@primitivedotdev/cli 1.1.0 → 1.2.0

package/dist/oclif/index.js

@@ -17171,6 +17171,108 @@ async function runSourceDeploy(api, params) {
 		result: data
 	};
 }
+async function runSourceDeployWithSecrets(api, params) {
+	const listed = await api.listFunctions();
+	if (listed.error) return {
+		kind: "error",
+		payload: extractErrorPayload(listed.error),
+		stage: "lookup"
+	};
+	const foundId = (listed.data?.data ?? []).find((f) => f.name === params.name)?.id ?? null;
+	let functionId;
+	let createPayload;
+	if (foundId === null) {
+		const created = await api.createFunction({
+			files: params.files,
+			name: params.name
+		});
+		if (created.error) return {
+			kind: "error",
+			payload: extractErrorPayload(created.error),
+			stage: "create"
+		};
+		const data = created.data?.data;
+		if (!data) return {
+			kind: "error",
+			payload: {
+				code: "client_error",
+				message: "Create returned no data"
+			},
+			stage: "create"
+		};
+		functionId = data.id;
+		createPayload = data;
+	} else functionId = foundId;
+	const writtenSecrets = [];
+	const succeededKeys = [];
+	for (let i = 0; i < params.secrets.length; i++) {
+		const pair = params.secrets[i];
+		const pendingKeys = params.secrets.slice(i + 1).map((p) => p.key);
+		const setResult = await api.setSecret({
+			id: functionId,
+			key: pair.key,
+			value: pair.value
+		});
+		if (setResult.error) return {
+			...createPayload ? { created: createPayload } : {},
+			failedKey: pair.key,
+			functionId,
+			kind: "error",
+			payload: extractErrorPayload(setResult.error),
+			pendingKeys,
+			stage: "set-secret",
+			succeededKeys
+		};
+		const secret = setResult.data?.data;
+		if (!secret) return {
+			...createPayload ? { created: createPayload } : {},
+			failedKey: pair.key,
+			functionId,
+			kind: "error",
+			payload: {
+				code: "client_error",
+				message: "Secret write returned no data"
+			},
+			pendingKeys,
+			stage: "set-secret",
+			succeededKeys
+		};
+		writtenSecrets.push(secret);
+		succeededKeys.push(pair.key);
+	}
+	const updated = await api.updateFunction({
+		files: params.files,
+		id: functionId
+	});
+	if (updated.error) return {
+		...createPayload ? { created: createPayload } : {},
+		functionId,
+		kind: "error",
+		payload: extractErrorPayload(updated.error),
+		stage: "secret-redeploy",
+		succeededKeys
+	};
+	const redeployed = updated.data?.data;
+	if (!redeployed) return {
+		...createPayload ? { created: createPayload } : {},
+		functionId,
+		kind: "error",
+		payload: {
+			code: "client_error",
+			message: "Redeploy returned no data"
+		},
+		stage: "secret-redeploy",
+		succeededKeys
+	};
+	return {
+		kind: "ok",
+		result: {
+			action: foundId === null ? "created" : "redeployed",
+			redeploy: redeployed,
+			secrets: writtenSecrets
+		}
+	};
+}
 function renderBuildFailure(payload, write) {
 	if (typeof payload !== "object" || payload === null) return false;
 	const error = payload.error ?? payload;
@@ -17657,14 +17759,23 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 
   Pass secret source flags to seed bindings in the same command. Keys
   must match \`^[A-Z_][A-Z0-9_]*$\` (uppercase letters, digits,
-  underscores; first character is a letter or underscore). With one
-  or more secrets the deploy fans out to multiple API calls:
-  create-function, set-secret per pair, then a final update-function
-  with the same bundle so the running handler picks up the bindings.
-  If a secret write fails after the create step the function exists
-  with whatever secrets succeeded and the redeploy has NOT fired;
-  re-run \`primitive functions set-secret\` for the missing keys, then
-  \`primitive functions redeploy\` to push them live. ${SECRET_SOURCE_FLAGS_DESCRIPTION}`;
+  underscores; first character is a letter or underscore).
