@primitivedotdev/sdk 0.16.0 → 0.17.0

package/dist/api/generated/sdk.gen.js

@@ -31,8 +31,25 @@ export const getStorageStats = (options) => (options?.client ?? client).get({
 /**
  * Get webhook signing secret
  *
- * Returns the webhook signing secret for your account. If no secret
- * exists yet, one is generated automatically on first access.
+ * Returns the webhook signing secret for your account. If no
+ * secret exists yet, one is generated automatically on first
+ * access.
+ *
+ * Signing is account-scoped, not per-endpoint. Every webhook
+ * delivery from any of your registered endpoints is signed
+ * with this single secret. Rotate via
+ * `POST /account/webhook-secret/rotate`.
+ *
+ * **Secret format**: the returned string looks base64-shaped
+ * (e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`) but is NOT base64.
+ * Use it AS-IS as a UTF-8 string when computing HMAC over a
+ * delivery body. Base64-decoding before HMAC will silently
+ * produce mismatched signatures.
+ *
+ * See the API-level "Webhook signing" section for the full
+ * wire format (header name, signed string shape, hash algo,
+ * tolerance) including a language-agnostic verification
+ * recipe.
  *
  */
 export const getWebhookSecret = (options) => (options?.client ?? client).get({
@@ -125,12 +142,20 @@ export const verifyDomain = (options) => (options.client ?? client).post({
  * List inbound emails
  *
  * Returns a paginated list of INBOUND emails received at your
- * verified domains. Outbound messages sent via /send-mail are not
- * included; this endpoint is the inbox view, not a unified
- * send/receive history.
+ * verified domains. Outbound messages sent via /send-mail are
+ * not included; this endpoint is the inbox view, not a
+ * unified send/receive history.
+ *
+ * Supports filtering by domain, status, date range, and
+ * free-text search across subject, sender, and recipient
+ * fields.
  *
- * Supports filtering by domain, status, date range, and free-text
- * search across subject, sender, and recipient fields.
+ * For a compact text-table summary of the most recent N
+ * inbounds (no filters, no cursor pagination), the CLI ships
+ * `primitive emails:latest` as a one-line-per-email shortcut.
+ * It's TTY-aware so id columns are full UUIDs when piped, and
+ * a `--json` flag returns the same envelope this endpoint
+ * does. Use whichever fits the call site.
  *
  */
 export const listEmails = (options) => (options?.client ?? client).get({
@@ -288,9 +313,22 @@ export const listEndpoints = (options) => (options?.client ?? client).get({
 /**
  * Create a webhook endpoint
  *
- * Creates a new webhook endpoint. If a deactivated endpoint with the
- * same URL and domain exists, it is reactivated instead.
- * Subject to plan limits on the number of active endpoints.
+ * Creates a new webhook endpoint. If a deactivated endpoint
+ * with the same URL and domain exists, it is reactivated
+ * instead. Subject to plan limits on the number of active
+ * endpoints.
+ *
+ * **Signing is account-scoped, not per-endpoint.** This call
+ * does not return any signing material; every endpoint on the
+ * account uses the same webhook secret, fetched via
+ * `GET /account/webhook-secret`. See the API-level "Webhook
+ * signing" section for the full wire format (header name,
+ * signed string, hash algo, secret format, tolerance) and a
+ * language-agnostic verification recipe.
+ *
+ * After creating the endpoint, fire a test delivery against
+ * it via `POST /endpoints/{id}/test` to confirm your verifier
+ * accepts the signature.
  *
  */
 export const createEndpoint = (options) => (options.client ?? client).post({

