@primitivedotdev/cli 1.4.0 → 1.5.0

package/dist/oclif/index.js

@@ -32,12 +32,14 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	createFilter: () => createFilter,
 	createFunction: () => createFunction,
 	createFunctionSecret: () => createFunctionSecret,
+	createOrgSecret: () => createOrgSecret,
 	deleteDomain: () => deleteDomain,
 	deleteEmail: () => deleteEmail,
 	deleteEndpoint: () => deleteEndpoint,
 	deleteFilter: () => deleteFilter,
 	deleteFunction: () => deleteFunction,
 	deleteFunctionSecret: () => deleteFunctionSecret,
+	deleteOrgSecret: () => deleteOrgSecret,
 	discardEmailContent: () => discardEmailContent,
 	downloadAttachments: () => downloadAttachments,
 	downloadDomainZoneFile: () => downloadDomainZoneFile,
@@ -63,6 +65,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	listFunctionLogs: () => listFunctionLogs,
 	listFunctionSecrets: () => listFunctionSecrets,
 	listFunctions: () => listFunctions,
+	listOrgSecrets: () => listOrgSecrets,
 	listSentEmails: () => listSentEmails,
 	pollCliLogin: () => pollCliLogin,
 	replayDelivery: () => replayDelivery,
@@ -76,6 +79,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	sendEmail: () => sendEmail,
 	setFunctionRoute: () => setFunctionRoute,
 	setFunctionSecret: () => setFunctionSecret,
+	setOrgSecret: () => setOrgSecret,
 	startAgentClaim: () => startAgentClaim,
 	startAgentSignup: () => startAgentSignup,
 	startCliLogin: () => startCliLogin,
@@ -1517,6 +1521,85 @@ const setFunctionSecret = (options) => (options.client ?? client).put({
 	}
 });
 /**
+* List org-level (global) secrets
+*
+* Returns metadata for every org-level secret. Org secrets apply
+* to every function in the org and are read as `env.<KEY>` in
+* handlers. **Values are never returned.** Secret writes are
+* write-only. A function-level secret of the same name overrides
+* the org-level value for that function.
+*
+*/
+const listOrgSecrets = (options) => (options?.client ?? client).get({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/org/secrets",
+	...options
+});
+/**
+* Create or update an org secret
+*
+* Idempotent insert-or-update keyed on `(org_id, key)`. Returns
+* 201 the first time the key is set, 200 on subsequent updates.
+* Values are encrypted at rest. A changed value lands in a
+* function only on that function's next deploy.
+*
+* Keys must match `^[A-Z_][A-Z0-9_]*$` (uppercase letters,
+* digits, underscores; first character is a letter or
+* underscore). Values are at most 4096 UTF-8 bytes. System-
+* managed keys are reserved and rejected.
+*
+*/
+const createOrgSecret = (options) => (options.client ?? client).post({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/org/secrets",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Delete an org secret
+*
+* Removes the org secret. Functions keep the previous value until
+* each is redeployed. Returns 404 if the key did not exist.
+*
+*/
+const deleteOrgSecret = (options) => (options.client ?? client).delete({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/org/secrets/{key}",
+	...options
+});
+/**
+* Set an org secret by key
+*
+* Path-keyed companion to `POST /org/secrets`. Idempotent:
+* returns 201 the first time the key is set, 200 on subsequent
+* updates. Same validation and write-only guarantees as POST.
