@primitivedotdev/cli 1.2.0 → 1.3.0

package/README.md

@@ -16,6 +16,8 @@ primitive whoami
 prim whoami
 ```
 
+The same CLI is also published unscoped as [`primcli`](https://www.npmjs.com/package/primcli) — `npm install -g primcli` installs an identical build with the same `primitive`/`prim` commands. Use whichever name you prefer; they track the same version.
+
 Or with no install:
 
 ```bash

package/dist/oclif/index.js

@@ -2,7 +2,7 @@ import { A as PrimitiveApiClient, C as saveCliCredentials, D as loadActiveChatSt
 import { Args, Command, Errors, Flags, ux } from "@oclif/core";
 import { chmodSync, closeSync, existsSync, mkdirSync, openSync, readFileSync, readdirSync, renameSync, rmSync, statSync, unlinkSync, writeFileSync, writeSync } from "node:fs";
 import { randomUUID } from "node:crypto";
-import { basename, dirname, join, relative, resolve, sep } from "node:path";
+import path, { basename, dirname, join, relative, resolve, sep } from "node:path";
 import { hostname } from "node:os";
 import process$1 from "node:process";
 import { createInterface } from "node:readline/promises";
@@ -26,6 +26,8 @@ const client = createClient(createConfig({ baseUrl: "https://api.primitive.dev/v
 var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	addDomain: () => addDomain,
 	cliLogout: () => cliLogout,
+	createAgentAccount: () => createAgentAccount,
+	createAgentClaimLink: () => createAgentClaimLink,
 	createEndpoint: () => createEndpoint,
 	createFilter: () => createFilter,
 	createFunction: () => createFunction,
@@ -74,6 +76,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	sendEmail: () => sendEmail,
 	setFunctionRoute: () => setFunctionRoute,
 	setFunctionSecret: () => setFunctionSecret,
+	startAgentClaim: () => startAgentClaim,
 	startAgentSignup: () => startAgentSignup,
 	startCliLogin: () => startCliLogin,
 	startCliSignup: () => startCliSignup,
@@ -85,6 +88,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	updateEndpoint: () => updateEndpoint,
 	updateFilter: () => updateFilter,
 	updateFunction: () => updateFunction,
+	verifyAgentClaim: () => verifyAgentClaim,
 	verifyAgentSignup: () => verifyAgentSignup,
 	verifyCliSignup: () => verifyCliSignup,
 	verifyDomain: () => verifyDomain
@@ -229,6 +233,92 @@ const verifyAgentSignup = (options) => (options.client ?? client).post({
 	}
 });
 /**
+* Create an emailless agent account
+*
+* Creates an emailless agent account without authentication and returns a
+* one-time API key (prefixed `prim_`) plus a provisioned managed inbox.
+* The account is on the `agent` plan: reply-only (it can send only to
+* addresses that have already sent it authenticated mail) with tight send
+* limits. Use the returned `api_key` as a Bearer token on later calls. The
+* account can be upgraded to a full developer account by confirming an
+* email through the claim flow. This endpoint does not require an API key.
+*
+*/
+const createAgentAccount = (options) => (options.client ?? client).post({
+	url: "/agent/accounts",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Start an agent account email claim
+*
+* Begins upgrading an emailless `agent` account into a full `developer`
+* account by confirming an email address. Authenticated by the agent's own
+* API key (the org is taken from the credential). Sends a verification
+* code to the supplied email and returns the claim session id plus resend
+* timing. Submit the code to `/agent/claim/verify` to complete the
+* upgrade. Confirming an email that already belongs to a Primitive account
+* is rejected.
+*
+*/
+const startAgentClaim = (options) => (options.client ?? client).post({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/agent/claim/start",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Verify an agent account email claim
+*
+* Confirms the verification code emailed by `/agent/claim/start` and
+* upgrades the account to the `developer` plan. The org id, API key, and
+* managed inbox all carry over; the send cap lifts. Authenticated by the
+* agent's own API key.
+*
+*/
+const verifyAgentClaim = (options) => (options.client ?? client).post({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/agent/claim/verify",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Create a browser claim link
+*
+* Mints an opaque, single-use link an agent can hand to a human to
+* complete the email-confirmation upgrade in a browser. Authenticated by
+* the agent's own API key. `claim_url` is null when the API host cannot
+* resolve a web origin to build the link.
