@primitivedotdev/sdk 0.19.0 → 0.21.0

package/dist/oclif/commands/emails-wait.js

@@ -0,0 +1,171 @@
+import { Command, Errors, Flags } from "@oclif/core";
+import { PrimitiveApiClient } from "../../api/index.js";
+import { extractErrorPayload, removeStaleSavedCredentialOnUnauthorized, writeErrorWithHints, } from "../api-command.js";
+import { resolveCliAuth } from "../auth.js";
+import { formatHeader, formatRow, pickIdWidth } from "./emails-latest.js";
+import { collectNewAcceptedEmails, DEFAULT_EMAIL_POLL_INTERVAL_SECONDS, DEFAULT_EMAIL_POLL_PAGE_SIZE, fetchEmailSearchPage, filtersFromFlags, MAX_EMAIL_POLL_PAGE_SIZE, sinceFromFlags, sleep, } from "./emails-poll.js";
+const DEFAULT_WAIT_TIMEOUT_SECONDS = 300;
+function cliError(message) {
+    return new Errors.CLIError(message, { exit: 1 });
+}
+class EmailsWaitCommand extends Command {
+    static description = "Poll until matching inbound emails arrive, printing each match as it is found.";
+    static summary = "Wait for matching inbound emails";
+    static examples = [
+        "<%= config.bin %> emails wait --to test@example.com",
+        "<%= config.bin %> emails wait --subject verify --number 5 --timeout 120",
+        "<%= config.bin %> emails wait --q 'domain:example.com' --table",
+    ];
+    static flags = {
+        "api-key": Flags.string({
+            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+            env: "PRIMITIVE_API_KEY",
+        }),
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
+        }),
+        "api-base-url-2": Flags.string({
+            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_2",
+            hidden: true,
+        }),
+        body: Flags.string({
+            description: "Full-text body filter",
+        }),
+        domain: Flags.string({
+            description: "Filter by inbound email domain",
+        }),
+        "domain-id": Flags.string({
+            description: "Filter by domain UUID",
+        }),
+        from: Flags.string({
+            description: "Filter by sender address or domain",
+        }),
+        "has-attachment": Flags.boolean({
+            description: "Only match emails with one or more attachments",
+        }),
+        "include-existing": Flags.boolean({
+            description: "Start from existing matching emails instead of only new arrivals",
+        }),
+        interval: Flags.integer({
+            default: DEFAULT_EMAIL_POLL_INTERVAL_SECONDS,
+            description: "Seconds to wait between empty polls",
+            min: 1,
+        }),
+        number: Flags.integer({
+            char: "n",
+            default: 1,
+            description: "Exit successfully after this many matching emails",
+            min: 1,
+        }),
+        "page-size": Flags.integer({
+            default: DEFAULT_EMAIL_POLL_PAGE_SIZE,
+            description: `Emails to fetch per poll (1-${MAX_EMAIL_POLL_PAGE_SIZE})`,
+            max: MAX_EMAIL_POLL_PAGE_SIZE,
+            min: 1,
+        }),
+        q: Flags.string({
+            description: "Full-text search DSL query",
+        }),
+        since: Flags.string({
+            description: "Only match emails received on or after this date/time",
+        }),
+        "spam-score-gte": Flags.integer({
+            description: "Only match emails with spam score greater than or equal to this value",
+        }),
+        "spam-score-lt": Flags.integer({
+            description: "Only match emails with spam score below this value",
+        }),
+        subject: Flags.string({
+            description: "Full-text subject filter",
+        }),
+        table: Flags.boolean({
+            description: "Print a human-readable table instead of JSONL",
+        }),
+        timeout: Flags.integer({
+            default: DEFAULT_WAIT_TIMEOUT_SECONDS,
+            description: "Seconds to wait before exiting nonzero; 0 waits forever",
+            min: 0,
+        }),
+        to: Flags.string({
+            description: "Filter by recipient address or domain",
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(EmailsWaitCommand);
+        const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
+            flags["api-base-url-2"] !== undefined;
+        const auth = resolveCliAuth({
+            apiKey: flags["api-key"],
+            apiBaseUrl1: flags["api-base-url-1"],
+            apiBaseUrl2: flags["api-base-url-2"],
+            configDir: this.config.configDir,
+        });
+        const apiClient = new PrimitiveApiClient({
+            apiKey: auth.apiKey,
+            apiBaseUrl1: auth.apiBaseUrl1,
+            apiBaseUrl2: auth.apiBaseUrl2,
+        });
+        let since;
+        try {
+            since = sinceFromFlags(flags);
+        }
+        catch (error) {
+            throw cliError(error instanceof Error ? error.message : String(error));
+        }
+        const filters = filtersFromFlags(flags);