+*
+*/
+const setOrgSecret = (options) => (options.client ?? client).put({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/org/secrets/{key}",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
 * List a function's execution logs
 *
 * Returns the most recent `function_logs` rows for the function,
@@ -3709,6 +3792,111 @@ const openapiDocument = {
 				}
 			}
 		},
+		"/org/secrets": {
+			"get": {
+				"operationId": "listOrgSecrets",
+				"summary": "List org-level (global) secrets",
+				"description": "Returns metadata for every org-level secret. Org secrets apply\nto every function in the org and are read as `env.<KEY>` in\nhandlers. **Values are never returned.** Secret writes are\nwrite-only. A function-level secret of the same name overrides\nthe org-level value for that function.\n",
+				"tags": ["Functions"],
+				"responses": {
+					"200": {
+						"description": "List of org secrets (metadata only, no values)",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": {
+								"type": "object",
+								"properties": { "items": {
+									"type": "array",
+									"items": { "$ref": "#/components/schemas/OrgSecretListItem" }
+								} },
+								"required": ["items"]
+							} }
+						}] } } }
+					},
+					"401": { "$ref": "#/components/responses/Unauthorized" }
+				}
+			},
+			"post": {
+				"operationId": "createOrgSecret",
+				"summary": "Create or update an org secret",
+				"description": "Idempotent insert-or-update keyed on `(org_id, key)`. Returns\n201 the first time the key is set, 200 on subsequent updates.\nValues are encrypted at rest. A changed value lands in a\nfunction only on that function's next deploy.\n\nKeys must match `^[A-Z_][A-Z0-9_]*$` (uppercase letters,\ndigits, underscores; first character is a letter or\nunderscore). Values are at most 4096 UTF-8 bytes. System-\nmanaged keys are reserved and rejected.\n",
+				"tags": ["Functions"],
+				"requestBody": {
+					"required": true,
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateOrgSecretInput" } } }
+				},
+				"responses": {
+					"200": {
+						"description": "Secret updated",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": { "$ref": "#/components/schemas/OrgSecretWriteResult" } }
+						}] } } }
+					},
+					"201": {
+						"description": "Secret created",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": { "$ref": "#/components/schemas/OrgSecretWriteResult" } }
+						}] } } }
+					},
+					"400": { "$ref": "#/components/responses/ValidationError" },
+					"401": { "$ref": "#/components/responses/Unauthorized" }
+				}
+			}
+		},
+		"/org/secrets/{key}": {
+			"parameters": [{
+				"name": "key",
+				"in": "path",
+				"required": true,
+				"description": "Secret key. Must match `^[A-Z_][A-Z0-9_]*$`.",
+				"schema": {
+					"type": "string",
+					"pattern": "^[A-Z_][A-Z0-9_]*$"
+				}
+			}],
+			"put": {
+				"operationId": "setOrgSecret",
+				"summary": "Set an org secret by key",
+				"description": "Path-keyed companion to `POST /org/secrets`. Idempotent:\nreturns 201 the first time the key is set, 200 on subsequent\nupdates. Same validation and write-only guarantees as POST.\n",
+				"tags": ["Functions"],
+				"requestBody": {
+					"required": true,
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/SetOrgSecretInput" } } }
+				},
+				"responses": {
+					"200": {
+						"description": "Secret updated",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": { "$ref": "#/components/schemas/OrgSecretWriteResult" } }
+						}] } } }
+					},
+					"201": {
+						"description": "Secret created",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": { "$ref": "#/components/schemas/OrgSecretWriteResult" } }
+						}] } } }
+					},
+					"400": { "$ref": "#/components/responses/ValidationError" },
+					"401": { "$ref": "#/components/responses/Unauthorized" }
+				}
+			},
+			"delete": {
+				"operationId": "deleteOrgSecret",
+				"summary": "Delete an org secret",
+				"description": "Removes the org secret. Functions keep the previous value until\neach is redeployed. Returns 404 if the key did not exist.\n",
+				"tags": ["Functions"],
+				"responses": {
+					"204": { "description": "Secret deleted" },
