@primitivedotdev/sdk 0.18.0 → 0.19.0

package/dist/oclif/api-command.js

@@ -1,6 +1,16 @@
 import { readFileSync, writeFileSync } from "node:fs";
 import { Command, Errors, Flags } from "@oclif/core";
 import { operations, PrimitiveApiClient } from "../api/index.js";
+import { deleteCliCredentials, resolveCliAuth, } from "./auth.js";
+export const API_ERROR_CODES = {
+    accessDenied: "access_denied",
+    authorizationPending: "authorization_pending",
+    expiredToken: "expired_token",
+    invalidDeviceCode: "invalid_device_code",
+    notFound: "not_found",
+    slowDown: "slow_down",
+    unauthorized: "unauthorized",
+};
 function flagName(parameterName) {
     return parameterName.replace(/_/g, "-");
 }
@@ -288,7 +298,7 @@ export function extractErrorCode(payload) {
 // `--api-key` flag; this closes that gap without having to
 // special-case every command.
 const ERROR_CODE_HINTS = {
-    unauthorized: "Hint: pass --api-key explicitly, or set PRIMITIVE_API_KEY in your environment. `primitive whoami` is the fastest way to verify a key is live.",
+    [API_ERROR_CODES.unauthorized]: "Hint: run `primitive login`, pass --api-key explicitly, or set PRIMITIVE_API_KEY in your environment. `primitive whoami` is the fastest way to verify a key is live.",
 };
 // Write a server / SDK error to stderr in the canonical envelope
 // shape, plus an actionable hint when the code is one we know how
@@ -298,9 +308,26 @@ const ERROR_CODE_HINTS = {
 export function writeErrorWithHints(payload) {
     process.stderr.write(`${formatErrorPayload(payload)}\n`);
     const code = extractErrorCode(payload);
-    if (code && ERROR_CODE_HINTS[code]) {
-        process.stderr.write(`${ERROR_CODE_HINTS[code]}\n`);
+    if (code && code in ERROR_CODE_HINTS) {
+        const hint = ERROR_CODE_HINTS[code];
+        process.stderr.write(`${hint}\n`);
+    }
+}
+export function removeStaleSavedCredentialOnUnauthorized(params) {
+    if (extractErrorCode(params.payload) !== API_ERROR_CODES.unauthorized ||
+        params.auth.source !== "stored") {
+        return false;
+    }
+    const baseUrlDiffersFromSaved = params.baseUrlOverridden &&
+        params.auth.credentials !== null &&
+        params.auth.baseUrl !== params.auth.credentials.base_url;
+    if (baseUrlDiffersFromSaved) {
+        process.stderr.write("Saved Primitive CLI credentials were rejected by the overridden API base URL. The local credential was not removed; check --base-url / PRIMITIVE_API_URL, or run `primitive logout` to remove it.\n");
+        return false;
     }
+    deleteCliCredentials(params.configDir);
+    process.stderr.write("Removed saved Primitive CLI credentials because the backing API key is no longer valid. Run `primitive login` to create a new one.\n");
+    return true;
 }
 // Format milliseconds as a short human-readable wall-clock duration.
