@primitivedotdev/sdk 0.20.0 → 0.22.0

package/dist/oclif/commands/functions-deploy.js

@@ -36,9 +36,15 @@ class FunctionsDeployCommand extends Command {
             description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
             env: "PRIMITIVE_API_KEY",
         }),
-        "base-url": Flags.string({
-            description: "API base URL (defaults to PRIMITIVE_API_URL or production)",
-            env: "PRIMITIVE_API_URL",
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
+        }),
+        "api-base-url-2": Flags.string({
+            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_2",
+            hidden: true,
         }),
         name: Flags.string({
             description: "Slug-style name. Lowercase letters, digits, hyphens, underscores. 1-64 chars. Must be unique within the org.",
@@ -66,15 +72,18 @@ class FunctionsDeployCommand extends Command {
             const sourceMap = flags["source-map-file"]
                 ? readTextFileFlag(flags["source-map-file"], "--source-map-file")
                 : undefined;
-            const baseUrlOverridden = flags["base-url"] !== undefined;
+            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
+                flags["api-base-url-2"] !== undefined;
             const auth = resolveCliAuth({
                 apiKey: flags["api-key"],
-                baseUrl: flags["base-url"],
+                apiBaseUrl1: flags["api-base-url-1"],
+                apiBaseUrl2: flags["api-base-url-2"],
                 configDir: this.config.configDir,
             });
             const apiClient = new PrimitiveApiClient({
                 apiKey: auth.apiKey,
-                baseUrl: auth.baseUrl,
+                apiBaseUrl1: auth.apiBaseUrl1,
+                apiBaseUrl2: auth.apiBaseUrl2,
             });
             const authFailureContext = {
                 auth,

package/dist/oclif/commands/functions-redeploy.js

@@ -27,9 +27,15 @@ class FunctionsRedeployCommand extends Command {
             description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
             env: "PRIMITIVE_API_KEY",
         }),
-        "base-url": Flags.string({
-            description: "API base URL (defaults to PRIMITIVE_API_URL or production)",
-            env: "PRIMITIVE_API_URL",
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
+        }),
+        "api-base-url-2": Flags.string({
+            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_2",
+            hidden: true,
         }),
         id: Flags.string({
             description: "Function id (UUID). The function must already exist.",
@@ -55,15 +61,18 @@ class FunctionsRedeployCommand extends Command {
             const sourceMap = flags["source-map-file"]
                 ? readTextFileFlag(flags["source-map-file"], "--source-map-file")
                 : undefined;
-            const baseUrlOverridden = flags["base-url"] !== undefined;
+            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
+                flags["api-base-url-2"] !== undefined;
             const auth = resolveCliAuth({
                 apiKey: flags["api-key"],
-                baseUrl: flags["base-url"],
+                apiBaseUrl1: flags["api-base-url-1"],
+                apiBaseUrl2: flags["api-base-url-2"],
                 configDir: this.config.configDir,
             });
             const apiClient = new PrimitiveApiClient({
                 apiKey: auth.apiKey,
-                baseUrl: auth.baseUrl,
+                apiBaseUrl1: auth.apiBaseUrl1,
+                apiBaseUrl2: auth.apiBaseUrl2,
             });
             const authFailureContext = {
                 auth,

