@primitivedotdev/cli 1.0.1 → 1.2.0

package/README.md

@@ -48,7 +48,7 @@ Use `primitive signin <email> --signup-code <code> --accept-terms`, then `primit
 
 Use `primitive logout --force` to remove local CLI credentials, pending email-code auth state, and stale credential locks without contacting Primitive. This is the recovery command when an interrupted auth command leaves the CLI saying another credential operation is already in progress.
 
-Use `primitive signup <email>` for new account creation, then `primitive signup confirm <email> <code>` with the emailed verification code. Non-interactive signup is available with `--signup-code` and `--accept-terms`.
+Use `primitive signup <email>` for new account creation, then `primitive signup confirm <email> <code>` with the emailed verification code. Non-interactive signup is available with `--accept-terms` (pass `--signup-code <code>` too if you have one).
 
 ## Command style
 

package/dist/oclif/index.js

@@ -124,10 +124,11 @@ const pollCliLogin = (options) => (options.client ?? client).post({
 /**
 * Start CLI account signup
 *
-* Starts a terminal-native CLI signup. The API validates the signup code,
-* creates a pending signup session, sends an email verification code, and
-* returns an opaque signup token used by the resend and verify steps. This
-* endpoint does not require an API key.
+* Starts a terminal-native CLI signup. `signup_code` is optional;
+* omit it to sign up without one. The API creates a pending signup
+* session, sends an email verification code, and returns an opaque
+* signup token used by the resend and verify steps. This endpoint
+* does not require an API key.
 *
 */
 const startCliSignup = (options) => (options.client ?? client).post({
@@ -156,10 +157,12 @@ const resendCliSignupVerification = (options) => (options.client ?? client).post
 /**
 * Verify CLI signup and create OAuth session
 *
-* Verifies the email code for a CLI signup session, creates the account,
-* redeems the reserved signup code, creates an org-scoped OAuth CLI
-* session, and returns the token set exactly once. This endpoint does not
-* require an API key.
+* Verifies the email code for a CLI signup session and creates the
+* account. When the session was started with a `signup_code`, the
+* reserved code is redeemed; sessions started without a code skip
+* the redemption step. Either way an org-scoped OAuth CLI session
+* is created and the token set is returned exactly once. This
+* endpoint does not require an API key.
 *
 */
 const verifyCliSignup = (options) => (options.client ?? client).post({
@@ -173,10 +176,11 @@ const verifyCliSignup = (options) => (options.client ?? client).post({
 /**
 * Start agent account signup
 *
-* Starts an agent-native signup session. The API validates the signup code,
-* creates a pending signup session, sends an email verification code, and
-* returns an opaque signup token used by the resend and verify steps. This
-* endpoint does not require an API key.
+* Starts an agent-native signup session. `signup_code` is optional;
+* omit it to sign up without one. The API creates a pending signup
+* session, sends an email verification code, and returns an opaque
+* signup token used by the resend and verify steps. This endpoint
+* does not require an API key.
 *
 */
 const startAgentSignup = (options) => (options.client ?? client).post({
@@ -205,11 +209,15 @@ const resendAgentSignupVerification = (options) => (options.client ?? client).po
 /**
 * Verify agent signup and create OAuth tokens
 *
-* Verifies the email code for an agent signup session, creates the account
-* when needed, redeems the reserved signup code, mints an org-scoped OAuth
-* session for CLI authentication, and returns the raw tokens exactly once.
-* For existing users, the optional `org_id` selects which accessible
-* workspace should receive the new session.
+* Verifies the email code for an agent signup session and creates
+* the account when needed. When the session was started with a
+* `signup_code`, the reserved code is redeemed; sessions started
+* without a code skip the redemption step. An org-scoped OAuth
+* session for CLI authentication is minted and the raw tokens are
+* returned exactly once. For existing users, the optional `org_id`
+* selects which accessible workspace should receive the new
+* session (no signup-code redemption is performed for existing
+* users regardless of how the session was started).
 *
 */
 const verifyAgentSignup = (options) => (options.client ?? client).post({
@@ -1642,7 +1650,7 @@ const openapiDocument = {
 		"/cli/signup/start": { "post": {
 			"operationId": "startCliSignup",
 			"summary": "Start CLI account signup",
-			"description": "Starts a terminal-native CLI signup. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
+			"description": "Starts a terminal-native CLI signup. `signup_code` is optional;\nomit it to sign up without one. The API creates a pending signup\nsession, sends an email verification code, and returns an opaque\nsignup token used by the resend and verify steps. This endpoint\ndoes not require an API key.\n",
 			"tags": ["CLI"],
 			"security": [],
 			"requestBody": {
@@ -1704,7 +1712,7 @@ const openapiDocument = {
 		"/cli/signup/verify": { "post": {
 			"operationId": "verifyCliSignup",
 			"summary": "Verify CLI signup and create OAuth session",
-			"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, creates an org-scoped OAuth CLI\nsession, and returns the token set exactly once. This endpoint does not\nrequire an API key.\n",
+			"description": "Verifies the email code for a CLI signup session and creates the\naccount. When the session was started with a `signup_code`, the\nreserved code is redeemed; sessions started without a code skip\nthe redemption step. Either way an org-scoped OAuth CLI session\nis created and the token set is returned exactly once. This\nendpoint does not require an API key.\n",
 			"tags": ["CLI"],
 			"security": [],
 			"requestBody": {
@@ -1733,7 +1741,7 @@ const openapiDocument = {
 		"/agent/signup/start": { "post": {
 			"operationId": "startAgentSignup",
 			"summary": "Start agent account signup",
-			"description": "Starts an agent-native signup session. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
+			"description": "Starts an agent-native signup session. `signup_code` is optional;\nomit it to sign up without one. The API creates a pending signup\nsession, sends an email verification code, and returns an opaque\nsignup token used by the resend and verify steps. This endpoint\ndoes not require an API key.\n",
 			"tags": ["Agent"],
 			"security": [],
 			"requestBody": {
@@ -1795,7 +1803,7 @@ const openapiDocument = {
 		"/agent/signup/verify": { "post": {
 			"operationId": "verifyAgentSignup",
 			"summary": "Verify agent signup and create OAuth tokens",
-			"description": "Verifies the email code for an agent signup session, creates the account\nwhen needed, redeems the reserved signup code, mints an org-scoped OAuth\nsession for CLI authentication, and returns the raw tokens exactly once.\nFor existing users, the optional `org_id` selects which accessible\nworkspace should receive the new session.\n",
+			"description": "Verifies the email code for an agent signup session and creates\nthe account when needed. When the session was started with a\n`signup_code`, the reserved code is redeemed; sessions started\nwithout a code skip the redemption step. An org-scoped OAuth\nsession for CLI authentication is minted and the raw tokens are\nreturned exactly once. For existing users, the optional `org_id`\nselects which accessible workspace should receive the new\nsession (no signup-code redemption is performed for existing\nusers regardless of how the session was started).\n",
 			"tags": ["Agent"],
 			"security": [],
 			"requestBody": {
@@ -4045,7 +4053,8 @@ const openapiDocument = {
 					"signup_code": {
 						"type": "string",
 						"minLength": 1,
-						"maxLength": 128
+						"maxLength": 128,
+						"description": "Optional signup code. Omit if you do not have one."