+        const deadline = flags.timeout === 0 ? null : Date.now() + flags.timeout * 1000;
+        const idWidth = pickIdWidth(Boolean(process.stdout.isTTY));
+        const seenIds = new Set();
+        let cursor = null;
+        let matched = 0;
+        let headerPrinted = false;
+        while (deadline === null || Date.now() < deadline) {
+            const page = await fetchEmailSearchPage({
+                apiClient,
+                cursor,
+                filters,
+                pageSize: flags["page-size"],
+                since,
+            });
+            if (!page.ok) {
+                const payload = extractErrorPayload(page.error);
+                writeErrorWithHints(payload);
+                removeStaleSavedCredentialOnUnauthorized({
+                    auth,
+                    baseUrlOverridden,
+                    configDir: this.config.configDir,
+                    payload,
+                });
+                process.exitCode = 1;
+                return;
+            }
+            cursor = page.cursor ?? cursor;
+            for (const email of collectNewAcceptedEmails(page.rows, seenIds)) {
+                if (flags.table) {
+                    if (!headerPrinted) {
+                        process.stderr.write(`${formatHeader(idWidth)}\n`);
+                        headerPrinted = true;
+                    }
+                    this.log(formatRow(email, idWidth));
+                }
+                else {
+                    this.log(JSON.stringify(email));
+                }
+                matched += 1;
+                if (matched >= flags.number)
+                    return;
+            }
+            if (page.rows.length > 0)
+                continue;
+            if (deadline !== null && Date.now() >= deadline)
+                break;
+            await sleep(flags.interval * 1000);
+        }
+        process.stderr.write(`Timed out waiting for ${flags.number} matching email${flags.number === 1 ? "" : "s"}; received ${matched}.\n`);
+        process.exitCode = 1;
+    }
+}
+export default EmailsWaitCommand;

package/dist/oclif/commands/emails-watch.js

@@ -0,0 +1,165 @@
+import { Command, Errors, Flags } from "@oclif/core";
+import { PrimitiveApiClient } from "../../api/index.js";
+import { extractErrorPayload, removeStaleSavedCredentialOnUnauthorized, writeErrorWithHints, } from "../api-command.js";
+import { resolveCliAuth } from "../auth.js";
+import { formatHeader, formatRow, pickIdWidth } from "./emails-latest.js";
+import { collectNewAcceptedEmails, DEFAULT_EMAIL_POLL_INTERVAL_SECONDS, DEFAULT_EMAIL_POLL_PAGE_SIZE, fetchEmailSearchPage, filtersFromFlags, MAX_EMAIL_POLL_PAGE_SIZE, sinceFromFlags, sleep, } from "./emails-poll.js";
+function cliError(message) {
+    return new Errors.CLIError(message, { exit: 1 });
+}
+class EmailsWatchCommand extends Command {
+    static description = "Poll for new inbound emails and print matching messages as they arrive.";
+    static summary = "Watch inbound emails with filters";
+    static examples = [
+        "<%= config.bin %> emails watch --to support@example.com",
+        "<%= config.bin %> emails watch --subject verify --seconds 300",
+        "<%= config.bin %> emails watch --number 20 --jsonl",
+    ];
+    static flags = {
+        "api-key": Flags.string({
+            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+            env: "PRIMITIVE_API_KEY",
+        }),
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
+        }),
+        "api-base-url-2": Flags.string({
+            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_2",
+            hidden: true,
+        }),
+        body: Flags.string({
+            description: "Full-text body filter",
+        }),
+        domain: Flags.string({
+            description: "Filter by inbound email domain",
+        }),
+        "domain-id": Flags.string({
+            description: "Filter by domain UUID",
+        }),
+        from: Flags.string({
+            description: "Filter by sender address or domain",
+        }),
+        "has-attachment": Flags.boolean({
+            description: "Only show emails with one or more attachments",
+        }),
+        "include-existing": Flags.boolean({
+            description: "Start from existing matching emails instead of only new arrivals",
+        }),
+        interval: Flags.integer({
+            default: DEFAULT_EMAIL_POLL_INTERVAL_SECONDS,
+            description: "Seconds to wait between empty polls",
+            min: 1,
+        }),
+        jsonl: Flags.boolean({
+            description: "Print each email as one JSON object per line",
+        }),
+        number: Flags.integer({
+            description: "Exit after printing this many matching emails",
+            min: 1,
+        }),
+        "page-size": Flags.integer({
+            default: DEFAULT_EMAIL_POLL_PAGE_SIZE,
+            description: `Emails to fetch per poll (1-${MAX_EMAIL_POLL_PAGE_SIZE})`,