 // Sub-second uses 2 decimal places (e.g. `0.18s`); seconds use 2
@@ -395,7 +422,7 @@ function bodyFieldFlag(field) {
 function buildFlags(operation) {
     const flags = {
         "api-key": Flags.string({
-            description: "Primitive API key (defaults to PRIMITIVE_API_KEY)",
+            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
             env: "PRIMITIVE_API_KEY",
         }),
         "base-url": Flags.string({
@@ -503,13 +530,19 @@ export function createOperationCommand(operation) {
             const { flags } = await this.parse(OperationCommand);
             const parsedFlags = flags;
             await runWithTiming(parsedFlags.time === true, async () => {
-                const apiClient = new PrimitiveApiClient({
+                const baseUrlOverridden = typeof parsedFlags["base-url"] === "string";
+                const auth = resolveCliAuth({
                     apiKey: typeof parsedFlags["api-key"] === "string"
                         ? parsedFlags["api-key"]
                         : undefined,
                     baseUrl: typeof parsedFlags["base-url"] === "string"
                         ? parsedFlags["base-url"]
                         : undefined,
+                    configDir: this.config.configDir,
+                });
+                const apiClient = new PrimitiveApiClient({
+                    apiKey: auth.apiKey,
+                    baseUrl: auth.baseUrl,
                 });
                 // Two body sources, merged: explicit JSON via --body /
                 // --body-file (the base) plus per-field flags (the
@@ -564,7 +597,14 @@ export function createOperationCommand(operation) {
                     responseStyle: "fields",
                 });
                 if (result.error) {
-                    writeErrorWithHints(extractErrorPayload(result.error));
+                    const errorPayload = extractErrorPayload(result.error);
+                    writeErrorWithHints(errorPayload);
+                    removeStaleSavedCredentialOnUnauthorized({
+                        auth,
+                        baseUrlOverridden,
+                        configDir: this.config.configDir,
+                        payload: errorPayload,
+                    });
                     process.exitCode = 1;
                     return;
                 }

package/dist/oclif/auth.js

@@ -0,0 +1,168 @@
+import { randomUUID } from "node:crypto";
+import { chmodSync, mkdirSync, readFileSync, renameSync, rmSync, statSync, writeFileSync, } from "node:fs";
+import { join } from "node:path";
+import { DEFAULT_BASE_URL } from "../api/index.js";
+const CREDENTIALS_FILE = "credentials.json";
+const CREDENTIALS_LOCK_DIR = "credentials.lock";
+const CREDENTIALS_LOCK_STALE_MS = 30 * 60 * 1000;
+const MALFORMED_CREDENTIALS_HINT = "Run `primitive logout` and then `primitive login`.";
+function isRecord(value) {
+    return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function requireString(value, key) {
+    const raw = value[key];
+    if (typeof raw !== "string" || raw.trim().length === 0) {
+        throw new Error(`Stored Primitive CLI credentials are malformed: ${key} must be a non-empty string. ${MALFORMED_CREDENTIALS_HINT}`);
+    }
+    return raw;
+}
+function parseCredentials(raw) {
+    if (!isRecord(raw)) {
+        throw new Error(`Stored Primitive CLI credentials are malformed: expected a JSON object. ${MALFORMED_CREDENTIALS_HINT}`);
+    }
+    const orgName = raw.org_name;
+    if (orgName !== null && typeof orgName !== "string") {
+        throw new Error(`Stored Primitive CLI credentials are malformed: org_name must be a string or null. ${MALFORMED_CREDENTIALS_HINT}`);
+    }
+    return {
+        api_key: requireString(raw, "api_key"),
+        key_id: requireString(raw, "key_id"),
+        key_prefix: requireString(raw, "key_prefix"),
+        org_id: requireString(raw, "org_id"),
+        org_name: orgName,
+        base_url: requireString(raw, "base_url"),
+        created_at: requireString(raw, "created_at"),
+    };
+}
+export function credentialsPath(configDir) {
+    return join(configDir, CREDENTIALS_FILE);
+}
+export function normalizeBaseUrl(baseUrl) {
+    const trimmed = baseUrl?.trim();
+    if (!trimmed)
+        return DEFAULT_BASE_URL;
+    return trimmed.replace(/\/+$/, "");
+}
+export function loadCliCredentials(configDir) {
+    const path = credentialsPath(configDir);
+    let contents;
+    try {
+        contents = readFileSync(path, "utf8");
+    }