package/dist/oclif/commands/functions-set-secret.js

@@ -0,0 +1,213 @@
+import { Command, Flags } from "@oclif/core";
+import { getFunction, setFunctionSecret, updateFunction, } from "../../api/generated/sdk.gen.js";
+import { PrimitiveApiClient } from "../../api/index.js";
+import { extractErrorPayload, removeStaleSavedCredentialOnUnauthorized, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
+import { resolveCliAuth } from "../auth.js";
+// Pure-ish orchestration of the set-secret + optional redeploy
+// flow. Pulled out as a named export so the unit test can drive
+// both the happy path and each error stage with a fake API
+// surface, without spinning up a real client or the oclif
+// command lifecycle.
+//
+// The redeploy step uses the function's CURRENT code (fetched via
+// getFunction) as the new bundle. This is the documented way to
+// "refresh secret bindings without changing the handler": the
+// server-side deploy reads the secrets table fresh on every call,
+// so re-deploying the same code picks up the secret we just wrote.
+export async function runSetSecret(api, params) {
+    const setResult = await api.setSecret({
+        id: params.id,
+        key: params.key,
+        value: params.value,
+    });
+    if (setResult.error) {
+        return {
+            kind: "error",
+            payload: extractErrorPayload(setResult.error),
+            stage: "set-secret",
+        };
+    }
+    const secret = setResult.data?.data;
+    if (!secret) {
+        // Server returned 2xx with no `data` body. Treat as an error
+        // so we don't fabricate a success payload; this should not
+        // happen in practice but the shape forces us to handle it.
+        return {
+            kind: "error",
+            payload: {
+                code: "client_error",
+                message: "Secret write returned no data",
+            },
+            stage: "set-secret",
+        };
+    }
+    if (!params.redeploy) {
+        return { kind: "ok", result: { secret } };
+    }
+    const fnResult = await api.getFunction({ id: params.id });
+    if (fnResult.error) {
+        return {
+            kind: "error",
+            payload: extractErrorPayload(fnResult.error),
+            stage: "get-function",
+        };
+    }
+    const fn = fnResult.data?.data;
+    if (!fn) {
+        return {
+            kind: "error",
+            payload: {
+                code: "client_error",
+                message: "Could not read current function code for redeploy",
+            },
+            stage: "get-function",
+        };
+    }
+    const updateResult = await api.updateFunction({
+        code: fn.code,
+        id: params.id,
+    });
+    if (updateResult.error) {
+        return {
+            kind: "error",
+            payload: extractErrorPayload(updateResult.error),
+            stage: "redeploy",
+        };
+    }
+    const redeployed = updateResult.data?.data;
+    if (!redeployed) {
+        return {
+            kind: "error",
+            payload: {
+                code: "client_error",
+                message: "Redeploy returned no data",
+            },
+            stage: "redeploy",
+        };
+    }
+    return { kind: "ok", result: { redeploy: redeployed, secret } };
+}
+class FunctionsSetSecretCommand extends Command {
+    static description = `Write a function secret and optionally redeploy so the new value lands in the running handler. Agent-grade shortcut for functions:set-function-secret + functions:redeploy.
+
+  Without --redeploy this is a plain secret upsert: the value is
+  encrypted at rest but is NOT visible to the running handler until
+  the next deploy. Pass --redeploy to re-run the deploy with the
+  function's current code in the same call, which refreshes the
+  binding set with the value you just wrote.
+
+  Keys must match \`^[A-Z_][A-Z0-9_]*$\` (uppercase letters, digits,
+  underscores; first character is a letter or underscore). System-
+  managed keys are reserved and rejected.`;
+    static summary = "Write a function secret (optionally redeploying to push it live)";
+    static examples = [
+        "<%= config.bin %> functions:set-secret --id <fn-id> --key API_TOKEN --value abc123",
+        "<%= config.bin %> functions:set-secret --id <fn-id> --key API_TOKEN --value abc123 --redeploy",
+    ];
+    static flags = {
+        "api-key": Flags.string({
+            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
+            env: "PRIMITIVE_API_KEY",
+        }),
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
+        }),
+        "api-base-url-2": Flags.string({
+            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_2",
+            hidden: true,
+        }),
+        id: Flags.string({