+*
+*/
+const createAgentClaimLink = (options) => (options?.client ?? client).post({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/agent/claim/link",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options?.headers
+	}
+});
+/**
 * Revoke the current CLI OAuth session
 *
 * Revokes the OAuth grant used to authenticate the request. API-key
@@ -1834,6 +1924,128 @@ const openapiDocument = {
 				"429": { "$ref": "#/components/responses/RateLimited" }
 			}
 		} },
+		"/agent/accounts": { "post": {
+			"operationId": "createAgentAccount",
+			"summary": "Create an emailless agent account",
+			"description": "Creates an emailless agent account without authentication and returns a\none-time API key (prefixed `prim_`) plus a provisioned managed inbox.\nThe account is on the `agent` plan: reply-only (it can send only to\naddresses that have already sent it authenticated mail) with tight send\nlimits. Use the returned `api_key` as a Bearer token on later calls. The\naccount can be upgraded to a full developer account by confirming an\nemail through the claim flow. This endpoint does not require an API key.\n",
+			"tags": ["Agent"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateAgentAccountInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Agent account created; the API key is returned once",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentAccountResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/agent/claim/start": { "post": {
+			"operationId": "startAgentClaim",
+			"summary": "Start an agent account email claim",
+			"description": "Begins upgrading an emailless `agent` account into a full `developer`\naccount by confirming an email address. Authenticated by the agent's own\nAPI key (the org is taken from the credential). Sends a verification\ncode to the supplied email and returns the claim session id plus resend\ntiming. Submit the code to `/agent/claim/verify` to complete the\nupgrade. Confirming an email that already belongs to a Primitive account\nis rejected.\n",
+			"tags": ["Agent"],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/StartAgentClaimInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Claim started and verification email sent",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentClaimStartResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"404": { "$ref": "#/components/responses/NotFound" },
+				"409": {
+					"description": "The email is already in use, or the account is not claimable",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/agent/claim/verify": { "post": {
+			"operationId": "verifyAgentClaim",
+			"summary": "Verify an agent account email claim",
+			"description": "Confirms the verification code emailed by `/agent/claim/start` and\nupgrades the account to the `developer` plan. The org id, API key, and\nmanaged inbox all carry over; the send cap lifts. Authenticated by the\nagent's own API key.\n",
+			"tags": ["Agent"],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/VerifyAgentClaimInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Claim verified; account upgraded to developer",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentClaimResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"404": { "$ref": "#/components/responses/NotFound" },
+				"409": {
+					"description": "The account is already claimed, or the email is in use",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"410": {
+					"description": "The claim or its verification code has expired",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/agent/claim/link": { "post": {
+			"operationId": "createAgentClaimLink",
+			"summary": "Create a browser claim link",
+			"description": "Mints an opaque, single-use link an agent can hand to a human to\ncomplete the email-confirmation upgrade in a browser. Authenticated by\nthe agent's own API key. `claim_url` is null when the API host cannot\nresolve a web origin to build the link.\n",
+			"tags": ["Agent"],
+			"requestBody": {
+				"required": false,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateAgentClaimLinkInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Claim link created",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentClaimLinkResult" } }
+					}] } } }
+				},
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"404": { "$ref": "#/components/responses/NotFound" },
+				"409": {
+					"description": "The account is not claimable (not an agent account, or already claimed)",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
 		"/cli/logout": { "post": {
 			"operationId": "cliLogout",
 			"summary": "Revoke the current CLI OAuth session",
@@ -4428,6 +4640,177 @@ const openapiDocument = {
 					"orgs"
 				]
 			},
+			"PlanLimits": {
+				"type": "object",
+				"description": "Plan-derived quota limits for an account.",
+				"properties": {
+					"storage_mb": { "type": "number" },
+					"send_per_hour": { "type": "number" },
+					"send_per_day": { "type": "number" },
+					"api_per_minute": { "type": "number" },
+					"webhooks_max_global": { "type": ["number", "null"] },
+					"webhooks_per_domain": { "type": "boolean" },
+					"filters_per_domain": { "type": "boolean" },
+					"spam_thresholds_per_domain": { "type": "boolean" }
+				},
+				"required": [
+					"storage_mb",
+					"send_per_hour",
+					"send_per_day",
+					"api_per_minute",
+					"webhooks_max_global",
+					"webhooks_per_domain",
+					"filters_per_domain",
+					"spam_thresholds_per_domain"
+				]
+			},
+			"CreateAgentAccountInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"terms_accepted": {
+						"type": "boolean",
+						"enum": [true],
+						"description": "Must be true to accept the Terms of Service and Privacy Policy."
