@primitivedotdev/sdk 0.7.0 → 0.9.0

package/dist/{webhook-COe5N_Uj.js → webhook-zkN4wUTs.js}

@@ -1,6 +1,10 @@
+import { i as normalizeReceivedEmail } from "./received-email-D6tKtWwW.js";
 import { createHash, createHmac, timingSafeEqual } from "node:crypto";
-
 //#region src/generated/email-received-event.validator.generated.ts
+/**
+* AUTO-GENERATED - DO NOT EDIT
+* Run `pnpm generate:validator` to regenerate.
+*/
 var email_received_event_validator_generated_default = validate10;
 const schema12 = {
 	"type": "object",
@@ -182,12 +186,12 @@ const schema12 = {
 	],
 	"description": "Webhook payload for the `email.received` event.\n\nThis is delivered to your webhook endpoint when Primitive receives an email matching your domain configuration."
 };
-const pattern0 = new RegExp("^evt_[a-f0-9]{64}$", "u");
-const pattern1 = new RegExp("^(?:(?:\\d{4}-(?:(?:01|03|05|07|08|10|12)-(?:0[1-9]|[12]\\d|3[01])|(?:04|06|09|11)-(?:0[1-9]|[12]\\d|30)|02-(?:0[1-9]|1\\d|2[0-8])))|(?:(?:[02468][048]00|[13579][26]00|\\d{2}(?:0[48]|[2468][048]|[13579][26]))-02-29))$", "u");
-const pattern4 = new RegExp("^https?://", "u");
+const pattern0 = /* @__PURE__ */ new RegExp("^evt_[a-f0-9]{64}$", "u");
+const pattern1 = /* @__PURE__ */ new RegExp("^(?:(?:\\d{4}-(?:(?:01|03|05|07|08|10|12)-(?:0[1-9]|[12]\\d|3[01])|(?:04|06|09|11)-(?:0[1-9]|[12]\\d|30)|02-(?:0[1-9]|1\\d|2[0-8])))|(?:(?:[02468][048]00|[13579][26]00|\\d{2}(?:0[48]|[2468][048]|[13579][26]))-02-29))$", "u");
+const pattern4 = /* @__PURE__ */ new RegExp("^https?://", "u");
 const formats0 = /^\d{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])[T\t ](?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d(?:\.\d+)?(?:[Zz]|[+-](?:[01]\d|2[0-3]):?[0-5]\d)$/;
 const formats4 = /^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;
-const pattern2 = new RegExp("^[a-fA-F0-9]{64}$", "u");
+const pattern2 = /* @__PURE__ */ new RegExp("^[a-fA-F0-9]{64}$", "u");
 function validate12(data, { instancePath = "", parentData, parentDataProperty, rootData = data } = {}) {
 	let vErrors = null;
 	let errors = 0;
@@ -5627,7 +5631,6 @@ function validate10(data, { instancePath = "", parentData, parentDataProperty, r
 	validate10.errors = vErrors;
 	return errors === 0;
 }
-
 //#endregion
 //#region src/webhook/errors.ts
 /**
@@ -5846,7 +5849,6 @@ var RawEmailDecodeError = class extends PrimitiveWebhookError {
 		this.suggestion = RAW_EMAIL_ERRORS[code].suggestion;
 	}
 };
-
 //#endregion
 //#region src/validation.ts
 const validateSchema = email_received_event_validator_generated_default;
@@ -5870,7 +5872,7 @@ function resolveValueAtPath(input, instancePath) {
 			current = current[key];
 			continue;
 		}
-		return void 0;
+		return;
 	}
 	return current;
 }
@@ -5941,10 +5943,9 @@ function formatValidationIssue(error, input) {
 		}
 		case "format": {
 			const format = String(error.params.format ?? "unknown format");
-			const humanFormat = format === "uri" ? "valid URI" : `valid ${format}`;
 			return {
 				field,
-				message: `Invalid value for ${field}: must be a ${humanFormat}`,
+				message: `Invalid value for ${field}: must be a ${format === "uri" ? "valid URI" : `valid ${format}`}`,
 				suggestion: field.endsWith("url") ? `Check that ${fromFieldLabel(field)} is a complete URL including the scheme.` : `Check the format of ${fromFieldLabel(field)} in the webhook payload.`
 			};
 		}
@@ -5979,10 +5980,9 @@ function formatValidationIssue(error, input) {
 		}
 		case "minItems": {
 			const limit = Number(error.params.limit ?? 0);
-			const itemLabel = limit === 1 ? "item" : "items";
