				json: flags.json,
-				parentReply,
-				quiet: flags.quiet,
-				recipient: args.recipient,
-				sent,
-				sentAtIso,
-				strictOnly: flags["strict-only"],
-				strictPhaseSeconds: flags["strict-phase-seconds"],
-				subject,
-				timeoutSeconds: flags.timeout
-			};
-			let replyResult;
-			try {
-				replyResult = await waitForReply({
-					apiClient,
-					authFailureContext,
+				if (sendResult.error) {
+					progress?.fail(replyMode ? "Reply send failed." : "Message send failed.");
+					const errorPayload = extractErrorPayload(sendResult.error);
+					writeErrorWithHints(errorPayload);
+					surfaceUnauthorizedHint({
+						...authFailureContext,
+						payload: errorPayload
+					});
+					process.exitCode = 1;
+					return;
+				}
+				const sent = sendResult.data?.data;
+				if (!sent) {
+					progress?.fail("Send succeeded but the API returned no data.");
+					throw cliError$6("Send succeeded but the API returned no data.");
+				}
+				const replyAddress = sent.from || from;
+				const baseContext = {
 					from: replyAddress,
-					interval: flags.interval,
-					notice: (message) => {
-						if (progress) {
-							progress.notice(message);
-							return;
-						}
-						process.stderr.write(`${message}\n`);
-					},
-					pageSize: flags["page-size"],
+					json: flags.json,
+					parentReply,
+					quiet: flags.quiet,
 					recipient: args.recipient,
+					sent,
 					sentAtIso,
-					sentId: sent.id,
 					strictOnly: flags["strict-only"],
 					strictPhaseSeconds: flags["strict-phase-seconds"],
+					subject,
+					timeoutSeconds: flags.timeout
+				};
+				if (sent.idempotent_replay) {
+					progress?.update("Server returned idempotent_replay: looking up the existing reply");
+					const replyId = await resolveIdempotentReplayReply(await fetchEmailSearchPage({
+						apiClient,
+						cursor: null,
+						filters: { replyToSentEmailId: sent.id },
+						pageSize: flags["page-size"]
+					}));
+					if (replyId) {
+						const full = await getEmail({
+							client: apiClient.client,
+							path: { id: replyId },
+							responseStyle: "fields"
+						});
+						if (full.error) {
+							const payload = extractErrorPayload(full.error);
+							writeErrorWithHints(payload);
+							surfaceUnauthorizedHint({
+								...authFailureContext,
+								payload
+							});
+							throw cliError$6(`Idempotent replay: existing reply found but fetching it failed (id=${replyId}).`);
+						}
+						const envelope = full.data;
+						const detail = envelope?.data ?? envelope ?? null;
+						if (!detail) throw cliError$6(`Idempotent replay: existing reply body could not be loaded (id=${replyId}).`);
+						progress?.succeed(`Idempotent replay; surfacing existing reply from ${detail.from_email ?? args.recipient}`);
+						let outputContext = {
+							...baseContext,
+							matchStrategy: "strict",
+							reply: detail
+						};
+						const localChatId = persistActiveChat({
+							configDir: this.config.configDir,
+							context: outputContext,
+							preferredLocalId: flags["chat-local-id"],
+							writeWarning: (message) => process.stderr.write(message)
+						});
+						if (localChatId !== null) outputContext = {
+							...outputContext,
+							localChatId
+						};
+						if (flags.json) this.log(JSON.stringify(buildChatJsonEnvelope(outputContext), null, 2));
+						else this.log(formatChatResponse(outputContext));
+						return;
+					}
+					progress?.fail("Server deduplicated this send (idempotent_replay: true).");
+					process.stderr.write(`${chatNoticeText(`The server detected this exact content was sent earlier and did not put a new message on the wire. The original send (sent.id=${sent.id}) has not received a reply yet. Vary the body — or change the parent (reply to a different inbound) — to retry with a fresh send.`)}\n`);
+					process.exitCode = 1;
+					return;
+				}
+				progress?.update(`${replyMode ? "Reply" : "Message"} sent; waiting for reply from ${args.recipient}`, {
+					heartbeatMs: 15e3,
 					timeoutSeconds: flags.timeout
 				});
-			} catch (error) {
-				progress?.fail("Reply polling failed.");
-				process.stderr.write(`${formatChatRecoveryContext(baseContext)}\n`);
-				throw error;
-			}
-			if (replyResult === null) {
-				const timeoutMessage = `Timed out after ${flags.timeout}s waiting for a reply from ${args.recipient}.`;
-				progress?.fail(timeoutMessage);
-				if (progress === null) process.stderr.write(`${timeoutMessage}\n`);
-				process.stderr.write(`${formatChatRecoveryContext(baseContext)}\n`);
-				process.exitCode = 1;
-				return;
+				let replyResult;
+				try {
+					replyResult = await waitForReply({
+						apiClient,