 					},
 					"terms_accepted": {
 						"type": "boolean",
@@ -4064,11 +4073,7 @@ const openapiDocument = {
 						"description": "Optional client metadata stored with the signup session; serialized JSON must be 2048 bytes or fewer"
 					}
 				},
-				"required": [
-					"email",
-					"signup_code",
-					"terms_accepted"
-				]
+				"required": ["email", "terms_accepted"]
 			},
 			"CliSignupStartResult": {
 				"type": "object",
@@ -4233,7 +4238,8 @@ const openapiDocument = {
 					"signup_code": {
 						"type": "string",
 						"minLength": 1,
-						"maxLength": 128
+						"maxLength": 128,
+						"description": "Optional signup code. Omit if you do not have one."
 					},
 					"terms_accepted": {
 						"type": "boolean",
@@ -4252,11 +4258,7 @@ const openapiDocument = {
 						"description": "Optional client metadata stored with the signup session; serialized JSON must be 2048 bytes or fewer"
 					}
 				},
-				"required": [
-					"email",
-					"signup_code",
-					"terms_accepted"
-				]
+				"required": ["email", "terms_accepted"]
 			},
 			"AgentSignupStartResult": {
 				"type": "object",
@@ -7781,7 +7783,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "start-agent-signup",
-		"description": "Starts an agent-native signup session. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
+		"description": "Starts an agent-native signup session. `signup_code` is optional;\nomit it to sign up without one. The API creates a pending signup\nsession, sends an email verification code, and returns an opaque\nsignup token used by the resend and verify steps. This endpoint\ndoes not require an API key.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "startAgentSignup",
@@ -7800,7 +7802,8 @@ const operationManifest = [
 				"signup_code": {
 					"type": "string",
 					"minLength": 1,
-					"maxLength": 128
+					"maxLength": 128,
+					"description": "Optional signup code. Omit if you do not have one."
 				},
 				"terms_accepted": {
 					"type": "boolean",
@@ -7819,11 +7822,7 @@ const operationManifest = [
 					"description": "Optional client metadata stored with the signup session; serialized JSON must be 2048 bytes or fewer"
 				}
 			},
-			"required": [
-				"email",
-				"signup_code",
-				"terms_accepted"
-			]
+			"required": ["email", "terms_accepted"]
 		},
 		"responseSchema": {
 			"type": "object",
@@ -7866,7 +7865,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "verify-agent-signup",
-		"description": "Verifies the email code for an agent signup session, creates the account\nwhen needed, redeems the reserved signup code, mints an org-scoped OAuth\nsession for CLI authentication, and returns the raw tokens exactly once.\nFor existing users, the optional `org_id` selects which accessible\nworkspace should receive the new session.\n",
+		"description": "Verifies the email code for an agent signup session and creates\nthe account when needed. When the session was started with a\n`signup_code`, the reserved code is redeemed; sessions started\nwithout a code skip the redemption step. An org-scoped OAuth\nsession for CLI authentication is minted and the raw tokens are\nreturned exactly once. For existing users, the optional `org_id`\nselects which accessible workspace should receive the new\nsession (no signup-code redemption is performed for existing\nusers regardless of how the session was started).\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "verifyAgentSignup",
@@ -8236,7 +8235,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "start-cli-signup",
-		"description": "Starts a terminal-native CLI signup. The API validates the signup code,\ncreates a pending signup session, sends an email verification code, and\nreturns an opaque signup token used by the resend and verify steps. This\nendpoint does not require an API key.\n",
+		"description": "Starts a terminal-native CLI signup. `signup_code` is optional;\nomit it to sign up without one. The API creates a pending signup\nsession, sends an email verification code, and returns an opaque\nsignup token used by the resend and verify steps. This endpoint\ndoes not require an API key.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "startCliSignup",
@@ -8255,7 +8254,8 @@ const operationManifest = [
 				"signup_code": {
 					"type": "string",
 					"minLength": 1,
-					"maxLength": 128
+					"maxLength": 128,
+					"description": "Optional signup code. Omit if you do not have one."