 			return {
 				field,
-				message: `Invalid value for ${field}: must have at least ${limit} ${itemLabel}`,
+				message: `Invalid value for ${field}: must have at least ${limit} ${limit === 1 ? "item" : "items"}`,
 				suggestion: `Add more entries to ${fromFieldLabel(field)} in the webhook payload.`
 			};
 		}
@@ -5999,22 +5999,16 @@ function formatValidationIssue(error, input) {
 				suggestion: `Check that ${fromFieldLabel(field)} meets the minimum length requirement.`
 			};
 		}
-		case "minimum": {
-			const limit = Number(error.params.limit ?? 0);
-			return {
-				field,
-				message: `Invalid value for ${field}: must be >= ${limit}`,
-				suggestion: `Check that ${fromFieldLabel(field)} meets the minimum allowed value.`
-			};
-		}
-		case "maximum": {
-			const limit = Number(error.params.limit ?? 0);
-			return {
-				field,
-				message: `Invalid value for ${field}: must be <= ${limit}`,
-				suggestion: `Check that ${fromFieldLabel(field)} stays within the maximum allowed value.`
-			};
-		}
+		case "minimum": return {
+			field,
+			message: `Invalid value for ${field}: must be >= ${Number(error.params.limit ?? 0)}`,
+			suggestion: `Check that ${fromFieldLabel(field)} meets the minimum allowed value.`
+		};
+		case "maximum": return {
+			field,
+			message: `Invalid value for ${field}: must be <= ${Number(error.params.limit ?? 0)}`,
+			suggestion: `Check that ${fromFieldLabel(field)} stays within the maximum allowed value.`
+		};
 		default: return {
 			field,
 			message: `Validation failed for ${field}: ${error.message ?? error.keyword}`,
@@ -6042,9 +6036,31 @@ function safeValidateEmailReceivedEvent(input) {
 		data: input
 	};
 }
-
 //#endregion
 //#region src/webhook/download-tokens.ts
+/**
+* Signed download tokens.
+*
+* A download token is a self-describing bearer credential for fetching a
+* specific email's raw bytes or attachment bundle from a per-deployment
+* download endpoint. It binds:
+*
+* - `email_id` — the specific email the token authorizes.
+* - `aud` — a caller-chosen audience label (e.g. the resource kind being
+*   downloaded). Tokens minted for one audience will not verify under another.
+* - `exp` — an absolute expiration time (unix seconds).
+*
+* Format: `<base64url(payload)>.<base64url(signature)>` where `signature`
+* is HMAC-SHA256 over the base64url-encoded payload using the shared secret.
+*
+* The audience is an opaque caller-chosen string. Both the issuer and the
+* verifier must agree on the exact bytes; the SDK does not prescribe a
+* convention. New integrations are encouraged to namespace audiences
+* (e.g. `primitive:raw-download`).
+*
+* Tokens are stateless: verification needs only the shared secret. Keep
+* expirations as short as operationally tolerable.
+*/
 const BASE64URL_PATTERN = /^[A-Za-z0-9_-]+$/;
 /**
 * Issue a signed download token.
@@ -6059,15 +6075,13 @@ const BASE64URL_PATTERN = /^[A-Za-z0-9_-]+$/;
 */
 function generateDownloadToken(params) {
 	const { emailId, expiresAt, audience, secret } = params;
-	const payload = {
+	const payloadJson = JSON.stringify({
 		email_id: emailId,
 		exp: expiresAt,
 		aud: audience
-	};
-	const payloadJson = JSON.stringify(payload);
+	});
 	const payloadStr = Buffer.from(payloadJson, "utf8").toString("base64url");
-	const signature = createHmac("sha256", secret).update(payloadStr).digest("base64url");
-	return `${payloadStr}.${signature}`;
+	return `${payloadStr}.${createHmac("sha256", secret).update(payloadStr).digest("base64url")}`;
 }
 /**
 * Verify a signed download token.
