@primitivedotdev/cli 1.1.0 → 1.2.1

package/README.md

@@ -16,6 +16,8 @@ primitive whoami
 prim whoami
 ```
 
+The same CLI is also published unscoped as [`primcli`](https://www.npmjs.com/package/primcli) — `npm install -g primcli` installs an identical build with the same `primitive`/`prim` commands. Use whichever name you prefer; they track the same version.
+
 Or with no install:
 
 ```bash

package/dist/oclif/index.js

@@ -2,7 +2,7 @@ import { A as PrimitiveApiClient, C as saveCliCredentials, D as loadActiveChatSt
 import { Args, Command, Errors, Flags, ux } from "@oclif/core";
 import { chmodSync, closeSync, existsSync, mkdirSync, openSync, readFileSync, readdirSync, renameSync, rmSync, statSync, unlinkSync, writeFileSync, writeSync } from "node:fs";
 import { randomUUID } from "node:crypto";
-import { basename, dirname, join, relative, resolve, sep } from "node:path";
+import path, { basename, dirname, join, relative, resolve, sep } from "node:path";
 import { hostname } from "node:os";
 import process$1 from "node:process";
 import { createInterface } from "node:readline/promises";
@@ -17171,6 +17171,108 @@ async function runSourceDeploy(api, params) {
 		result: data
 	};
 }
+async function runSourceDeployWithSecrets(api, params) {
+	const listed = await api.listFunctions();
+	if (listed.error) return {
+		kind: "error",
+		payload: extractErrorPayload(listed.error),
+		stage: "lookup"
+	};
+	const foundId = (listed.data?.data ?? []).find((f) => f.name === params.name)?.id ?? null;
+	let functionId;
+	let createPayload;
+	if (foundId === null) {
+		const created = await api.createFunction({
+			files: params.files,
+			name: params.name
+		});
+		if (created.error) return {
+			kind: "error",
+			payload: extractErrorPayload(created.error),
+			stage: "create"
+		};
+		const data = created.data?.data;
+		if (!data) return {
+			kind: "error",
+			payload: {
+				code: "client_error",
+				message: "Create returned no data"
+			},
+			stage: "create"
+		};
+		functionId = data.id;
+		createPayload = data;
+	} else functionId = foundId;
+	const writtenSecrets = [];
+	const succeededKeys = [];
+	for (let i = 0; i < params.secrets.length; i++) {
+		const pair = params.secrets[i];
+		const pendingKeys = params.secrets.slice(i + 1).map((p) => p.key);
+		const setResult = await api.setSecret({
+			id: functionId,
+			key: pair.key,
+			value: pair.value
+		});
+		if (setResult.error) return {
+			...createPayload ? { created: createPayload } : {},
+			failedKey: pair.key,
+			functionId,
+			kind: "error",
+			payload: extractErrorPayload(setResult.error),
+			pendingKeys,
+			stage: "set-secret",
+			succeededKeys
+		};
+		const secret = setResult.data?.data;
+		if (!secret) return {
+			...createPayload ? { created: createPayload } : {},
+			failedKey: pair.key,
+			functionId,
+			kind: "error",
+			payload: {
+				code: "client_error",
+				message: "Secret write returned no data"
+			},
+			pendingKeys,
+			stage: "set-secret",
+			succeededKeys
+		};
+		writtenSecrets.push(secret);
+		succeededKeys.push(pair.key);
+	}
+	const updated = await api.updateFunction({
+		files: params.files,
+		id: functionId
+	});
+	if (updated.error) return {
+		...createPayload ? { created: createPayload } : {},
+		functionId,
+		kind: "error",
+		payload: extractErrorPayload(updated.error),
+		stage: "secret-redeploy",
+		succeededKeys
+	};
+	const redeployed = updated.data?.data;
+	if (!redeployed) return {
+		...createPayload ? { created: createPayload } : {},
+		functionId,
+		kind: "error",
+		payload: {
+			code: "client_error",
+			message: "Redeploy returned no data"
+		},
+		stage: "secret-redeploy",
+		succeededKeys
+	};
+	return {
+		kind: "ok",
+		result: {
+			action: foundId === null ? "created" : "redeployed",
+			redeploy: redeployed,
+			secrets: writtenSecrets
+		}
+	};
+}
 function renderBuildFailure(payload, write) {
 	if (typeof payload !== "object" || payload === null) return false;
 	const error = payload.error ?? payload;
@@ -17657,14 +17759,23 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 
   Pass secret source flags to seed bindings in the same command. Keys
   must match \`^[A-Z_][A-Z0-9_]*$\` (uppercase letters, digits,
-  underscores; first character is a letter or underscore). With one
-  or more secrets the deploy fans out to multiple API calls:
-  create-function, set-secret per pair, then a final update-function
-  with the same bundle so the running handler picks up the bindings.