+            description: "Function id (UUID). The function must already exist.",
+            required: true,
+        }),
+        key: Flags.string({
+            description: "Secret key. Uppercase letters, digits, underscores; must start with a letter or underscore. System-managed keys are reserved.",
+            required: true,
+        }),
+        value: Flags.string({
+            description: "Secret value (up to 4096 UTF-8 bytes). Encrypted at rest.",
+            required: true,
+        }),
+        redeploy: Flags.boolean({
+            description: "Also redeploy the function with its current code so the new value lands in the running handler. Without this, the secret is written but not visible to the handler until the next deploy. Note: source maps are stored only on the runtime side and getFunction does not return them, so this redeploy drops any previously-uploaded source map. If preserving stack-trace symbolication matters, use `functions:redeploy --file <bundle.js> --source-map-file <bundle.js.map>` instead.",
+        }),
+        time: Flags.boolean({
+            description: TIME_FLAG_DESCRIPTION,
+        }),
+    };
+    async run() {
+        const { flags } = await this.parse(FunctionsSetSecretCommand);
+        await runWithTiming(flags.time, async () => {
+            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
+                flags["api-base-url-2"] !== undefined;
+            const auth = resolveCliAuth({
+                apiKey: flags["api-key"],
+                apiBaseUrl1: flags["api-base-url-1"],
+                apiBaseUrl2: flags["api-base-url-2"],
+                configDir: this.config.configDir,
+            });
+            const apiClient = new PrimitiveApiClient({
+                apiKey: auth.apiKey,
+                apiBaseUrl1: auth.apiBaseUrl1,
+                apiBaseUrl2: auth.apiBaseUrl2,
+            });
+            const authFailureContext = {
+                auth,
+                baseUrlOverridden,
+                configDir: this.config.configDir,
+            };
+            // Adapter: thin wrappers around the generated SDK calls,
+            // routed through host 1 (apiClient.client). The secrets and
+            // function-detail endpoints are not on host 2.
+            const apiSurface = {
+                getFunction: (p) => getFunction({
+                    client: apiClient.client,
+                    path: { id: p.id },
+                    responseStyle: "fields",
+                }),
+                setSecret: (p) => setFunctionSecret({
+                    body: { value: p.value },
+                    client: apiClient.client,
+                    path: { id: p.id, key: p.key },
+                    responseStyle: "fields",
+                }),
+                updateFunction: (p) => updateFunction({
+                    body: { code: p.code },
+                    client: apiClient.client,
+                    path: { id: p.id },
+                    responseStyle: "fields",
+                }),
+            };
+            const outcome = await runSetSecret(apiSurface, {
+                id: flags.id,
+                key: flags.key,
+                redeploy: flags.redeploy === true,
+                value: flags.value,
+            });
+            if (outcome.kind === "error") {
+                // Stage-specific framing on stderr so callers can tell
+                // whether the secret landed before a failed redeploy. The
+                // JSON envelope still goes through writeErrorWithHints so
+                // any actionable hint (e.g. unauthorized) is surfaced.
+                if (outcome.stage === "get-function") {
+                    process.stderr.write("Secret was written, but reading current function code for redeploy failed; the secret is NOT yet live. Re-run with --redeploy, or call `primitive functions:redeploy --id <id> --file <bundle>` once you have the bundle.\n");
+                }
+                else if (outcome.stage === "redeploy") {
+                    process.stderr.write("Secret was written, but the redeploy step failed; the secret is NOT yet live. Inspect the function's deploy_error and re-run `primitive functions:redeploy --id <id> --file <bundle>` once the cause is fixed.\n");
+                }
+                writeErrorWithHints(outcome.payload);
+                removeStaleSavedCredentialOnUnauthorized({
+                    ...authFailureContext,
+                    payload: outcome.payload,
+                });
+                process.exitCode = 1;
+                return;
+            }
+            this.log(JSON.stringify(outcome.result, null, 2));
+        });
+    }
+}
+export default FunctionsSetSecretCommand;