+
+  With one or more secrets the deploy fans out to multiple API calls.
+  For --file (and for --source when no function with the given name
+  exists yet): create-function, set-secret per pair, then a final
+  update-function so the running handler picks up the bindings. For
+  --source against an existing function name: the create-function step
+  is replaced by an id lookup, then set-secret per pair, then a single
+  update-function that binds the new code and the new secret env in
+  one step (avoiding an intermediate redeploy that would briefly run
+  the new code with the previous secret bindings).
+
+  If a secret write fails before the final redeploy, the function row
+  carries whatever bindings landed but the running handler has NOT yet
+  picked them up. Re-run \`primitive functions set-secret\` for the
+  missing keys, then re-run \`primitive functions deploy\` (or
+  \`functions redeploy\`) to push them live. ${SECRET_SOURCE_FLAGS_DESCRIPTION}`;
 	static summary = "Deploy a new function from a bundled handler file";
 	static examples = [
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js",
@@ -17674,6 +17785,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --source-map-file ./bundle.js.map",
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret OPENAI_KEY=sk-... --secret OWNER_EMAIL=me@example.com",
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret-from-env OPENAI_KEY --secret-from-env-file .env.local:OWNER_EMAIL",
+		"<%= config.bin %> functions deploy --name triage --source . --secret-from-env ANTHROPIC_API_KEY",
 		"printf '%s' \"$OPENAI_KEY\" | <%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret-from-stdin OPENAI_KEY"
 	];
 	static flags = {
@@ -17863,8 +17975,15 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 		});
 	}
 	async runSourceMode(flags, sourceDir) {
-		if ((flags.secret?.length ?? 0) > 0 || (flags["secret-from-env"]?.length ?? 0) > 0 || (flags["secret-from-file"]?.length ?? 0) > 0 || (flags["secret-from-env-file"]?.length ?? 0) > 0 || flags["secret-from-stdin"] !== void 0) {
-			process.stderr.write("Secret flags are not supported with --source yet. Deploy from source first, then set secrets with `primitive functions set-secret` and redeploy.\n");
+		const parsedSecrets = resolveSecretFlags({
+			fromEnv: flags["secret-from-env"] ?? [],
+			fromEnvFile: flags["secret-from-env-file"] ?? [],
+			fromFile: flags["secret-from-file"] ?? [],
+			fromStdin: flags["secret-from-stdin"],
+			inline: flags.secret ?? []
+		});
+		if (parsedSecrets.kind === "error") {
+			process.stderr.write(`${parsedSecrets.message}\n`);
 			process.exitCode = 1;
 			return;
 		}
@@ -17884,7 +18003,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			baseUrlOverridden,
 			configDir: this.config.configDir
 		};
-		const outcome = await runSourceDeploy({
+		const apiSurface = {
 			createFunction: (p) => createFunction({
 				body: {
 					files: p.files,
@@ -17897,27 +18016,80 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 				client: apiClient.client,
 				responseStyle: "fields"
 			}),
+			setSecret: (p) => setFunctionSecret({
+				body: { value: p.value },
+				client: apiClient.client,
+				path: {
+					id: p.id,
+					key: p.key
+				},
+				responseStyle: "fields"
+			}),
 			updateFunction: (p) => updateFunction({
 				body: { files: p.files },
 				client: apiClient.client,
 				path: { id: p.id },
 				responseStyle: "fields"
 			})
-		}, {
+		};
+		if (parsedSecrets.secrets.length === 0) {
+			const outcome = await runSourceDeploy(apiSurface, {
+				files: collected.files,
+				name: flags.name
+			});
+			if (outcome.kind === "error") {
+				renderBuildFailure(outcome.payload, (chunk) => process.stderr.write(chunk));
+				writeErrorWithHints(outcome.payload);