 				},
 				"terms_accepted": {
 					"type": "boolean",
@@ -8274,11 +8274,7 @@ const operationManifest = [
 					"description": "Optional client metadata stored with the signup session; serialized JSON must be 2048 bytes or fewer"
 				}
 			},
-			"required": [
-				"email",
-				"signup_code",
-				"terms_accepted"
-			]
+			"required": ["email", "terms_accepted"]
 		},
 		"responseSchema": {
 			"type": "object",
@@ -8321,7 +8317,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "verify-cli-signup",
-		"description": "Verifies the email code for a CLI signup session, creates the account,\nredeems the reserved signup code, creates an org-scoped OAuth CLI\nsession, and returns the token set exactly once. This endpoint does not\nrequire an API key.\n",
+		"description": "Verifies the email code for a CLI signup session and creates the\naccount. When the session was started with a `signup_code`, the\nreserved code is redeemed; sessions started without a code skip\nthe redemption step. Either way an org-scoped OAuth CLI session\nis created and the token set is returned exactly once. This\nendpoint does not require an API key.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "verifyCliSignup",
@@ -14566,7 +14562,7 @@ const OPERATION_HINTS = {
 	updateFunction: "Tip: prefer `primitive functions redeploy --id <id> --file <bundle>` for file-input ergonomics. This raw command exists for callers passing JSON.",
 	createFunctionSecret: "Tip: prefer `primitive functions set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON.",
 	setFunctionSecret: "Tip: prefer `primitive functions set-secret --id <id> --key <KEY> --value <value> [--redeploy]` for secret writes that also push the binding live. This raw command exists for callers passing JSON.",
-	startAgentSignup: "Tip: also pass --signup-code <code> (request from Primitive; invite-only during the agent beta) and --terms-accepted. Capture the signup_token from the response and feed it to `primitive agent verify-agent-signup --signup-token <token> --verification-code <6-digit-code>` (the verify flag accepts --code as an alias). The high-level `primitive signup <email>` command walks an interactive user through both steps with friendlier prompts.",
+	startAgentSignup: "Tip: pass --terms-accepted, and optionally --signup-code <code> if you have one. Capture the signup_token from the response and feed it to `primitive agent verify-agent-signup --signup-token <token> --verification-code <6-digit-code>` (the verify flag accepts --code as an alias). The high-level `primitive signup <email>` command walks an interactive user through both steps with friendlier prompts.",
 	verifyAgentSignup: "Tip: pass --verification-code <code> (or --code; both work). The response carries OAuth tokens but not your assigned inbox domain; run `primitive domains list` (or `primitive whoami`) after success to see the managed *.primitive.email address that routes to this account."
 };
 const OPERATION_FLAG_ALIASES = { verifyAgentSignup: { verification_code: ["code"] } };
@@ -16645,8 +16641,8 @@ var DomainsZoneFileCommand = class DomainsZoneFileCommand extends Command {
 };
 //#endregion
 //#region src/oclif/commands/emails-latest.ts
-const DEFAULT_LIMIT$1 = 10;
-const MAX_LIMIT$1 = 100;
+const DEFAULT_LIMIT$2 = 10;
+const MAX_LIMIT$2 = 100;
 const SUBJECT_DISPLAY_WIDTH = 50;
 const ADDRESS_DISPLAY_WIDTH = 32;
 const ID_DISPLAY_WIDTH_SHORT = 8;
@@ -16696,10 +16692,10 @@ var EmailsLatestCommand = class EmailsLatestCommand extends Command {
 			hidden: true
 		}),
 		limit: Flags.integer({
-			description: `Number of rows to print (1-${MAX_LIMIT$1}, default ${DEFAULT_LIMIT$1}).`,
-			default: DEFAULT_LIMIT$1,
+			description: `Number of rows to print (1-${MAX_LIMIT$2}, default ${DEFAULT_LIMIT$2}).`,
+			default: DEFAULT_LIMIT$2,
 			min: 1,
-			max: MAX_LIMIT$1
+			max: MAX_LIMIT$2
 		}),
 		json: Flags.boolean({ description: "Print the raw response envelope (with full UUIDs and meta) as JSON on STDOUT instead of the text table. Useful for piping into `jq`, capturing ids for follow-up commands, or scripting." }),
 		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
@@ -17175,6 +17171,108 @@ async function runSourceDeploy(api, params) {
 		result: data
 	};
 }
+async function runSourceDeployWithSecrets(api, params) {
+	const listed = await api.listFunctions();
+	if (listed.error) return {
+		kind: "error",
+		payload: extractErrorPayload(listed.error),
+		stage: "lookup"
+	};
+	const foundId = (listed.data?.data ?? []).find((f) => f.name === params.name)?.id ?? null;
+	let functionId;
+	let createPayload;
+	if (foundId === null) {
+		const created = await api.createFunction({
+			files: params.files,
+			name: params.name
+		});
+		if (created.error) return {
+			kind: "error",
+			payload: extractErrorPayload(created.error),
+			stage: "create"
+		};
+		const data = created.data?.data;
+		if (!data) return {
+			kind: "error",
+			payload: {
+				code: "client_error",
+				message: "Create returned no data"
+			},
+			stage: "create"
+		};
+		functionId = data.id;
+		createPayload = data;