+    catch (error) {
+        if (error &&
+            typeof error === "object" &&
+            error.code === "ENOENT") {
+            return null;
+        }
+        const detail = error instanceof Error ? error.message : String(error);
+        throw new Error(`Could not read Primitive CLI credentials: ${detail}`);
+    }
+    try {
+        return parseCredentials(JSON.parse(contents));
+    }
+    catch (error) {
+        if (error instanceof SyntaxError) {
+            throw new Error("Stored Primitive CLI credentials are not valid JSON. Run `primitive logout` and then `primitive login`.");
+        }
+        throw error;
+    }
+}
+export function saveCliCredentials(configDir, credentials) {
+    mkdirSync(configDir, { mode: 0o700, recursive: true });
+    const path = credentialsPath(configDir);
+    const tempPath = join(configDir, `${CREDENTIALS_FILE}.${process.pid}.${randomUUID()}.tmp`);
+    try {
+        writeFileSync(tempPath, `${JSON.stringify(credentials, null, 2)}\n`, {
+            mode: 0o600,
+        });
+        chmodSync(tempPath, 0o600);
+        renameSync(tempPath, path);
+        chmodSync(path, 0o600);
+    }
+    catch (error) {
+        rmSync(tempPath, { force: true });
+        throw error;
+    }
+}
+export function deleteCliCredentials(configDir) {
+    rmSync(credentialsPath(configDir), { force: true });
+}
+function errorCode(error) {
+    return error && typeof error === "object"
+        ? error.code
+        : undefined;
+}
+function removeStaleCliCredentialsLock(lockPath, staleMs, now) {
+    try {
+        const stats = statSync(lockPath);
+        if (now() - stats.mtimeMs < staleMs)
+            return false;
+    }
+    catch (error) {
+        if (errorCode(error) === "ENOENT")
+            return true;
+        throw error;
+    }
+    rmSync(lockPath, { force: true, recursive: true });
+    return true;
+}
+export function acquireCliCredentialsLock(configDir, options = {}) {
+    mkdirSync(configDir, { mode: 0o700, recursive: true });
+    const lockPath = join(configDir, CREDENTIALS_LOCK_DIR);
+    const now = options.now ?? Date.now;
+    const staleMs = options.staleMs ?? CREDENTIALS_LOCK_STALE_MS;
+    let acquired = false;
+    for (let attempt = 0; attempt < 2; attempt += 1) {
+        try {
+            mkdirSync(lockPath, { mode: 0o700 });
+            acquired = true;
+            break;
+        }
+        catch (error) {
+            if (errorCode(error) !== "EEXIST")
+                throw error;
+            if (removeStaleCliCredentialsLock(lockPath, staleMs, now))
+                continue;
+            throw new Error("Another Primitive CLI credential operation is already in progress. Wait for it to finish, then retry.");
+        }
+    }
+    if (!acquired) {
+        throw new Error("Another Primitive CLI credential operation is already in progress. Wait for it to finish, then retry.");
+    }
+    let released = false;
+    return () => {
+        if (released)
+            return;
+        released = true;
+        rmSync(lockPath, { force: true, recursive: true });
+    };
+}
+export function resolveCliAuth(params) {
+    const apiKey = params.apiKey?.trim();
+    if (apiKey) {
+        return {
+            apiKey,
+            baseUrl: normalizeBaseUrl(params.baseUrl),
+            credentials: null,
+            source: "flag-or-env",
+        };
+    }
+    const credentials = loadCliCredentials(params.configDir);
+    if (credentials) {
+        return {
+            apiKey: credentials.api_key,
+            baseUrl: params.baseUrl
+                ? normalizeBaseUrl(params.baseUrl)
+                : credentials.base_url,
+            credentials,
+            source: "stored",
+        };
+    }
+    return {
+        apiKey: undefined,
+        baseUrl: normalizeBaseUrl(params.baseUrl),
+        credentials: null,
+        source: "none",
+    };
+}

package/dist/oclif/commands/emails-latest.js

@@ -1,7 +1,8 @@
 import { Command, Flags } from "@oclif/core";
 import { listEmails } from "../../api/generated/sdk.gen.js";
 import { PrimitiveApiClient } from "../../api/index.js";
-import { extractErrorPayload, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
+import { extractErrorPayload, removeStaleSavedCredentialOnUnauthorized, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
+import { resolveCliAuth } from "../auth.js";
 // `primitive emails:latest` is the agent-grade shortcut for "show me
 // the most recent inbound emails as something I can read at a glance."