+					},
+					"device_name": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 80,
+						"description": "Optional label for the device or agent creating the account."
+					}
+				},
+				"required": ["terms_accepted"]
+			},
+			"AgentAccountUpgradeHint": {
+				"type": "object",
+				"description": "In-band pointer to the upgrade path for an agent account.",
+				"properties": {
+					"plan": {
+						"type": "string",
+						"enum": ["developer"]
+					},
+					"description": { "type": "string" },
+					"claim_path": { "type": "string" }
+				},
+				"required": [
+					"plan",
+					"description",
+					"claim_path"
+				]
+			},
+			"AgentAccountResult": {
+				"type": "object",
+				"properties": {
+					"api_key": {
+						"type": "string",
+						"description": "One-time API key (prefixed `prim_`). Shown once; store it securely."
+					},
+					"org_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"address": {
+						"type": ["string", "null"],
+						"description": "Provisioned managed inbox FQDN, or null if the inbox publish was deferred."
+					},
+					"plan": {
+						"type": "string",
+						"enum": ["agent"]
+					},
+					"limits": { "$ref": "#/components/schemas/PlanLimits" },
+					"upgrade": { "$ref": "#/components/schemas/AgentAccountUpgradeHint" }
+				},
+				"required": [
+					"api_key",
+					"org_id",
+					"address",
+					"plan",
+					"limits",
+					"upgrade"
+				]
+			},
+			"StartAgentClaimInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": { "email": {
+					"type": "string",
+					"format": "email",
+					"maxLength": 254,
+					"description": "Email to confirm. Must not already belong to a Primitive account."
+				} },
+				"required": ["email"]
+			},
+			"AgentClaimStartResult": {
+				"type": "object",
+				"properties": {
+					"claim_session_id": { "type": "string" },
+					"resend_after_seconds": { "type": "integer" },
+					"expires_in_seconds": { "type": "integer" }
+				},
+				"required": [
+					"claim_session_id",
+					"resend_after_seconds",
+					"expires_in_seconds"
+				]
+			},
+			"VerifyAgentClaimInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": { "verification_code": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 32,
+					"description": "The verification code emailed by the claim start step."
+				} },
+				"required": ["verification_code"]
+			},
+			"AgentClaimResult": {
+				"type": "object",
+				"properties": {
+					"org_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"plan": {
+						"type": "string",
+						"enum": ["developer"]
+					},
+					"email": {
+						"type": "string",
+						"format": "email"
+					},
+					"limits": { "$ref": "#/components/schemas/PlanLimits" }
+				},
+				"required": [
+					"org_id",
+					"plan",
+					"email",
+					"limits"
+				]
+			},
+			"CreateAgentClaimLinkInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"description": "No fields; an empty object is accepted.",
+				"properties": {}
+			},
+			"AgentClaimLinkResult": {
+				"type": "object",
+				"properties": {
+					"claim_token": { "type": "string" },
+					"claim_url": {
+						"type": ["string", "null"],
+						"description": "Browser URL to hand to a human, or null if no web origin is configured."
+					},
+					"expires_in_seconds": { "type": "integer" }
+				},
+				"required": [
+					"claim_token",
+					"claim_url",
+					"expires_in_seconds"
+				]
+			},
 			"CliLogoutInput": {
 				"type": "object",
 				"additionalProperties": false,
@@ -7727,6 +8110,148 @@ const operationManifest = [
 		"tag": "Account",
 		"tagCommand": "account"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "create-agent-account",
+		"description": "Creates an emailless agent account without authentication and returns a\none-time API key (prefixed `prim_`) plus a provisioned managed inbox.\nThe account is on the `agent` plan: reply-only (it can send only to\naddresses that have already sent it authenticated mail) with tight send\nlimits. Use the returned `api_key` as a Bearer token on later calls. The\naccount can be upgraded to a full developer account by confirming an\nemail through the claim flow. This endpoint does not require an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "createAgentAccount",
+		"path": "/agent/accounts",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"terms_accepted": {
+					"type": "boolean",
+					"enum": [true],
+					"description": "Must be true to accept the Terms of Service and Privacy Policy."
