@primitivedotdev/sdk 0.18.0 → 0.20.0

package/dist/oclif/commands/login.js

@@ -0,0 +1,233 @@
+import { spawn } from "node:child_process";
+import { hostname } from "node:os";
+import { Command, Errors, Flags } from "@oclif/core";
+import { getAccount, pollCliLogin, startCliLogin, } from "../../api/generated/sdk.gen.js";
+import { PrimitiveApiClient } from "../../api/index.js";
+import { API_ERROR_CODES, extractErrorCode, extractErrorPayload, removeStaleSavedCredentialOnUnauthorized, writeErrorWithHints, } from "../api-command.js";
+import { acquireCliCredentialsLock, credentialsPath, loadCliCredentials, normalizeBaseUrl, saveCliCredentials, } from "../auth.js";
+const MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS = 60;
+function cliError(message) {
+    return new Errors.CLIError(message, { exit: 1 });
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function openBrowser(url) {
+    const command = process.platform === "darwin"
+        ? "open"
+        : process.platform === "win32"
+            ? "cmd"
+            : "xdg-open";
+    const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
+    const child = spawn(command, args, { detached: true, stdio: "ignore" });
+    child.on("error", () => undefined);
+    child.unref();
+}
+function unwrapData(value) {
+    const envelope = value;
+    return envelope?.data ?? null;
+}
+function retryAfterSeconds(result) {
+    const response = result.response;
+    const raw = response?.headers.get("retry-after");
+    if (!raw)
+        return null;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
+}
+export async function checkExistingLogin(params) {
+    const baseUrlOverridden = params.baseUrl !== undefined;
+    const probeBaseUrl = baseUrlOverridden
+        ? normalizeBaseUrl(params.baseUrl)
+        : params.credentials.base_url;
+    const apiClient = new PrimitiveApiClient({
+        apiKey: params.credentials.api_key,
+        baseUrl: probeBaseUrl,
+    });
+    const result = await (params.checkAccount ??
+        ((client) => getAccount({
+            client: client.client,
+            responseStyle: "fields",
+        })))(apiClient);
+    if (!result.error)
+        return { status: "valid" };
+    const payload = extractErrorPayload(result.error);
+    const auth = {
+        apiKey: params.credentials.api_key,
+        baseUrl: probeBaseUrl,
+        credentials: params.credentials,
+        source: "stored",
+    };
+    const removed = removeStaleSavedCredentialOnUnauthorized({
+        auth,
+        baseUrlOverridden,
+        configDir: params.configDir,
+        payload,
+    });
+    if (removed)
+        return { status: "removed_stale" };
+    const code = extractErrorCode(payload);
+    return {
+        status: "blocked",
+        payload,
+        message: code === API_ERROR_CODES.unauthorized
+            ? "Saved Primitive CLI credentials were rejected. Run `primitive logout` to remove them before logging in again."
+            : "A saved Primitive CLI login exists, but the CLI could not verify whether it is still valid. Run `primitive logout` before logging in again.",
+    };
+}
+class LoginCommand extends Command {
+    static description = "Log in by opening Primitive in your browser and saving an org-scoped CLI API key locally.";
+    static summary = "Log in with browser approval";
+    static examples = [
+        "<%= config.bin %> login",
+        "<%= config.bin %> login --device-name work-laptop",
+        "<%= config.bin %> login --force",
+    ];
+    static flags = {
+        "base-url": Flags.string({
+            description: "API base URL (defaults to PRIMITIVE_API_URL or production)",
+            env: "PRIMITIVE_API_URL",
+        }),
+        "device-name": Flags.string({
+            description: "Device name shown in the browser approval screen",
+        }),
+        "no-browser": Flags.boolean({
+            description: "Do not attempt to open the browser automatically",
+        }),
+        force: Flags.boolean({
+            char: "f",
+            description: "Replace saved credentials without first verifying the existing login",
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(LoginCommand);
+        let releaseCredentialsLock;
+        try {
+            releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+        }
+        catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            throw cliError(detail);
+        }
+        try {
+            await this.runWithCredentialLock(flags);
+        }
+        finally {
+            releaseCredentialsLock();
+        }
+    }
+    async runWithCredentialLock(flags) {
+        const baseUrl = normalizeBaseUrl(flags["base-url"]);
+        let existing;
+        try {
+            existing = loadCliCredentials(this.config.configDir);
+        }
+        catch (error) {
+            if (!flags.force)
+                throw error;
+            const detail = error instanceof Error ? error.message : String(error);
+            process.stderr.write(`Replacing unreadable Primitive CLI credentials because --force was set: ${detail}\n`);
