@primitivedotdev/sdk 1.2.1 → 1.4.0

package/dist/{operations.generated-CvXrZUzc.js → operations.generated-XrEy5EtX.js}

@@ -79,7 +79,7 @@ const openapiDocument = {
 		},
 		{
 			"name": "Functions",
-			"description": "Deploy JavaScript handlers that run on inbound mail. Each function\nis a single ESM module whose default export is an object with an\nasync `fetch(request, env)` method, in the shape of a Workers-style\nhandler. Primitive signs each delivery and forwards the\n`Primitive-Signature` header to the handler; verify the raw request\nbody with `PRIMITIVE_WEBHOOK_SECRET` before trusting the parsed\n`email.received` event (see `EmailReceivedEvent` and the Webhook\npayload section for the full schema). Code runs on\nPrimitive's edge runtime; there is no infrastructure to manage.\nSecrets land in `env` as encrypted bindings and are refreshed on\nevery redeploy.\n"
+			"description": "Deploy JavaScript handlers that run on inbound mail. Each function\nis a single ESM module whose default export is an object with an\nasync `fetch(request, env)` method, in the shape of a Workers-style\nhandler. Primitive signs each delivery and forwards the\n`Primitive-Signature` header to the handler; verify the raw request\nbody with `PRIMITIVE_WEBHOOK_SECRET` before trusting the parsed event.\nThe `event` field is `email.received` for normal inbound mail, or a\nmachine-mail type (`email.bounced`, `email.tls_report`,\n`email.dmarc_report`, `email.dmarc_failure`) for bounces and reports;\nthe payload shape is otherwise identical. Code runs on\nPrimitive's edge runtime; there is no infrastructure to manage.\nSecrets land in `env` as encrypted bindings and are refreshed on\nevery redeploy.\n"
 		}
 	],
 	"paths": {
@@ -385,6 +385,128 @@ const openapiDocument = {
 				"429": { "$ref": "#/components/responses/RateLimited" }
 			}
 		} },
+		"/agent/accounts": { "post": {
+			"operationId": "createAgentAccount",
+			"summary": "Create an emailless agent account",
+			"description": "Creates an emailless agent account without authentication and returns a\none-time API key (prefixed `prim_`) plus a provisioned managed inbox.\nThe account is on the `agent` plan: reply-only (it can send only to\naddresses that have already sent it authenticated mail) with tight send\nlimits. Use the returned `api_key` as a Bearer token on later calls. The\naccount can be upgraded to a full developer account by confirming an\nemail through the claim flow. This endpoint does not require an API key.\n",
+			"tags": ["Agent"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateAgentAccountInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Agent account created; the API key is returned once",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentAccountResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/agent/claim/start": { "post": {
+			"operationId": "startAgentClaim",
+			"summary": "Start an agent account email claim",
+			"description": "Begins upgrading an emailless `agent` account into a full `developer`\naccount by confirming an email address. Authenticated by the agent's own\nAPI key (the org is taken from the credential). Sends a verification\ncode to the supplied email and returns the claim session id plus resend\ntiming. Submit the code to `/agent/claim/verify` to complete the\nupgrade. Confirming an email that already belongs to a Primitive account\nis rejected.\n",
+			"tags": ["Agent"],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/StartAgentClaimInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Claim started and verification email sent",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentClaimStartResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"404": { "$ref": "#/components/responses/NotFound" },
+				"409": {
+					"description": "The email is already in use, or the account is not claimable",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/agent/claim/verify": { "post": {
+			"operationId": "verifyAgentClaim",
+			"summary": "Verify an agent account email claim",
+			"description": "Confirms the verification code emailed by `/agent/claim/start` and\nupgrades the account to the `developer` plan. The org id, API key, and\nmanaged inbox all carry over; the send cap lifts. Authenticated by the\nagent's own API key.\n",
+			"tags": ["Agent"],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/VerifyAgentClaimInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Claim verified; account upgraded to developer",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentClaimResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"404": { "$ref": "#/components/responses/NotFound" },
+				"409": {
+					"description": "The account is already claimed, or the email is in use",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"410": {
+					"description": "The claim or its verification code has expired",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/agent/claim/link": { "post": {
+			"operationId": "createAgentClaimLink",
+			"summary": "Create a browser claim link",