+				},
+				"device_name": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 80,
+					"description": "Optional label for the device or agent creating the account."
+				}
+			},
+			"required": ["terms_accepted"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"api_key": {
+					"type": "string",
+					"description": "One-time API key (prefixed `prim_`). Shown once; store it securely."
+				},
+				"org_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"address": {
+					"type": ["string", "null"],
+					"description": "Provisioned managed inbox FQDN, or null if the inbox publish was deferred."
+				},
+				"plan": {
+					"type": "string",
+					"enum": ["agent"]
+				},
+				"limits": {
+					"type": "object",
+					"description": "Plan-derived quota limits for an account.",
+					"properties": {
+						"storage_mb": { "type": "number" },
+						"send_per_hour": { "type": "number" },
+						"send_per_day": { "type": "number" },
+						"api_per_minute": { "type": "number" },
+						"webhooks_max_global": { "type": ["number", "null"] },
+						"webhooks_per_domain": { "type": "boolean" },
+						"filters_per_domain": { "type": "boolean" },
+						"spam_thresholds_per_domain": { "type": "boolean" }
+					},
+					"required": [
+						"storage_mb",
+						"send_per_hour",
+						"send_per_day",
+						"api_per_minute",
+						"webhooks_max_global",
+						"webhooks_per_domain",
+						"filters_per_domain",
+						"spam_thresholds_per_domain"
+					]
+				},
+				"upgrade": {
+					"type": "object",
+					"description": "In-band pointer to the upgrade path for an agent account.",
+					"properties": {
+						"plan": {
+							"type": "string",
+							"enum": ["developer"]
+						},
+						"description": { "type": "string" },
+						"claim_path": { "type": "string" }
+					},
+					"required": [
+						"plan",
+						"description",
+						"claim_path"
+					]
+				}
+			},
+			"required": [
+				"api_key",
+				"org_id",
+				"address",
+				"plan",
+				"limits",
+				"upgrade"
+			]
+		},
+		"sdkName": "createAgentAccount",
+		"summary": "Create an emailless agent account",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "create-agent-claim-link",
+		"description": "Mints an opaque, single-use link an agent can hand to a human to\ncomplete the email-confirmation upgrade in a browser. Authenticated by\nthe agent's own API key. `claim_url` is null when the API host cannot\nresolve a web origin to build the link.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "createAgentClaimLink",
+		"path": "/agent/claim/link",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"description": "No fields; an empty object is accepted.",
+			"properties": {}
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"claim_token": { "type": "string" },
+				"claim_url": {
+					"type": ["string", "null"],
+					"description": "Browser URL to hand to a human, or null if no web origin is configured."
+				},
+				"expires_in_seconds": { "type": "integer" }
+			},
+			"required": [
+				"claim_token",
+				"claim_url",
+				"expires_in_seconds"
+			]
+		},
+		"sdkName": "createAgentClaimLink",
+		"summary": "Create a browser claim link",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
@@ -7779,6 +8304,46 @@ const operationManifest = [
 		"tag": "Agent",
 		"tagCommand": "agent"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "start-agent-claim",
+		"description": "Begins upgrading an emailless `agent` account into a full `developer`\naccount by confirming an email address. Authenticated by the agent's own\nAPI key (the org is taken from the credential). Sends a verification\ncode to the supplied email and returns the claim session id plus resend\ntiming. Submit the code to `/agent/claim/verify` to complete the\nupgrade. Confirming an email that already belongs to a Primitive account\nis rejected.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "startAgentClaim",
+		"path": "/agent/claim/start",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "email": {
+				"type": "string",
+				"format": "email",
+				"maxLength": 254,
+				"description": "Email to confirm. Must not already belong to a Primitive account."