package/dist/oclif/commands/login.js

@@ -4,7 +4,7 @@ import { Command, Errors, Flags } from "@oclif/core";
 import { getAccount, pollCliLogin, startCliLogin, } from "../../api/generated/sdk.gen.js";
 import { PrimitiveApiClient } from "../../api/index.js";
 import { API_ERROR_CODES, extractErrorCode, extractErrorPayload, removeStaleSavedCredentialOnUnauthorized, writeErrorWithHints, } from "../api-command.js";
-import { acquireCliCredentialsLock, credentialsPath, loadCliCredentials, normalizeBaseUrl, saveCliCredentials, } from "../auth.js";
+import { acquireCliCredentialsLock, credentialsPath, loadCliCredentials, normalizeApiBaseUrl1, normalizeApiBaseUrl2, saveCliCredentials, } from "../auth.js";
 const MAX_CLI_LOGIN_POLL_INTERVAL_SECONDS = 60;
 function cliError(message) {
     return new Errors.CLIError(message, { exit: 1 });
@@ -36,13 +36,13 @@ function retryAfterSeconds(result) {
     return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
 }
 export async function checkExistingLogin(params) {
-    const baseUrlOverridden = params.baseUrl !== undefined;
-    const probeBaseUrl = baseUrlOverridden
-        ? normalizeBaseUrl(params.baseUrl)
-        : params.credentials.base_url;
+    const baseUrlOverridden = params.apiBaseUrl1 !== undefined;
+    const probeApiBaseUrl1 = baseUrlOverridden
+        ? normalizeApiBaseUrl1(params.apiBaseUrl1)
+        : params.credentials.api_base_url_1;
     const apiClient = new PrimitiveApiClient({
         apiKey: params.credentials.api_key,
-        baseUrl: probeBaseUrl,
+        apiBaseUrl1: probeApiBaseUrl1,
     });
     const result = await (params.checkAccount ??
         ((client) => getAccount({
@@ -54,7 +54,10 @@ export async function checkExistingLogin(params) {
     const payload = extractErrorPayload(result.error);
     const auth = {
         apiKey: params.credentials.api_key,
-        baseUrl: probeBaseUrl,
+        apiBaseUrl1: probeApiBaseUrl1,
+        // Host-2 isn't relevant to checkExistingLogin (login is on host-1
+        // only), but the auth shape requires it. Use the default.
+        apiBaseUrl2: normalizeApiBaseUrl2(undefined),
         credentials: params.credentials,
         source: "stored",
     };
@@ -84,9 +87,10 @@ class LoginCommand extends Command {
         "<%= config.bin %> login --force",
     ];
     static flags = {
-        "base-url": Flags.string({
-            description: "API base URL (defaults to PRIMITIVE_API_URL or production)",
-            env: "PRIMITIVE_API_URL",
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
         }),
         "device-name": Flags.string({
             description: "Device name shown in the browser approval screen",
@@ -117,7 +121,7 @@ class LoginCommand extends Command {
         }
     }
     async runWithCredentialLock(flags) {
-        const baseUrl = normalizeBaseUrl(flags["base-url"]);
+        const apiBaseUrl1 = normalizeApiBaseUrl1(flags["api-base-url-1"]);
         let existing;
         try {
             existing = loadCliCredentials(this.config.configDir);
@@ -134,7 +138,7 @@ class LoginCommand extends Command {
         }
         else if (existing) {
             const existingStatus = await checkExistingLogin({
-                baseUrl: flags["base-url"],
+                apiBaseUrl1: flags["api-base-url-1"],
                 configDir: this.config.configDir,
                 credentials: existing,
             });
@@ -150,7 +154,7 @@ class LoginCommand extends Command {
                 throw cliError(`Already logged in${org}. Run \`primitive logout\` before logging in again.`);
             }
         }
-        const apiClient = new PrimitiveApiClient({ baseUrl });
+        const apiClient = new PrimitiveApiClient({ apiBaseUrl1 });
         const deviceName = flags["device-name"] ?? hostname();
         const started = await startCliLogin({
             body: {
@@ -192,7 +196,7 @@ class LoginCommand extends Command {
                 }
                 saveCliCredentials(this.config.configDir, {
                     api_key: login.api_key,
-                    base_url: baseUrl,
+                    api_base_url_1: apiBaseUrl1,
                     created_at: new Date().toISOString(),
                     key_id: login.key_id,
                     key_prefix: login.key_prefix,