@@ -6131,16 +6145,17 @@ function verifyDownloadToken(params) {
 		valid: false,
 		error: "Email ID mismatch"
 	};
-	const now = nowSeconds ?? Math.floor(Date.now() / 1e3);
-	if (exp <= now) return {
+	if (exp <= (nowSeconds ?? Math.floor(Date.now() / 1e3))) return {
 		valid: false,
 		error: "Token is expired"
 	};
 	return { valid: true };
 }
-
 //#endregion
 //#region src/webhook/encoding.ts
+/**
+* Buffer encoding utilities
+*/
 const utf8Decoder = new TextDecoder("utf-8", { fatal: true });
 /**
 * Convert a Buffer to string with strict UTF-8 validation.
@@ -6161,15 +6176,28 @@ function bufferToString(buffer, label) {
 		throw new WebhookPayloadError("INVALID_ENCODING", `${label} contains invalid UTF-8 bytes`, `Ensure the ${label} is valid UTF-8 encoded text. If the data is binary, it should be base64 encoded first.`, err instanceof Error ? err : void 0);
 	}
 }
-
 //#endregion
 //#region src/webhook/signing.ts
 /**
+* Webhook HMAC Signing (Stripe-style format)
+*
+* Implements HMAC-SHA256 signature for webhook security with timestamp validation.
+* Prevents replay attacks by including timestamp in signature.
+*
+* Header format:
+*   Primitive-Signature: t=<unix_seconds>,v1=<hex_hmac_sha256>
+*
+* Signed payload format: "{timestamp}.{raw_body}"
+*
+* This format matches Stripe's webhook signature scheme, which is widely understood
+* and easy to implement in any language with ~15 lines of code.
+*/
+/**
 * WeakMap cache for computed signatures.
 * Only works for Buffer bodies (strings cannot be WeakMap keys).
 * Automatically garbage collected when Buffer is no longer referenced.
 */
-const signatureCache = new WeakMap();
+const signatureCache = /* @__PURE__ */ new WeakMap();
 /**
 * Hash a secret for cache key comparison.
 * @internal
@@ -6186,7 +6214,7 @@ const PRIMITIVE_CONFIRMED_HEADER = "X-Primitive-Confirmed";
 /** Legacy confirmed header name kept for backward compatibility */
 const LEGACY_CONFIRMED_HEADER = "X-MyMX-Confirmed";
 /** Default max age for webhook requests (5 minutes) */
-const DEFAULT_TOLERANCE_SECONDS$1 = 5 * 60;
+const DEFAULT_TOLERANCE_SECONDS$1 = 300;
 /** Future clock skew tolerance (1 minute) */
 const FUTURE_TOLERANCE_SECONDS$1 = 60;
 /** Valid hex pattern for signature verification */
@@ -6207,8 +6235,7 @@ const UNIX_SECONDS_PATTERN = /^\d+$/;
 */
 function signWebhookPayload(rawBody, secret, timestamp) {
 	const ts = timestamp ?? Math.floor(Date.now() / 1e3);
-	const body = typeof rawBody === "string" ? rawBody : bufferToString(rawBody, "rawBody");
-	const signedPayloadString = `${ts}.${body}`;
+	const signedPayloadString = `${ts}.${typeof rawBody === "string" ? rawBody : bufferToString(rawBody, "rawBody")}`;
 	const hmac = createHmac("sha256", secret);
 	hmac.update(signedPayloadString);
 	const v1 = hmac.digest("hex");
@@ -6287,8 +6314,7 @@ function verifyWebhookSignature(opts) {
 	const parsed = parseSignatureHeader(signatureHeader);
 	if (!parsed) throw new WebhookVerificationError("INVALID_SIGNATURE_HEADER", "Invalid Primitive-Signature header format. Expected: t={timestamp},v1={signature}");
 	const { timestamp, signatures } = parsed;
-	const now = nowSeconds ?? Math.floor(Date.now() / 1e3);
-	const age = now - timestamp;
+	const age = (nowSeconds ?? Math.floor(Date.now() / 1e3)) - timestamp;
 	if (age > toleranceSeconds) throw new WebhookVerificationError("TIMESTAMP_OUT_OF_RANGE", `Webhook timestamp too old (${age}s). Max age is ${toleranceSeconds}s.`);
 	if (age < -FUTURE_TOLERANCE_SECONDS$1) throw new WebhookVerificationError("TIMESTAMP_OUT_OF_RANGE", "Webhook timestamp is too far in the future. Check server clock sync.");
 	const body = typeof rawBody === "string" ? rawBody : bufferToString(rawBody, "request body");
@@ -6317,13 +6343,10 @@ function verifyWebhookSignature(opts) {
 	}
 	for (const receivedHex of signatures) {
 		if (!isValidHex(receivedHex, 64)) continue;
-		const receivedBytes = Buffer.from(receivedHex, "hex");
-		const expectedBytes = Buffer.from(expectedHex, "hex");
-		if (timingSafeEqual(receivedBytes, expectedBytes)) return true;
+		if (timingSafeEqual(Buffer.from(receivedHex, "hex"), Buffer.from(expectedHex, "hex"))) return true;
 	}
 	const reserializationHint = detectReserializedBody(body);
-	const message = reserializationHint ? `No valid signature found. ${reserializationHint}` : "No valid signature found. Verify the webhook secret matches and you're using the raw request body (not re-serialized JSON).";
-	throw new WebhookVerificationError("SIGNATURE_MISMATCH", message);
+	throw new WebhookVerificationError("SIGNATURE_MISMATCH", reserializationHint ? `No valid signature found. ${reserializationHint}` : "No valid signature found. Verify the webhook secret matches and you're using the raw request body (not re-serialized JSON).");
 }
 /**
 * Detect if a body looks like it was re-serialized by a framework.