+			} },
+			"required": ["email"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"claim_session_id": { "type": "string" },
+				"resend_after_seconds": { "type": "integer" },
+				"expires_in_seconds": { "type": "integer" }
+			},
+			"required": [
+				"claim_session_id",
+				"resend_after_seconds",
+				"expires_in_seconds"
+			]
+		},
+		"sdkName": "startAgentClaim",
+		"summary": "Start an agent account email claim",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
@@ -7861,6 +8426,80 @@ const operationManifest = [
 		"tag": "Agent",
 		"tagCommand": "agent"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "verify-agent-claim",
+		"description": "Confirms the verification code emailed by `/agent/claim/start` and\nupgrades the account to the `developer` plan. The org id, API key, and\nmanaged inbox all carry over; the send cap lifts. Authenticated by the\nagent's own API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "verifyAgentClaim",
+		"path": "/agent/claim/verify",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "verification_code": {
+				"type": "string",
+				"minLength": 1,
+				"maxLength": 32,
+				"description": "The verification code emailed by the claim start step."
+			} },
+			"required": ["verification_code"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"org_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"plan": {
+					"type": "string",
+					"enum": ["developer"]
+				},
+				"email": {
+					"type": "string",
+					"format": "email"
+				},
+				"limits": {
+					"type": "object",
+					"description": "Plan-derived quota limits for an account.",
+					"properties": {
+						"storage_mb": { "type": "number" },
+						"send_per_hour": { "type": "number" },
+						"send_per_day": { "type": "number" },
+						"api_per_minute": { "type": "number" },
+						"webhooks_max_global": { "type": ["number", "null"] },
+						"webhooks_per_domain": { "type": "boolean" },
+						"filters_per_domain": { "type": "boolean" },
+						"spam_thresholds_per_domain": { "type": "boolean" }
+					},
+					"required": [
+						"storage_mb",
+						"send_per_hour",
+						"send_per_day",
+						"api_per_minute",
+						"webhooks_max_global",
+						"webhooks_per_domain",
+						"filters_per_domain",
+						"spam_thresholds_per_domain"
+					]
+				}
+			},
+			"required": [
+				"org_id",
+				"plan",
+				"email",
+				"limits"
+			]
+		},
+		"sdkName": "verifyAgentClaim",
+		"summary": "Verify an agent account email claim",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
@@ -18138,8 +18777,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^1.2.0";
-const CLI_VERSION_RANGE = "^1.2.0";
+const SDK_VERSION_RANGE = "^1.3.0";
+const CLI_VERSION_RANGE = "^1.3.0";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
@@ -20942,6 +21581,74 @@ var SignupCommand = class SignupCommand extends Command {
 		}
 	}
 };
+function resolveVerificationCode(input) {
+	const sources = [
+		input.positional !== void 0 ? "positional" : null,
+		input.fromStdin === true ? "--code-from-stdin" : null,
+		input.fromFile !== void 0 ? "--code-from-file" : null,
+		input.fromEnv !== void 0 ? "--code-from-env" : null
+	].filter((v) => v !== null);
+	if (sources.length === 0) return {
+		kind: "error",
+		message: "Pass the verification code as a positional argument or via one of --code-from-stdin, --code-from-file, or --code-from-env."
+	};
+	if (sources.length > 1) return {
+		kind: "error",
+		message: `Pass exactly one source for the verification code; got ${sources.join(", ")}.`
+	};
+	if (input.positional !== void 0) return {
+		kind: "ok",
+		code: input.positional
+	};
+	if (input.fromEnv !== void 0) {
+		const value = (input.env ?? process$1.env)[input.fromEnv];
+		if (value === void 0) return {
+			kind: "error",
+			message: `--code-from-env ${input.fromEnv}: environment variable is not set.`
+		};
+		return {
+			kind: "ok",
+			code: stripTrailingNewline(value)
+		};
+	}
+	if (input.fromFile !== void 0) {
+		const readFile = input.readFile ?? defaultReadCodeFile;
+		try {
+			return {
+				kind: "ok",
+				code: stripTrailingNewline(readFile(input.fromFile))
+			};
+		} catch (error) {
+			const detail = error instanceof Error ? error.message : String(error);
+			return {
+				kind: "error",
+				message: `--code-from-file ${input.fromFile}: could not read file: ${detail}`
+			};
+		}
+	}
+	const readStdin = input.readStdin ?? defaultReadCodeStdin;
+	try {
+		return {
+			kind: "ok",
+			code: stripTrailingNewline(readStdin())
+		};
+	} catch (error) {
+		return {
+			kind: "error",
+			message: `--code-from-stdin: ${error instanceof Error ? error.message : String(error)}`
+		};
+	}
+}
+function stripTrailingNewline(value) {