+            max: MAX_EMAIL_POLL_PAGE_SIZE,
+            min: 1,
+        }),
+        q: Flags.string({
+            description: "Full-text search DSL query",
+        }),
+        seconds: Flags.integer({
+            description: "Exit after this many seconds",
+            min: 1,
+        }),
+        since: Flags.string({
+            description: "Only show emails received on or after this date/time",
+        }),
+        "spam-score-gte": Flags.integer({
+            description: "Only show emails with spam score greater than or equal to this value",
+        }),
+        "spam-score-lt": Flags.integer({
+            description: "Only show emails with spam score below this value",
+        }),
+        subject: Flags.string({
+            description: "Full-text subject filter",
+        }),
+        to: Flags.string({
+            description: "Filter by recipient address or domain",
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(EmailsWatchCommand);
+        const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
+            flags["api-base-url-2"] !== undefined;
+        const auth = resolveCliAuth({
+            apiKey: flags["api-key"],
+            apiBaseUrl1: flags["api-base-url-1"],
+            apiBaseUrl2: flags["api-base-url-2"],
+            configDir: this.config.configDir,
+        });
+        const apiClient = new PrimitiveApiClient({
+            apiKey: auth.apiKey,
+            apiBaseUrl1: auth.apiBaseUrl1,
+            apiBaseUrl2: auth.apiBaseUrl2,
+        });
+        let since;
+        try {
+            since = sinceFromFlags(flags);
+        }
+        catch (error) {
+            throw cliError(error instanceof Error ? error.message : String(error));
+        }
+        const filters = filtersFromFlags(flags);
+        const deadline = flags.seconds ? Date.now() + flags.seconds * 1000 : null;
+        const idWidth = pickIdWidth(Boolean(process.stdout.isTTY));
+        const seenIds = new Set();
+        let cursor = null;
+        let printed = 0;
+        let headerPrinted = false;
+        while (deadline === null || Date.now() < deadline) {
+            const page = await fetchEmailSearchPage({
+                apiClient,
+                cursor,
+                filters,
+                pageSize: flags["page-size"],
+                since,
+            });
+            if (!page.ok) {
+                const payload = extractErrorPayload(page.error);
+                writeErrorWithHints(payload);
+                removeStaleSavedCredentialOnUnauthorized({
+                    auth,
+                    baseUrlOverridden,
+                    configDir: this.config.configDir,
+                    payload,
+                });
+                process.exitCode = 1;
+                return;
+            }
+            cursor = page.cursor ?? cursor;
+            for (const email of collectNewAcceptedEmails(page.rows, seenIds)) {
+                if (flags.jsonl) {
+                    this.log(JSON.stringify(email));
+                }
+                else {
+                    if (!headerPrinted) {
+                        process.stderr.write(`${formatHeader(idWidth)}\n`);
+                        headerPrinted = true;
+                    }
+                    this.log(formatRow(email, idWidth));
+                }
+                printed += 1;
+                if (flags.number && printed >= flags.number)
+                    return;
+            }
+            if (page.rows.length > 0)
+                continue;
+            if (deadline !== null && Date.now() >= deadline)
+                break;
+            await sleep(flags.interval * 1000);
+        }
+    }
+}
+export default EmailsWatchCommand;

package/dist/oclif/commands/functions-deploy.js

@@ -0,0 +1,117 @@
+import { Command, Flags } from "@oclif/core";
+import { createFunction } from "../../api/generated/sdk.gen.js";
+import { PrimitiveApiClient } from "../../api/index.js";
+import { extractErrorPayload, readTextFileFlag, removeStaleSavedCredentialOnUnauthorized, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
+import { resolveCliAuth } from "../auth.js";
+// `primitive functions:deploy` is the agent-grade shortcut for
+// `functions:create-function`. The underlying operation takes `code`
+// as a string in the JSON body, which is awkward at the CLI for
+// multi-line bundles: agents would otherwise have to shell-escape an
+// entire ESM file or write a temp body.json. This command reads the
+// bundle straight off disk via --file, so the natural workflow is:
+//
+//     esbuild handler.ts --bundle --format=esm --outfile=bundle.js
+//     primitive functions:deploy --name myfn --file bundle.js
+//
+// Source maps follow the same shape via --source-map-file. They are
+// stored only on the runtime side (not in our database) so dropping
+// them later in the pipeline is fine; the CLI just hands them through.