@@ -6334,13 +6357,27 @@ function detectReserializedBody(body) {
 	if (/^\s*\{[\s\S]*\n\s{2,}/.test(body)) return "Request body appears re-serialized (pretty-printed). Use the raw request body before any JSON.parse() or JSON.stringify() calls.";
 	return null;
 }
-
 //#endregion
 //#region src/webhook/standard-webhooks.ts
+/**
+* Standard Webhooks Verification & Signing
+*
+* Implements the Standard Webhooks spec (standardwebhooks.com) for webhook
+* signature verification and payload signing.
+*
+* Header format:
+*   webhook-id: <msg_id>
+*   webhook-timestamp: <unix_seconds>
+*   webhook-signature: v1,<base64_hmac_sha256> [v1,<base64_2> ...]
+*
+* Signed payload format: "{msg_id}.{timestamp}.{raw_body}"
+*
+* Secrets are base64-encoded, optionally prefixed with "whsec_".
+*/
 const WHSEC_PREFIX = "whsec_";
 const BASE64_PATTERN$1 = /^[A-Za-z0-9+/]*={0,2}$/;
 /** Default max age for webhook requests (5 minutes) */
-const DEFAULT_TOLERANCE_SECONDS = 5 * 60;
+const DEFAULT_TOLERANCE_SECONDS = 300;
 /** Future clock skew tolerance (1 minute) */
 const FUTURE_TOLERANCE_SECONDS = 60;
 /** Standard Webhooks header names */
@@ -6361,7 +6398,7 @@ function prepareStandardWebhooksSecret(secret) {
 		return secret;
 	}
 	let keyStr = secret;
-	if (keyStr.startsWith(WHSEC_PREFIX)) keyStr = keyStr.slice(WHSEC_PREFIX.length);
+	if (keyStr.startsWith(WHSEC_PREFIX)) keyStr = keyStr.slice(6);
 	if (!keyStr || !BASE64_PATTERN$1.test(keyStr)) throw new WebhookVerificationError("MISSING_SECRET", "Standard Webhooks secret must be base64-encoded (optionally with whsec_ prefix)");
 	const decoded = Buffer.from(keyStr, "base64");
 	if (decoded.length === 0) throw new WebhookVerificationError("MISSING_SECRET", "Webhook secret is required but was empty or not provided");
@@ -6403,9 +6440,8 @@ function signStandardWebhooksPayload(rawBody, secret, msgId, timestamp) {
 	const key = prepareStandardWebhooksSecret(secret);
 	if (key.length === 0) throw new WebhookVerificationError("MISSING_SECRET", "Webhook secret is required but was empty or not provided");
 	const signedPayload = `${msgId}.${ts}.${body}`;
-	const sig = createHmac("sha256", key).update(signedPayload).digest("base64");
 	return {
-		signature: `v1,${sig}`,
+		signature: `v1,${createHmac("sha256", key).update(signedPayload).digest("base64")}`,
 		msgId,
 		timestamp: ts
 	};
@@ -6422,12 +6458,10 @@ function verifyStandardWebhooksSignature(opts) {
 	if (!timestampStr || !/^\d+$/.test(timestampStr)) throw new WebhookVerificationError("INVALID_SIGNATURE_HEADER", `Invalid webhook-timestamp header: "${timestampStr}". Expected a unix timestamp in seconds`);
 	const timestamp = Number(timestampStr);
 	if (!Number.isInteger(timestamp) || timestamp < 0) throw new WebhookVerificationError("INVALID_SIGNATURE_HEADER", `Invalid webhook-timestamp header: "${timestampStr}". Expected a unix timestamp in seconds`);
-	const now = nowSeconds ?? Math.floor(Date.now() / 1e3);
-	const age = now - timestamp;
+	const age = (nowSeconds ?? Math.floor(Date.now() / 1e3)) - timestamp;
 	if (age > toleranceSeconds) throw new WebhookVerificationError("TIMESTAMP_OUT_OF_RANGE", `Webhook timestamp too old (${age}s). Max age is ${toleranceSeconds}s.`);
 	if (age < -FUTURE_TOLERANCE_SECONDS) throw new WebhookVerificationError("TIMESTAMP_OUT_OF_RANGE", "Webhook timestamp is too far in the future. Check server clock sync.");
-	const body = typeof rawBody === "string" ? rawBody : bufferToString(rawBody, "request body");
-	const signedPayload = `${msgId}.${timestamp}.${body}`;