+	return value.replace(/\r?\n$/, "");
+}
+function defaultReadCodeFile(path) {
+	return readFileSync(path, "utf8");
+}
+function defaultReadCodeStdin() {
+	if (process$1.stdin.isTTY) throw new Error("stdin is a TTY; pipe the code into this command or use --code-from-file / --code-from-env instead.");
+	return readFileSync(0, "utf8");
+}
 var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 	static args = {
 		email: Args.string({
@@ -20949,19 +21656,28 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 			required: true
 		}),
 		code: Args.string({
-			description: "Verification code from the signup email",
-			required: true
+			description: "Verification code from the signup email. Optional when one of --code-from-stdin / --code-from-file / --code-from-env is passed; exactly one source must be set.",
+			required: false
 		})
 	};
 	static description = "Confirm a pending Primitive signup, create an OAuth session, and save CLI credentials locally.";
 	static summary = "Confirm account signup";
-	static examples = ["<%= config.bin %> signup confirm user@example.com 123456", "<%= config.bin %> signup confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000"];
+	static examples = [
+		"<%= config.bin %> signup confirm user@example.com 123456",
+		"<%= config.bin %> signup confirm user@example.com 123456 --org-id 00000000-0000-4000-8000-000000000000",
+		"read -rs CODE && CODE=\"$CODE\" <%= config.bin %> signup confirm user@example.com --code-from-env CODE && unset CODE",
+		"read -rs CODE && printf '%s' \"$CODE\" | <%= config.bin %> signup confirm user@example.com --code-from-stdin && unset CODE",
+		"<%= config.bin %> signup confirm user@example.com --code-from-file /run/user/$(id -u)/verification-code"
+	];
 	static flags = {
 		"api-base-url": Flags.string({
 			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
 			env: "PRIMITIVE_API_BASE_URL",
 			hidden: true
 		}),
+		"code-from-stdin": Flags.boolean({ description: "Read the verification code from stdin instead of the positional argument. Use when an agent is constructing the command for the user to run, so the code never enters the agent's prompt context." }),
+		"code-from-file": Flags.string({ description: "Read the verification code from a UTF-8 file at this path. Trailing newlines are stripped." }),
+		"code-from-env": Flags.string({ description: "Read the verification code from this environment variable. Pair with `read -rs CODE && CODE=\"$CODE\" primitive signup confirm <email> --code-from-env CODE && unset CODE` so the value never appears on the command line or in shell history. Plain `read` creates a shell-local variable that child processes cannot see; the inline `CODE=\"$CODE\"` exports it for just the one command." }),
 		force: Flags.boolean({
 			char: "f",
 			description: "Replace saved credentials after verification"
@@ -20970,6 +21686,13 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 	};
 	async run() {
 		const { args, flags } = await this.parse(SignupConfirmCommand);
+		const resolvedCode = resolveVerificationCode({
+			positional: args.code,
+			fromStdin: flags["code-from-stdin"] === true,
+			fromFile: flags["code-from-file"],
+			fromEnv: flags["code-from-env"]
+		});
+		if (resolvedCode.kind === "error") throw cliError$2(resolvedCode.message);
 		let releaseCredentialsLock;
 		try {
 			releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
@@ -20978,7 +21701,7 @@ var SignupConfirmCommand = class SignupConfirmCommand extends Command {
 		}
 		try {
 			await runSignupConfirmWithCredentialLock({
-				code: args.code,
+				code: resolvedCode.code,
 				configDir: this.config.configDir,
 				email: args.email,
 				flags
@@ -22383,6 +23106,43 @@ function renderFishCompletion(binName) {
 	return `${lines.join("\n")}\n`;
 }
 //#endregion
+//#region src/oclif/shell-completion-script.ts
+/**
+* Path to the sourceable completion *function* file that
+* `@oclif/plugin-autocomplete` writes under the CLI cache dir when its cache is
+* built. This is the artifact a shell is meant to source -- a package manager
+* dropping a file into `bash_completion.d/` or zsh's `site-functions/` wants
+* this, NOT the human-readable setup instructions printed by
+* `<bin> autocomplete <shell>`. The layout mirrors the plugin's own
+* `Create.bashCompletionFunctionPath` / `zshCompletionFunctionPath` getters:
+*   <cacheDir>/autocomplete/functions/bash/<bin>.bash
+*   <cacheDir>/autocomplete/functions/zsh/_<bin>
+*
+* This couples to a private path layout in `@oclif/plugin-autocomplete`
+* (pinned `^3.2.45` in package.json). If a major bump reorganises that cache
+* dir, `readCompletionFunction` will fail even after a successful
+* `--refresh-cache`; re-verify this layout when bumping the plugin.