-  If a secret write fails after the create step the function exists
-  with whatever secrets succeeded and the redeploy has NOT fired;
-  re-run \`primitive functions set-secret\` for the missing keys, then
-  \`primitive functions redeploy\` to push them live. ${SECRET_SOURCE_FLAGS_DESCRIPTION}`;
+  underscores; first character is a letter or underscore).
+
+  With one or more secrets the deploy fans out to multiple API calls.
+  For --file (and for --source when no function with the given name
+  exists yet): create-function, set-secret per pair, then a final
+  update-function so the running handler picks up the bindings. For
+  --source against an existing function name: the create-function step
+  is replaced by an id lookup, then set-secret per pair, then a single
+  update-function that binds the new code and the new secret env in
+  one step (avoiding an intermediate redeploy that would briefly run
+  the new code with the previous secret bindings).
+
+  If a secret write fails before the final redeploy, the function row
+  carries whatever bindings landed but the running handler has NOT yet
+  picked them up. Re-run \`primitive functions set-secret\` for the
+  missing keys, then re-run \`primitive functions deploy\` (or
+  \`functions redeploy\`) to push them live. ${SECRET_SOURCE_FLAGS_DESCRIPTION}`;
 	static summary = "Deploy a new function from a bundled handler file";
 	static examples = [
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js",
@@ -17674,6 +17785,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --source-map-file ./bundle.js.map",
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret OPENAI_KEY=sk-... --secret OWNER_EMAIL=me@example.com",
 		"<%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret-from-env OPENAI_KEY --secret-from-env-file .env.local:OWNER_EMAIL",
+		"<%= config.bin %> functions deploy --name triage --source . --secret-from-env ANTHROPIC_API_KEY",
 		"printf '%s' \"$OPENAI_KEY\" | <%= config.bin %> functions deploy --name forwarder --file ./bundle.js --secret-from-stdin OPENAI_KEY"
 	];
 	static flags = {
@@ -17863,8 +17975,15 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 		});
 	}
 	async runSourceMode(flags, sourceDir) {
-		if ((flags.secret?.length ?? 0) > 0 || (flags["secret-from-env"]?.length ?? 0) > 0 || (flags["secret-from-file"]?.length ?? 0) > 0 || (flags["secret-from-env-file"]?.length ?? 0) > 0 || flags["secret-from-stdin"] !== void 0) {
-			process.stderr.write("Secret flags are not supported with --source yet. Deploy from source first, then set secrets with `primitive functions set-secret` and redeploy.\n");
+		const parsedSecrets = resolveSecretFlags({
+			fromEnv: flags["secret-from-env"] ?? [],
+			fromEnvFile: flags["secret-from-env-file"] ?? [],
+			fromFile: flags["secret-from-file"] ?? [],
+			fromStdin: flags["secret-from-stdin"],
+			inline: flags.secret ?? []
+		});
+		if (parsedSecrets.kind === "error") {
+			process.stderr.write(`${parsedSecrets.message}\n`);
 			process.exitCode = 1;
 			return;
 		}
@@ -17884,7 +18003,7 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 			baseUrlOverridden,
 			configDir: this.config.configDir
 		};
-		const outcome = await runSourceDeploy({
+		const apiSurface = {
 			createFunction: (p) => createFunction({
 				body: {
 					files: p.files,
@@ -17897,27 +18016,80 @@ var FunctionsDeployCommand = class FunctionsDeployCommand extends Command {
 				client: apiClient.client,
 				responseStyle: "fields"
 			}),
+			setSecret: (p) => setFunctionSecret({
+				body: { value: p.value },
+				client: apiClient.client,
+				path: {
+					id: p.id,
+					key: p.key
+				},
+				responseStyle: "fields"
+			}),
 			updateFunction: (p) => updateFunction({
 				body: { files: p.files },
 				client: apiClient.client,
 				path: { id: p.id },
 				responseStyle: "fields"
 			})
-		}, {
+		};
+		if (parsedSecrets.secrets.length === 0) {
+			const outcome = await runSourceDeploy(apiSurface, {
+				files: collected.files,
+				name: flags.name
+			});
+			if (outcome.kind === "error") {
+				renderBuildFailure(outcome.payload, (chunk) => process.stderr.write(chunk));