 // `emails:list-emails` returns the full JSON envelope which is great
@@ -94,7 +95,7 @@ class EmailsLatestCommand extends Command {
     ];
     static flags = {
         "api-key": Flags.string({
-            description: "Primitive API key (defaults to PRIMITIVE_API_KEY)",
+            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
             env: "PRIMITIVE_API_KEY",
         }),
         "base-url": Flags.string({
@@ -120,9 +121,15 @@ class EmailsLatestCommand extends Command {
     async run() {
         const { flags } = await this.parse(EmailsLatestCommand);
         await runWithTiming(flags.time, async () => {
-            const apiClient = new PrimitiveApiClient({
+            const baseUrlOverridden = flags["base-url"] !== undefined;
+            const auth = resolveCliAuth({
                 apiKey: flags["api-key"],
                 baseUrl: flags["base-url"],
+                configDir: this.config.configDir,
+            });
+            const apiClient = new PrimitiveApiClient({
+                apiKey: auth.apiKey,
+                baseUrl: auth.baseUrl,
             });
             const result = await listEmails({
                 client: apiClient.client,
@@ -130,7 +137,14 @@ class EmailsLatestCommand extends Command {
                 responseStyle: "fields",
             });
             if (result.error) {
-                writeErrorWithHints(extractErrorPayload(result.error));
+                const errorPayload = extractErrorPayload(result.error);
+                writeErrorWithHints(errorPayload);
+                removeStaleSavedCredentialOnUnauthorized({
+                    auth,
+                    baseUrlOverridden,
+                    configDir: this.config.configDir,
+                    payload: errorPayload,
+                });
                 process.exitCode = 1;
                 return;
             }

package/dist/oclif/commands/login.js

@@ -0,0 +1,233 @@
+import { spawn } from "node:child_process";
+import { hostname } from "node:os";
+import { Command, Errors, Flags } from "@oclif/core";
+import { getAccount, pollCliLogin, startCliLogin, } from "../../api/generated/sdk.gen.js";
+import { PrimitiveApiClient } from "../../api/index.js";
+import { API_ERROR_CODES, extractErrorCode, extractErrorPayload, removeStaleSavedCredentialOnUnauthorized, writeErrorWithHints, } from "../api-command.js";
+import { acquireCliCredentialsLock, credentialsPath, loadCliCredentials, normalizeBaseUrl, saveCliCredentials, } from "../auth.js";
+const MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS = 60;
+function cliError(message) {
+    return new Errors.CLIError(message, { exit: 1 });
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function openBrowser(url) {
+    const command = process.platform === "darwin"
+        ? "open"
+        : process.platform === "win32"
+            ? "cmd"
+            : "xdg-open";
+    const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
+    const child = spawn(command, args, { detached: true, stdio: "ignore" });
+    child.on("error", () => undefined);
+    child.unref();
+}
+function unwrapData(value) {
+    const envelope = value;
+    return envelope?.data ?? null;
+}
+function retryAfterSeconds(result) {
+    const response = result.response;
+    const raw = response?.headers.get("retry-after");
+    if (!raw)
+        return null;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
+}
+export async function checkExistingLogin(params) {
+    const baseUrlOverridden = params.baseUrl !== undefined;
+    const probeBaseUrl = baseUrlOverridden
+        ? normalizeBaseUrl(params.baseUrl)
+        : params.credentials.base_url;
+    const apiClient = new PrimitiveApiClient({
+        apiKey: params.credentials.api_key,
+        baseUrl: probeBaseUrl,
+    });
+    const result = await (params.checkAccount ??
+        ((client) => getAccount({
+            client: client.client,
+            responseStyle: "fields",
+        })))(apiClient);
+    if (!result.error)
+        return { status: "valid" };
+    const payload = extractErrorPayload(result.error);
+    const auth = {
+        apiKey: params.credentials.api_key,
+        baseUrl: probeBaseUrl,
+        credentials: params.credentials,
+        source: "stored",
+    };
+    const removed = removeStaleSavedCredentialOnUnauthorized({
+        auth,
+        baseUrlOverridden,
+        configDir: params.configDir,
+        payload,
+    });
+    if (removed)
+        return { status: "removed_stale" };
+    const code = extractErrorCode(payload);
+    return {
+        status: "blocked",
+        payload,
+        message: code === API_ERROR_CODES.unauthorized
+            ? "Saved Primitive CLI credentials were rejected. Run `primitive logout` to remove them before logging in again."