+			"description": "Mints an opaque, single-use link an agent can hand to a human to\ncomplete the email-confirmation upgrade in a browser. Authenticated by\nthe agent's own API key. `claim_url` is null when the API host cannot\nresolve a web origin to build the link.\n",
+			"tags": ["Agent"],
+			"requestBody": {
+				"required": false,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateAgentClaimLinkInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Claim link created",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentClaimLinkResult" } }
+					}] } } }
+				},
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"404": { "$ref": "#/components/responses/NotFound" },
+				"409": {
+					"description": "The account is not claimable (not an agent account, or already claimed)",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
 		"/cli/logout": { "post": {
 			"operationId": "cliLogout",
 			"summary": "Revoke the current CLI OAuth session",
@@ -729,6 +851,25 @@ const openapiDocument = {
 						"format": "date-time"
 					},
 					"description": "Filter emails created on or before this timestamp"
+				},
+				{
+					"name": "since",
+					"in": "query",
+					"schema": {
+						"type": "string",
+						"maxLength": 200
+					},
+					"description": "Forward-tail cursor. Returns rows that became visible AFTER this\ncursor, oldest-first, so a caller can stream new inbound mail by\nre-passing the cursor from each response. Mutually exclusive with\n`cursor` (which pages history newest-first). Pass the `meta.cursor`\nfrom the previous `since` response; an empty page means caught up.\n"
+				},
+				{
+					"name": "wait",
+					"in": "query",
+					"schema": {
+						"type": "integer",
+						"minimum": 0,
+						"maximum": 30
+					},
+					"description": "Long-poll: hold the request up to this many seconds waiting for new\nmail past `since`, returning as soon as any arrives (or an empty\npage when the wait elapses). Requires `since`. Omitted means no wait\n(returns immediately); the server treats an absent value as 0. NOT\ngiven an OpenAPI `default` on purpose: a default makes some\ngenerators (e.g. openapi-python-client) send `wait=0` on every call,\nwhich then fails the `wait` requires `since` check for plain history\nlistings.\n"
 				}
 			],
 			"responses": {
@@ -1668,7 +1809,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "createFunction",
 				"summary": "Deploy a function",
-				"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to an `email.received` event (see\n`EmailReceivedEvent` and the Webhook payload section for the full\nschema). Code is bundled before being uploaded; ship a single\nself-contained file rather than relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Routing.** On successful deploy, the function code is live\nin the runtime, but inbound mail will not reach it until at\nleast one route is bound. Routes are managed from the Primitive\ndashboard. A `deploy_status` of `deployed` means the script is\ninstalled, not that the function is receiving mail. The\ninternal runtime URL is not returned by the API and is not a\ncustomer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
+				"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to a webhook event whose `event` field is\n`email.received` for normal inbound mail, or a machine-mail type\n(`email.bounced`, `email.tls_report`, `email.dmarc_report`,\n`email.dmarc_failure`) for bounces and reports. Code is bundled\nbefore being uploaded; ship a single self-contained file rather\nthan relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Routing.** On successful deploy, the function code is live\nin the runtime, but inbound mail will not reach it until at\nleast one route is bound. Routes are managed from the Primitive\ndashboard. A `deploy_status` of `deployed` means the script is\ninstalled, not that the function is receiving mail. The\ninternal runtime URL is not returned by the API and is not a\ncustomer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
 				"tags": ["Functions"],
 				"requestBody": {
 					"required": true,
@@ -2979,6 +3120,177 @@ const openapiDocument = {
 					"orgs"
 				]
 			},
+			"PlanLimits": {
+				"type": "object",
+				"description": "Plan-derived quota limits for an account.",
+				"properties": {
+					"storage_mb": { "type": "number" },
+					"send_per_hour": { "type": "number" },
+					"send_per_day": { "type": "number" },
+					"api_per_minute": { "type": "number" },
+					"webhooks_max_global": { "type": ["number", "null"] },
+					"webhooks_per_domain": { "type": "boolean" },
+					"filters_per_domain": { "type": "boolean" },
+					"spam_thresholds_per_domain": { "type": "boolean" }
+				},
+				"required": [
+					"storage_mb",
+					"send_per_hour",
+					"send_per_day",
+					"api_per_minute",
+					"webhooks_max_global",
+					"webhooks_per_domain",
+					"filters_per_domain",
+					"spam_thresholds_per_domain"
+				]
+			},
+			"CreateAgentAccountInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"terms_accepted": {
+						"type": "boolean",
+						"enum": [true],
+						"description": "Must be true to accept the Terms of Service and Privacy Policy."