+//
+// For full control (raw body, --raw-body JSON, etc.) the underlying
+// `functions:create-function` operation stays available.
+class FunctionsDeployCommand extends Command {
+    static description = `Deploy a new function from a bundled handler file. Agent-grade shortcut for functions:create-function.
+
+  Reads the bundle off disk (--file) instead of forcing the caller to
+  serialize the source into a JSON body. Use the underlying operation
+  \`functions:create-function\` if you need the full flag surface
+  (raw-body JSON, etc.).`;
+    static summary = "Deploy a new function from a bundled handler file";
+    static examples = [
+        "<%= config.bin %> functions:deploy --name forwarder --file ./bundle.js",
+        "<%= config.bin %> functions:deploy --name forwarder --file ./bundle.js --source-map-file ./bundle.js.map",
+    ];
+    static flags = {
+        "api-key": Flags.string({
+            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+            env: "PRIMITIVE_API_KEY",
+        }),
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
+        }),
+        "api-base-url-2": Flags.string({
+            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_2",
+            hidden: true,
+        }),
+        name: Flags.string({
+            description: "Slug-style name. Lowercase letters, digits, hyphens, underscores. 1-64 chars. Must be unique within the org.",
+            required: true,
+        }),
+        file: Flags.string({
+            description: "Path to the bundled ESM handler file (single self-contained module). Loaded as the `code` body field.",
+            required: true,
+        }),
+        "source-map-file": Flags.string({
+            description: "Optional path to a source map for the bundle. Stored only on the runtime side and used to symbolicate stack traces.",
+        }),
+        time: Flags.boolean({
+            description: TIME_FLAG_DESCRIPTION,
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(FunctionsDeployCommand);
+        await runWithTiming(flags.time, async () => {
+            // Reads are inside the timed block so --time captures disk I/O
+            // alongside the API call. A pathological filesystem (NFS, slow
+            // FUSE mount) showing up here is exactly the kind of latency
+            // surprise --time is meant to surface.
+            const code = readTextFileFlag(flags.file, "--file");
+            const sourceMap = flags["source-map-file"]
+                ? readTextFileFlag(flags["source-map-file"], "--source-map-file")
+                : undefined;
+            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
+                flags["api-base-url-2"] !== undefined;
+            const auth = resolveCliAuth({
+                apiKey: flags["api-key"],
+                apiBaseUrl1: flags["api-base-url-1"],
+                apiBaseUrl2: flags["api-base-url-2"],
+                configDir: this.config.configDir,
+            });
+            const apiClient = new PrimitiveApiClient({
+                apiKey: auth.apiKey,
+                apiBaseUrl1: auth.apiBaseUrl1,
+                apiBaseUrl2: auth.apiBaseUrl2,
+            });
+            const authFailureContext = {
+                auth,
+                baseUrlOverridden,
+                configDir: this.config.configDir,
+            };
+            const result = await createFunction({
+                body: {
+                    name: flags.name,
+                    code,
+                    ...(sourceMap !== undefined ? { sourceMap } : {}),
+                },
+                client: apiClient.client,
+                responseStyle: "fields",
+            });
+            if (result.error) {
+                const errorPayload = extractErrorPayload(result.error);
+                writeErrorWithHints(errorPayload);
+                removeStaleSavedCredentialOnUnauthorized({
+                    ...authFailureContext,
+                    payload: errorPayload,
+                });
+                process.exitCode = 1;
+                return;
+            }
+            const envelope = result.data;
+            this.log(JSON.stringify(envelope?.data ?? null, null, 2));
+        });
+    }
+}
+export default FunctionsDeployCommand;

package/dist/oclif/commands/functions-redeploy.js

@@ -0,0 +1,106 @@
+import { Command, Flags } from "@oclif/core";
+import { updateFunction } from "../../api/generated/sdk.gen.js";
+import { PrimitiveApiClient } from "../../api/index.js";
+import { extractErrorPayload, readTextFileFlag, removeStaleSavedCredentialOnUnauthorized, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
+import { resolveCliAuth } from "../auth.js";
+// `primitive functions:redeploy` is the agent-grade shortcut for
+// `functions:update-function`. Same file-reading ergonomic as
+// functions:deploy but for an existing function. Use this to push a
+// new bundle, OR to refresh secret bindings: passing the
+// previously-deployed bundle (or any equivalent file) re-runs the
+// deploy and refreshes env from the secrets table, which is how
+// secret writes go live.