+            : "A saved Primitive CLI login exists, but the CLI could not verify whether it is still valid. Run `primitive logout` before logging in again.",
+    };
+}
+class LoginCommand extends Command {
+    static description = "Log in by opening Primitive in your browser and saving an org-scoped CLI API key locally.";
+    static summary = "Log in with browser approval";
+    static examples = [
+        "<%= config.bin %> login",
+        "<%= config.bin %> login --device-name work-laptop",
+        "<%= config.bin %> login --force",
+    ];
+    static flags = {
+        "base-url": Flags.string({
+            description: "API base URL (defaults to PRIMITIVE_API_URL or production)",
+            env: "PRIMITIVE_API_URL",
+        }),
+        "device-name": Flags.string({
+            description: "Device name shown in the browser approval screen",
+        }),
+        "no-browser": Flags.boolean({
+            description: "Do not attempt to open the browser automatically",
+        }),
+        force: Flags.boolean({
+            char: "f",
+            description: "Replace saved credentials without first verifying the existing login",
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(LoginCommand);
+        let releaseCredentialsLock;
+        try {
+            releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+        }
+        catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            throw cliError(detail);
+        }
+        try {
+            await this.runWithCredentialLock(flags);
+        }
+        finally {
+            releaseCredentialsLock();
+        }
+    }
+    async runWithCredentialLock(flags) {
+        const baseUrl = normalizeBaseUrl(flags["base-url"]);
+        let existing;
+        try {
+            existing = loadCliCredentials(this.config.configDir);
+        }
+        catch (error) {
+            if (!flags.force)
+                throw error;
+            const detail = error instanceof Error ? error.message : String(error);
+            process.stderr.write(`Replacing unreadable Primitive CLI credentials because --force was set: ${detail}\n`);
+            existing = null;
+        }
+        if (existing && flags.force) {
+            process.stderr.write("Replacing saved Primitive CLI credentials after browser approval because --force was set.\n");
+        }
+        else if (existing) {
+            const existingStatus = await checkExistingLogin({
+                baseUrl: flags["base-url"],
+                configDir: this.config.configDir,
+                credentials: existing,
+            });
+            if (existingStatus.status === "removed_stale") {
+                process.stderr.write("Continuing with a new Primitive CLI login...\n");
+            }
+            else if (existingStatus.status === "blocked") {
+                writeErrorWithHints(existingStatus.payload);
+                throw cliError(existingStatus.message);
+            }
+            else {
+                const org = existing.org_name ? ` for ${existing.org_name}` : "";
+                throw cliError(`Already logged in${org}. Run \`primitive logout\` before logging in again.`);
+            }
+        }
+        const apiClient = new PrimitiveApiClient({ baseUrl });
+        const deviceName = flags["device-name"] ?? hostname();
+        const started = await startCliLogin({
+            body: {
+                device_name: deviceName,
+            },
+            client: apiClient.client,
+            responseStyle: "fields",
+        });
+        if (started.error) {
+            writeErrorWithHints(extractErrorPayload(started.error));
+            throw cliError("Could not start Primitive CLI login.");
+        }
+        const start = unwrapData(started.data);
+        if (!start) {
+            throw cliError("Primitive API returned an empty CLI login response.");
+        }
+        process.stderr.write(`Your login code is: ${start.user_code}\n`);
+        if (!flags["no-browser"]) {
+            openBrowser(start.verification_uri_complete);
+            process.stderr.write("Opening Primitive in your browser...\n");
+        }
+        process.stderr.write(`If the browser did not open, visit: ${start.verification_uri_complete}\n`);
+        process.stderr.write("Waiting for browser approval...\n");
+        const deadline = Date.now() + start.expires_in * 1000;
+        let interval = Math.min(Math.max(1, start.interval), MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS);
+        let nextPollDelay = 1;
+        while (Date.now() < deadline) {
+            await sleep(nextPollDelay * 1000);
+            nextPollDelay = interval;
+            const polled = await pollCliLogin({
+                body: { device_code: start.device_code },
+                client: apiClient.client,
+                responseStyle: "fields",
+            });
+            if (polled.data) {
+                const login = unwrapData(polled.data);
+                if (!login) {
+                    throw cliError("Primitive API returned an empty CLI poll response.");
+                }
+                saveCliCredentials(this.config.configDir, {
+                    api_key: login.api_key,
+                    base_url: baseUrl,
+                    created_at: new Date().toISOString(),
+                    key_id: login.key_id,
+                    key_prefix: login.key_prefix,