+				writeErrorWithHints(outcome.payload);
+				surfaceUnauthorizedHint({
+					...authFailureContext,
+					payload: outcome.payload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			await this.finishSourceDeploy({
+				apiClient,
+				authFailureContext,
+				flags,
+				payload: outcome.result
+			});
+			return;
+		}
+		const secretsOutcome = await runSourceDeployWithSecrets(apiSurface, {
 			files: collected.files,
-			name: flags.name
+			name: flags.name,
+			secrets: parsedSecrets.secrets
 		});
-		if (outcome.kind === "error") {
-			renderBuildFailure(outcome.payload, (chunk) => process.stderr.write(chunk));
-			writeErrorWithHints(outcome.payload);
+		if (secretsOutcome.kind === "error") {
+			if (secretsOutcome.stage === "set-secret") {
+				const succeeded = secretsOutcome.succeededKeys.length > 0 ? secretsOutcome.succeededKeys.join(", ") : "(none)";
+				const pending = secretsOutcome.pendingKeys.length > 0 ? secretsOutcome.pendingKeys.join(", ") : "(none)";
+				const allMissing = [secretsOutcome.failedKey, ...secretsOutcome.pendingKeys].join(", ");
+				const createdClause = secretsOutcome.created ? `Function ${secretsOutcome.created.name} (${secretsOutcome.functionId}) was created` : `Function ${flags.name} (${secretsOutcome.functionId}) already existed`;
+				const stagingWarning = secretsOutcome.succeededKeys.length > 0 ? ` Note: [${succeeded}] are now staged on the function row and will bind on the next deploy of this function (including one that does not pass --secret).` : "";
+				process.stderr.write(`${createdClause}, but writing secret ${secretsOutcome.failedKey} failed; succeeded keys so far: ${succeeded}; keys not yet attempted: ${pending}. The redeploy is NOT yet live. Re-run \`primitive functions set-secret\` for each of [${allMissing}], then \`primitive functions deploy --source ${sourceDir} --name ${flags.name}\` to push them live.${stagingWarning}\n`);
+			} else if (secretsOutcome.stage === "secret-redeploy") {
+				const succeeded = secretsOutcome.succeededKeys.length > 0 ? secretsOutcome.succeededKeys.join(", ") : "(none)";
+				const createdClause = secretsOutcome.created ? `Function ${secretsOutcome.created.name} (${secretsOutcome.functionId}) was created and` : `Function ${flags.name} (${secretsOutcome.functionId}) already existed and`;
+				process.stderr.write(`${createdClause} secrets [${succeeded}] were written, but the final redeploy failed; the new bindings are NOT yet live. Re-run \`primitive functions deploy --source ${sourceDir} --name ${flags.name}\` once the cause is fixed.\n`);
+			} else renderBuildFailure(secretsOutcome.payload, (chunk) => process.stderr.write(chunk));
+			writeErrorWithHints(secretsOutcome.payload);
 			surfaceUnauthorizedHint({
 				...authFailureContext,
-				payload: outcome.payload
+				payload: secretsOutcome.payload
 			});
 			process.exitCode = 1;
 			return;
 		}
-		const payload = outcome.result;
+		await this.finishSourceDeploy({
+			apiClient,
+			authFailureContext,
+			flags,
+			payload: secretsOutcome.result.redeploy
+		});
+	}
+	async finishSourceDeploy(args) {
+		const { apiClient, authFailureContext, flags, payload } = args;
 		if (flags.wait) {
 			const waitResult = await waitForFunctionDeploy({
 				getFunction: (p) => getFunction({
@@ -17966,8 +18138,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^1.1.0";
-const CLI_VERSION_RANGE = "^1.1.0";
+const SDK_VERSION_RANGE = "^1.2.0";
+const CLI_VERSION_RANGE = "^1.2.0";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
@@ -20770,6 +20942,74 @@ var SignupCommand = class SignupCommand extends Command {
 		}
 	}
 };
+function resolveVerificationCode(input) {
+	const sources = [
+		input.positional !== void 0 ? "positional" : null,
+		input.fromStdin === true ? "--code-from-stdin" : null,
+		input.fromFile !== void 0 ? "--code-from-file" : null,
+		input.fromEnv !== void 0 ? "--code-from-env" : null
+	].filter((v) => v !== null);
+	if (sources.length === 0) return {
+		kind: "error",
+		message: "Pass the verification code as a positional argument or via one of --code-from-stdin, --code-from-file, or --code-from-env."