+            existing = null;
+        }
+        if (existing && flags.force) {
+            process.stderr.write("Replacing saved Primitive CLI credentials after browser approval because --force was set.\n");
+        }
+        else if (existing) {
+            const existingStatus = await checkExistingLogin({
+                baseUrl: flags["base-url"],
+                configDir: this.config.configDir,
+                credentials: existing,
+            });
+            if (existingStatus.status === "removed_stale") {
+                process.stderr.write("Continuing with a new Primitive CLI login...\n");
+            }
+            else if (existingStatus.status === "blocked") {
+                writeErrorWithHints(existingStatus.payload);
+                throw cliError(existingStatus.message);
+            }
+            else {
+                const org = existing.org_name ? ` for ${existing.org_name}` : "";
+                throw cliError(`Already logged in${org}. Run \`primitive logout\` before logging in again.`);
+            }
+        }
+        const apiClient = new PrimitiveApiClient({ baseUrl });
+        const deviceName = flags["device-name"] ?? hostname();
+        const started = await startCliLogin({
+            body: {
+                device_name: deviceName,
+            },
+            client: apiClient.client,
+            responseStyle: "fields",
+        });
+        if (started.error) {
+            writeErrorWithHints(extractErrorPayload(started.error));
+            throw cliError("Could not start Primitive CLI login.");
+        }
+        const start = unwrapData(started.data);
+        if (!start) {
+            throw cliError("Primitive API returned an empty CLI login response.");
+        }
+        process.stderr.write(`Your login code is: ${start.user_code}\n`);
+        if (!flags["no-browser"]) {
+            openBrowser(start.verification_uri_complete);
+            process.stderr.write("Opening Primitive in your browser...\n");
+        }
+        process.stderr.write(`If the browser did not open, visit: ${start.verification_uri_complete}\n`);
+        process.stderr.write("Waiting for browser approval...\n");
+        const deadline = Date.now() + start.expires_in * 1000;
+        let interval = Math.min(Math.max(1, start.interval), MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS);
+        let nextPollDelay = 1;
+        while (Date.now() < deadline) {
+            await sleep(nextPollDelay * 1000);
+            nextPollDelay = interval;
+            const polled = await pollCliLogin({
+                body: { device_code: start.device_code },
+                client: apiClient.client,
+                responseStyle: "fields",
+            });
+            if (polled.data) {
+                const login = unwrapData(polled.data);
+                if (!login) {
+                    throw cliError("Primitive API returned an empty CLI poll response.");
+                }
+                saveCliCredentials(this.config.configDir, {
+                    api_key: login.api_key,
+                    base_url: baseUrl,
+                    created_at: new Date().toISOString(),
+                    key_id: login.key_id,
+                    key_prefix: login.key_prefix,
+                    org_id: login.org_id,
+                    org_name: login.org_name,
+                });
+                const org = login.org_name ? ` (${login.org_name})` : "";
+                process.stderr.write(`Logged in to org ${login.org_id}${org}.\n`);
+                process.stderr.write(`Saved credentials to ${credentialsPath(this.config.configDir)}.\n`);
+                return;
+            }
+            const payload = extractErrorPayload(polled.error);
+            const code = extractErrorCode(payload);
+            if (code === API_ERROR_CODES.authorizationPending) {
+                nextPollDelay = interval;
+                continue;
+            }
+            if (code === API_ERROR_CODES.slowDown) {
+                interval = Math.min(retryAfterSeconds(polled) ?? interval + 5, MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS);
+                nextPollDelay = interval;
+                continue;
+            }
+            if (code === API_ERROR_CODES.accessDenied) {
+                throw cliError("Primitive CLI login was denied in the browser.");
+            }
+            if (code === API_ERROR_CODES.expiredToken) {
+                throw cliError("Primitive CLI login expired. Run `primitive login` again.");
+            }
+            if (code === API_ERROR_CODES.invalidDeviceCode) {
+                throw cliError("Primitive CLI login device code is invalid. Run `primitive login` again.");
+            }
+            writeErrorWithHints(payload);
+            throw cliError("Primitive CLI login failed while polling for approval.");
+        }
+        throw cliError("Primitive CLI login expired. Run `primitive login` again.");
+    }
+}
+export default LoginCommand;