+						authFailureContext,
+						from: replyAddress,
+						interval: flags.interval,
+						notice: (message) => {
+							if (progress) {
+								progress.notice(message);
+								return;
+							}
+							process.stderr.write(`${message}\n`);
+						},
+						pageSize: flags["page-size"],
+						recipient: args.recipient,
+						sentAtIso,
+						sentId: sent.id,
+						strictOnly: flags["strict-only"],
+						strictPhaseSeconds: flags["strict-phase-seconds"],
+						timeoutSeconds: flags.timeout
+					});
+				} catch (error) {
+					progress?.fail("Reply polling failed.");
+					process.stderr.write(`${formatChatRecoveryContext(baseContext)}\n`);
+					throw error;
+				}
+				if (replyResult === null) {
+					const timeoutMessage = `Timed out after ${flags.timeout}s waiting for a reply from ${args.recipient}.`;
+					progress?.fail(timeoutMessage);
+					if (progress === null) process.stderr.write(`${timeoutMessage}\n`);
+					process.stderr.write(`${formatChatRecoveryContext(baseContext)}\n`);
+					process.exitCode = 1;
+					return;
+				}
+				progress?.succeed(`Reply received from ${replyResult.reply.from_email}`);
+				let outputContext = {
+					...baseContext,
+					matchStrategy: replyResult.matchStrategy,
+					reply: replyResult.reply
+				};
+				const localChatId = persistActiveChat({
+					configDir: this.config.configDir,
+					context: outputContext,
+					preferredLocalId: flags["chat-local-id"],
+					writeWarning: (message) => process.stderr.write(message)
+				});
+				if (localChatId !== null) outputContext = {
+					...outputContext,
+					localChatId
+				};
+				if (flags.json) this.log(JSON.stringify(buildChatJsonEnvelope(outputContext), null, 2));
+				else this.log(formatChatResponse(outputContext));
+			} finally {
+				releaseLock();
 			}
-			progress?.succeed(`Reply received from ${replyResult.reply.from_email}`);
-			let outputContext = {
-				...baseContext,
-				matchStrategy: replyResult.matchStrategy,
-				reply: replyResult.reply
-			};
-			const localChatId = persistActiveChat({
-				configDir: this.config.configDir,
-				context: outputContext,
-				preferredLocalId: flags["chat-local-id"],
-				writeWarning: (message) => process.stderr.write(message)
-			});
-			if (localChatId !== null) outputContext = {
-				...outputContext,
-				localChatId
-			};
-			if (flags.json) this.log(JSON.stringify(buildChatJsonEnvelope(outputContext), null, 2));
-			else this.log(formatChatResponse(outputContext));
 		});
 	}
 };
@@ -15675,38 +15950,49 @@ var ChatReplyCommand = class ChatReplyCommand extends Command {
 		const positionalLocalId = flags.id === void 0 && args.message !== void 0 ? parseLocalChatIdArg(args.idOrMessage) : void 0;
 		if (flags.id === void 0 && args.message !== void 0 && positionalLocalId === null) throw cliError$6("When passing two positional arguments to `primitive chat reply`, the first must be a local chat id. Use `primitive chat reply '<message>'` for the active chat or `primitive chat reply --id <id> '<message>'` for a specific chat.");
 		if (flags.id !== void 0 && args.message !== void 0) throw cliError$6("With --id, pass the reply body as a single positional argument or pipe it via stdin.");
-		const localId = flags.id ?? (typeof positionalLocalId === "number" ? positionalLocalId : void 0);
-		const state = localId === void 0 ? loadActiveChatState(this.config.configDir) : loadChatConversationByLocalId(this.config.configDir, localId);
-		if (!state) throw cliError$6(localId === void 0 ? "No open chat. Start one with `primitive chat <email> '<message>'`." : `No local chat ${localId}. Start one with \`primitive chat <email> '<message>'\` or omit --id to use the active chat.`);
-		const message = args.message !== void 0 ? args.message : args.idOrMessage !== void 0 && args.idOrMessage !== "" ? args.idOrMessage : await readStdinToString("No reply body provided. Pass the reply body as a positional argument or pipe it via stdin.");
-		if (!message.trim()) throw cliError$6("Reply body is empty.");
-		const argv = [
-			state.recipient,
-			"--reply",
-			message,
-			"--from",
-			state.from,
-			"--reply-to-email-id",
-			state.last_reply_email_id,
-			"--timeout",
-			String(flags.timeout ?? state.timeout_seconds),
-			"--strict-phase-seconds",
-			String(flags["strict-phase-seconds"] ?? state.strict_phase_seconds),
-			"--interval",
-			String(flags.interval ?? 2),
-			"--page-size",
-			String(flags["page-size"] ?? 50),
-			"--chat-local-id",
-			String(state.local_id)
-		];
-		if (flags["api-key"] !== void 0) argv.push("--api-key", flags["api-key"]);
-		if (flags["api-base-url"] !== void 0) argv.push("--api-base-url", flags["api-base-url"]);