+					},
+					"device_name": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 80,
+						"description": "Optional label for the device or agent creating the account."
+					}
+				},
+				"required": ["terms_accepted"]
+			},
+			"AgentAccountUpgradeHint": {
+				"type": "object",
+				"description": "In-band pointer to the upgrade path for an agent account.",
+				"properties": {
+					"plan": {
+						"type": "string",
+						"enum": ["developer"]
+					},
+					"description": { "type": "string" },
+					"claim_path": { "type": "string" }
+				},
+				"required": [
+					"plan",
+					"description",
+					"claim_path"
+				]
+			},
+			"AgentAccountResult": {
+				"type": "object",
+				"properties": {
+					"api_key": {
+						"type": "string",
+						"description": "One-time API key (prefixed `prim_`). Shown once; store it securely."
+					},
+					"org_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"address": {
+						"type": ["string", "null"],
+						"description": "Provisioned managed inbox FQDN, or null if the inbox publish was deferred."
+					},
+					"plan": {
+						"type": "string",
+						"enum": ["agent"]
+					},
+					"limits": { "$ref": "#/components/schemas/PlanLimits" },
+					"upgrade": { "$ref": "#/components/schemas/AgentAccountUpgradeHint" }
+				},
+				"required": [
+					"api_key",
+					"org_id",
+					"address",
+					"plan",
+					"limits",
+					"upgrade"
+				]
+			},
+			"StartAgentClaimInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": { "email": {
+					"type": "string",
+					"format": "email",
+					"maxLength": 254,
+					"description": "Email to confirm. Must not already belong to a Primitive account."
+				} },
+				"required": ["email"]
+			},
+			"AgentClaimStartResult": {
+				"type": "object",
+				"properties": {
+					"claim_session_id": { "type": "string" },
+					"resend_after_seconds": { "type": "integer" },
+					"expires_in_seconds": { "type": "integer" }
+				},
+				"required": [
+					"claim_session_id",
+					"resend_after_seconds",
+					"expires_in_seconds"
+				]
+			},
+			"VerifyAgentClaimInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": { "verification_code": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 32,
+					"description": "The verification code emailed by the claim start step."
+				} },
+				"required": ["verification_code"]
+			},
+			"AgentClaimResult": {
+				"type": "object",
+				"properties": {
+					"org_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"plan": {
+						"type": "string",
+						"enum": ["developer"]
+					},
+					"email": {
+						"type": "string",
+						"format": "email"
+					},
+					"limits": { "$ref": "#/components/schemas/PlanLimits" }
+				},
+				"required": [
+					"org_id",
+					"plan",
+					"email",
+					"limits"
+				]
+			},
+			"CreateAgentClaimLinkInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"description": "No fields; an empty object is accepted.",
+				"properties": {}
+			},
+			"AgentClaimLinkResult": {
+				"type": "object",
+				"properties": {
+					"claim_token": { "type": "string" },
+					"claim_url": {
+						"type": ["string", "null"],
+						"description": "Browser URL to hand to a human, or null if no web origin is configured."
