primitive 1.2.1 → 1.5.0

package/dist/oclif/index.js

@@ -3,9 +3,9 @@ import { Args, Command, Errors, Flags, ux } from "@oclif/core";
 import { chmodSync, closeSync, existsSync, mkdirSync, openSync, readFileSync, readdirSync, renameSync, rmSync, statSync, unlinkSync, writeFileSync, writeSync } from "node:fs";
 import { randomUUID } from "node:crypto";
 import path, { basename, dirname, join, relative, resolve, sep } from "node:path";
-import { hostname } from "node:os";
 import process$1 from "node:process";
 import { createInterface } from "node:readline/promises";
+import { hostname } from "node:os";
 import { spawn } from "node:child_process";
 //#region \0rolldown/runtime.js
 var __defProp = Object.defineProperty;
@@ -26,16 +26,20 @@ const client = createClient(createConfig({ baseUrl: "https://api.primitive.dev/v
 var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	addDomain: () => addDomain,
 	cliLogout: () => cliLogout,
+	createAgentAccount: () => createAgentAccount,
+	createAgentClaimLink: () => createAgentClaimLink,
 	createEndpoint: () => createEndpoint,
 	createFilter: () => createFilter,
 	createFunction: () => createFunction,
 	createFunctionSecret: () => createFunctionSecret,
+	createOrgSecret: () => createOrgSecret,
 	deleteDomain: () => deleteDomain,
 	deleteEmail: () => deleteEmail,
 	deleteEndpoint: () => deleteEndpoint,
 	deleteFilter: () => deleteFilter,
 	deleteFunction: () => deleteFunction,
 	deleteFunctionSecret: () => deleteFunctionSecret,
+	deleteOrgSecret: () => deleteOrgSecret,
 	discardEmailContent: () => discardEmailContent,
 	downloadAttachments: () => downloadAttachments,
 	downloadDomainZoneFile: () => downloadDomainZoneFile,
@@ -61,6 +65,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	listFunctionLogs: () => listFunctionLogs,
 	listFunctionSecrets: () => listFunctionSecrets,
 	listFunctions: () => listFunctions,
+	listOrgSecrets: () => listOrgSecrets,
 	listSentEmails: () => listSentEmails,
 	pollCliLogin: () => pollCliLogin,
 	replayDelivery: () => replayDelivery,
@@ -74,6 +79,8 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	sendEmail: () => sendEmail,
 	setFunctionRoute: () => setFunctionRoute,
 	setFunctionSecret: () => setFunctionSecret,
+	setOrgSecret: () => setOrgSecret,
+	startAgentClaim: () => startAgentClaim,
 	startAgentSignup: () => startAgentSignup,
 	startCliLogin: () => startCliLogin,
 	startCliSignup: () => startCliSignup,
@@ -85,6 +92,7 @@ var sdk_gen_exports = /* @__PURE__ */ __exportAll({
 	updateEndpoint: () => updateEndpoint,
 	updateFilter: () => updateFilter,
 	updateFunction: () => updateFunction,
+	verifyAgentClaim: () => verifyAgentClaim,
 	verifyAgentSignup: () => verifyAgentSignup,
 	verifyCliSignup: () => verifyCliSignup,
 	verifyDomain: () => verifyDomain
@@ -229,6 +237,92 @@ const verifyAgentSignup = (options) => (options.client ?? client).post({
 	}
 });
 /**
+* Create an emailless agent account
+*
+* Creates an emailless agent account without authentication and returns a
+* one-time API key (prefixed `prim_`) plus a provisioned managed inbox.
+* The account is on the `agent` plan: reply-only (it can send only to
+* addresses that have already sent it authenticated mail) with tight send
+* limits. Use the returned `api_key` as a Bearer token on later calls. The
+* account can be upgraded to a full developer account by confirming an
+* email through the claim flow. This endpoint does not require an API key.