package/dist/api/index.d.ts

@@ -1,2 +1,2 @@
-import { $ as AddDomainData, $i as RequestOptions, $n as ListDomainsErrors, $r as SendPermissionAddress, $t as DownloadAttachmentsResponses, A as getSendPermissions, Ai as UpdateEndpointError, An as GetSentEmailData, Ar as ReplayEmailWebhooksError, At as DeleteEndpointError, B as replayDelivery, Bi as UpdateFilterResponses, Bn as GetWebhookSecretData, Br as ResourceId, Bt as DeliverySummary, C as deleteEndpoint, Ci as UpdateDomainData, Cn as GetEmailResponse, Cr as PaginationMeta, Ct as DeleteDomainResponses, D as downloadRawEmail, Di as UpdateDomainResponse, Dn as GetSendPermissionsErrors, Dr as ReplayDeliveryResponse, Dt as DeleteEmailResponse, E as downloadAttachments, Ei as UpdateDomainInput, En as GetSendPermissionsError, Er as ReplayDeliveryErrors, Et as DeleteEmailErrors, F as listDomains, Fi as UpdateFilterData, Fn as GetStorageStatsData, Fr as ReplyToEmailData, Ft as DeleteFilterError, G as testEndpoint, Gi as VerifyDomainResponse, Gn as Limit, Gr as RotateWebhookSecretResponses, Gt as DiscardEmailContentResponse, H as replyToEmail, Hi as VerifyDomainData, Hn as GetWebhookSecretErrors, Hr as RotateWebhookSecretError, Ht as DiscardEmailContentData, I as listEmails, Ii as UpdateFilterError, In as GetStorageStatsError, Ir as ReplyToEmailError, It as DeleteFilterErrors, J as updateEndpoint, Ji as Client, Jn as ListDeliveriesErrors, Jr as SendEmailErrors, Jt as DomainVerifyResult, K as updateAccount, Ki as VerifyDomainResponses, Kn as ListDeliveriesData, Kr as SendEmailData, Kt as DiscardEmailContentResponses, L as listEndpoints, Li as UpdateFilterErrors, Ln as GetStorageStatsErrors, Lr as ReplyToEmailErrors, Lt as DeleteFilterResponse, M as getStorageStats, Mi as UpdateEndpointInput, Mn as GetSentEmailErrors, Mr as ReplayEmailWebhooksResponse, Mt as DeleteEndpointResponse, N as getWebhookSecret, Ni as UpdateEndpointResponse, Nn as GetSentEmailResponse, Nr as ReplayEmailWebhooksResponses, Nt as DeleteEndpointResponses, O as getAccount, Oi as UpdateDomainResponses, On as GetSendPermissionsResponse, Or as ReplayDeliveryResponses, Ot as DeleteEmailResponses, P as listDeliveries, Pi as UpdateEndpointResponses, Pn as GetSentEmailResponses, Pr as ReplayResult, Pt as DeleteFilterData, Q as AccountUpdated, Qi as Options$1, Qn as ListDomainsError, Qr as SendMailResult, Qt as DownloadAttachmentsResponse, R as listFilters, Ri as UpdateFilterInput, Rn as GetStorageStatsResponse, Rr as ReplyToEmailResponse, Rt as DeleteFilterResponses, S as deleteEmail, Si as UpdateAccountResponses, Sn as GetEmailErrors, Sr as ListSentEmailsResponses, St as DeleteDomainResponse, T as discardEmailContent, Ti as UpdateDomainErrors, Tn as GetSendPermissionsData, Tr as ReplayDeliveryError, Tt as DeleteEmailError, U as rotateWebhookSecret, Ui as VerifyDomainError, Un as GetWebhookSecretResponse, Ur as RotateWebhookSecretErrors, Ut as DiscardEmailContentError, V as replayEmailWebhooks, Vi as VerifiedDomain, Vn as GetWebhookSecretError, Vr as RotateWebhookSecretData, Vt as DiscardContentResult, W as sendEmail, Wi as VerifyDomainErrors, Wn as GetWebhookSecretResponses, Wr as RotateWebhookSecretResponse, Wt as DiscardEmailContentErrors, X as verifyDomain, Xi as Config, Xn as ListDeliveriesResponses, Xr as SendEmailResponses, Xt as DownloadAttachmentsError, Y as updateFilter, Yi as ClientOptions$1, Yn as ListDeliveriesResponse, Yr as SendEmailResponse, Yt as DownloadAttachmentsData, Z as Account, Zi as CreateClientConfig, Zn as ListDomainsData, Zr as SendMailInput, Zt as DownloadAttachmentsErrors, _ as Options, _i as UpdateAccountData, _n as GetAccountErrors, _r as ListFiltersResponses, _t as CreateFilterResponses, a as PrimitiveApiError, ai as SentEmailDetail, an as EmailDetail, ar as ListEmailsResponse, at as ClientOptions, b as createFilter, bi as UpdateAccountInput, bn as GetEmailData, br as ListSentEmailsErrors, bt as DeleteDomainError, c as PrimitiveClientOptions, ci as StorageStats, cn as EmailSummary, cr as ListEndpointsError, ct as CreateEndpointErrors, d as SendResult, di as TestEndpointError, dn as ErrorResponse, dr as ListEndpointsResponses, dt as CreateEndpointResponses, ea as RequestResult, ei as SendPermissionAnyRecipient, en as DownloadRawEmailData, er as ListDomainsResponse, et as AddDomainError, f as SendThreadInput, fi as TestEndpointErrors, fn as Filter, fr as ListEnvelope, ft as CreateFilterData, g as operations, gi as UnverifiedDomain, gn as GetAccountError, gr as ListFiltersResponse, gt as CreateFilterResponse, h as createPrimitiveClient, hi as TestResult, hn as GetAccountData, hr as ListFiltersErrors, ht as CreateFilterInput, i as PrimitiveApiClientOptions, ii as SendPermissionsMeta, in as DownloadRawEmailResponses, ir as ListEmailsErrors, it as AddDomainResponses, j as getSentEmail, ji as UpdateEndpointErrors, jn as GetSentEmailError, jr as ReplayEmailWebhooksErrors, jt as DeleteEndpointErrors, k as getEmail, ki as UpdateEndpointData, kn as GetSendPermissionsResponses, kr as ReplayEmailWebhooksData, kt as DeleteEndpointData, l as ReplyInput, li as SuccessEnvelope, ln as EmailWebhookStatus, lr as ListEndpointsErrors, lt as CreateEndpointInput, m as createPrimitiveApiClient, mi as TestEndpointResponses, mn as GateFix, mr as ListFiltersError, mt as CreateFilterErrors, n as ForwardInput, na as Auth, ni as SendPermissionRule, nn as DownloadRawEmailErrors, nr as ListEmailsData, nt as AddDomainInput, o as PrimitiveApiErrorDetails, oi as SentEmailStatus, on as EmailDetailReply, or as ListEmailsResponses, ot as CreateEndpointData, p as client, pi as TestEndpointResponse, pn as GateDenial, pr as ListFiltersData, pt as CreateFilterError, q as updateDomain, qi as WebhookSecret, qn as ListDeliveriesError, qr as SendEmailError, qt as Domain, r as PrimitiveApiClient, ri as SendPermissionYourDomain, rn as DownloadRawEmailResponse, rr as ListEmailsError, rt as AddDomainResponse, s as PrimitiveClient, si as SentEmailSummary, sn as EmailStatus, sr as ListEndpointsData, st as CreateEndpointError, t as DEFAULT_BASE_URL, ta as ResponseStyle, ti as SendPermissionManagedZone, tn as DownloadRawEmailError, tr as ListDomainsResponses, tt as AddDomainErrors, u as SendInput, ui as TestEndpointData, un as Endpoint, ur as ListEndpointsResponse, ut as CreateEndpointResponse, v as addDomain, vi as UpdateAccountError, vn as GetAccountResponse, vr as ListSentEmailsData, vt as Cursor, w as deleteFilter, wi as UpdateDomainError, wn as GetEmailResponses, wr as ReplayDeliveryData, wt as DeleteEmailData, x as deleteDomain, xi as UpdateAccountResponse, xn as GetEmailError, xr as ListSentEmailsResponse, xt as DeleteDomainErrors, y as createEndpoint, yi as UpdateAccountErrors, yn as GetAccountResponses, yr as ListSentEmailsError, yt as DeleteDomainData, z as listSentEmails, zi as UpdateFilterResponse, zn as GetStorageStatsResponses, zr as ReplyToEmailResponses, zt as DeliveryStatus } from "../index-SK_HbwVN.js";
+import { $ as AddDomainData, $i as RequestOptions, $n as ListDomainsErrors, $r as SendPermissionAddress, $t as DownloadAttachmentsResponses, A as getSendPermissions, Ai as UpdateEndpointError, An as GetSentEmailData, Ar as ReplayEmailWebhooksError, At as DeleteEndpointError, B as replayDelivery, Bi as UpdateFilterResponses, Bn as GetWebhookSecretData, Br as ResourceId, Bt as DeliverySummary, C as deleteEndpoint, Ci as UpdateDomainData, Cn as GetEmailResponse, Cr as PaginationMeta, Ct as DeleteDomainResponses, D as downloadRawEmail, Di as UpdateDomainResponse, Dn as GetSendPermissionsErrors, Dr as ReplayDeliveryResponse, Dt as DeleteEmailResponse, E as downloadAttachments, Ei as UpdateDomainInput, En as GetSendPermissionsError, Er as ReplayDeliveryErrors, Et as DeleteEmailErrors, F as listDomains, Fi as UpdateFilterData, Fn as GetStorageStatsData, Fr as ReplyToEmailData, Ft as DeleteFilterError, G as testEndpoint, Gi as VerifyDomainResponse, Gn as Limit, Gr as RotateWebhookSecretResponses, Gt as DiscardEmailContentResponse, H as replyToEmail, Hi as VerifyDomainData, Hn as GetWebhookSecretErrors, Hr as RotateWebhookSecretError, Ht as DiscardEmailContentData, I as listEmails, Ii as UpdateFilterError, In as GetStorageStatsError, Ir as ReplyToEmailError, It as DeleteFilterErrors, J as updateEndpoint, Ji as Client, Jn as ListDeliveriesErrors, Jr as SendEmailErrors, Jt as DomainVerifyResult, K as updateAccount, Ki as VerifyDomainResponses, Kn as ListDeliveriesData, Kr as SendEmailData, Kt as DiscardEmailContentResponses, L as listEndpoints, Li as UpdateFilterErrors, Ln as GetStorageStatsErrors, Lr as ReplyToEmailErrors, Lt as DeleteFilterResponse, M as getStorageStats, Mi as UpdateEndpointInput, Mn as GetSentEmailErrors, Mr as ReplayEmailWebhooksResponse, Mt as DeleteEndpointResponse, N as getWebhookSecret, Ni as UpdateEndpointResponse, Nn as GetSentEmailResponse, Nr as ReplayEmailWebhooksResponses, Nt as DeleteEndpointResponses, O as getAccount, Oi as UpdateDomainResponses, On as GetSendPermissionsResponse, Or as ReplayDeliveryResponses, Ot as DeleteEmailResponses, P as listDeliveries, Pi as UpdateEndpointResponses, Pn as GetSentEmailResponses, Pr as ReplayResult, Pt as DeleteFilterData, Q as AccountUpdated, Qi as Options$1, Qn as ListDomainsError, Qr as SendMailResult, Qt as DownloadAttachmentsResponse, R as listFilters, Ri as UpdateFilterInput, Rn as GetStorageStatsResponse, Rr as ReplyToEmailResponse, Rt as DeleteFilterResponses, S as deleteEmail, Si as UpdateAccountResponses, Sn as GetEmailErrors, Sr as ListSentEmailsResponses, St as DeleteDomainResponse, T as discardEmailContent, Ti as UpdateDomainErrors, Tn as GetSendPermissionsData, Tr as ReplayDeliveryError, Tt as