+					},
+					"expires_in_seconds": { "type": "integer" }
+				},
+				"required": [
+					"claim_token",
+					"claim_url",
+					"expires_in_seconds"
+				]
+			},
 			"CliLogoutInput": {
 				"type": "object",
 				"additionalProperties": false,
@@ -3017,6 +3329,16 @@ const openapiDocument = {
 					},
 					"email": { "type": "string" },
 					"plan": { "type": "string" },
+					"limits": { "$ref": "#/components/schemas/PlanLimits" },
+					"entitlements": {
+						"type": "array",
+						"items": { "type": "string" },
+						"description": "Granted org entitlement keys (sorted). A headless caller reads its\ncapabilities here — e.g. an emailless agent seeing only\n[\"send_mail\", \"send_to_known_addresses\"] knows it is reply-only.\n"
+					},
+					"managed_inbox_address": {
+						"type": ["string", "null"],
+						"description": "The managed inbox FQDN to reply as, or null if the org has no managed inbox."
+					},
 					"created_at": {
 						"type": "string",
 						"format": "date-time"
@@ -3044,6 +3366,9 @@ const openapiDocument = {
 					"id",
 					"email",
 					"plan",
+					"limits",
+					"entitlements",
+					"managed_inbox_address",
 					"created_at",
 					"discard_content_on_webhook_confirmed"
 				]
@@ -6082,6 +6407,39 @@ const operationManifest = [
 				},
 				"email": { "type": "string" },
 				"plan": { "type": "string" },
+				"limits": {
+					"type": "object",
+					"description": "Plan-derived quota limits for an account.",
+					"properties": {
+						"storage_mb": { "type": "number" },
+						"send_per_hour": { "type": "number" },
+						"send_per_day": { "type": "number" },
+						"api_per_minute": { "type": "number" },
+						"webhooks_max_global": { "type": ["number", "null"] },
+						"webhooks_per_domain": { "type": "boolean" },
+						"filters_per_domain": { "type": "boolean" },
+						"spam_thresholds_per_domain": { "type": "boolean" }
+					},
+					"required": [
+						"storage_mb",
+						"send_per_hour",
+						"send_per_day",
+						"api_per_minute",
+						"webhooks_max_global",
+						"webhooks_per_domain",
+						"filters_per_domain",
+						"spam_thresholds_per_domain"
+					]
+				},
+				"entitlements": {
+					"type": "array",
+					"items": { "type": "string" },
+					"description": "Granted org entitlement keys (sorted). A headless caller reads its\ncapabilities here — e.g. an emailless agent seeing only\n[\"send_mail\", \"send_to_known_addresses\"] knows it is reply-only.\n"
+				},
+				"managed_inbox_address": {
+					"type": ["string", "null"],
+					"description": "The managed inbox FQDN to reply as, or null if the org has no managed inbox."
+				},
 				"created_at": {
 					"type": "string",
 					"format": "date-time"
@@ -6109,6 +6467,9 @@ const operationManifest = [
 				"id",
 				"email",
 				"plan",
+				"limits",
+				"entitlements",
+				"managed_inbox_address",
 				"created_at",
 				"discard_content_on_webhook_confirmed"
 			]
@@ -6278,6 +6639,148 @@ const operationManifest = [
 		"tag": "Account",
 		"tagCommand": "account"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "create-agent-account",
+		"description": "Creates an emailless agent account without authentication and returns a\none-time API key (prefixed `prim_`) plus a provisioned managed inbox.\nThe account is on the `agent` plan: reply-only (it can send only to\naddresses that have already sent it authenticated mail) with tight send\nlimits. Use the returned `api_key` as a Bearer token on later calls. The\naccount can be upgraded to a full developer account by confirming an\nemail through the claim flow. This endpoint does not require an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "createAgentAccount",
+		"path": "/agent/accounts",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"terms_accepted": {
+					"type": "boolean",
+					"enum": [true],
+					"description": "Must be true to accept the Terms of Service and Privacy Policy."
+				},
+				"device_name": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 80,
+					"description": "Optional label for the device or agent creating the account."
+				}
+			},
+			"required": ["terms_accepted"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"api_key": {
+					"type": "string",
+					"description": "One-time API key (prefixed `prim_`). Shown once; store it securely."
+				},
+				"org_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"address": {
+					"type": ["string", "null"],
+					"description": "Provisioned managed inbox FQDN, or null if the inbox publish was deferred."