+                    org_id: login.org_id,
+                    org_name: login.org_name,
+                });
+                const org = login.org_name ? ` (${login.org_name})` : "";
+                process.stderr.write(`Logged in to org ${login.org_id}${org}.\n`);
+                process.stderr.write(`Saved credentials to ${credentialsPath(this.config.configDir)}.\n`);
+                return;
+            }
+            const payload = extractErrorPayload(polled.error);
+            const code = extractErrorCode(payload);
+            if (code === API_ERROR_CODES.authorizationPending) {
+                nextPollDelay = interval;
+                continue;
+            }
+            if (code === API_ERROR_CODES.slowDown) {
+                interval = Math.min(retryAfterSeconds(polled) ?? interval + 5, MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS);
+                nextPollDelay = interval;
+                continue;
+            }
+            if (code === API_ERROR_CODES.accessDenied) {
+                throw cliError("Primitive CLI login was denied in the browser.");
+            }
+            if (code === API_ERROR_CODES.expiredToken) {
+                throw cliError("Primitive CLI login expired. Run `primitive login` again.");
+            }
+            if (code === API_ERROR_CODES.invalidDeviceCode) {
+                throw cliError("Primitive CLI login device code is invalid. Run `primitive login` again.");
+            }
+            writeErrorWithHints(payload);
+            throw cliError("Primitive CLI login failed while polling for approval.");
+        }
+        throw cliError("Primitive CLI login expired. Run `primitive login` again.");
+    }
+}
+export default LoginCommand;

package/dist/oclif/commands/logout.js

@@ -0,0 +1,87 @@
+import { Command, Errors, Flags } from "@oclif/core";
+import { cliLogout } from "../../api/generated/sdk.gen.js";
+import { PrimitiveApiClient } from "../../api/index.js";
+import { API_ERROR_CODES, extractErrorCode, extractErrorPayload, writeErrorWithHints, } from "../api-command.js";
+import { acquireCliCredentialsLock, deleteCliCredentials, loadCliCredentials, normalizeBaseUrl, } from "../auth.js";
+function cliError(message) {
+    return new Errors.CLIError(message, { exit: 1 });
+}
+function unwrapData(value) {
+    const envelope = value;
+    return envelope?.data ?? null;
+}
+class LogoutCommand extends Command {
+    static description = "Log out by revoking the saved Primitive CLI API key and deleting local credentials.";
+    static summary = "Log out and revoke the saved CLI key";
+    static examples = ["<%= config.bin %> logout"];
+    static flags = {
+        "base-url": Flags.string({
+            description: "Override the API base URL used for key revocation",
+            env: "PRIMITIVE_API_URL",
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(LogoutCommand);
+        let releaseCredentialsLock;
+        try {
+            releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+        }
+        catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            throw cliError(detail);
+        }
+        try {
+            await this.runWithCredentialLock(flags);
+        }
+        finally {
+            releaseCredentialsLock();
+        }
+    }
+    async runWithCredentialLock(flags) {
+        let credentials;
+        try {
+            credentials = loadCliCredentials(this.config.configDir);
+        }
+        catch (error) {
+            deleteCliCredentials(this.config.configDir);
+            const detail = error instanceof Error ? error.message : String(error);
+            process.stderr.write(`Removed unreadable Primitive CLI credentials. Backing API key was not revoked: ${detail}\n`);
+            process.exitCode = 1;
+            return;
+        }
+        if (!credentials) {
+            throw cliError("Not logged in. Run `primitive login` to create saved CLI credentials.");
+        }
+        const baseUrl = flags["base-url"]
+            ? normalizeBaseUrl(flags["base-url"])
+            : credentials.base_url;
+        const apiClient = new PrimitiveApiClient({
+            apiKey: credentials.api_key,
+            baseUrl,
+        });
+        const result = await cliLogout({
+            body: { key_id: credentials.key_id },
+            client: apiClient.client,
+            responseStyle: "fields",
+        });
+        if (result.error) {
+            const payload = extractErrorPayload(result.error);
+            const code = extractErrorCode(payload);
+            if (code === API_ERROR_CODES.unauthorized ||
+                code === API_ERROR_CODES.notFound) {
+                deleteCliCredentials(this.config.configDir);
+                writeErrorWithHints(payload);
+                process.stderr.write("Removed saved Primitive CLI credentials because the backing API key is already unavailable.\n");
+                process.exitCode = 1;
+                return;
+            }
+            writeErrorWithHints(payload);
+            throw cliError("Could not revoke the saved Primitive CLI API key.");
+        }
+        const logout = unwrapData(result.data);
+        deleteCliCredentials(this.config.configDir);
+        const keyId = logout?.key_id ?? credentials.key_id;
+        process.stderr.write(`Logged out and revoked API key ${keyId}.\n`);
+    }
+}
+export default LogoutCommand;