package/dist/oclif/commands/logout.js

@@ -2,7 +2,7 @@ import { Command, Errors, Flags } from "@oclif/core";
 import { cliLogout } from "../../api/generated/sdk.gen.js";
 import { PrimitiveApiClient } from "../../api/index.js";
 import { API_ERROR_CODES, extractErrorCode, extractErrorPayload, writeErrorWithHints, } from "../api-command.js";
-import { acquireCliCredentialsLock, deleteCliCredentials, loadCliCredentials, normalizeBaseUrl, } from "../auth.js";
+import { acquireCliCredentialsLock, deleteCliCredentials, loadCliCredentials, normalizeApiBaseUrl1, } from "../auth.js";
 function cliError(message) {
     return new Errors.CLIError(message, { exit: 1 });
 }
@@ -15,9 +15,10 @@ class LogoutCommand extends Command {
     static summary = "Log out and revoke the saved CLI key";
     static examples = ["<%= config.bin %> logout"];
     static flags = {
-        "base-url": Flags.string({
-            description: "Override the API base URL used for key revocation",
-            env: "PRIMITIVE_API_URL",
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
         }),
     };
     async run() {
@@ -52,12 +53,12 @@ class LogoutCommand extends Command {
         if (!credentials) {
             throw cliError("Not logged in. Run `primitive login` to create saved CLI credentials.");
         }
-        const baseUrl = flags["base-url"]
-            ? normalizeBaseUrl(flags["base-url"])
-            : credentials.base_url;
+        const apiBaseUrl1 = flags["api-base-url-1"]
+            ? normalizeApiBaseUrl1(flags["api-base-url-1"])
+            : credentials.api_base_url_1;
         const apiClient = new PrimitiveApiClient({
             apiKey: credentials.api_key,
-            baseUrl,
+            apiBaseUrl1,
         });
         const result = await cliLogout({
             body: { key_id: credentials.key_id },

package/dist/oclif/commands/send.js

@@ -115,9 +115,15 @@ class SendCommand extends Command {
             description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
             env: "PRIMITIVE_API_KEY",
         }),
-        "base-url": Flags.string({
-            description: "API base URL (defaults to PRIMITIVE_API_URL or production)",
-            env: "PRIMITIVE_API_URL",
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
+        }),
+        "api-base-url-2": Flags.string({
+            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_2",
+            hidden: true,
         }),
         to: Flags.string({
             description: "Recipient address (e.g. alice@example.com).",
@@ -154,15 +160,18 @@ class SendCommand extends Command {
             throw new Errors.CLIError("Either --body or --html (or both) is required.");
         }
         await runWithTiming(flags.time, async () => {
-            const baseUrlOverridden = flags["base-url"] !== undefined;
+            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
+                flags["api-base-url-2"] !== undefined;
             const auth = resolveCliAuth({
                 apiKey: flags["api-key"],
-                baseUrl: flags["base-url"],
+                apiBaseUrl1: flags["api-base-url-1"],
+                apiBaseUrl2: flags["api-base-url-2"],
                 configDir: this.config.configDir,
             });
             const apiClient = new PrimitiveApiClient({
                 apiKey: auth.apiKey,
-                baseUrl: auth.baseUrl,
+                apiBaseUrl1: auth.apiBaseUrl1,
+                apiBaseUrl2: auth.apiBaseUrl2,
             });
             const authFailureContext = {
                 auth,
@@ -187,7 +196,12 @@ class SendCommand extends Command {
                         ? { wait_timeout_ms: flags["wait-timeout-ms"] }
                         : {}),
                 },
-                client: apiClient.client,
+                // /send-mail goes to the attachments-supporting host. The
+                // wrapper exposes the host-2 client as _sendClient for this
+                // and any other host-2 operation that lands here. Customer
+                // SDK callers should use PrimitiveClient.send() instead so
+                // the routing stays internal.
+                client: apiClient._sendClient,
                 responseStyle: "fields",
             });
             if (result.error) {