DeleteEmailError, U as rotateWebhookSecret, Ui as VerifyDomainError, Un as GetWebhookSecretResponse, Ur as RotateWebhookSecretErrors, Ut as DiscardEmailContentError, V as replayEmailWebhooks, Vi as VerifiedDomain, Vn as GetWebhookSecretError, Vr as RotateWebhookSecretData, Vt as DiscardContentResult, W as sendEmail, Wi as VerifyDomainErrors, Wn as GetWebhookSecretResponses, Wr as RotateWebhookSecretResponse, Wt as DiscardEmailContentErrors, X as verifyDomain, Xi as Config, Xn as ListDeliveriesResponses, Xr as SendEmailResponses, Xt as DownloadAttachmentsError, Y as updateFilter, Yi as ClientOptions$1, Yn as ListDeliveriesResponse, Yr as SendEmailResponse, Yt as DownloadAttachmentsData, Z as Account, Zi as CreateClientConfig, Zn as ListDomainsData, Zr as SendMailInput, Zt as DownloadAttachmentsErrors, _ as Options, _i as UpdateAccountData, _n as GetAccountErrors, _r as ListFiltersResponses, _t as CreateFilterResponses, a as PrimitiveApiError, ai as SentEmailDetail, an as EmailDetail, ar as ListEmailsResponse, at as ClientOptions, b as createFilter, bi as UpdateAccountInput, bn as GetEmailData, br as ListSentEmailsErrors, bt as DeleteDomainError, c as PrimitiveClientOptions, ci as StorageStats, cn as EmailSummary, cr as ListEndpointsError, ct as CreateEndpointErrors, d as SendResult, di as TestEndpointError, dn as ErrorResponse, dr as ListEndpointsResponses, dt as CreateEndpointResponses, ea as RequestResult, ei as SendPermissionAnyRecipient, en as DownloadRawEmailData, er as ListDomainsResponse, et as AddDomainError, f as SendThreadInput, fi as TestEndpointErrors, fn as Filter, fr as ListEnvelope, ft as CreateFilterData, g as operations, gi as UnverifiedDomain, gn as GetAccountError, gr as ListFiltersResponse, gt as CreateFilterResponse, h as createPrimitiveClient, hi as TestResult, hn as GetAccountData, hr as ListFiltersErrors, ht as CreateFilterInput, i as PrimitiveApiClientOptions, ii as SendPermissionsMeta, in as DownloadRawEmailResponses, ir as ListEmailsErrors, it as AddDomainResponses, j as getSentEmail, ji as UpdateEndpointErrors, jn as GetSentEmailError, jr as ReplayEmailWebhooksErrors, jt as DeleteEndpointErrors, k as getEmail, ki as UpdateEndpointData, kn as GetSendPermissionsResponses, kr as ReplayEmailWebhooksData, kt as DeleteEndpointData, l as ReplyInput, li as SuccessEnvelope, ln as EmailWebhookStatus, lr as ListEndpointsErrors, lt as CreateEndpointInput, m as createPrimitiveApiClient, mi as TestEndpointResponses, mn as GateFix, mr as ListFiltersError, mt as CreateFilterErrors, n as ForwardInput, na as Auth, ni as SendPermissionRule, nn as DownloadRawEmailErrors, nr as ListEmailsData, nt as AddDomainInput, o as PrimitiveApiErrorDetails, oi as SentEmailStatus, on as EmailDetailReply, or as ListEmailsResponses, ot as CreateEndpointData, p as client, pi as TestEndpointResponse, pn as GateDenial, pr as ListFiltersData, pt as CreateFilterError, q as updateDomain, qi as WebhookSecret, qn as ListDeliveriesError, qr as SendEmailError, qt as Domain, r as PrimitiveApiClient, ri as SendPermissionYourDomain, rn as DownloadRawEmailResponse, rr as ListEmailsError, rt as AddDomainResponse, s as PrimitiveClient, si as SentEmailSummary, sn as EmailStatus, sr as ListEndpointsData, st as CreateEndpointError, t as DEFAULT_BASE_URL, ta as ResponseStyle, ti as SendPermissionManagedZone, tn as DownloadRawEmailError, tr as ListDomainsResponses, tt as AddDomainErrors, u as SendInput, ui as TestEndpointData, un as Endpoint, ur as ListEndpointsResponse, ut as CreateEndpointResponse, v as addDomain, vi as UpdateAccountError, vn as GetAccountResponse, vr as ListSentEmailsData, vt as Cursor, w as deleteFilter, wi as UpdateDomainError, wn as GetEmailResponses, wr as ReplayDeliveryData, wt as DeleteEmailData, x as deleteDomain, xi as UpdateAccountResponse, xn as GetEmailError, xr as ListSentEmailsResponse, xt as DeleteDomainErrors, y as createEndpoint, yi as UpdateAccountErrors, yn as GetAccountResponses, yr as ListSentEmailsError, yt as DeleteDomainData, z as listSentEmails, zi as UpdateFilterResponse, zn as GetStorageStatsResponses, zr as ReplyToEmailResponses, zt as DeliveryStatus } from "../index-CHWqMBs6.js";
 export { Account, AccountUpdated, AddDomainData, AddDomainError, AddDomainErrors, AddDomainInput, AddDomainResponse, AddDomainResponses, Auth, ClientOptions, CreateClientConfig, CreateEndpointData, CreateEndpointError, CreateEndpointErrors, CreateEndpointInput, CreateEndpointResponse, CreateEndpointResponses, CreateFilterData, CreateFilterError, CreateFilterErrors, CreateFilterInput, CreateFilterResponse, CreateFilterResponses, Cursor, DEFAULT_BASE_URL, DeleteDomainData, DeleteDomainError, DeleteDomainErrors, DeleteDomainResponse, DeleteDomainResponses, DeleteEmailData, DeleteEmailError, DeleteEmailErrors, DeleteEmailResponse, DeleteEmailResponses, DeleteEndpointData, DeleteEndpointError, DeleteEndpointErrors, DeleteEndpointResponse, DeleteEndpointResponses, DeleteFilterData, DeleteFilterError, DeleteFilterErrors, DeleteFilterResponse, DeleteFilterResponses, DeliveryStatus, DeliverySummary, DiscardContentResult, DiscardEmailContentData, DiscardEmailContentError, DiscardEmailContentErrors, DiscardEmailContentResponse, DiscardEmailContentResponses, Domain, DomainVerifyResult, DownloadAttachmentsData, DownloadAttachmentsError, DownloadAttachmentsErrors, DownloadAttachmentsResponse, DownloadAttachmentsResponses, DownloadRawEmailData, DownloadRawEmailError, DownloadRawEmailErrors, DownloadRawEmailResponse, DownloadRawEmailResponses, EmailDetail, EmailDetailReply, EmailStatus, EmailSummary, EmailWebhookStatus, Endpoint, ErrorResponse, Filter, ForwardInput, GateDenial, GateFix, GetAccountData, GetAccountError, GetAccountErrors, GetAccountResponse, GetAccountResponses, GetEmailData, GetEmailError, GetEmailErrors, GetEmailResponse, GetEmailResponses, GetSendPermissionsData, GetSendPermissionsError, GetSendPermissionsErrors, GetSendPermissionsResponse, GetSendPermissionsResponses, GetSentEmailData, GetSentEmailError, GetSentEmailErrors, GetSentEmailResponse, GetSentEmailResponses, GetStorageStatsData, GetStorageStatsError, GetStorageStatsErrors, GetStorageStatsResponse, GetStorageStatsResponses, GetWebhookSecretData, GetWebhookSecretError, GetWebhookSecretErrors, GetWebhookSecretResponse, GetWebhookSecretResponses, Limit, ListDeliveriesData, ListDeliveriesError, ListDeliveriesErrors, ListDeliveriesResponse, ListDeliveriesResponses, ListDomainsData, ListDomainsError, ListDomainsErrors, ListDomainsResponse, ListDomainsResponses, ListEmailsData, ListEmailsError, ListEmailsErrors, ListEmailsResponse, ListEmailsResponses, ListEndpointsData, ListEndpointsError, ListEndpointsErrors, ListEndpointsResponse, ListEndpointsResponses, ListEnvelope, ListFiltersData, ListFiltersError, ListFiltersErrors, ListFiltersResponse, ListFiltersResponses, ListSentEmailsData, ListSentEmailsError, ListSentEmailsErrors, ListSentEmailsResponse, ListSentEmailsResponses, Options, PaginationMeta, PrimitiveApiClient, PrimitiveApiClientOptions, PrimitiveApiError, PrimitiveApiErrorDetails, PrimitiveClient, PrimitiveClientOptions, Client as PrimitiveGeneratedApiClient, ClientOptions$1 as PrimitiveGeneratedApiClientOptions, Config as PrimitiveGeneratedApiConfig, Options$1 as PrimitiveGeneratedApiOptions, RequestOptions as PrimitiveGeneratedApiRequestOptions, RequestResult as PrimitiveGeneratedApiRequestResult, ReplayDeliveryData, ReplayDeliveryError, ReplayDeliveryErrors, ReplayDeliveryResponse, ReplayDeliveryResponses, ReplayEmailWebhooksData, ReplayEmailWebhooksError, ReplayEmailWebhooksErrors, ReplayEmailWebhooksResponse, ReplayEmailWebhooksResponses, ReplayResult, ReplyInput, ReplyToEmailData, ReplyToEmailError, ReplyToEmailErrors, ReplyToEmailResponse, ReplyToEmailResponses, ResourceId, ResponseStyle, RotateWebhookSecretData, RotateWebhookSecretError, RotateWebhookSecretErrors, RotateWebhookSecretResponse, RotateWebhookSecretResponses, SendEmailData, SendEmailError, SendEmailErrors, SendEmailResponse, SendEmailResponses, SendInput, SendMailInput, SendMailResult, SendPermissionAddress, SendPermissionAnyRecipient, SendPermissionManagedZone, SendPermissionRule, SendPermissionYourDomain, SendPermissionsMeta, SendResult, SendThreadInput, SentEmailDetail, SentEmailStatus, SentEmailSummary, StorageStats, SuccessEnvelope, TestEndpointData, TestEndpointError, TestEndpointErrors, TestEndpointResponse, TestEndpointResponses, TestResult, UnverifiedDomain, UpdateAccountData, UpdateAccountError, UpdateAccountErrors, UpdateAccountInput, UpdateAccountResponse, UpdateAccountResponses, UpdateDomainData, UpdateDomainError, UpdateDomainErrors, UpdateDomainInput, UpdateDomainResponse, UpdateDomainResponses, UpdateEndpointData, UpdateEndpointError, UpdateEndpointErrors, UpdateEndpointInput, UpdateEndpointResponse, UpdateEndpointResponses, UpdateFilterData, UpdateFilterError, UpdateFilterErrors, UpdateFilterInput, UpdateFilterResponse, UpdateFilterResponses, VerifiedDomain, VerifyDomainData, VerifyDomainError, VerifyDomainErrors, VerifyDomainResponse, VerifyDomainResponses, WebhookSecret, addDomain, client, createEndpoint, createFilter, createPrimitiveApiClient, createPrimitiveClient, deleteDomain, deleteEmail, deleteEndpoint, deleteFilter, discardEmailContent, downloadAttachments, downloadRawEmail, getAccount, getEmail, getSendPermissions, getSentEmail, getStorageStats, getWebhookSecret, listDeliveries, listDomains, listEmails, listEndpoints, listFilters, listSentEmails, operations, replayDelivery, replayEmailWebhooks, replyToEmail, rotateWebhookSecret, sendEmail, testEndpoint, updateAccount, updateDomain, updateEndpoint, updateFilter, verifyDomain };