+				},
+				"plan": {
+					"type": "string",
+					"enum": ["agent"]
+				},
+				"limits": {
+					"type": "object",
+					"description": "Plan-derived quota limits for an account.",
+					"properties": {
+						"storage_mb": { "type": "number" },
+						"send_per_hour": { "type": "number" },
+						"send_per_day": { "type": "number" },
+						"api_per_minute": { "type": "number" },
+						"webhooks_max_global": { "type": ["number", "null"] },
+						"webhooks_per_domain": { "type": "boolean" },
+						"filters_per_domain": { "type": "boolean" },
+						"spam_thresholds_per_domain": { "type": "boolean" }
+					},
+					"required": [
+						"storage_mb",
+						"send_per_hour",
+						"send_per_day",
+						"api_per_minute",
+						"webhooks_max_global",
+						"webhooks_per_domain",
+						"filters_per_domain",
+						"spam_thresholds_per_domain"
+					]
+				},
+				"upgrade": {
+					"type": "object",
+					"description": "In-band pointer to the upgrade path for an agent account.",
+					"properties": {
+						"plan": {
+							"type": "string",
+							"enum": ["developer"]
+						},
+						"description": { "type": "string" },
+						"claim_path": { "type": "string" }
+					},
+					"required": [
+						"plan",
+						"description",
+						"claim_path"
+					]
+				}
+			},
+			"required": [
+				"api_key",
+				"org_id",
+				"address",
+				"plan",
+				"limits",
+				"upgrade"
+			]
+		},
+		"sdkName": "createAgentAccount",
+		"summary": "Create an emailless agent account",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "create-agent-claim-link",
+		"description": "Mints an opaque, single-use link an agent can hand to a human to\ncomplete the email-confirmation upgrade in a browser. Authenticated by\nthe agent's own API key. `claim_url` is null when the API host cannot\nresolve a web origin to build the link.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "createAgentClaimLink",
+		"path": "/agent/claim/link",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"description": "No fields; an empty object is accepted.",
+			"properties": {}
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"claim_token": { "type": "string" },
+				"claim_url": {
+					"type": ["string", "null"],
+					"description": "Browser URL to hand to a human, or null if no web origin is configured."
+				},
+				"expires_in_seconds": { "type": "integer" }
+			},
+			"required": [
+				"claim_token",
+				"claim_url",
+				"expires_in_seconds"
+			]
+		},
+		"sdkName": "createAgentClaimLink",
+		"summary": "Create a browser claim link",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
@@ -6330,6 +6833,46 @@ const operationManifest = [
 		"tag": "Agent",
 		"tagCommand": "agent"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "start-agent-claim",
+		"description": "Begins upgrading an emailless `agent` account into a full `developer`\naccount by confirming an email address. Authenticated by the agent's own\nAPI key (the org is taken from the credential). Sends a verification\ncode to the supplied email and returns the claim session id plus resend\ntiming. Submit the code to `/agent/claim/verify` to complete the\nupgrade. Confirming an email that already belongs to a Primitive account\nis rejected.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "startAgentClaim",
+		"path": "/agent/claim/start",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "email": {
+				"type": "string",
+				"format": "email",
+				"maxLength": 254,
+				"description": "Email to confirm. Must not already belong to a Primitive account."
+			} },
+			"required": ["email"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"claim_session_id": { "type": "string" },
+				"resend_after_seconds": { "type": "integer" },
+				"expires_in_seconds": { "type": "integer" }
+			},
+			"required": [
+				"claim_session_id",
+				"resend_after_seconds",
+				"expires_in_seconds"
+			]
+		},
+		"sdkName": "startAgentClaim",
+		"summary": "Start an agent account email claim",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
@@ -6412,6 +6955,80 @@ const operationManifest = [
 		"tag": "Agent",
 		"tagCommand": "agent"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "verify-agent-claim",
+		"description": "Confirms the verification code emailed by `/agent/claim/start` and\nupgrades the account to the `developer` plan. The org id, API key, and\nmanaged inbox all carry over; the send cap lifts. Authenticated by the\nagent's own API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "verifyAgentClaim",
+		"path": "/agent/claim/verify",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "verification_code": {
+				"type": "string",
+				"minLength": 1,
+				"maxLength": 32,
+				"description": "The verification code emailed by the claim start step."