+*/
+function completionFunctionPath(cacheDir, bin, shell) {
+	const functionsDir = path.join(cacheDir, "autocomplete", "functions", shell);
+	const fileName = shell === "bash" ? `${bin}.bash` : `_${bin}`;
+	return path.join(functionsDir, fileName);
+}
+/**
+* Read the generated completion function script, trimmed of trailing
+* whitespace so the caller can re-add a single newline. Throws an actionable
+* error (rather than a bare `ENOENT`) if the cached script is missing -- e.g.
+* the cache build failed, or the plugin changed its path layout.
+*/
+function readCompletionFunction(cacheDir, bin, shell) {
+	const filePath = completionFunctionPath(cacheDir, bin, shell);
+	try {
+		return readFileSync(filePath, "utf8").trimEnd();
+	} catch (cause) {
+		throw new Error(`Could not read the generated ${shell} completion script at ${filePath}. Run \`${bin} autocomplete ${shell} --refresh-cache\` and try again.`, { cause });
+	}
+}
+//#endregion
 //#region src/oclif/index.ts
 var ListOperationsCommand = class extends Command {
 	static description = "List all generated API operations as JSON. Useful for piping to `jq` to discover available commands, their request/response schemas, and per-field descriptions. For inspecting a single operation in detail, prefer `primitive describe <command-or-operation-name>`.";
@@ -22503,14 +23263,32 @@ var CompletionCommand = class CompletionCommand extends Command {
 		],
 		required: true
 	}) };
-	static description = "Show shell completion output or installation instructions for supported shells";
-	static summary = "Show shell completion output or installation instructions";
+	static description = `Output a sourceable shell completion script, or print setup instructions.
+
+  For fish, and for bash/zsh when the output is piped or redirected (e.g. into a
+  completion file under bash_completion.d or zsh's site-functions), this emits
+  the raw completion script. For bash/zsh in an interactive terminal it prints
+  the human-readable setup instructions instead. This keeps a redirected
+  \`<%= config.bin %> completion bash > <file>\` safe to source -- the file holds an
+  actual completion function, never instructional prose a shell would choke on.`;
+	static summary = "Output a shell completion script or print setup instructions";
+	static examples = [
+		"<%= config.bin %> completion bash >> /etc/bash_completion.d/primitive",
+		"<%= config.bin %> completion zsh > /usr/local/share/zsh/site-functions/_primitive",
+		"<%= config.bin %> completion fish > ~/.config/fish/completions/primitive.fish"
+	];
 	async run() {
 		const { args } = await this.parse(CompletionCommand);
-		if (args.shell === "fish") {
+		const shell = args.shell;
+		if (shell === "fish") {
 			this.log(renderFishCompletion(this.config.bin));
 			return;
 		}
+		if ((shell === "bash" || shell === "zsh") && !process.stdout.isTTY) {
+			await this.config.runCommand("autocomplete", [shell, "--refresh-cache"]);
+			this.log(readCompletionFunction(this.config.cacheDir, this.config.bin, shell));
+			return;
+		}
 		await this.config.runCommand("autocomplete", [args.shell]);
 	}
 };
@@ -22518,6 +23296,10 @@ const CANONICAL_OPERATION_ALIASES = {
 	"account:show": "account:get-account",
 	"account:storage": "account:get-storage-stats",
 	"account:webhook-secret": "account:get-webhook-secret",
+	"agent:claim": "agent:start-agent-claim",
+	"agent:claim-link": "agent:create-agent-claim-link",
+	"agent:claim-verify": "agent:verify-agent-claim",
+	"agent:create": "agent:create-agent-account",
 	"deliveries:list": "webhook-deliveries:list-deliveries",
 	"deliveries:replay": "webhook-deliveries:replay-delivery",
 	"domains:add": "domains:add-domain",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/cli",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Official Primitive CLI: deploy Primitive Functions, send and inspect mail, manage endpoints, all from the terminal. Wraps the @primitivedotdev/sdk runtime client with one-shot commands.",
   "type": "module",
   "sideEffects": false,