+					"400": { "$ref": "#/components/responses/ValidationError" },
+					"401": { "$ref": "#/components/responses/Unauthorized" },
+					"404": { "$ref": "#/components/responses/NotFound" }
+				}
+			}
+		},
 		"/functions/{id}/logs": {
 			"parameters": [{ "$ref": "#/components/parameters/ResourceId" }],
 			"get": {
@@ -7920,6 +8108,81 @@ const openapiDocument = {
 					"updated_at",
 					"created"
 				]
+			},
+			"OrgSecretListItem": {
+				"type": "object",
+				"description": "One row from GET /org/secrets. Org secrets are always user-set\n(there are no managed org secrets), so `created_at` /\n`updated_at` are always present.\n",
+				"properties": {
+					"key": { "type": "string" },
+					"created_at": {
+						"type": "string",
+						"format": "date-time"
+					},
+					"updated_at": {
+						"type": "string",
+						"format": "date-time"
+					}
+				},
+				"required": [
+					"key",
+					"created_at",
+					"updated_at"
+				]
+			},
+			"CreateOrgSecretInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"description": "Body for POST /org/secrets.",
+				"properties": {
+					"key": {
+						"type": "string",
+						"pattern": "^[A-Z_][A-Z0-9_]*$",
+						"description": "Uppercase letters, digits, and underscores. Must start with\na letter or underscore. System-managed keys are reserved.\n"
+					},
+					"value": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 4096,
+						"description": "Secret value, up to 4096 UTF-8 bytes. Encrypted at rest.\nNever returned by any read endpoint.\n"
+					}
+				},
+				"required": ["key", "value"]
+			},
+			"SetOrgSecretInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"description": "Body for PUT /org/secrets/{key}. Key comes from the path.",
+				"properties": { "value": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 4096
+				} },
+				"required": ["value"]
+			},
+			"OrgSecretWriteResult": {
+				"type": "object",
+				"description": "Returned by POST and PUT org secret routes.",
+				"properties": {
+					"key": { "type": "string" },
+					"created_at": {
+						"type": "string",
+						"format": "date-time"
+					},
+					"updated_at": {
+						"type": "string",
+						"format": "date-time"
+					},
+					"created": {
+						"type": "boolean",
+						"description": "True if this call inserted a new row, false if it updated an existing one."
+					}
+				},
+				"required": [
+					"key",
+					"created_at",
+					"updated_at",
+					"created"
+				]
 			}
 		}
 	}
@@ -11624,6 +11887,66 @@ const operationManifest = [
 		"tag": "Functions",
 		"tagCommand": "functions"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "create-org-secret",
+		"description": "Idempotent insert-or-update keyed on `(org_id, key)`. Returns\n201 the first time the key is set, 200 on subsequent updates.\nValues are encrypted at rest. A changed value lands in a\nfunction only on that function's next deploy.\n\nKeys must match `^[A-Z_][A-Z0-9_]*$` (uppercase letters,\ndigits, underscores; first character is a letter or\nunderscore). Values are at most 4096 UTF-8 bytes. System-\nmanaged keys are reserved and rejected.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "createOrgSecret",
+		"path": "/org/secrets",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"description": "Body for POST /org/secrets.",
+			"properties": {
+				"key": {
+					"type": "string",
+					"pattern": "^[A-Z_][A-Z0-9_]*$",
+					"description": "Uppercase letters, digits, and underscores. Must start with\na letter or underscore. System-managed keys are reserved.\n"
+				},
+				"value": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 4096,
+					"description": "Secret value, up to 4096 UTF-8 bytes. Encrypted at rest.\nNever returned by any read endpoint.\n"
+				}
+			},
+			"required": ["key", "value"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"description": "Returned by POST and PUT org secret routes.",
+			"properties": {
+				"key": { "type": "string" },
+				"created_at": {
+					"type": "string",
+					"format": "date-time"
+				},
+				"updated_at": {
+					"type": "string",
+					"format": "date-time"
+				},
+				"created": {
+					"type": "boolean",
+					"description": "True if this call inserted a new row, false if it updated an existing one."