package/dist/{api-CTf0cUsi.js → api-DrAZhxS-.js}

@@ -687,8 +687,25 @@ const getStorageStats = (options) => (options?.client ?? client$1).get({
 /**
 * Get webhook signing secret
 *
-* Returns the webhook signing secret for your account. If no secret
-* exists yet, one is generated automatically on first access.
+* Returns the webhook signing secret for your account. If no
+* secret exists yet, one is generated automatically on first
+* access.
+*
+* Signing is account-scoped, not per-endpoint. Every webhook
+* delivery from any of your registered endpoints is signed
+* with this single secret. Rotate via
+* `POST /account/webhook-secret/rotate`.
+*
+* **Secret format**: the returned string looks base64-shaped
+* (e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`) but is NOT base64.
+* Use it AS-IS as a UTF-8 string when computing HMAC over a
+* delivery body. Base64-decoding before HMAC will silently
+* produce mismatched signatures.
+*
+* See the API-level "Webhook signing" section for the full
+* wire format (header name, signed string shape, hash algo,
+* tolerance) including a language-agnostic verification
+* recipe.
 *
 */
 const getWebhookSecret = (options) => (options?.client ?? client$1).get({
@@ -802,12 +819,20 @@ const verifyDomain = (options) => (options.client ?? client$1).post({
 * List inbound emails
 *
 * Returns a paginated list of INBOUND emails received at your
-* verified domains. Outbound messages sent via /send-mail are not
-* included; this endpoint is the inbox view, not a unified
-* send/receive history.
+* verified domains. Outbound messages sent via /send-mail are
+* not included; this endpoint is the inbox view, not a
+* unified send/receive history.
 *
-* Supports filtering by domain, status, date range, and free-text
-* search across subject, sender, and recipient fields.
+* Supports filtering by domain, status, date range, and
+* free-text search across subject, sender, and recipient
+* fields.
+*
+* For a compact text-table summary of the most recent N
+* inbounds (no filters, no cursor pagination), the CLI ships
+* `primitive emails:latest` as a one-line-per-email shortcut.
+* It's TTY-aware so id columns are full UUIDs when piped, and
+* a `--json` flag returns the same envelope this endpoint
+* does. Use whichever fits the call site.
 *
 */
 const listEmails = (options) => (options?.client ?? client$1).get({
@@ -992,9 +1017,22 @@ const listEndpoints = (options) => (options?.client ?? client$1).get({
 /**
 * Create a webhook endpoint
 *
-* Creates a new webhook endpoint. If a deactivated endpoint with the
-* same URL and domain exists, it is reactivated instead.
-* Subject to plan limits on the number of active endpoints.
+* Creates a new webhook endpoint. If a deactivated endpoint
+* with the same URL and domain exists, it is reactivated
+* instead. Subject to plan limits on the number of active
+* endpoints.
+*
+* **Signing is account-scoped, not per-endpoint.** This call
+* does not return any signing material; every endpoint on the
+* account uses the same webhook secret, fetched via
+* `GET /account/webhook-secret`. See the API-level "Webhook
+* signing" section for the full wire format (header name,
+* signed string, hash algo, secret format, tolerance) and a
+* language-agnostic verification recipe.
+*
+* After creating the endpoint, fire a test delivery against
+* it via `POST /endpoints/{id}/test` to confirm your verifier
+* accepts the signature.
 *
 */
 const createEndpoint = (options) => (options.client ?? client$1).post({