+	const signedPayload = `${msgId}.${timestamp}.${typeof rawBody === "string" ? rawBody : bufferToString(rawBody, "request body")}`;
 	const expectedSig = createHmac("sha256", key).update(signedPayload).digest("base64");
 	const signatures = parseStandardWebhooksSignatures(signatureHeader);
 	if (signatures.length === 0) throw new WebhookVerificationError("INVALID_SIGNATURE_HEADER", "Invalid webhook-signature header format. Expected: \"v1,<base64>\"");
@@ -6439,7 +6473,6 @@ function verifyStandardWebhooksSignature(opts) {
 	}
 	throw new WebhookVerificationError("SIGNATURE_MISMATCH", "No valid signature found. Verify the webhook secret matches and you're using the raw request body (not re-serialized JSON).");
 }
-
 //#endregion
 //#region src/schema.generated.ts
 const emailReceivedEventJsonSchema = {
@@ -7331,7 +7364,6 @@ const emailReceivedEventJsonSchema = {
 		}
 	}
 };
-
 //#endregion
 //#region src/types.ts
 const EventType = { EmailReceived: "email.received" };
@@ -7380,7 +7412,6 @@ const AuthVerdict = {
 	Suspicious: "suspicious",
 	Unknown: "unknown"
 };
-
 //#endregion
 //#region src/webhook/auth.ts
 /**
@@ -7577,7 +7608,6 @@ function validateEmailAuth(auth) {
 		reasons: ["Unable to determine email authenticity"]
 	};
 }
-
 //#endregion
 //#region src/webhook/version.ts
 /**
@@ -7593,10 +7623,13 @@ function validateEmailAuth(auth) {
 * need to handle version-specific behavior.
 */
 const WEBHOOK_VERSION = "2025-12-14";
-
 //#endregion
 //#region src/webhook/parsing.ts
 /**
+* JSON parsing utilities with helpful error messages.
+* @internal
+*/
+/**
 * Parse a raw body string/Buffer into JSON with helpful error messages.
 *
 * Handles:
@@ -7617,12 +7650,10 @@ function parseJsonBody(rawBody) {
 		return JSON.parse(cleanBody);
 	} catch (e) {
 		const jsonError = e;
-		const positionMatch = jsonError.message.match(/position\s*(\d+)/i);
-		const position = positionMatch?.[1];
+		const position = jsonError.message.match(/position\s*(\d+)/i)?.[1];
 		throw new WebhookPayloadError("JSON_PARSE_FAILED", "Failed to parse webhook body as JSON", position ? `Invalid JSON at position ${position}. Check your web framework isn't truncating the request body.` : `Invalid JSON: ${jsonError.message}. Check the raw request body is valid JSON.`, jsonError);
 	}
 }
-
 //#endregion
 //#region src/webhook/index.ts
 const BASE64_PATTERN = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
@@ -7817,17 +7848,26 @@ function handleWebhook(options) {
 		secret,
 		toleranceSeconds
 	});
-	else {
-		const signature = getSignatureHeader(headers);
-		verifyWebhookSignature({
-			rawBody: body,
-			signatureHeader: signature,
-			secret,
-			toleranceSeconds
-		});
-	}
-	const parsed = parseJsonBody(body);
-	return validateEmailReceivedEvent(parsed);
+	else verifyWebhookSignature({
+		rawBody: body,
+		signatureHeader: getSignatureHeader(headers),
+		secret,
+		toleranceSeconds
+	});
+	return validateEmailReceivedEvent(parseJsonBody(body));
+}
+function receive(input, options) {
+	if (input instanceof Request) return receiveFromRequest(input, options);
+	return normalizeReceivedEmail(handleWebhook(input));
+}
+async function receiveFromRequest(request, options) {
+	if (!options?.secret) throw new WebhookVerificationError("MISSING_SECRET", "Webhook secret is required but was empty or not provided");
+	return normalizeReceivedEmail(handleWebhook({
+		body: Buffer.from(await request.arrayBuffer()),
+		headers: request.headers,
+		secret: options.secret,
+		toleranceSeconds: options.toleranceSeconds
+	}));
 }
 /**
 * Returns headers for the optional "content discard" feature.