+				}
+			},
+			"required": [
+				"key",
+				"created_at",
+				"updated_at",
+				"created"
+			]
+		},
+		"sdkName": "createOrgSecret",
+		"summary": "Create or update an org secret",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
@@ -11678,6 +12001,30 @@ const operationManifest = [
 		"tag": "Functions",
 		"tagCommand": "functions"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "delete-org-secret",
+		"description": "Removes the org secret. Functions keep the previous value until\neach is redeployed. Returns 404 if the key did not exist.\n",
+		"hasJsonBody": false,
+		"method": "DELETE",
+		"operationId": "deleteOrgSecret",
+		"path": "/org/secrets/{key}",
+		"pathParams": [{
+			"description": "Secret key. Must match `^[A-Z_][A-Z0-9_]*$`.",
+			"enum": null,
+			"name": "key",
+			"required": true,
+			"type": "string"
+		}],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": null,
+		"sdkName": "deleteOrgSecret",
+		"summary": "Delete an org secret",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
@@ -12558,6 +12905,50 @@ const operationManifest = [
 		"tag": "Functions",
 		"tagCommand": "functions"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "list-org-secrets",
+		"description": "Returns metadata for every org-level secret. Org secrets apply\nto every function in the org and are read as `env.<KEY>` in\nhandlers. **Values are never returned.** Secret writes are\nwrite-only. A function-level secret of the same name overrides\nthe org-level value for that function.\n",
+		"hasJsonBody": false,
+		"method": "GET",
+		"operationId": "listOrgSecrets",
+		"path": "/org/secrets",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": {
+			"type": "object",
+			"properties": { "items": {
+				"type": "array",
+				"items": {
+					"type": "object",
+					"description": "One row from GET /org/secrets. Org secrets are always user-set\n(there are no managed org secrets), so `created_at` /\n`updated_at` are always present.\n",
+					"properties": {
+						"key": { "type": "string" },
+						"created_at": {
+							"type": "string",
+							"format": "date-time"
+						},
+						"updated_at": {
+							"type": "string",
+							"format": "date-time"
+						}
+					},
+					"required": [
+						"key",
+						"created_at",
+						"updated_at"
+					]
+				}
+			} },
+			"required": ["items"]
+		},
+		"sdkName": "listOrgSecrets",
+		"summary": "List org-level (global) secrets",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
@@ -12746,6 +13137,64 @@ const operationManifest = [
 		"tag": "Functions",
 		"tagCommand": "functions"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "set-org-secret",
+		"description": "Path-keyed companion to `POST /org/secrets`. Idempotent:\nreturns 201 the first time the key is set, 200 on subsequent\nupdates. Same validation and write-only guarantees as POST.\n",
+		"hasJsonBody": true,
+		"method": "PUT",
+		"operationId": "setOrgSecret",
+		"path": "/org/secrets/{key}",
+		"pathParams": [{
+			"description": "Secret key. Must match `^[A-Z_][A-Z0-9_]*$`.",
+			"enum": null,
+			"name": "key",
+			"required": true,
+			"type": "string"
+		}],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"description": "Body for PUT /org/secrets/{key}. Key comes from the path.",
+			"properties": { "value": {
+				"type": "string",
+				"minLength": 1,
+				"maxLength": 4096
+			} },
+			"required": ["value"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"description": "Returned by POST and PUT org secret routes.",
+			"properties": {
+				"key": { "type": "string" },
+				"created_at": {
+					"type": "string",
+					"format": "date-time"
+				},
+				"updated_at": {
+					"type": "string",
+					"format": "date-time"
+				},
+				"created": {
+					"type": "boolean",
+					"description": "True if this call inserted a new row, false if it updated an existing one."
+				}
+			},
+			"required": [
+				"key",
+				"created_at",
+				"updated_at",
+				"created"
+			]
+		},
+		"sdkName": "setOrgSecret",
+		"summary": "Set an org secret by key",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
@@ -18933,8 +19382,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^1.4.0";
-const CLI_VERSION_RANGE = "^1.4.0";
+const SDK_VERSION_RANGE = "^1.5.0";
+const CLI_VERSION_RANGE = "^1.5.0";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/cli",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "Official Primitive CLI: deploy Primitive Functions, send and inspect mail, manage endpoints, all from the terminal. Wraps the @primitivedotdev/sdk runtime client with one-shot commands.",
   "type": "module",
   "sideEffects": false,