package/dist/oclif/commands/whoami.js

@@ -25,9 +25,15 @@ class WhoamiCommand extends Command {
             description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
             env: "PRIMITIVE_API_KEY",
         }),
-        "base-url": Flags.string({
-            description: "API base URL (defaults to PRIMITIVE_API_URL or production)",
-            env: "PRIMITIVE_API_URL",
+        "api-base-url-1": Flags.string({
+            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_1",
+            hidden: true,
+        }),
+        "api-base-url-2": Flags.string({
+            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
+            env: "PRIMITIVE_API_BASE_URL_2",
+            hidden: true,
         }),
         time: Flags.boolean({
             description: TIME_FLAG_DESCRIPTION,
@@ -36,15 +42,18 @@ class WhoamiCommand extends Command {
     async run() {
         const { flags } = await this.parse(WhoamiCommand);
         await runWithTiming(flags.time, async () => {
-            const baseUrlOverridden = flags["base-url"] !== undefined;
+            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
+                flags["api-base-url-2"] !== undefined;
             const auth = resolveCliAuth({
                 apiKey: flags["api-key"],
-                baseUrl: flags["base-url"],
+                apiBaseUrl1: flags["api-base-url-1"],
+                apiBaseUrl2: flags["api-base-url-2"],
                 configDir: this.config.configDir,
             });
             const apiClient = new PrimitiveApiClient({
                 apiKey: auth.apiKey,
-                baseUrl: auth.baseUrl,
+                apiBaseUrl1: auth.apiBaseUrl1,
+                apiBaseUrl2: auth.apiBaseUrl2,
             });
             const result = await getAccount({
                 client: apiClient.client,

package/dist/oclif/fish-completion.js

@@ -73,7 +73,7 @@ export function renderFishCompletion(binName) {
             ]) {
                 lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l '${fishEscape(parameter.name.replace(/_/g, "-"))}' -r -d '${fishEscape(parameter.description ?? parameter.name)}'`);
             }
-            lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'api-key' -r -d 'Primitive API key (defaults to PRIMITIVE_API_KEY or saved primitive login credentials)'`, `complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'base-url' -r -d 'API base URL (defaults to PRIMITIVE_API_URL or production)'`);
+            lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'api-key' -r -d 'Primitive API key (defaults to PRIMITIVE_API_KEY or saved primitive login credentials)'`);
             if (operation.hasJsonBody) {
                 lines.push(`complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body' -r -d 'JSON request body'`, `complete -c ${binName} -n '${operationCondition(operation).replace(BIN_PLACEHOLDER, binName)}' -l 'body-file' -r -d 'Path to a JSON file used as the request body'`);
             }

package/dist/oclif/index.js

@@ -2,8 +2,11 @@ import { Args, Command, Errors } from "@oclif/core";
 import { operationManifest, } from "../openapi/index.js";
 import { createOperationCommand } from "./api-command.js";
 import EmailsLatestCommand from "./commands/emails-latest.js";
+import EmailsWaitCommand from "./commands/emails-wait.js";
+import EmailsWatchCommand from "./commands/emails-watch.js";
 import FunctionsDeployCommand from "./commands/functions-deploy.js";
 import FunctionsRedeployCommand from "./commands/functions-redeploy.js";
+import FunctionsSetSecretCommand from "./commands/functions-set-secret.js";
 import LoginCommand from "./commands/login.js";
 import LogoutCommand from "./commands/logout.js";
 import SendCommand from "./commands/send.js";
@@ -133,6 +136,10 @@ export const COMMANDS = {
     // inbound emails as a compact text table. emails:list-emails stays
     // available for the full JSON envelope + cursor pagination.
     "emails:latest": EmailsLatestCommand,
+    // `emails:watch` and `emails:wait` poll the search API for new matching
+    // inbound mail. `watch` defaults to a human table; `wait` defaults to JSONL.
+    "emails:watch": EmailsWatchCommand,
+    "emails:wait": EmailsWaitCommand,
     // `functions:deploy` and `functions:redeploy` are file-input
     // shortcuts for create-function / update-function. The underlying
     // ops take `code` as a body string, which is awkward at the CLI
@@ -141,5 +148,12 @@ export const COMMANDS = {
     // available for callers that want the full surface.
     "functions:deploy": FunctionsDeployCommand,
     "functions:redeploy": FunctionsRedeployCommand,
+    // `functions:set-secret` is the one-call shortcut for "write a
+    // secret AND (optionally) push it live." The raw
+    // functions:set-function-secret / functions:create-function-secret
+    // operations only do the secret upsert; making the new value
+    // visible to the running handler requires a separate redeploy,
+    // which this shortcut folds in via --redeploy.
+    "functions:set-secret": FunctionsSetSecretCommand,
     ...generatedCommands,
 };