+	};
+	if (sources.length > 1) return {
+		kind: "error",
+		message: `Pass exactly one source for the verification code; got ${sources.join(", ")}.`
+	};
+	if (input.positional !== void 0) return {
+		kind: "ok",
+		code: input.positional
+	};
+	if (input.fromEnv !== void 0) {
+		const value = (input.env ?? process$1.env)[input.fromEnv];
+		if (value === void 0) return {
+			kind: "error",
+			message: `--code-from-env ${input.fromEnv}: environment variable is not set.`
+		};
+		return {
+			kind: "ok",
+			code: stripTrailingNewline(value)
+		};
+	}
+	if (input.fromFile !== void 0) {
+		const readFile = input.readFile ?? defaultReadCodeFile;
+		try {
+			return {
+				kind: "ok",
+				code: stripTrailingNewline(readFile(input.fromFile))
+			};
+		} catch (error) {
+			const detail = error instanceof Error ? error.message : String(error);
+			return {
+				kind: "error",
+				message: `--code-from-file ${input.fromFile}: could not read file: ${detail}`
+			};
+		}
+	}
+	const readStdin = input.readStdin ?? defaultReadCodeStdin;
+	try {
+		return {
+			kind: "ok",
+			code: stripTrailingNewline(readStdin())
+		};
+	} catch (error) {
+		return {
+			kind: "error",
+			message: `--code-from-stdin: ${error instanceof Error ? error.message : String(error)}`
+		};
+	}
+}
+function stripTrailingNewline(value) {
+	return value.replace(/\r?\n$/, "");
+}
+function defaultReadCodeFile(path) {
+	return readFileSync(path, "utf8");
+}
+function defaultReadCodeStdin() {
+	if (process$1.stdin.isTTY) throw new Error("stdin is a TTY; pipe the code into this command or use --code-from-file / --code-from-env instead.");
+	return readFileSync(0, "utf8");
+}
 var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 	static args = {
 		email: Args.string({
@@ -20777,19 +21017,28 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 			required: true
 		}),
 		code: Args.string({
-			description: "Verification code from the signup email",
-			required: true
+			description: "Verification code from the signup email. Optional when one of --code-from-stdin / --code-from-file / --code-from-env is passed; exactly one source must be set.",
+			required: false
 		})
 	};
 	static description = "Confirm a pending Primitive signup, create an OAuth session, and save CLI credentials locally.";
 	static summary = "Confirm account signup";
-	static examples = ["<%= config.bin %> signup confirm user@example.com 123456", "<%= config.bin %> signup confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
+	static examples = [
+		"<%= config.bin %> signup confirm user@example.com 123456",
+		"<%= config.bin %> signup confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000",
+		"read -rs CODE && CODE=\"$CODE\" <%= config.bin %> signup confirm user@example.com --code-from-env CODE && unset CODE",
+		"read -rs CODE && printf '%s' \"$CODE\" | <%= config.bin %> signup confirm user@example.com --code-from-stdin && unset CODE",
+		"<%= config.bin %> signup confirm user@example.com --code-from-file /run/user/$(id -u)/verification-code"
+	];
 	static flags = {
 		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
 			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
+		"code-from-stdin": Flags.boolean({ description: "Read the verification code from stdin instead of the positional argument. Use when an agent is constructing the command for the user to run, so the code never enters the agent's prompt context." }),
+		"code-from-file": Flags.string({ description: "Read the verification code from a UTF-8 file at this path. Trailing newlines are stripped." }),
+		"code-from-env": Flags.string({ description: "Read the verification code from this environment variable. Pair with `read -rs CODE && CODE=\"$CODE\" primitive signup confirm <email> --code-from-env CODE && unset CODE` so the value never appears on the command line or in shell history. Plain `read` creates a shell-local variable that child processes cannot see; the inline `CODE=\"$CODE\"` exports it for just the one command." }),
 		force: Flags.boolean({
 			char: "f",
 			description: "Replace saved credentials after verification"
@@ -20798,6 +21047,13 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 	};
 	async run() {
 		const { args, flags } = await this.parse(SignupConfirmCommand);
+		const resolvedCode = resolveVerificationCode({
+			positional: args.code,
+			fromStdin: flags["code-from-stdin"] === true,
+			fromFile: flags["code-from-file"],
+			fromEnv: flags["code-from-env"]
+		});
+		if (resolvedCode.kind === "error") throw cliError$2(resolvedCode.message);
 		let releaseCredentialsLock;
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
@@ -20806,7 +21062,7 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 		}
 		try {
 			await runSignupConfirmWithCredentialLock({
-				code: args.code,
+				code: resolvedCode.code,
 				configDir: this.config.configDir,
 				email: args.email,
 				flags
@@ -22211,6 +22467,43 @@ function renderFishCompletion(binName) {
 	return `${lines.join("\n")}\n`;
 }
 //#endregion
+//#region src/oclif/shell-completion-script.ts
+/**
+* Path to the sourceable completion *function* file that
+* `@oclif/plugin-autocomplete` writes under the CLI cache dir when its cache is
+* built. This is the artifact a shell is meant to source -- a package manager
+* dropping a file into `bash_completion.d/` or zsh's `site-functions/` wants
+* this, NOT the human-readable setup instructions printed by
+* `<bin> autocomplete <shell>`. The layout mirrors the plugin's own
+* `Create.bashCompletionFunctionPath` / `zshCompletionFunctionPath` getters:
+*   <cacheDir>/autocomplete/functions/bash/<bin>.bash
+*   <cacheDir>/autocomplete/functions/zsh/_<bin>
+*
+* This couples to a private path layout in `@oclif/plugin-autocomplete`
+* (pinned `^3.2.45` in package.json). If a major bump reorganises that cache
+* dir, `readCompletionFunction` will fail even after a successful
+* `--refresh-cache`; re-verify this layout when bumping the plugin.