package/dist/{index-SK_HbwVN.d.ts → index-CHWqMBs6.d.ts}

@@ -2711,8 +2711,25 @@ declare const getStorageStats: <ThrowOnError extends boolean = false>(options?:
 /**
  * Get webhook signing secret
  *
- * Returns the webhook signing secret for your account. If no secret
- * exists yet, one is generated automatically on first access.
+ * Returns the webhook signing secret for your account. If no
+ * secret exists yet, one is generated automatically on first
+ * access.
+ *
+ * Signing is account-scoped, not per-endpoint. Every webhook
+ * delivery from any of your registered endpoints is signed
+ * with this single secret. Rotate via
+ * `POST /account/webhook-secret/rotate`.
+ *
+ * **Secret format**: the returned string looks base64-shaped
+ * (e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`) but is NOT base64.
+ * Use it AS-IS as a UTF-8 string when computing HMAC over a
+ * delivery body. Base64-decoding before HMAC will silently
+ * produce mismatched signatures.
+ *
+ * See the API-level "Webhook signing" section for the full
+ * wire format (header name, signed string shape, hash algo,
+ * tolerance) including a language-agnostic verification
+ * recipe.
  *
  */
 declare const getWebhookSecret: <ThrowOnError extends boolean = false>(options?: Options<GetWebhookSecretData, ThrowOnError>) => RequestResult<GetWebhookSecretResponses, GetWebhookSecretErrors, ThrowOnError, "fields">;
@@ -2769,12 +2786,20 @@ declare const verifyDomain: <ThrowOnError extends boolean = false>(options: Opti
  * List inbound emails
  *
  * Returns a paginated list of INBOUND emails received at your
- * verified domains. Outbound messages sent via /send-mail are not
- * included; this endpoint is the inbox view, not a unified
- * send/receive history.
+ * verified domains. Outbound messages sent via /send-mail are
+ * not included; this endpoint is the inbox view, not a
+ * unified send/receive history.
  *
- * Supports filtering by domain, status, date range, and free-text
- * search across subject, sender, and recipient fields.
+ * Supports filtering by domain, status, date range, and
+ * free-text search across subject, sender, and recipient
+ * fields.
+ *
+ * For a compact text-table summary of the most recent N
+ * inbounds (no filters, no cursor pagination), the CLI ships
+ * `primitive emails:latest` as a one-line-per-email shortcut.
+ * It's TTY-aware so id columns are full UUIDs when piped, and
+ * a `--json` flag returns the same envelope this endpoint
+ * does. Use whichever fits the call site.
  *
  */
 declare const listEmails: <ThrowOnError extends boolean = false>(options?: Options<ListEmailsData, ThrowOnError>) => RequestResult<ListEmailsResponses, ListEmailsErrors, ThrowOnError, "fields">;
@@ -2884,9 +2909,22 @@ declare const listEndpoints: <ThrowOnError extends boolean = false>(options?: Op
 /**
  * Create a webhook endpoint
  *
- * Creates a new webhook endpoint. If a deactivated endpoint with the
- * same URL and domain exists, it is reactivated instead.
- * Subject to plan limits on the number of active endpoints.
+ * Creates a new webhook endpoint. If a deactivated endpoint
+ * with the same URL and domain exists, it is reactivated
+ * instead. Subject to plan limits on the number of active
+ * endpoints.
+ *
+ * **Signing is account-scoped, not per-endpoint.** This call
+ * does not return any signing material; every endpoint on the
+ * account uses the same webhook secret, fetched via
+ * `GET /account/webhook-secret`. See the API-level "Webhook
+ * signing" section for the full wire format (header name,
+ * signed string, hash algo, secret format, tolerance) and a
+ * language-agnostic verification recipe.
+ *
+ * After creating the endpoint, fire a test delivery against
+ * it via `POST /endpoints/{id}/test` to confirm your verifier
+ * accepts the signature.
  *
  */
 declare const createEndpoint: <ThrowOnError extends boolean = false>(options: Options<CreateEndpointData, ThrowOnError>) => RequestResult<CreateEndpointResponses, CreateEndpointErrors, ThrowOnError, "fields">;

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 import { A as UnknownEvent, C as ParsedDataFailed, D as RawContentDownloadOnly, E as RawContent, M as WebhookAttachment, N as WebhookEvent, O as RawContentInline, S as ParsedDataComplete, T as ParsedStatus, _ as ForwardResultInline, a as DmarcPolicy, b as KnownWebhookEvent, c as EmailAnalysis, d as EventType, f as ForwardAnalysis, g as ForwardResultAttachmentSkipped, h as ForwardResultAttachmentAnalyzed, i as DkimSignature, j as ValidateEmailAuthResult, k as SpfResult, l as EmailAuth, m as ForwardResult, n as AuthVerdict, o as DmarcResult, p as ForwardOriginalSender, r as DkimResult, s as EmailAddress, t as AuthConfidence, u as EmailReceivedEvent, v as ForwardVerdict, w as ParsedError, x as ParsedData, y as ForwardVerification } from "./types-9vXGZjPd.js";
 import { a as buildReplySubject, c as parseHeaderAddress, i as buildForwardSubject, n as ReceivedEmailAddress, o as formatAddress, r as ReceivedEmailThread, s as normalizeReceivedEmail, t as ReceivedEmail } from "./received-email-DNjpq_Wt.js";
-import { a as PrimitiveApiError, c as PrimitiveClientOptions, d as SendResult, f as SendThreadInput, h as createPrimitiveClient, l as ReplyInput, n as ForwardInput, p as client, s as PrimitiveClient, u as SendInput } from "./index-SK_HbwVN.js";
+import { a as PrimitiveApiError, c as PrimitiveClientOptions, d as SendResult, f as SendThreadInput, h as createPrimitiveClient, l as ReplyInput, n as ForwardInput, p as client, s as PrimitiveClient, u as SendInput } from "./index-CHWqMBs6.js";
 import { A as VerifyOptions, B as PAYLOAD_ERRORS, C as signStandardWebhooksPayload, D as PRIMITIVE_CONFIRMED_HEADER, E as LEGACY_SIGNATURE_HEADER, F as VerifyDownloadTokenResult, G as VERIFICATION_ERRORS, H as RAW_EMAIL_ERRORS, I as generateDownloadToken, J as WebhookPayloadErrorCode, K as WebhookErrorCode, L as verifyDownloadToken, M as verifyWebhookSignature, N as GenerateDownloadTokenOptions, O as PRIMITIVE_SIGNATURE_HEADER, P as VerifyDownloadTokenOptions, Q as WebhookVerificationErrorCode, R as safeValidateEmailReceivedEvent, S as StandardWebhooksVerifyOptions, T as LEGACY_CONFIRMED_HEADER, U as RawEmailDecodeError, V as PrimitiveWebhookError, W as RawEmailDecodeErrorCode, X as WebhookValidationErrorCode, Y as WebhookValidationError, Z as WebhookVerificationError, _ as emailReceivedEventJsonSchema, a as confirmedHeaders, b as STANDARD_WEBHOOK_TIMESTAMP_HEADER, c as handleWebhook, d as isRawIncluded, f as parseWebhookEvent, g as validateEmailAuth, h as WEBHOOK_VERSION, i as WebhookHeaders, j as signWebhookPayload, k as SignResult, l as isDownloadExpired, m as verifyRawEmailDownload, n as HandleWebhookOptions, o as decodeRawEmail, p as receive, q as WebhookPayloadError, r as ReceiveRequestOptions, s as getDownloadTimeRemaining, t as DecodeRawEmailOptions, u as isEmailReceivedEvent, v as STANDARD_WEBHOOK_ID_HEADER, w as verifyStandardWebhooksSignature, x as StandardWebhooksSignResult, y as STANDARD_WEBHOOK_SIGNATURE_HEADER, z as validateEmailReceivedEvent } from "./index-CbEivn3S.js";
 