@@ -7885,8 +7925,7 @@ function confirmedHeaders() {
 * ```
 */
 function isDownloadExpired(event, now = Date.now()) {
-	const expiresAt = new Date(event.email.content.download.expires_at).getTime();
-	return now >= expiresAt;
+	return now >= new Date(event.email.content.download.expires_at).getTime();
 }
 /**
 * Get the time remaining (in milliseconds) before the download URL expires.
@@ -8001,6 +8040,5 @@ function verifyRawEmailDownload(downloaded, event) {
 	if (hash !== expected.toLowerCase()) throw new RawEmailDecodeError("HASH_MISMATCH", `SHA-256 hash mismatch. Expected: ${expected}, got: ${hash}. The downloaded content may be corrupted.`);
 	return buffer;
 }
-
 //#endregion
-export { AuthConfidence, AuthVerdict, DkimResult, DmarcPolicy, DmarcResult, EventType, ForwardVerdict, LEGACY_CONFIRMED_HEADER, LEGACY_SIGNATURE_HEADER, PAYLOAD_ERRORS, PRIMITIVE_CONFIRMED_HEADER, PRIMITIVE_SIGNATURE_HEADER, ParsedStatus, PrimitiveWebhookError, RAW_EMAIL_ERRORS, RawEmailDecodeError, STANDARD_WEBHOOK_ID_HEADER, STANDARD_WEBHOOK_SIGNATURE_HEADER, STANDARD_WEBHOOK_TIMESTAMP_HEADER, SpfResult, VERIFICATION_ERRORS, WEBHOOK_VERSION, WebhookPayloadError, WebhookValidationError, WebhookVerificationError, confirmedHeaders, decodeRawEmail, emailReceivedEventJsonSchema, generateDownloadToken, getDownloadTimeRemaining, handleWebhook, isDownloadExpired, isEmailReceivedEvent, isRawIncluded, parseWebhookEvent, safeValidateEmailReceivedEvent, signStandardWebhooksPayload, signWebhookPayload, validateEmailAuth, validateEmailReceivedEvent, verifyDownloadToken, verifyRawEmailDownload, verifyStandardWebhooksSignature, verifyWebhookSignature };
+export { PRIMITIVE_CONFIRMED_HEADER as A, RAW_EMAIL_ERRORS as B, STANDARD_WEBHOOK_ID_HEADER as C, verifyStandardWebhooksSignature as D, signStandardWebhooksPayload as E, verifyDownloadToken as F, WebhookVerificationError as G, VERIFICATION_ERRORS as H, safeValidateEmailReceivedEvent as I, validateEmailReceivedEvent as L, signWebhookPayload as M, verifyWebhookSignature as N, LEGACY_CONFIRMED_HEADER as O, generateDownloadToken as P, PAYLOAD_ERRORS as R, emailReceivedEventJsonSchema as S, STANDARD_WEBHOOK_TIMESTAMP_HEADER as T, WebhookPayloadError as U, RawEmailDecodeError as V, WebhookValidationError as W, DmarcResult as _, isDownloadExpired as a, ParsedStatus as b, parseWebhookEvent as c, WEBHOOK_VERSION as d, validateEmailAuth as f, DmarcPolicy as g, DkimResult as h, handleWebhook as i, PRIMITIVE_SIGNATURE_HEADER as j, LEGACY_SIGNATURE_HEADER as k, receive as l, AuthVerdict as m, decodeRawEmail as n, isEmailReceivedEvent as o, AuthConfidence as p, getDownloadTimeRemaining as r, isRawIncluded as s, confirmedHeaders as t, verifyRawEmailDownload as u, EventType as v, STANDARD_WEBHOOK_SIGNATURE_HEADER as w, SpfResult as x, ForwardVerdict as y, PrimitiveWebhookError as z };

package/oclif.manifest.json

@@ -173,7 +173,7 @@
     "account:update-account": {
       "aliases": [],
       "args": {},
-      "description": "PATCH /account",
+      "description": "PATCH /account\n\nBody fields (JSON --body):\n   discard_content_on_webhook_confirmed  boolean  Whether to discard email content after the webhook endpoint confirms receipt.\n   spam_threshold            number?  Global spam score threshold (0-15). Emails scoring above this are rejected....\n(* = required)",
       "flags": {
         "api-key": {
           "description": "Primitive API key (defaults to PRIMITIVE_API_KEY)",
@@ -219,7 +219,7 @@
     "domains:add-domain": {
       "aliases": [],
       "args": {},
-      "description": "Creates an unverified domain claim. You will receive a\n`verification_token` to add as a DNS TXT record before\ncalling the verify endpoint.\n",