-		if (flags.json) argv.push("--json");
-		if (flags.quiet) argv.push("--quiet");
-		for (const attachment of flags.attachment ?? []) argv.push("--attachment", attachment);
-		if (state.strict_only || flags["strict-only"]) argv.push("--strict-only");
-		if (flags.time) argv.push("--time");
-		await ChatCommand.run(argv, { root: this.config.root });
+		let release;
+		try {
+			release = acquireChatLock(this.config.configDir);
+		} catch (err) {
+			if (err instanceof ChatLockContentionError) throw cliError$6(err.message);
+			throw err;
+		}
+		try {
+			const localId = flags.id ?? (typeof positionalLocalId === "number" ? positionalLocalId : void 0);
+			const state = localId === void 0 ? loadActiveChatState(this.config.configDir) : loadChatConversationByLocalId(this.config.configDir, localId);
+			if (!state) throw cliError$6(localId === void 0 ? "No open chat. Start one with `primitive chat <email> '<message>'`." : `No local chat ${localId}. Start one with \`primitive chat <email> '<message>'\` or omit --id to use the active chat.`);
+			const message = args.message !== void 0 ? args.message : args.idOrMessage !== void 0 && args.idOrMessage !== "" ? args.idOrMessage : await readStdinToString("No reply body provided. Pass the reply body as a positional argument or pipe it via stdin.");
+			if (!message.trim()) throw cliError$6("Reply body is empty.");
+			const argv = [
+				state.recipient,
+				"--reply",
+				message,
+				"--from",
+				state.from,
+				"--reply-to-email-id",
+				state.last_reply_email_id,
+				"--timeout",
+				String(flags.timeout ?? state.timeout_seconds),
+				"--strict-phase-seconds",
+				String(flags["strict-phase-seconds"] ?? state.strict_phase_seconds),
+				"--interval",
+				String(flags.interval ?? 2),
+				"--page-size",
+				String(flags["page-size"] ?? 50),
+				"--chat-local-id",
+				String(state.local_id)
+			];
+			if (flags["api-key"] !== void 0) argv.push("--api-key", flags["api-key"]);
+			if (flags["api-base-url"] !== void 0) argv.push("--api-base-url", flags["api-base-url"]);
+			if (flags.json) argv.push("--json");
+			if (flags.quiet) argv.push("--quiet");
+			for (const attachment of flags.attachment ?? []) argv.push("--attachment", attachment);
+			if (state.strict_only || flags["strict-only"]) argv.push("--strict-only");
+			if (flags.time) argv.push("--time");
+			await ChatCommand.run(argv, { root: this.config.root });
+		} finally {
+			release();
+		}
 	}
 };
 async function waitForReply(params) {
@@ -17684,8 +17970,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^0.37.0";
-const CLI_VERSION_RANGE = "^0.37.0";
+const SDK_VERSION_RANGE = "^1.0.0";
+const CLI_VERSION_RANGE = "^1.0.0";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
@@ -20189,22 +20475,6 @@ async function checkExistingCredentials(params) {
 	}
 	throw cliError$2(`Already logged in${existing.org_name ? ` for ${existing.org_name}` : ""}. Run \`primitive logout\` before ${copy.actionGerund}.`);
 }
-function saveSignupCredentials(params) {
-	deleteChatState(params.configDir);
-	saveCliCredentials(params.configDir, {
-		access_token: params.signup.access_token,
-		api_base_url: params.apiBaseUrl,
-		auth_method: "oauth",
-		created_at: (/* @__PURE__ */ new Date()).toISOString(),
-		expires_at: cliAccessTokenExpiresAt(params.signup.expires_in),
-		oauth_client_id: params.signup.oauth_client_id,
-		oauth_grant_id: params.signup.oauth_grant_id,
-		org_id: params.signup.org_id,
-		org_name: params.signup.org_name,
-		refresh_token: params.signup.refresh_token,
-		token_type: params.signup.token_type
-	});
-}
 function writeStartInstructions(start, copy = DEFAULT_SIGNUP_COMMAND_COPY) {
 	process$1.stderr.write(`Sent a ${start.verification_code_length}-digit verification code to ${start.email}.\n`);
 	process$1.stderr.write(`The code expires in ${formatSignupSeconds(start.expires_in)}.\n`);

package/dist/oclif/root-signup-hint.js

@@ -1,4 +1,4 @@
-import { c as resolveConfigEnvironment, i as loadCliConfig, x as normalizeApiBaseUrl } from "../cli-config-D7wN_PBc.js";
+import { c as resolveConfigEnvironment, i as loadCliConfig, x as normalizeApiBaseUrl } from "../cli-config-B5hrwe8q.js";
 import { existsSync, readFileSync } from "node:fs";
 import { join } from "node:path";
 import { homedir } from "node:os";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/cli",
-  "version": "0.37.0",
+  "version": "1.0.0",
   "description": "Official Primitive CLI: deploy Primitive Functions, send and inspect mail, manage endpoints, all from the terminal. Wraps the @primitivedotdev/sdk runtime client with one-shot commands.",
   "type": "module",
   "sideEffects": false,