 //#region src/index.d.ts

package/dist/index.js

@@ -1,5 +1,5 @@
 import { a as parseHeaderAddress, i as normalizeReceivedEmail, n as buildReplySubject, r as formatAddress, t as buildForwardSubject } from "./received-email-D6tKtWwW.js";
-import { a as client, i as PrimitiveClient, r as PrimitiveApiError, s as createPrimitiveClient } from "./api-CTf0cUsi.js";
+import { a as client, i as PrimitiveClient, r as PrimitiveApiError, s as createPrimitiveClient } from "./api-DrAZhxS-.js";
 import { A as PRIMITIVE_CONFIRMED_HEADER, B as RAW_EMAIL_ERRORS, C as STANDARD_WEBHOOK_ID_HEADER, D as verifyStandardWebhooksSignature, E as signStandardWebhooksPayload, F as verifyDownloadToken, G as WebhookVerificationError, H as VERIFICATION_ERRORS, I as safeValidateEmailReceivedEvent, L as validateEmailReceivedEvent, M as signWebhookPayload, N as verifyWebhookSignature, O as LEGACY_CONFIRMED_HEADER, P as generateDownloadToken, R as PAYLOAD_ERRORS, S as emailReceivedEventJsonSchema, T as STANDARD_WEBHOOK_TIMESTAMP_HEADER, U as WebhookPayloadError, V as RawEmailDecodeError, W as WebhookValidationError, _ as DmarcResult, a as isDownloadExpired, b as ParsedStatus, c as parseWebhookEvent, d as WEBHOOK_VERSION, f as validateEmailAuth, g as DmarcPolicy, h as DkimResult, i as handleWebhook, j as PRIMITIVE_SIGNATURE_HEADER, k as LEGACY_SIGNATURE_HEADER, l as receive, m as AuthVerdict, n as decodeRawEmail, o as isEmailReceivedEvent, p as AuthConfidence, r as getDownloadTimeRemaining, s as isRawIncluded, t as confirmedHeaders, u as verifyRawEmailDownload, v as EventType, w as STANDARD_WEBHOOK_SIGNATURE_HEADER, x as SpfResult, y as ForwardVerdict, z as PrimitiveWebhookError } from "./webhook-zkN4wUTs.js";
 //#region src/index.ts
 const primitive = {

package/dist/oclif/api-command.js

@@ -566,9 +566,9 @@ export function createOperationCommand(operation) {
 // `sdkName` for the operation. Operations without an entry fall
 // back to no hint (silent empty array, same as before).
 const EMPTY_RESULT_HINTS = {
-    listDeliveries: "(no results) Often means no webhook endpoints are configured to receive deliveries. Run `primitive endpoints:list-endpoints` to check.",
+    listDeliveries: "(no results) No webhook deliveries logged yet. If you have an endpoint configured but expected to see test fires here: test deliveries from `primitive endpoints:test-endpoint` are NOT logged in this list, they're synchronous and visible only in the test-endpoint command's response. Real deliveries are logged when an inbound `email.received` event fans out to your endpoints. If you have no endpoints, run `primitive endpoints:list-endpoints` to check.",
     listEndpoints: "(no results) No webhook endpoints configured. Add one with `primitive endpoints:create-endpoint --url <your-url>`.",
-    listEmails: "(no results) No inbound emails received yet on this account.",
+    listEmails: "(no results) No inbound emails received yet on this account. Send one to a verified domain to populate this list. For a compact view, prefer `primitive emails:latest`.",
     listDomains: "(no results) No domains on this account. Add one with `primitive domains:add-domain --domain <yourdomain.example>`.",
     listFilters: "(no results) No filter rules configured.",
 };