+	} else functionId = foundId;
+	const writtenSecrets = [];
+	const succeededKeys = [];
+	for (let i = 0; i < params.secrets.length; i++) {
+		const pair = params.secrets[i];
+		const pendingKeys = params.secrets.slice(i + 1).map((p) => p.key);
+		const setResult = await api.setSecret({
+			id: functionId,
+			key: pair.key,
+			value: pair.value
+		});
+		if (setResult.error) return {
+			...createPayload ? { created: createPayload } : {},
+			failedKey: pair.key,
+			functionId,
+			kind: "error",
+			payload: extractErrorPayload(setResult.error),
+			pendingKeys,
+			stage: "set-secret",
+			succeededKeys
+		};
+		const secret = setResult.data?.data;
+		if (!secret) return {
+			...createPayload ? { created: createPayload } : {},
+			failedKey: pair.key,
+			functionId,
+			kind: "error",
+			payload: {
+				code: "client_error",
+				message: "Secret write returned no data"
+			},
+			pendingKeys,
+			stage: "set-secret",
+			succeededKeys
+		};
+		writtenSecrets.push(secret);
+		succeededKeys.push(pair.key);
+	}
+	const updated = await api.updateFunction({
+		files: params.files,
+		id: functionId
+	});
+	if (updated.error) return {
+		...createPayload ? { created: createPayload } : {},
+		functionId,
+		kind: "error",
+		payload: extractErrorPayload(updated.error),
+		stage: "secret-redeploy",
+		succeededKeys
+	};
+	const redeployed = updated.data?.data;
+	if (!redeployed) return {
+		...createPayload ? { created: createPayload } : {},
+		functionId,
+		kind: "error",
+		payload: {
+			code: "client_error",
+			message: "Redeploy returned no data"
+		},
+		stage: "secret-redeploy",
+		succeededKeys
+	};
+	return {
+		kind: "ok",
+		result: {
+			action: foundId === null ? "created" : "redeployed",
+			redeploy: redeployed,
+			secrets: writtenSecrets
+		}
+	};
+}
 function renderBuildFailure(payload, write) {
 	if (typeof payload !== "object" || payload === null) return false;
 	const error = payload.error ?? payload;
@@ -17661,14 +17759,23 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 
   Pass secret source flags to seed bindings in the same command. Keys
   must match \`^[A-Z_][A-Z0-9_]*$\` (uppercase letters, digits,
-  underscores; first character is a letter or underscore). With one
-  or more secrets the deploy fans out to multiple API calls:
-  create-function, set-secret per pair, then a final update-function
-  with the same bundle so the running handler picks up the bindings.
-  If a secret write fails after the create step the function exists
-  with whatever secrets succeeded and the redeploy has NOT fired;
-  re-run \`primitive functions set-secret\` for the missing keys, then
-  \`primitive functions redeploy\` to push them live. ${SECRET_SOURCE_FLAGS_DESCRIPTION}`;
+  underscores; first character is a letter or underscore).
+
+  With one or more secrets the deploy fans out to multiple API calls.
+  For --file (and for --source when no function with the given name
+  exists yet): create-function, set-secret per pair, then a final
+  update-function so the running handler picks up the bindings. For
+  --source against an existing function name: the create-function step
+  is replaced by an id lookup, then set-secret per pair, then a single
+  update-function that binds the new code and the new secret env in
+  one step (avoiding an intermediate redeploy that would briefly run
+  the new code with the previous secret bindings).
+
+  If a secret write fails before the final redeploy, the function row
+  carries whatever bindings landed but the running handler has NOT yet
+  picked them up. Re-run \`primitive functions set-secret\` for the
+  missing keys, then re-run \`primitive functions deploy\` (or
+  \`functions redeploy\`) to push them live. ${SECRET_SOURCE_FLAGS_DESCRIPTION}`;
 	static summary = "Deploy a new function from a bundled handler file";
 	static examples = [
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js",
@@ -17678,6 +17785,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --source-map-file ./bundle.js.map",
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret OPENAI_KEY=sk-... --secret OWNER_EMAIL=me@example.com",
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret-from-env OPENAI_KEY --secret-from-env-file .env.local:OWNER_EMAIL",
+		"<%= config.bin %> functions deploy --name triage --source . --secret-from-env ANTHROPIC_API_KEY",
 		"printf '%s' \"$OPENAI_KEY\" | <%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret-from-stdin OPENAI_KEY"
 	];
 	static flags = {
@@ -17867,8 +17975,15 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 		});
 	}
 	async runSourceMode(flags, sourceDir) {
-		if ((flags.secret?.length ?? 0) > 0 || (flags["secret-from-env"]?.length ?? 0) > 0 || (flags["secret-from-file"]?.length ?? 0) > 0 || (flags["secret-from-env-file"]?.length ?? 0) > 0 || flags["secret-from-stdin"] !== void 0) {
-			process.stderr.write("Secret flags are not supported with --source yet. Deploy from source first, then set secrets with `primitive functions set-secret` and redeploy.\n");
+		const parsedSecrets = resolveSecretFlags({