+*/
+function completionFunctionPath(cacheDir, bin, shell) {
+	const functionsDir = path.join(cacheDir, "autocomplete", "functions", shell);
+	const fileName = shell === "bash" ? `${bin}.bash` : `_${bin}`;
+	return path.join(functionsDir, fileName);
+}
+/**
+* Read the generated completion function script, trimmed of trailing
+* whitespace so the caller can re-add a single newline. Throws an actionable
+* error (rather than a bare `ENOENT`) if the cached script is missing -- e.g.
+* the cache build failed, or the plugin changed its path layout.
+*/
+function readCompletionFunction(cacheDir, bin, shell) {
+	const filePath = completionFunctionPath(cacheDir, bin, shell);
+	try {
+		return readFileSync(filePath, "utf8").trimEnd();
+	} catch (cause) {
+		throw new Error(`Could not read the generated ${shell} completion script at ${filePath}. Run \`${bin} autocomplete ${shell} --refresh-cache\` and try again.`, { cause });
+	}
+}
+//#endregion
 //#region src/oclif/index.ts
 var ListOperationsCommand = class extends Command {
 	static description = "List all generated API operations as JSON. Useful for piping to `jq` to discover available commands, their request/response schemas, and per-field descriptions. For inspecting a single operation in detail, prefer `primitive describe <command-or-operation-name>`.";
@@ -22331,14 +22624,32 @@ var CompletionCommand = class CompletionCommand extends Command {
 		],
 		required: true
 	}) };
-	static description = "Show shell completion output or installation instructions for supported shells";
-	static summary = "Show shell completion output or installation instructions";
+	static description = `Output a sourceable shell completion script, or print setup instructions.
+
+  For fish, and for bash/zsh when the output is piped or redirected (e.g. into a
+  completion file under bash_completion.d or zsh's site-functions), this emits
+  the raw completion script. For bash/zsh in an interactive terminal it prints
+  the human-readable setup instructions instead. This keeps a redirected
+  \`<%= config.bin %> completion bash > <file>\` safe to source -- the file holds an
+  actual completion function, never instructional prose a shell would choke on.`;
+	static summary = "Output a shell completion script or print setup instructions";
+	static examples = [
+		"<%= config.bin %> completion bash >> /etc/bash_completion.d/primitive",
+		"<%= config.bin %> completion zsh > /usr/local/share/zsh/site-functions/_primitive",
+		"<%= config.bin %> completion fish > ~/.config/fish/completions/primitive.fish"
+	];
 	async run() {
 		const { args } = await this.parse(CompletionCommand);
-		if (args.shell === "fish") {
+		const shell = args.shell;
+		if (shell === "fish") {
 			this.log(renderFishCompletion(this.config.bin));
 			return;
 		}
+		if ((shell === "bash" || shell === "zsh") && !process.stdout.isTTY) {
+			await this.config.runCommand("autocomplete", [shell, "--refresh-cache"]);
+			this.log(readCompletionFunction(this.config.cacheDir, this.config.bin, shell));
+			return;
+		}
 		await this.config.runCommand("autocomplete", [args.shell]);
 	}
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/cli",
-  "version": "1.1.0",
+  "version": "1.2.1",
   "description": "Official Primitive CLI: deploy Primitive Functions, send and inspect mail, manage endpoints, all from the terminal. Wraps the @primitivedotdev/sdk runtime client with one-shot commands.",
   "type": "module",
   "sideEffects": false,