package/dist/openapi/openapi.generated.js

@@ -9,7 +9,7 @@ export const openapiDocument = {
     "info": {
         "title": "Primitive API",
         "version": "1.0.0",
-        "description": "The Primitive API lets you manage domains, emails, webhook endpoints,\nfilters, and account settings programmatically.\n\n## Authentication\n\nAll endpoints require a Bearer token in the `Authorization` header:\n\n```\nAuthorization: Bearer prim_<your_api_key>\n```\n\nAPI keys are org-scoped. Create and manage them in your dashboard\nunder Settings > API Keys.\n\n## Rate Limiting\n\nThe API enforces a sliding window rate limit of **120 requests per\n60 seconds** per organization. When exceeded, the API returns `429`\nwith a `Retry-After` header indicating how many seconds to wait.\n\n## Pagination\n\nList endpoints use cursor-based pagination. Responses include a\n`meta` object with `total`, `limit`, and `cursor` fields. Pass the\n`cursor` value as a query parameter to fetch the next page. When\n`cursor` is `null`, there are no more results.\n\n## Response Format\n\nAll responses use a consistent envelope:\n\n```json\n{\n  \"success\": true,\n  \"data\": { ... },\n  \"meta\": { \"total\": 42, \"limit\": 50, \"cursor\": \"...\" }\n}\n```\n\nErrors follow the same pattern:\n\n```json\n{\n  \"success\": false,\n  \"error\": { \"code\": \"not_found\", \"message\": \"Email not found\" }\n}\n```\n",
+        "description": "The Primitive API lets you manage domains, emails, webhook endpoints,\nfilters, and account settings programmatically.\n\n## Authentication\n\nAll endpoints require a Bearer token in the `Authorization` header:\n\n```\nAuthorization: Bearer prim_<your_api_key>\n```\n\nAPI keys are org-scoped. Create and manage them in your dashboard\nunder Settings > API Keys.\n\n## Rate Limiting\n\nThe API enforces a sliding window rate limit of **120 requests per\n60 seconds** per organization. When exceeded, the API returns `429`\nwith a `Retry-After` header indicating how many seconds to wait.\n\n## Pagination\n\nList endpoints use cursor-based pagination. Responses include a\n`meta` object with `total`, `limit`, and `cursor` fields. Pass the\n`cursor` value as a query parameter to fetch the next page. When\n`cursor` is `null`, there are no more results.\n\n## Response Format\n\nAll responses use a consistent envelope:\n\n```json\n{\n  \"success\": true,\n  \"data\": { ... },\n  \"meta\": { \"total\": 42, \"limit\": 50, \"cursor\": \"...\" }\n}\n```\n\nErrors follow the same pattern:\n\n```json\n{\n  \"success\": false,\n  \"error\": { \"code\": \"not_found\", \"message\": \"Email not found\" }\n}\n```\n\n## Webhook signing\n\nOutbound webhook deliveries (configured via the `endpoints` API)\nare signed so receivers can verify they came from Primitive and\nhave not been tampered with in transit. The signing scheme is\ndeliberately simple so it can be reimplemented in any language\nin a few lines. The Node SDK's `verifyWebhookSignature` helper\nis the reference implementation; the wire details below let you\nwrite a verifier in Python, Go, Ruby, etc. without reading our\nsource.\n\n**Header**: `Primitive-Signature: t=<unix-seconds>,v1=<hex>`\n\nA legacy `MyMX-Signature` header is also sent on every delivery\nwith the same value, retained for back-compatibility with\nintegrations written before the rename. New code should read\n`Primitive-Signature`.\n\n**Signed string**: `${timestamp}.${rawBody}` where `timestamp`\nis the Unix-seconds integer from the `t=` parameter and\n`rawBody` is the exact bytes of the HTTP request body BEFORE\nany JSON decoding. Verify against the raw body, not a\nre-serialized parse, or you will silently mismatch on\ninsignificant whitespace.\n\n**Signature**: HMAC-SHA256 of the signed string, hex-encoded\n(lowercase). Use the account's webhook secret as the HMAC key,\nas a UTF-8 byte sequence.\n\n**Secret**: returned by `GET /account/webhook-secret`. The\nstring looks base64-shaped (e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`)\nbut is NOT base64; use it AS-IS as a UTF-8 string for the HMAC\nkey. Base64-decoding before HMAC will silently produce\nmismatched signatures.\n\n**Tolerance**: by convention, reject deliveries whose `t=`\ntimestamp is more than 5 minutes off your wall-clock to defend\nagainst replay attacks. The Node SDK's helper enforces this by\ndefault.\n\n**Verification recipe** (any language):\n\n```\n1. Read the raw HTTP body (do not parse).\n2. Read `Primitive-Signature: t=<ts>,v1=<sig>`.\n3. Reject if abs(now - ts) > 300 seconds.\n4. expected = HMAC_SHA256_hex(secret_utf8, f\"{ts}.{rawBody}\")\n5. Constant-time compare expected to sig. Reject if not equal.\n```\n\nFor Node, use `verifyWebhookSignature` from\n`@primitivedotdev/sdk/webhook` (or the higher-level\n`handleWebhook` helper if you want a one-liner). For other\nlanguages, the recipe above is everything you need.\n\nTest deliveries: `POST /endpoints/{id}/test` triggers a fake\ndelivery to your endpoint URL, signed with your real account\nsecret, so you can confirm verification end-to-end without\nneeding real inbound mail. The test response carries the exact\n`signature` header value sent on the wire so you can compare\nstrings directly.\n",
         "contact": {
             "name": "Primitive",
             "url": "https://primitive.dev"
@@ -193,7 +193,7 @@ export const openapiDocument = {
             "get": {
                 "operationId": "getWebhookSecret",
                 "summary": "Get webhook signing secret",
-                "description": "Returns the webhook signing secret for your account. If no secret\nexists yet, one is generated automatically on first access.\n",
+                "description": "Returns the webhook signing secret for your account. If no\nsecret exists yet, one is generated automatically on first\naccess.\n\nSigning is account-scoped, not per-endpoint. Every webhook\ndelivery from any of your registered endpoints is signed\nwith this single secret. Rotate via\n`POST /account/webhook-secret/rotate`.\n\n**Secret format**: the returned string looks base64-shaped\n(e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`) but is NOT base64.\nUse it AS-IS as a UTF-8 string when computing HMAC over a\ndelivery body. Base64-decoding before HMAC will silently\nproduce mismatched signatures.\n\nSee the API-level \"Webhook signing\" section for the full\nwire format (header name, signed string shape, hash algo,\ntolerance) including a language-agnostic verification\nrecipe.\n",
                 "tags": [
                     "Account"
                 ],
@@ -533,7 +533,7 @@ export const openapiDocument = {
             "get": {
                 "operationId": "listEmails",
                 "summary": "List inbound emails",
-                "description": "Returns a paginated list of INBOUND emails received at your\nverified domains. Outbound messages sent via /send-mail are not\nincluded; this endpoint is the inbox view, not a unified\nsend/receive history.\n\nSupports filtering by domain, status, date range, and free-text\nsearch across subject, sender, and recipient fields.\n",
+                "description": "Returns a paginated list of INBOUND emails received at your\nverified domains. Outbound messages sent via /send-mail are\nnot included; this endpoint is the inbox view, not a\nunified send/receive history.\n\nSupports filtering by domain, status, date range, and\nfree-text search across subject, sender, and recipient\nfields.\n\nFor a compact text-table summary of the most recent N\ninbounds (no filters, no cursor pagination), the CLI ships\n`primitive emails:latest` as a one-line-per-email shortcut.\nIt's TTY-aware so id columns are full UUIDs when piped, and\na `--json` flag returns the same envelope this endpoint\ndoes. Use whichever fits the call site.\n",
                 "tags": [
                     "Emails"
                 ],
@@ -1080,7 +1080,7 @@ export const openapiDocument = {
             "post": {
                 "operationId": "createEndpoint",
                 "summary": "Create a webhook endpoint",
-                "description": "Creates a new webhook endpoint. If a deactivated endpoint with the\nsame URL and domain exists, it is reactivated instead.\nSubject to plan limits on the number of active endpoints.\n",
+                "description": "Creates a new webhook endpoint. If a deactivated endpoint\nwith the same URL and domain exists, it is reactivated\ninstead. Subject to plan limits on the number of active\nendpoints.\n\n**Signing is account-scoped, not per-endpoint.** This call\ndoes not return any signing material; every endpoint on the\naccount uses the same webhook secret, fetched via\n`GET /account/webhook-secret`. See the API-level \"Webhook\nsigning\" section for the full wire format (header name,\nsigned string, hash algo, secret format, tolerance) and a\nlanguage-agnostic verification recipe.\n\nAfter creating the endpoint, fire a test delivery against\nit via `POST /endpoints/{id}/test` to confirm your verifier\naccepts the signature.\n",
                 "tags": [
                     "Endpoints"
                 ],