+			fromEnv: flags["secret-from-env"] ?? [],
+			fromEnvFile: flags["secret-from-env-file"] ?? [],
+			fromFile: flags["secret-from-file"] ?? [],
+			fromStdin: flags["secret-from-stdin"],
+			inline: flags.secret ?? []
+		});
+		if (parsedSecrets.kind === "error") {
+			process.stderr.write(`${parsedSecrets.message}\n`);
 			process.exitCode = 1;
 			return;
 		}
@@ -17888,7 +18003,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			baseUrlOverridden,
 			configDir: this.config.configDir
 		};
-		const outcome = await runSourceDeploy({
+		const apiSurface = {
 			createFunction: (p) => createFunction({
 				body: {
 					files: p.files,
@@ -17901,27 +18016,80 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 				client: apiClient.client,
 				responseStyle: "fields"
 			}),
+			setSecret: (p) => setFunctionSecret({
+				body: { value: p.value },
+				client: apiClient.client,
+				path: {
+					id: p.id,
+					key: p.key
+				},
+				responseStyle: "fields"
+			}),
 			updateFunction: (p) => updateFunction({
 				body: { files: p.files },
 				client: apiClient.client,
 				path: { id: p.id },
 				responseStyle: "fields"
 			})
-		}, {
+		};
+		if (parsedSecrets.secrets.length === 0) {
+			const outcome = await runSourceDeploy(apiSurface, {
+				files: collected.files,
+				name: flags.name
+			});
+			if (outcome.kind === "error") {
+				renderBuildFailure(outcome.payload, (chunk) => process.stderr.write(chunk));
+				writeErrorWithHints(outcome.payload);
+				surfaceUnauthorizedHint({
+					...authFailureContext,
+					payload: outcome.payload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			await this.finishSourceDeploy({
+				apiClient,
+				authFailureContext,
+				flags,
+				payload: outcome.result
+			});
+			return;
+		}
+		const secretsOutcome = await runSourceDeployWithSecrets(apiSurface, {
 			files: collected.files,
-			name: flags.name
+			name: flags.name,
+			secrets: parsedSecrets.secrets
 		});
-		if (outcome.kind === "error") {
-			renderBuildFailure(outcome.payload, (chunk) => process.stderr.write(chunk));
-			writeErrorWithHints(outcome.payload);
+		if (secretsOutcome.kind === "error") {
+			if (secretsOutcome.stage === "set-secret") {
+				const succeeded = secretsOutcome.succeededKeys.length > 0 ? secretsOutcome.succeededKeys.join(", ") : "(none)";
+				const pending = secretsOutcome.pendingKeys.length > 0 ? secretsOutcome.pendingKeys.join(", ") : "(none)";
+				const allMissing = [secretsOutcome.failedKey, ...secretsOutcome.pendingKeys].join(", ");
+				const createdClause = secretsOutcome.created ? `Function ${secretsOutcome.created.name} (${secretsOutcome.functionId}) was created` : `Function ${flags.name} (${secretsOutcome.functionId}) already existed`;
+				const stagingWarning = secretsOutcome.succeededKeys.length > 0 ? ` Note: [${succeeded}] are now staged on the function row and will bind on the next deploy of this function (including one that does not pass --secret).` : "";
+				process.stderr.write(`${createdClause}, but writing secret ${secretsOutcome.failedKey} failed; succeeded keys so far: ${succeeded}; keys not yet attempted: ${pending}. The redeploy is NOT yet live. Re-run \`primitive functions set-secret\` for each of [${allMissing}], then \`primitive functions deploy --source ${sourceDir} --name ${flags.name}\` to push them live.${stagingWarning}\n`);
+			} else if (secretsOutcome.stage === "secret-redeploy") {
+				const succeeded = secretsOutcome.succeededKeys.length > 0 ? secretsOutcome.succeededKeys.join(", ") : "(none)";
+				const createdClause = secretsOutcome.created ? `Function ${secretsOutcome.created.name} (${secretsOutcome.functionId}) was created and` : `Function ${flags.name} (${secretsOutcome.functionId}) already existed and`;
+				process.stderr.write(`${createdClause} secrets [${succeeded}] were written, but the final redeploy failed; the new bindings are NOT yet live. Re-run \`primitive functions deploy --source ${sourceDir} --name ${flags.name}\` once the cause is fixed.\n`);
+			} else renderBuildFailure(secretsOutcome.payload, (chunk) => process.stderr.write(chunk));
+			writeErrorWithHints(secretsOutcome.payload);
 			surfaceUnauthorizedHint({
 				...authFailureContext,
-				payload: outcome.payload
+				payload: secretsOutcome.payload
 			});
 			process.exitCode = 1;
 			return;
 		}
-		const payload = outcome.result;
+		await this.finishSourceDeploy({
+			apiClient,
+			authFailureContext,
+			flags,
+			payload: secretsOutcome.result.redeploy
+		});
+	}
+	async finishSourceDeploy(args) {
+		const { apiClient, authFailureContext, flags, payload } = args;
 		if (flags.wait) {
 			const waitResult = await waitForFunctionDeploy({
 				getFunction: (p) => getFunction({
@@ -17970,8 +18138,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^1.0.1";
-const CLI_VERSION_RANGE = "^1.0.1";
+const SDK_VERSION_RANGE = "^1.2.0";
+const CLI_VERSION_RANGE = "^1.2.0";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
@@ -20214,7 +20382,8 @@ const DEFAULT_SIGNUP_COMMAND_COPY = {
 	actionGerund: "creating a new account",