+			} },
+			"required": ["verification_code"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"org_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"plan": {
+					"type": "string",
+					"enum": ["developer"]
+				},
+				"email": {
+					"type": "string",
+					"format": "email"
+				},
+				"limits": {
+					"type": "object",
+					"description": "Plan-derived quota limits for an account.",
+					"properties": {
+						"storage_mb": { "type": "number" },
+						"send_per_hour": { "type": "number" },
+						"send_per_day": { "type": "number" },
+						"api_per_minute": { "type": "number" },
+						"webhooks_max_global": { "type": ["number", "null"] },
+						"webhooks_per_domain": { "type": "boolean" },
+						"filters_per_domain": { "type": "boolean" },
+						"spam_thresholds_per_domain": { "type": "boolean" }
+					},
+					"required": [
+						"storage_mb",
+						"send_per_hour",
+						"send_per_day",
+						"api_per_minute",
+						"webhooks_max_global",
+						"webhooks_per_domain",
+						"filters_per_domain",
+						"spam_thresholds_per_domain"
+					]
+				}
+			},
+			"required": [
+				"org_id",
+				"plan",
+				"email",
+				"limits"
+			]
+		},
+		"sdkName": "verifyAgentClaim",
+		"summary": "Verify an agent account email claim",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
@@ -8309,6 +8926,22 @@ const operationManifest = [
 				"name": "date_to",
 				"required": false,
 				"type": "string"
+			},
+			{
+				"description": "Forward-tail cursor. Returns rows that became visible AFTER this\ncursor, oldest-first, so a caller can stream new inbound mail by\nre-passing the cursor from each response. Mutually exclusive with\n`cursor` (which pages history newest-first). Pass the `meta.cursor`\nfrom the previous `since` response; an empty page means caught up.\n",
+				"enum": null,
+				"name": "since",
+				"required": false,
+				"type": "string"
+			},
+			{
+				"description": "Long-poll: hold the request up to this many seconds waiting for new\nmail past `since`, returning as soon as any arrives (or an empty\npage when the wait elapses). Requires `since`. Omitted means no wait\n(returns immediately); the server treats an absent value as 0. NOT\ngiven an OpenAPI `default` on purpose: a default makes some\ngenerators (e.g. openapi-python-client) send `wait=0` on every call,\nwhich then fails the `wait` requires `since` check for plain history\nlistings.\n",
+				"enum": null,
+				"maximum": 30,
+				"minimum": 0,
+				"name": "wait",
+				"required": false,
+				"type": "integer"
 			}
 		],
 		"requestSchema": null,
@@ -9318,7 +9951,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "create-function",
-		"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to an `email.received` event (see\n`EmailReceivedEvent` and the Webhook payload section for the full\nschema). Code is bundled before being uploaded; ship a single\nself-contained file rather than relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Routing.** On successful deploy, the function code is live\nin the runtime, but inbound mail will not reach it until at\nleast one route is bound. Routes are managed from the Primitive\ndashboard. A `deploy_status` of `deployed` means the script is\ninstalled, not that the function is receiving mail. The\ninternal runtime URL is not returned by the API and is not a\ncustomer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
+		"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to a webhook event whose `event` field is\n`email.received` for normal inbound mail, or a machine-mail type\n(`email.bounced`, `email.tls_report`, `email.dmarc_report`,\n`email.dmarc_failure`) for bounces and reports. Code is bundled\nbefore being uploaded; ship a single self-contained file rather\nthan relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Routing.** On successful deploy, the function code is live\nin the runtime, but inbound mail will not reach it until at\nleast one route is bound. Routes are managed from the Primitive\ndashboard. A `deploy_status` of `deployed` means the script is\ninstalled, not that the function is receiving mail. The\ninternal runtime URL is not returned by the API and is not a\ncustomer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "createFunction",