+class FunctionsRedeployCommand extends Command {
+    static description = `Update or redeploy a function from a bundled handler file. Agent-grade shortcut for functions:update-function.
+
+  Use to push a new bundle OR to refresh secret bindings into the
+  running handler. The same file is fine for both: the deploy reads
+  the bindings table fresh on every call, so passing the existing
+  bundle picks up any secret writes since the last deploy.`;
+    static summary = "Redeploy a function from a bundled handler file";
+    static examples = [
+        "<%= config.bin %> functions:redeploy --id <fn-id> --file ./bundle.js",
+        "<%= config.bin %> functions:redeploy --id <fn-id> --file ./bundle.js --source-map-file ./bundle.js.map",
+    ];
+    static flags = {
+        "api-key": Flags.string({
+            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+            env: "PRIMITIVE_API_KEY",
+        }),
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
+        }),
+        "api-base-url-2": Flags.string({
+            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_2",
+            hidden: true,
+        }),
+        id: Flags.string({
+            description: "Function id (UUID). The function must already exist.",
+            required: true,
+        }),
+        file: Flags.string({
+            description: "Path to the bundled ESM handler file. Loaded as the `code` body field.",
+            required: true,
+        }),
+        "source-map-file": Flags.string({
+            description: "Optional path to a source map for the bundle. Used to symbolicate stack traces in the function's logs.",
+        }),
+        time: Flags.boolean({
+            description: TIME_FLAG_DESCRIPTION,
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(FunctionsRedeployCommand);
+        await runWithTiming(flags.time, async () => {
+            // Reads inside the timed block: --time captures disk I/O too,
+            // which is the latency the flag is meant to surface.
+            const code = readTextFileFlag(flags.file, "--file");
+            const sourceMap = flags["source-map-file"]
+                ? readTextFileFlag(flags["source-map-file"], "--source-map-file")
+                : undefined;
+            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
+                flags["api-base-url-2"] !== undefined;
+            const auth = resolveCliAuth({
+                apiKey: flags["api-key"],
+                apiBaseUrl1: flags["api-base-url-1"],
+                apiBaseUrl2: flags["api-base-url-2"],
+                configDir: this.config.configDir,
+            });
+            const apiClient = new PrimitiveApiClient({
+                apiKey: auth.apiKey,
+                apiBaseUrl1: auth.apiBaseUrl1,
+                apiBaseUrl2: auth.apiBaseUrl2,
+            });
+            const authFailureContext = {
+                auth,
+                baseUrlOverridden,
+                configDir: this.config.configDir,
+            };
+            const result = await updateFunction({
+                path: { id: flags.id },
+                body: {
+                    code,
+                    ...(sourceMap !== undefined ? { sourceMap } : {}),
+                },
+                client: apiClient.client,
+                responseStyle: "fields",
+            });
+            if (result.error) {
+                const errorPayload = extractErrorPayload(result.error);
+                writeErrorWithHints(errorPayload);
+                removeStaleSavedCredentialOnUnauthorized({
+                    ...authFailureContext,
+                    payload: errorPayload,
+                });
+                process.exitCode = 1;
+                return;
+            }
+            const envelope = result.data;
+            this.log(JSON.stringify(envelope?.data ?? null, null, 2));
+        });
+    }
+}
+export default FunctionsRedeployCommand;

package/dist/oclif/commands/login.js

@@ -4,7 +4,7 @@ import { Command, Errors, Flags } from "@oclif/core";
 import { getAccount, pollCliLogin, startCliLogin, } from "../../api/generated/sdk.gen.js";