package/dist/oclif/commands/logout.js

@@ -0,0 +1,87 @@
+import { Command, Errors, Flags } from "@oclif/core";
+import { cliLogout } from "../../api/generated/sdk.gen.js";
+import { PrimitiveApiClient } from "../../api/index.js";
+import { API_ERROR_CODES, extractErrorCode, extractErrorPayload, writeErrorWithHints, } from "../api-command.js";
+import { acquireCliCredentialsLock, deleteCliCredentials, loadCliCredentials, normalizeBaseUrl, } from "../auth.js";
+function cliError(message) {
+    return new Errors.CLIError(message, { exit: 1 });
+}
+function unwrapData(value) {
+    const envelope = value;
+    return envelope?.data ?? null;
+}
+class LogoutCommand extends Command {
+    static description = "Log out by revoking the saved Primitive CLI API key and deleting local credentials.";
+    static summary = "Log out and revoke the saved CLI key";
+    static examples = ["<%= config.bin %> logout"];
+    static flags = {
+        "base-url": Flags.string({
+            description: "Override the API base URL used for key revocation",
+            env: "PRIMITIVE_API_URL",
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(LogoutCommand);
+        let releaseCredentialsLock;
+        try {
+            releaseCredentialsLock = acquireCliCredentialsLock(this.config.configDir);
+        }
+        catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            throw cliError(detail);
+        }
+        try {
+            await this.runWithCredentialLock(flags);
+        }
+        finally {
+            releaseCredentialsLock();
+        }
+    }
+    async runWithCredentialLock(flags) {
+        let credentials;
+        try {
+            credentials = loadCliCredentials(this.config.configDir);
+        }
+        catch (error) {
+            deleteCliCredentials(this.config.configDir);
+            const detail = error instanceof Error ? error.message : String(error);
+            process.stderr.write(`Removed unreadable Primitive CLI credentials. Backing API key was not revoked: ${detail}\n`);
+            process.exitCode = 1;
+            return;
+        }
+        if (!credentials) {
+            throw cliError("Not logged in. Run `primitive login` to create saved CLI credentials.");
+        }
+        const baseUrl = flags["base-url"]
+            ? normalizeBaseUrl(flags["base-url"])
+            : credentials.base_url;
+        const apiClient = new PrimitiveApiClient({
+            apiKey: credentials.api_key,
+            baseUrl,
+        });
+        const result = await cliLogout({
+            body: { key_id: credentials.key_id },
+            client: apiClient.client,
+            responseStyle: "fields",
+        });
+        if (result.error) {
+            const payload = extractErrorPayload(result.error);
+            const code = extractErrorCode(payload);
+            if (code === API_ERROR_CODES.unauthorized ||
+                code === API_ERROR_CODES.notFound) {
+                deleteCliCredentials(this.config.configDir);
+                writeErrorWithHints(payload);
+                process.stderr.write("Removed saved Primitive CLI credentials because the backing API key is already unavailable.\n");
+                process.exitCode = 1;
+                return;
+            }
+            writeErrorWithHints(payload);
+            throw cliError("Could not revoke the saved Primitive CLI API key.");
+        }
+        const logout = unwrapData(result.data);
+        deleteCliCredentials(this.config.configDir);
+        const keyId = logout?.key_id ?? credentials.key_id;
+        process.stderr.write(`Logged out and revoked API key ${keyId}.\n`);
+    }
+}
+export default LogoutCommand;