package/dist/openapi/operations.generated.js

@@ -152,7 +152,7 @@ export const operationManifest = [
         "binaryResponse": false,
         "bodyRequired": false,
         "command": "get-webhook-secret",
-        "description": "Returns the webhook signing secret for your account. If no secret\nexists yet, one is generated automatically on first access.\n",
+        "description": "Returns the webhook signing secret for your account. If no\nsecret exists yet, one is generated automatically on first\naccess.\n\nSigning is account-scoped, not per-endpoint. Every webhook\ndelivery from any of your registered endpoints is signed\nwith this single secret. Rotate via\n`POST /account/webhook-secret/rotate`.\n\n**Secret format**: the returned string looks base64-shaped\n(e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`) but is NOT base64.\nUse it AS-IS as a UTF-8 string when computing HMAC over a\ndelivery body. Base64-decoding before HMAC will silently\nproduce mismatched signatures.\n\nSee the API-level \"Webhook signing\" section for the full\nwire format (header name, signed string shape, hash algo,\ntolerance) including a language-agnostic verification\nrecipe.\n",
         "hasJsonBody": false,
         "method": "GET",
         "operationId": "getWebhookSecret",
@@ -1071,7 +1071,7 @@ export const operationManifest = [
         "binaryResponse": false,
         "bodyRequired": false,
         "command": "list-emails",
-        "description": "Returns a paginated list of INBOUND emails received at your\nverified domains. Outbound messages sent via /send-mail are not\nincluded; this endpoint is the inbox view, not a unified\nsend/receive history.\n\nSupports filtering by domain, status, date range, and free-text\nsearch across subject, sender, and recipient fields.\n",
+        "description": "Returns a paginated list of INBOUND emails received at your\nverified domains. Outbound messages sent via /send-mail are\nnot included; this endpoint is the inbox view, not a\nunified send/receive history.\n\nSupports filtering by domain, status, date range, and\nfree-text search across subject, sender, and recipient\nfields.\n\nFor a compact text-table summary of the most recent N\ninbounds (no filters, no cursor pagination), the CLI ships\n`primitive emails:latest` as a one-line-per-email shortcut.\nIt's TTY-aware so id columns are full UUIDs when piped, and\na `--json` flag returns the same envelope this endpoint\ndoes. Use whichever fits the call site.\n",
         "hasJsonBody": false,
         "method": "GET",
         "operationId": "listEmails",
@@ -1286,7 +1286,7 @@ export const operationManifest = [
         "binaryResponse": false,
         "bodyRequired": true,
         "command": "create-endpoint",
-        "description": "Creates a new webhook endpoint. If a deactivated endpoint with the\nsame URL and domain exists, it is reactivated instead.\nSubject to plan limits on the number of active endpoints.\n",
+        "description": "Creates a new webhook endpoint. If a deactivated endpoint\nwith the same URL and domain exists, it is reactivated\ninstead. Subject to plan limits on the number of active\nendpoints.\n\n**Signing is account-scoped, not per-endpoint.** This call\ndoes not return any signing material; every endpoint on the\naccount uses the same webhook secret, fetched via\n`GET /account/webhook-secret`. See the API-level \"Webhook\nsigning\" section for the full wire format (header name,\nsigned string, hash algo, secret format, tolerance) and a\nlanguage-agnostic verification recipe.\n\nAfter creating the endpoint, fire a test delivery against\nit via `POST /endpoints/{id}/test` to confirm your verifier\naccepts the signature.\n",
         "hasJsonBody": true,
         "method": "POST",
         "operationId": "createEndpoint",

package/oclif.manifest.json

@@ -317,7 +317,7 @@
     "account:get-webhook-secret": {
       "aliases": [],
       "args": {},
-      "description": "Returns the webhook signing secret for your account. If no secret\nexists yet, one is generated automatically on first access.\n",
+      "description": "Returns the webhook signing secret for your account. If no\nsecret exists yet, one is generated automatically on first\naccess.\n\nSigning is account-scoped, not per-endpoint. Every webhook\ndelivery from any of your registered endpoints is signed\nwith this single secret. Rotate via\n`POST /account/webhook-secret/rotate`.\n\n**Secret format**: the returned string looks base64-shaped\n(e.g. `XNHBBW8VqoBjRfNs1tkZj11jTk...`) but is NOT base64.\nUse it AS-IS as a UTF-8 string when computing HMAC over a\ndelivery body. Base64-decoding before HMAC will silently\nproduce mismatched signatures.\n\nSee the API-level \"Webhook signing\" section for the full\nwire format (header name, signed string shape, hash algo,\ntolerance) including a language-agnostic verification\nrecipe.\n",
       "flags": {
         "api-key": {
           "description": "Primitive API key (defaults to PRIMITIVE_API_KEY)",
@@ -902,7 +902,7 @@
     "emails:list-emails": {
       "aliases": [],
       "args": {},
-      "description": "Returns a paginated list of INBOUND emails received at your\nverified domains. Outbound messages sent via /send-mail are not\nincluded; this endpoint is the inbox view, not a unified\nsend/receive history.\n\nSupports filtering by domain, status, date range, and free-text\nsearch across subject, sender, and recipient fields.\n",
+      "description": "Returns a paginated list of INBOUND emails received at your\nverified domains. Outbound messages sent via /send-mail are\nnot included; this endpoint is the inbox view, not a\nunified send/receive history.\n\nSupports filtering by domain, status, date range, and\nfree-text search across subject, sender, and recipient\nfields.\n\nFor a compact text-table summary of the most recent N\ninbounds (no filters, no cursor pagination), the CLI ships\n`primitive emails:latest` as a one-line-per-email shortcut.\nIt's TTY-aware so id columns are full UUIDs when piped, and\na `--json` flag returns the same envelope this endpoint\ndoes. Use whichever fits the call site.\n",
       "flags": {
         "api-key": {
           "description": "Primitive API key (defaults to PRIMITIVE_API_KEY)",
@@ -1030,7 +1030,7 @@
     "endpoints:create-endpoint": {
       "aliases": [],
       "args": {},
-      "description": "Creates a new webhook endpoint. If a deactivated endpoint with the\nsame URL and domain exists, it is reactivated instead.\nSubject to plan limits on the number of active endpoints.\n\n\nBody fields requiring --raw-body JSON (these are not exposed as flags):\n   rules  object  Endpoint-specific filtering rules\n(* = required. Scalar body fields are exposed as individual --flag-name flags; see FLAGS above.)",
+      "description": "Creates a new webhook endpoint. If a deactivated endpoint\nwith the same URL and domain exists, it is reactivated\ninstead. Subject to plan limits on the number of active\nendpoints.\n\n**Signing is account-scoped, not per-endpoint.** This call\ndoes not return any signing material; every endpoint on the\naccount uses the same webhook secret, fetched via\n`GET /account/webhook-secret`. See the API-level \"Webhook\nsigning\" section for the full wire format (header name,\nsigned string, hash algo, secret format, tolerance) and a\nlanguage-agnostic verification recipe.\n\nAfter creating the endpoint, fire a test delivery against\nit via `POST /endpoints/{id}/test` to confirm your verifier\naccepts the signature.\n\n\nBody fields requiring --raw-body JSON (these are not exposed as flags):\n   rules  object  Endpoint-specific filtering rules\n(* = required. Scalar body fields are exposed as individual --flag-name flags; see FLAGS above.)",
       "flags": {
         "api-key": {
           "description": "Primitive API key (defaults to PRIMITIVE_API_KEY)",
@@ -1951,5 +1951,5 @@
       "enableJsonFlag": false
     }
   },
-  "version": "0.16.0"
+  "version": "0.17.0"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/sdk",
-  "version": "0.16.0",
+  "version": "0.17.0",
   "description": "Official Primitive Node.js SDK — webhook, api, openapi, contract, and parser modules",
   "type": "module",
   "module": "./dist/index.js",