+      "description": "Creates an unverified domain claim. You will receive a\n`verification_token` to add as a DNS TXT record before\ncalling the verify endpoint.\n\n\nBody fields (JSON --body):\n * domain  string  The domain name to claim (e.g. \"example.com\")\n(* = required)",
       "flags": {
         "api-key": {
           "description": "Primitive API key (defaults to PRIMITIVE_API_KEY)",
@@ -337,7 +337,7 @@
     "domains:update-domain": {
       "aliases": [],
       "args": {},
-      "description": "Update a verified domain's settings. Only verified domains can be\nupdated. Per-domain spam thresholds require a Pro plan.\n",
+      "description": "Update a verified domain's settings. Only verified domains can be\nupdated. Per-domain spam thresholds require a Pro plan.\n\n\nBody fields (JSON --body):\n   is_active       boolean  Whether the domain accepts incoming emails\n   spam_threshold  number?  Per-domain spam threshold override (Pro plan required)\n(* = required)",
       "flags": {
         "api-key": {
           "description": "Primitive API key (defaults to PRIMITIVE_API_KEY)",
@@ -755,7 +755,7 @@
     "endpoints:create-endpoint": {
       "aliases": [],
       "args": {},
-      "description": "Creates a new webhook endpoint. If a deactivated endpoint with the\nsame URL and domain exists, it is reactivated instead.\nSubject to plan limits on the number of active endpoints.\n",
+      "description": "Creates a new webhook endpoint. If a deactivated endpoint with the\nsame URL and domain exists, it is reactivated instead.\nSubject to plan limits on the number of active endpoints.\n\n\nBody fields (JSON --body):\n * url        string  The webhook URL to deliver events to\n   domain_id  string?  Restrict to emails from a specific domain\n   enabled    boolean  Whether the endpoint is active\n   rules      object  Endpoint-specific filtering rules\n(* = required)",
       "flags": {
         "api-key": {
           "description": "Primitive API key (defaults to PRIMITIVE_API_KEY)",
@@ -913,7 +913,7 @@
     "endpoints:update-endpoint": {
       "aliases": [],
       "args": {},
-      "description": "Updates an active webhook endpoint. If the URL is changed, the old\nendpoint is deactivated and a new one is created (or an existing\ndeactivated endpoint with the new URL is reactivated).\n",
+      "description": "Updates an active webhook endpoint. If the URL is changed, the old\nendpoint is deactivated and a new one is created (or an existing\ndeactivated endpoint with the new URL is reactivated).\n\n\nBody fields (JSON --body):\n   domain_id  string?\n   enabled    boolean\n   rules      object\n   url        string  New webhook URL (triggers endpoint rotation)\n(* = required)",
       "flags": {
         "api-key": {
           "description": "Primitive API key (defaults to PRIMITIVE_API_KEY)",
@@ -967,7 +967,7 @@
     "filters:create-filter": {
       "aliases": [],
       "args": {},
-      "description": "Creates a new whitelist or blocklist filter. Per-domain filters\nrequire a Pro plan. Patterns are stored as lowercase.\n",
+      "description": "Creates a new whitelist or blocklist filter. Per-domain filters\nrequire a Pro plan. Patterns are stored as lowercase.\n\n\nBody fields (JSON --body):\n * pattern    string  Email address or pattern to filter\n * type       string\n   domain_id  string?  Restrict filter to a specific domain (Pro plan required)\n(* = required)",
       "flags": {
         "api-key": {
           "description": "Primitive API key (defaults to PRIMITIVE_API_KEY)",
@@ -1085,7 +1085,7 @@
     "filters:update-filter": {
       "aliases": [],
       "args": {},
-      "description": "Toggle a filter's enabled state.",
+      "description": "Toggle a filter's enabled state.\n\nBody fields (JSON --body):\n * enabled  boolean\n(* = required)",
       "flags": {
         "api-key": {