package/dist/oclif/commands/send.js

@@ -1,7 +1,8 @@
 import { Command, Errors, Flags } from "@oclif/core";
 import { listDomains, sendEmail } from "../../api/generated/sdk.gen.js";
 import { PrimitiveApiClient } from "../../api/index.js";
-import { extractErrorCode, extractErrorPayload, formatErrorPayload, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
+import { API_ERROR_CODES, extractErrorCode, extractErrorPayload, formatErrorPayload, removeStaleSavedCredentialOnUnauthorized, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
+import { resolveCliAuth } from "../auth.js";
 // `primitive send` is the agent-grade shortcut for the most common
 // case: send a fresh outbound email. It wraps `sending:send-email`
 // with two ergonomic defaults that the underlying operation can't
@@ -53,7 +54,7 @@ function deriveSubject(body) {
 function isVerifiedDomain(domain) {
     return domain.is_active === true;
 }
-async function pickDefaultFromAddress(apiClient) {
+async function pickDefaultFromAddress(apiClient, authFailureContext) {
     const result = await listDomains({
         client: apiClient.client,
         responseStyle: "fields",
@@ -65,8 +66,12 @@ async function pickDefaultFromAddress(apiClient) {
         // Surface the auth hint via writeErrorWithHints and bail with
         // a focused message instead of the verbose "underlying error"
         // wrapping.
-        if (extractErrorCode(errorPayload) === "unauthorized") {
+        if (extractErrorCode(errorPayload) === API_ERROR_CODES.unauthorized) {
             writeErrorWithHints(errorPayload);
+            removeStaleSavedCredentialOnUnauthorized({
+                ...authFailureContext,
+                payload: errorPayload,
+            });
             // exit: 1 to match the run() unauthorized path (which uses
             // `process.exitCode = 1`). oclif's CLIError defaults to 2,
             // so without this override the same "unauthorized" condition
@@ -107,7 +112,7 @@ class SendCommand extends Command {
     ];
     static flags = {
         "api-key": Flags.string({
-            description: "Primitive API key (defaults to PRIMITIVE_API_KEY)",
+            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
             env: "PRIMITIVE_API_KEY",
         }),
         "base-url": Flags.string({
@@ -149,11 +154,23 @@ class SendCommand extends Command {
             throw new Errors.CLIError("Either --body or --html (or both) is required.");
         }
         await runWithTiming(flags.time, async () => {
-            const apiClient = new PrimitiveApiClient({
+            const baseUrlOverridden = flags["base-url"] !== undefined;
+            const auth = resolveCliAuth({
                 apiKey: flags["api-key"],
                 baseUrl: flags["base-url"],
+                configDir: this.config.configDir,
+            });
+            const apiClient = new PrimitiveApiClient({
+                apiKey: auth.apiKey,
+                baseUrl: auth.baseUrl,
             });
-            const from = flags.from ?? (await pickDefaultFromAddress(apiClient));
+            const authFailureContext = {
+                auth,
+                baseUrlOverridden,
+                configDir: this.config.configDir,
+            };
+            const from = flags.from ??
+                (await pickDefaultFromAddress(apiClient, authFailureContext));
             const subject = flags.subject ?? (flags.body ? deriveSubject(flags.body) : "Message");
             const result = await sendEmail({
                 body: {
@@ -174,7 +191,12 @@ class SendCommand extends Command {
                 responseStyle: "fields",
             });
             if (result.error) {
-                writeErrorWithHints(extractErrorPayload(result.error));
+                const errorPayload = extractErrorPayload(result.error);
+                writeErrorWithHints(errorPayload);
+                removeStaleSavedCredentialOnUnauthorized({
+                    ...authFailureContext,
+                    payload: errorPayload,
+                });
                 process.exitCode = 1;
                 return;
             }