 	confirmCommand: (email) => `signup confirm ${email} <code>`,
 	resendCommand: (email) => `signup resend ${email}`,
-	startCommand: (email) => `signup ${email}`
+	startCommand: (email) => `signup ${email}`,
+	codeRequired: false
 };
 function cliError$2(message) {
 	return new Errors.CLIError(message, { exit: 1 });
@@ -20329,7 +20498,7 @@ function readPendingAgentSignupState(configDir, apiBaseUrl) {
 	return pending;
 }
 function pendingSignupStartCommand(email) {
-	return `primitive signup ${email ?? "<email>"} --signup-code <invite-code> --accept-terms`;
+	return `primitive signup ${email ?? "<email>"} --accept-terms`;
 }
 function buildSignupStatus(params) {
 	const copy = params.copy ?? DEFAULT_SIGNUP_COMMAND_COPY;
@@ -20495,16 +20664,17 @@ async function startSignup(params) {
 		throw cliError$2(`Pending ${copy.actionNoun} is for ${existingPending.email}. Run \`primitive signup status\` to inspect it, or \`primitive ${copy.startCommand(params.email)} --force\` to replace it.`);
 	}
 	if (params.flags.force) deletePendingAgentSignup(params.configDir);
-	const promptRequiredFn = params.deps.promptRequired ?? promptRequired;
 	const confirmTermsFn = params.deps.confirmTerms ?? confirmTerms;
+	const promptRequiredFn = params.deps.promptRequired ?? promptRequired;
 	const startFn = params.deps.startAgentSignup ?? startAgentSignup;
-	const signupCode = params.flags["signup-code"] ?? await promptRequiredFn("Signup code: ");
+	const rawSignupCode = params.flags["signup-code"];
+	const signupCode = (rawSignupCode && rawSignupCode.trim().length > 0 ? rawSignupCode : void 0) ?? (copy.codeRequired ? await promptRequiredFn("Signup code: ") : void 0);
 	if (!params.flags["accept-terms"]) await confirmTermsFn();
 	const started = await startFn({
 		body: {
 			device_name: params.flags["device-name"] ?? hostname(),
 			email: params.email,
-			signup_code: signupCode,
+			...signupCode ? { signup_code: signupCode } : {},
 			terms_accepted: true
 		},
 		client: params.apiClient.client,
@@ -20734,7 +20904,7 @@ function commonStartFlags() {
 			description: "Replace saved credentials or pending signup state when needed"
 		}),
 		"signup-code": Flags.string({
-			description: "Signup code required to create an account",
+			description: "Optional signup code. Omit if you do not have one.",
 			env: "PRIMITIVE_SIGNUP_CODE"
 		})
 	};
@@ -20748,6 +20918,7 @@ var SignupCommand = class SignupCommand extends Command {
 	static summary = "Start account signup";
 	static examples = [
 		"<%= config.bin %> signup user@example.com",
+		"<%= config.bin %> signup user@example.com --accept-terms",
 		"<%= config.bin %> signup user@example.com --signup-code invite-code --accept-terms",
 		"<%= config.bin %> signup confirm user@example.com 123456"
 	];
@@ -21223,8 +21394,8 @@ var ReplyCommand = class ReplyCommand extends Command {
 };
 //#endregion
 //#region src/oclif/commands/semantic-search.ts
-const DEFAULT_LIMIT = 10;
-const MAX_LIMIT = 100;
+const DEFAULT_LIMIT$1 = 10;
+const MAX_LIMIT$1 = 100;
 const SCORE_WIDTH = 7;
 const SOURCE_WIDTH = 4;
 const SUBJECT_WIDTH = 40;
@@ -21290,10 +21461,10 @@ var SemanticSearchCommand = class SemanticSearchCommand extends Command {
 		"date-from": Flags.string({ description: "Only include mail at or after this ISO-8601 timestamp." }),
 		"date-to": Flags.string({ description: "Only include mail at or before this ISO-8601 timestamp." }),
 		limit: Flags.integer({
-			description: `Maximum results to return (1-${MAX_LIMIT}, default ${DEFAULT_LIMIT}).`,
-			default: DEFAULT_LIMIT,
+			description: `Maximum results to return (1-${MAX_LIMIT$1}, default ${DEFAULT_LIMIT$1}).`,
+			default: DEFAULT_LIMIT$1,
 			min: 1,
-			max: MAX_LIMIT
+			max: MAX_LIMIT$1
 		}),
 		cursor: Flags.string({ description: "Opaque pagination cursor from a prior response's meta.cursor." }),
 		json: Flags.boolean({ description: "Print the raw response envelope as JSON on STDOUT instead of the text table." }),
@@ -21350,6 +21521,230 @@ var SemanticSearchCommand = class SemanticSearchCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/search.ts
+const DEFAULT_LIMIT = 10;
+const MAX_LIMIT = 100;
+const LEXICAL_ONLY_FLAGS = [
+	"from",
+	"to",
+	"subject",
+	"body",
+	"domain",
+	"domain-id",
+	"has-attachment",
+	"status",
+	"sort",
+	"snippet",
+	"include-facets"
+];
+var SearchCommand = class SearchCommand extends Command {
+	static description = `Search received (default) or both received and sent mail (with --mode).
+
+  Default behavior is lexical full-text matching: the positional query is sent as \`q=<query>\` to the inbound search endpoint, which matches against subject, body, sender, and recipient in a single pass. Structured filters (--from, --to, --subject, --body, --domain, --has-attachment, --date-from, --date-to, --status) AND with the text query.
+
+  Pass --mode to switch to the cross-corpus semantic backend (covers inbound and outbound). \`--mode keyword\` is plain full-text; \`--mode semantic\` is embedding-only; \`--mode hybrid\` blends both. Semantic modes require the Pro plan with the semantic_search_enabled entitlement.