+				surfaceUnauthorizedHint({
+					...authFailureContext,
+					payload: outcome.payload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			await this.finishSourceDeploy({
+				apiClient,
+				authFailureContext,
+				flags,
+				payload: outcome.result
+			});
+			return;
+		}
+		const secretsOutcome = await runSourceDeployWithSecrets(apiSurface, {
 			files: collected.files,
-			name: flags.name
+			name: flags.name,
+			secrets: parsedSecrets.secrets
 		});
-		if (outcome.kind === "error") {
-			renderBuildFailure(outcome.payload, (chunk) => process.stderr.write(chunk));
-			writeErrorWithHints(outcome.payload);
+		if (secretsOutcome.kind === "error") {
+			if (secretsOutcome.stage === "set-secret") {
+				const succeeded = secretsOutcome.succeededKeys.length > 0 ? secretsOutcome.succeededKeys.join(", ") : "(none)";
+				const pending = secretsOutcome.pendingKeys.length > 0 ? secretsOutcome.pendingKeys.join(", ") : "(none)";
+				const allMissing = [secretsOutcome.failedKey, ...secretsOutcome.pendingKeys].join(", ");
+				const createdClause = secretsOutcome.created ? `Function ${secretsOutcome.created.name} (${secretsOutcome.functionId}) was created` : `Function ${flags.name} (${secretsOutcome.functionId}) already existed`;
+				const stagingWarning = secretsOutcome.succeededKeys.length > 0 ? ` Note: [${succeeded}] are now staged on the function row and will bind on the next deploy of this function (including one that does not pass --secret).` : "";
+				process.stderr.write(`${createdClause}, but writing secret ${secretsOutcome.failedKey} failed; succeeded keys so far: ${succeeded}; keys not yet attempted: ${pending}. The redeploy is NOT yet live. Re-run \`primitive functions set-secret\` for each of [${allMissing}], then \`primitive functions deploy --source ${sourceDir} --name ${flags.name}\` to push them live.${stagingWarning}\n`);
+			} else if (secretsOutcome.stage === "secret-redeploy") {
+				const succeeded = secretsOutcome.succeededKeys.length > 0 ? secretsOutcome.succeededKeys.join(", ") : "(none)";
+				const createdClause = secretsOutcome.created ? `Function ${secretsOutcome.created.name} (${secretsOutcome.functionId}) was created and` : `Function ${flags.name} (${secretsOutcome.functionId}) already existed and`;
+				process.stderr.write(`${createdClause} secrets [${succeeded}] were written, but the final redeploy failed; the new bindings are NOT yet live. Re-run \`primitive functions deploy --source ${sourceDir} --name ${flags.name}\` once the cause is fixed.\n`);
+			} else renderBuildFailure(secretsOutcome.payload, (chunk) => process.stderr.write(chunk));
+			writeErrorWithHints(secretsOutcome.payload);
 			surfaceUnauthorizedHint({
 				...authFailureContext,
-				payload: outcome.payload
+				payload: secretsOutcome.payload
 			});
 			process.exitCode = 1;
 			return;
 		}
-		const payload = outcome.result;
+		await this.finishSourceDeploy({
+			apiClient,
+			authFailureContext,
+			flags,
+			payload: secretsOutcome.result.redeploy
+		});
+	}
+	async finishSourceDeploy(args) {
+		const { apiClient, authFailureContext, flags, payload } = args;
 		if (flags.wait) {
 			const waitResult = await waitForFunctionDeploy({
 				getFunction: (p) => getFunction({
@@ -17966,8 +18138,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^1.1.0";
-const CLI_VERSION_RANGE = "^1.1.0";
+const SDK_VERSION_RANGE = "^1.2.0";
+const CLI_VERSION_RANGE = "^1.2.0";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/cli",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Official Primitive CLI: deploy Primitive Functions, send and inspect mail, manage endpoints, all from the terminal. Wraps the @primitivedotdev/sdk runtime client with one-shot commands.",
   "type": "module",
   "sideEffects": false,