package/dist/oclif/commands/whoami.js

@@ -1,7 +1,8 @@
 import { Command, Errors, Flags } from "@oclif/core";
 import { getAccount } from "../../api/generated/sdk.gen.js";
 import { PrimitiveApiClient } from "../../api/index.js";
-import { extractErrorPayload, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
+import { extractErrorPayload, removeStaleSavedCredentialOnUnauthorized, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
+import { resolveCliAuth } from "../auth.js";
 // `primitive whoami` is the credentials smoke-test the AGX
 // walkthrough kept asking for. Before this command, a user with a
 // suspect API key had no fast way to verify "is my key live and
@@ -21,7 +22,7 @@ class WhoamiCommand extends Command {
     ];
     static flags = {
         "api-key": Flags.string({
-            description: "Primitive API key (defaults to PRIMITIVE_API_KEY)",
+            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
             env: "PRIMITIVE_API_KEY",
         }),
         "base-url": Flags.string({
@@ -35,16 +36,29 @@ class WhoamiCommand extends Command {
     async run() {
         const { flags } = await this.parse(WhoamiCommand);
         await runWithTiming(flags.time, async () => {
-            const apiClient = new PrimitiveApiClient({
+            const baseUrlOverridden = flags["base-url"] !== undefined;
+            const auth = resolveCliAuth({
                 apiKey: flags["api-key"],
                 baseUrl: flags["base-url"],
+                configDir: this.config.configDir,
+            });
+            const apiClient = new PrimitiveApiClient({
+                apiKey: auth.apiKey,
+                baseUrl: auth.baseUrl,
             });
             const result = await getAccount({
                 client: apiClient.client,
                 responseStyle: "fields",
             });
             if (result.error) {
-                writeErrorWithHints(extractErrorPayload(result.error));
+                const errorPayload = extractErrorPayload(result.error);
+                writeErrorWithHints(errorPayload);
+                removeStaleSavedCredentialOnUnauthorized({
+                    auth,
+                    baseUrlOverridden,
+                    configDir: this.config.configDir,
+                    payload: errorPayload,
+                });
                 process.exitCode = 1;
                 return;
             }

package/dist/oclif/fish-completion.js

@@ -73,7 +73,7 @@ export function renderFishCompletion(binName) {
             ]) {
                 lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l '${fishEscape(parameter.name.replace(/_/g, "-"))}' -r -d '${fishEscape(parameter.description ?? parameter.name)}'`);
             }
-            lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'api-key' -r -d 'Primitive API key (defaults to PRIMITIVE_API_KEY)'`, `complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'base-url' -r -d 'API base URL (defaults to PRIMITIVE_API_URL or production)'`);
+            lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'api-key' -r -d 'Primitive API key (defaults to PRIMITIVE_API_KEY or saved primitive login credentials)'`, `complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'base-url' -r -d 'API base URL (defaults to PRIMITIVE_API_URL or production)'`);
             if (operation.hasJsonBody) {
                 lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body' -r -d 'JSON request body'`, `complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body-file' -r -d 'Path to a JSON file used as the request body'`);
             }

package/dist/oclif/index.js

@@ -2,6 +2,10 @@ import { Args, Command, Errors } from "@oclif/core";
 import { operationManifest, } from "../openapi/index.js";
 import { createOperationCommand } from "./api-command.js";
 import EmailsLatestCommand from "./commands/emails-latest.js";
+import FunctionsDeployCommand from "./commands/functions-deploy.js";
+import FunctionsRedeployCommand from "./commands/functions-redeploy.js";
+import LoginCommand from "./commands/login.js";
+import LogoutCommand from "./commands/logout.js";
 import SendCommand from "./commands/send.js";
 import WhoamiCommand from "./commands/whoami.js";
 import { renderFishCompletion } from "./fish-completion.js";
@@ -116,6 +120,10 @@ export const COMMANDS = {
     // operation stays available under sending:send-email for callers
     // who want every flag.
     send: SendCommand,
+    // `login` creates and stores an org-scoped CLI API key via browser approval.
+    login: LoginCommand,
+    // `logout` revokes the saved CLI API key and removes local credentials.
+    logout: LogoutCommand,
     // `whoami` is the credentials smoke test. Prints the account the
     // current API key authenticates as. AGX walkthroughs kept
     // wanting this before risking a real call against a possibly-
@@ -125,5 +133,13 @@ export const COMMANDS = {
     // inbound emails as a compact text table. emails:list-emails stays
     // available for the full JSON envelope + cursor pagination.
     "emails:latest": EmailsLatestCommand,
+    // `functions:deploy` and `functions:redeploy` are file-input
+    // shortcuts for create-function / update-function. The underlying
+    // ops take `code` as a body string, which is awkward at the CLI
+    // for multi-line bundles; these read the bundle off disk and pass
+    // it through. The auto-generated functions:* operations stay
+    // available for callers that want the full surface.
+    "functions:deploy": FunctionsDeployCommand,
+    "functions:redeploy": FunctionsRedeployCommand,
     ...generatedCommands,
 };