+
+  Output is a fixed-width text table by default (header on STDERR so rows stay grep/awk-friendly). Use --json for the raw envelope.`;
+	static summary = "Search mail (lexical by default; --mode for semantic)";
+	static examples = [
+		"<%= config.bin %> search \"invoice\"",
+		"<%= config.bin %> search \"renewal\" --from acme.com",
+		"<%= config.bin %> search \"kickoff\" --mode hybrid",
+		"<%= config.bin %> search \"shipping\" --mode keyword --corpus outbound",
+		"<%= config.bin %> search \"needle\" --json | jq '.data[0].id'"
+	];
+	static args = { query: Args.string({
+		description: "The search query. Matched against every indexed field (subject, body, sender, recipient) when lexical; against the embedding when semantic.",
+		required: true
+	}) };
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: API_BASE_URL_FLAG_DESCRIPTION,
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		mode: Flags.string({
+			description: "Switch to the cross-corpus semantic backend. Omit for the default lexical backend.",
+			options: [
+				"hybrid",
+				"semantic",
+				"keyword"
+			]
+		}),
+		from: Flags.string({ description: "Lexical only. Filter by sender address or sender domain." }),
+		to: Flags.string({ description: "Lexical only. Filter by recipient address or recipient domain." }),
+		subject: Flags.string({ description: "Lexical only. Full-text search restricted to the subject." }),
+		body: Flags.string({ description: "Lexical only. Full-text search restricted to the parsed text body." }),
+		domain: Flags.string({ description: "Lexical only. Filter by the recipient's mail domain." }),
+		"domain-id": Flags.string({ description: "Lexical only. Filter by domain ID." }),
+		"has-attachment": Flags.string({
+			description: "Lexical only. Filter by whether the email has one or more attachments.",
+			options: ["true", "false"]
+		}),
+		status: Flags.string({
+			description: "Lexical only. Filter by parse status.",
+			options: [
+				"pending",
+				"accepted",
+				"completed",
+				"rejected"
+			]
+		}),
+		sort: Flags.string({
+			description: "Lexical only. Result ordering.",
+			options: [
+				"relevance",
+				"received_at_desc",
+				"received_at_asc"
+			]
+		}),
+		snippet: Flags.string({
+			description: "Lexical only. Include match-centered subject/body highlights on each row.",
+			options: ["true", "false"]
+		}),
+		"include-facets": Flags.string({
+			description: "Lexical only. Include facet counts for sender, domain, status, and attachment presence.",
+			options: ["true", "false"]
+		}),
+		corpus: Flags.string({
+			description: "Semantic only. Restrict to inbound or outbound mail. Pass twice to include both (the default).",
+			options: ["inbound", "outbound"],
+			multiple: true
+		}),
+		"date-from": Flags.string({ description: "Only include mail at or after this ISO-8601 timestamp." }),
+		"date-to": Flags.string({ description: "Only include mail at or before this ISO-8601 timestamp." }),
+		limit: Flags.integer({
+			description: `Maximum results to return (1-${MAX_LIMIT}, default ${DEFAULT_LIMIT}).`,
+			default: DEFAULT_LIMIT,
+			min: 1,
+			max: MAX_LIMIT
+		}),
+		cursor: Flags.string({ description: "Opaque pagination cursor from a prior response's meta.cursor." }),
+		json: Flags.boolean({ description: "Print the raw response envelope as JSON on STDOUT instead of the text table." }),
+		envelope: Flags.boolean({ description: "Lexical text-table only. Surface the next pagination cursor (if any) on STDERR below the table. Has no effect with --json; --json already prints the full envelope including meta." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { args, flags } = await this.parse(SearchCommand);
+		await runWithTiming(flags.time, async () => {
+			const { apiClient, auth, baseUrlOverridden } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl: flags["api-base-url"],
+				configDir: this.config.configDir
+			});
+			const handleError = (error) => {
+				const errorPayload = extractErrorPayload(error);
+				writeErrorWithHints(errorPayload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: errorPayload
+				});
+				process.exitCode = 1;
+			};
+			if (flags.mode) {
+				if (flags.envelope) {
+					process.stderr.write("--envelope only applies to lexical mode. Use --json for the raw semantic envelope.\n");
+					process.exitCode = 2;
+					return;
+				}
+				const incompatible = LEXICAL_ONLY_FLAGS.filter((name) => flags[name] !== void 0);
+				if (incompatible.length > 0) {
+					const isOne = incompatible.length === 1;
+					process.stderr.write(`Flag${isOne ? "" : "s"} --${incompatible.join(", --")} only ${isOne ? "applies" : "apply"} to the lexical backend. Omit --mode to use ${isOne ? "it" : "them"}.\n`);
+					process.exitCode = 2;
+					return;
+				}
+				const result = await semanticSearch({
+					client: apiClient.client,
+					body: {
+						query: args.query,
+						mode: flags.mode,
+						...flags.corpus ? { corpus: flags.corpus } : {},
+						...flags["date-from"] ? { date_from: flags["date-from"] } : {},
+						...flags["date-to"] ? { date_to: flags["date-to"] } : {},
+						limit: flags.limit,
+						...flags.cursor ? { cursor: flags.cursor } : {}
+					},
+					responseStyle: "fields"
+				});
+				if (result.error) {
+					handleError(result.error);
+					return;
+				}
+				const envelope = result.data;
+				if (flags.json) {
+					this.log(JSON.stringify(envelope ?? null, null, 2));
+					return;
+				}
+				const rows = envelope?.data ?? [];
+				if (rows.length === 0) {
+					process.stderr.write("No matching mail.\n");
+					return;
+				}
+				process.stderr.write(`${formatHeader()}\n`);
+				for (const row of rows) this.log(formatRow(row));
+				const nextCursor = envelope?.meta?.cursor ?? null;
+				if (nextCursor) process.stderr.write(`\nNext page: pass --cursor ${nextCursor}\n`);
+				return;
+			}
+			if (flags.corpus && flags.corpus.length > 0) {
+				process.stderr.write("--corpus only applies to semantic mode. Pass --mode keyword|semantic|hybrid to enable it.\n");
+				process.exitCode = 2;
+				return;
+			}
+			const query = {
+				q: flags.domain ? `${args.query} domain:${quoteDslValue(flags.domain)}` : args.query,
+				limit: flags.limit
+			};
+			if (flags.from) query.from = flags.from;
+			if (flags.to) query.to = flags.to;
+			if (flags.subject) query.subject = flags.subject;
+			if (flags.body) query.body = flags.body;
+			if (flags["domain-id"]) query.domain_id = flags["domain-id"];
+			if (flags["has-attachment"]) query.has_attachment = flags["has-attachment"];
+			if (flags.status) query.status = flags.status;
+			if (flags.sort) query.sort = flags.sort;
+			if (flags.snippet) query.snippet = flags.snippet;
+			if (flags["include-facets"]) query.include_facets = flags["include-facets"];
+			if (flags["date-from"]) query.date_from = flags["date-from"];
+			if (flags["date-to"]) query.date_to = flags["date-to"];
+			if (flags.cursor) query.cursor = flags.cursor;
+			const result = await searchEmails({
+				client: apiClient.client,
+				query,
+				responseStyle: "fields"
+			});
+			if (result.error) {
+				handleError(result.error);
+				return;
+			}
+			const envelope = result.data;
+			if (flags.json) {
+				this.log(JSON.stringify(envelope ?? null, null, 2));
+				return;
+			}
+			const rows = envelope?.data ?? [];
+			if (rows.length === 0) {
+				process.stderr.write("No matching mail.\n");
+				return;
+			}
+			const idWidth = pickIdWidth(Boolean(process.stdout.isTTY));
+			process.stderr.write(`${formatHeader$1(idWidth)}\n`);
+			for (const row of rows) this.log(formatRow$1(row, idWidth));
+			if (flags.envelope) {
+				const nextCursor = envelope?.meta?.cursor ?? null;
+				if (nextCursor) process.stderr.write(`\nNext page: pass --cursor ${nextCursor}\n`);
+			}
+		});
+	}
+};
+//#endregion
 //#region src/oclif/commands/send.ts
 var SendCommand = class SendCommand extends Command {
 	static description = `Send an outbound email. Agent-grade shortcut for \`sending send\` with sensible defaults.