 import { PrimitiveApiClient } from "../../api/index.js";
 import { API_ERROR_CODES, extractErrorCode, extractErrorPayload, removeStaleSavedCredentialOnUnauthorized, writeErrorWithHints, } from "../api-command.js";
-import { acquireCliCredentialsLock, credentialsPath, loadCliCredentials, normalizeBaseUrl, saveCliCredentials, } from "../auth.js";
+import { acquireCliCredentialsLock, credentialsPath, loadCliCredentials, normalizeApiBaseUrl1, normalizeApiBaseUrl2, saveCliCredentials, } from "../auth.js";
 const MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS = 60;
 function cliError(message) {
     return new Errors.CLIError(message, { exit: 1 });
@@ -36,13 +36,13 @@ function retryAfterSeconds(result) {
     return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
 }
 export async function checkExistingLogin(params) {
-    const baseUrlOverridden = params.baseUrl !== undefined;
-    const probeBaseUrl = baseUrlOverridden
-        ? normalizeBaseUrl(params.baseUrl)
-        : params.credentials.base_url;
+    const baseUrlOverridden = params.apiBaseUrl1 !== undefined;
+    const probeApiBaseUrl1 = baseUrlOverridden
+        ? normalizeApiBaseUrl1(params.apiBaseUrl1)
+        : params.credentials.api_base_url_1;
     const apiClient = new PrimitiveApiClient({
         apiKey: params.credentials.api_key,
-        baseUrl: probeBaseUrl,
+        apiBaseUrl1: probeApiBaseUrl1,
     });
     const result = await (params.checkAccount ??
         ((client) => getAccount({
@@ -54,7 +54,10 @@ export async function checkExistingLogin(params) {
     const payload = extractErrorPayload(result.error);
     const auth = {
         apiKey: params.credentials.api_key,
-        baseUrl: probeBaseUrl,
+        apiBaseUrl1: probeApiBaseUrl1,
+        // Host-2 isn't relevant to checkExistingLogin (login is on host-1
+        // only), but the auth shape requires it. Use the default.
+        apiBaseUrl2: normalizeApiBaseUrl2(undefined),
         credentials: params.credentials,
         source: "stored",
     };
@@ -84,9 +87,10 @@ class LoginCommand extends Command {
         "<%= config.bin %> login --force",
     ];
     static flags = {
-        "base-url": Flags.string({
-            description: "API base URL (defaults to PRIMITIVE_API_URL or production)",
-            env: "PRIMITIVE_API_URL",
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
         }),
         "device-name": Flags.string({
             description: "Device name shown in the browser approval screen",
@@ -117,7 +121,7 @@ class LoginCommand extends Command {
         }
     }
     async runWithCredentialLock(flags) {
-        const baseUrl = normalizeBaseUrl(flags["base-url"]);
+        const apiBaseUrl1 = normalizeApiBaseUrl1(flags["api-base-url-1"]);
         let existing;
         try {
             existing = loadCliCredentials(this.config.configDir);
@@ -134,7 +138,7 @@ class LoginCommand extends Command {
         }
         else if (existing) {
             const existingStatus = await checkExistingLogin({
-                baseUrl: flags["base-url"],
+                apiBaseUrl1: flags["api-base-url-1"],
                 configDir: this.config.configDir,
                 credentials: existing,
             });
@@ -150,7 +154,7 @@ class LoginCommand extends Command {
                 throw cliError(`Already logged in${org}. Run \`primitive logout\` before logging in again.`);
             }
         }
-        const apiClient = new PrimitiveApiClient({ baseUrl });
+        const apiClient = new PrimitiveApiClient({ apiBaseUrl1 });
         const deviceName = flags["device-name"] ?? hostname();
         const started = await startCliLogin({
             body: {
@@ -192,7 +196,7 @@ class LoginCommand extends Command {
                 }
                 saveCliCredentials(this.config.configDir, {
                     api_key: login.api_key,
-                    base_url: baseUrl,
+                    api_base_url_1: apiBaseUrl1,
                     created_at: new Date().toISOString(),
                     key_id: login.key_id,
                     key_prefix: login.key_prefix,