           "description": "Primitive API key (defaults to PRIMITIVE_API_KEY)",
@@ -1136,6 +1136,52 @@
       "summary": "Update a filter rule",
       "enableJsonFlag": false
     },
+    "sending:send-email": {
+      "aliases": [],
+      "args": {},
+      "description": "Sends an outbound email through Primitive's outbound relay. By default\nthe request returns once the relay accepts the message for delivery.\nSet `wait: true` to wait for the first downstream SMTP delivery outcome.\n\n\nBody fields (JSON --body):\n * from             string  RFC 5322 From header. The sender domain must be a verified outbound domain ...\n * subject          string  Subject line for the outbound message\n * to               string  Recipient address. Recipient eligibility depends on your account's outbound...\n   body_html        string  HTML message body. At least one of body_text or body_html is required. The ...\n   body_text        string  Plain-text message body. At least one of body_text or body_html is required...\n   in_reply_to      string  Message-ID of the direct parent email when sending a threaded reply.\n   references       array<string>  Full ordered message-id chain for the thread.\n   wait             boolean  When true, wait for the first downstream SMTP delivery outcome before retur...\n   wait_timeout_ms  integer  Maximum time to wait for a delivery outcome when wait is true. Defaults to ...\n(* = required)",
+      "flags": {
+        "api-key": {
+          "description": "Primitive API key (defaults to PRIMITIVE_API_KEY)",
+          "env": "PRIMITIVE_API_KEY",
+          "name": "api-key",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "base-url": {
+          "description": "API base URL (defaults to PRIMITIVE_API_URL or production)",
+          "env": "PRIMITIVE_API_URL",
+          "name": "base-url",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "body": {
+          "description": "JSON request body",
+          "name": "body",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "body-file": {
+          "description": "Path to a JSON file used as the request body",
+          "name": "body-file",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "sending:send-email",
+      "pluginAlias": "@primitivedotdev/sdk",
+      "pluginName": "@primitivedotdev/sdk",
+      "pluginType": "core",
+      "strict": true,
+      "summary": "Send outbound email",
+      "enableJsonFlag": false
+    },
     "webhook-deliveries:list-deliveries": {
       "aliases": [],
       "args": {},
@@ -1263,5 +1309,5 @@
       "enableJsonFlag": false
     }
   },
-  "version": "0.7.0"
+  "version": "0.9.0"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primitivedotdev/sdk",
-  "version": "0.7.0",
+  "version": "0.9.0",
   "description": "Official Primitive Node.js SDK — webhook, api, openapi, contract, and parser modules",
   "type": "module",
   "module": "./dist/index.js",
@@ -68,6 +68,9 @@
       "emails": {
         "description": "List, inspect, and manage received emails"
       },
+      "sending": {
+        "description": "Send outbound emails through the Primitive API"
+      },
       "endpoints": {
         "description": "Manage webhook endpoints that receive email events"
       },
@@ -149,7 +152,7 @@
     "json-schema-to-typescript": "^15.0.4",
     "oclif": "^4.23.0",
     "shx": "^0.3.4",
-    "tsdown": "^0.9.1",
+    "tsdown": "^0.21.10",
     "tsx": "^4.21.0",
     "typescript": "^5.7.2",
     "vite": "^8.0.8",

package/dist/chunk-Cl8Af3a2.js

@@ -1,11 +0,0 @@
-//#region rolldown:runtime
-var __defProp = Object.defineProperty;
-var __export = (target, all) => {
-	for (var name in all) __defProp(target, name, {
-		get: all[name],
-		enumerable: true
-	});
-};
-
-//#endregion
-export { __export };