@@ -21469,35 +21864,40 @@ const SIGNIN_OTP_COPY = {
 	actionGerund: "signing in",
 	confirmCommand: (email) => `signin otp confirm ${email} <code>`,
 	resendCommand: (email) => `signin otp resend ${email}`,
-	startCommand: (email) => `signin otp ${email}`
+	startCommand: (email) => `signin otp ${email}`,
+	codeRequired: true
 };
 const SIGNIN_EMAIL_COPY = {
 	actionNoun: "sign-in",
 	actionGerund: "signing in",
 	confirmCommand: (email) => `signin confirm ${email} <code>`,
 	resendCommand: (email) => `signin resend ${email}`,
-	startCommand: (email) => `signin ${email}`
+	startCommand: (email) => `signin ${email}`,
+	codeRequired: true
 };
 const LOGIN_EMAIL_COPY = {
 	actionNoun: "login",
 	actionGerund: "logging in",
 	confirmCommand: (email) => `login confirm ${email} <code>`,
 	resendCommand: (email) => `login resend ${email}`,
-	startCommand: (email) => `login ${email}`
+	startCommand: (email) => `login ${email}`,
+	codeRequired: true
 };
 const LOGIN_OTP_COPY = {
 	actionNoun: "login",
 	actionGerund: "logging in",
 	confirmCommand: (email) => `login otp confirm ${email} <code>`,
 	resendCommand: (email) => `login otp resend ${email}`,
-	startCommand: (email) => `login otp ${email}`
+	startCommand: (email) => `login otp ${email}`,
+	codeRequired: true
 };
 const OTP_COPY = {
 	actionNoun: "email-code auth",
 	actionGerund: "authenticating",
 	confirmCommand: (email) => `otp confirm ${email} <code>`,
 	resendCommand: (email) => `otp resend ${email}`,
-	startCommand: (email) => `otp ${email}`
+	startCommand: (email) => `otp ${email}`,
+	codeRequired: true
 };
 function acquireCredentialsLock(configDir) {
 	try {
@@ -22170,7 +22570,8 @@ function resolveOperationAlias(id) {
 const OVERRIDDEN_OPERATION_IDS = new Set([
 	"domains:download-domain-zone-file",
 	"functions:test-function",
-	"inbox:get-inbox-status"
+	"inbox:get-inbox-status",
+	"search:semantic-search"
 ]);
 const generatedCommands = Object.fromEntries(operationManifest.filter((operation) => !OVERRIDDEN_OPERATION_IDS.has(operationId(operation))).map((operation) => [operationId(operation), createOperationCommand(operation)]));
 const COMMANDS = {
@@ -22214,7 +22615,9 @@ const COMMANDS = {
 	"emails:latest": EmailsLatestCommand,
 	"emails:watch": EmailsWatchCommand,
 	"emails:wait": EmailsWaitCommand,
+	search: SearchCommand,
 	"semantic-search": SemanticSearchCommand,
+	"search:semantic-search": SemanticSearchCommand,
 	"domains:zone-file": DomainsZoneFileCommand,
 	"domains:download-domain-zone-file": DomainsZoneFileCommand,
 	"inbox:setup": InboxSetupCommand,

package/dist/oclif/root-signup-hint.js

@@ -113,8 +113,9 @@ function loggedOutSignupHint() {
 	return [
 		"New to Primitive?",
 		"  You or your user don't have an account yet?",
-		"  Run `primitive signup <email> --signup-code <invite-code> --accept-terms`",
-		"  to create an account, get your own domain, and get started now.",
+		"  Run `primitive signup <email> --accept-terms`",
+		"  to create an account and get started.",
+		"  Add `--signup-code <code>` if you have one.",
 		""
 	].join("\n");
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/cli",
-  "version": "1.0.1",
+  "version": "1.2.0",
   "description": "Official Primitive CLI: deploy Primitive Functions, send and inspect mail, manage endpoints, all from the terminal. Wraps the @primitivedotdev/sdk runtime client with one-shot commands.",
   "type": "module",
   "sideEffects": false,
@@ -62,7 +62,8 @@
         "description": "List, inspect, and wait for received emails. Prefer task aliases like `primitive emails list`, `primitive emails get`, `primitive emails latest`, `primitive emails wait`, and `primitive emails watch`; generated API names remain available for compatibility."
       },
       "search": {
-        "description": "Semantic, hybrid, and keyword search across received and sent mail. Use `primitive semantic-search <query>`."
+        "description": "Cross-corpus semantic search. Prefer `primitive search <query>` for lexical inbound search and `primitive semantic-search <query>` for meaning-aware ranking across inbound and outbound.",
+        "hidden": true
       },
       "sending": {
         "description": "Send outbound emails. Prefer `primitive send` for fresh sends and `primitive reply --id <inbound-id>` for replies. Use `primitive domains list` or `primitive inbox status` to find usable sender domains for --from; `primitive sending permissions` lists recipient-scope destinations you may send to."