+*
+*/
+const createAgentAccount = (options) => (options.client ?? client).post({
+	url: "/agent/accounts",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Start an agent account email claim
+*
+* Begins upgrading an emailless `agent` account into a full `developer`
+* account by confirming an email address. Authenticated by the agent's own
+* API key (the org is taken from the credential). Sends a verification
+* code to the supplied email and returns the claim session id plus resend
+* timing. Submit the code to `/agent/claim/verify` to complete the
+* upgrade. Confirming an email that already belongs to a Primitive account
+* is rejected.
+*
+*/
+const startAgentClaim = (options) => (options.client ?? client).post({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/agent/claim/start",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Verify an agent account email claim
+*
+* Confirms the verification code emailed by `/agent/claim/start` and
+* upgrades the account to the `developer` plan. The org id, API key, and
+* managed inbox all carry over; the send cap lifts. Authenticated by the
+* agent's own API key.
+*
+*/
+const verifyAgentClaim = (options) => (options.client ?? client).post({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/agent/claim/verify",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Create a browser claim link
+*
+* Mints an opaque, single-use link an agent can hand to a human to
+* complete the email-confirmation upgrade in a browser. Authenticated by
+* the agent's own API key. `claim_url` is null when the API host cannot
+* resolve a web origin to build the link.
+*
+*/
+const createAgentClaimLink = (options) => (options?.client ?? client).post({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/agent/claim/link",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options?.headers
+	}
+});
+/**
 * Revoke the current CLI OAuth session
 *
 * Revokes the OAuth grant used to authenticate the request. API-key
@@ -1104,10 +1198,12 @@ const listFunctions = (options) => (options?.client ?? client).get({
 * each delivery and forwards the `Primitive-Signature` header to
 * the handler. Verify the raw request body with
 * `PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification
-* the request body parses to an `email.received` event (see
-* `EmailReceivedEvent` and the Webhook payload section for the full
-* schema). Code is bundled before being uploaded; ship a single
-* self-contained file rather than relying on external imports.
+* the request body parses to a webhook event whose `event` field is
+* `email.received` for normal inbound mail, or a machine-mail type
+* (`email.bounced`, `email.tls_report`, `email.dmarc_report`,
+* `email.dmarc_failure`) for bounces and reports. Code is bundled
+* before being uploaded; ship a single self-contained file rather
+* than relying on external imports.
 *
 * **Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`
 * (optional) is capped at 5 MiB UTF-8, stored with each deployment
@@ -1425,6 +1521,85 @@ const setFunctionSecret = (options) => (options.client ?? client).put({
 	}
 });
 /**
+* List org-level (global) secrets
+*
+* Returns metadata for every org-level secret. Org secrets apply
+* to every function in the org and are read as `env.<KEY>` in
+* handlers. **Values are never returned.** Secret writes are
+* write-only. A function-level secret of the same name overrides
+* the org-level value for that function.
+*
+*/
+const listOrgSecrets = (options) => (options?.client ?? client).get({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/org/secrets",
+	...options
+});
+/**
+* Create or update an org secret
+*
+* Idempotent insert-or-update keyed on `(org_id, key)`. Returns
+* 201 the first time the key is set, 200 on subsequent updates.
+* Values are encrypted at rest. A changed value lands in a
+* function only on that function's next deploy.
+*
+* Keys must match `^[A-Z_][A-Z0-9_]*$` (uppercase letters,
+* digits, underscores; first character is a letter or
+* underscore). Values are at most 4096 UTF-8 bytes. System-
+* managed keys are reserved and rejected.
+*
+*/
+const createOrgSecret = (options) => (options.client ?? client).post({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/org/secrets",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
+* Delete an org secret
+*
+* Removes the org secret. Functions keep the previous value until
+* each is redeployed. Returns 404 if the key did not exist.
+*
+*/
+const deleteOrgSecret = (options) => (options.client ?? client).delete({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/org/secrets/{key}",
+	...options
+});
+/**
+* Set an org secret by key
+*
+* Path-keyed companion to `POST /org/secrets`. Idempotent:
+* returns 201 the first time the key is set, 200 on subsequent
+* updates. Same validation and write-only guarantees as POST.
+*
+*/
+const setOrgSecret = (options) => (options.client ?? client).put({
+	security: [{
+		scheme: "bearer",
+		type: "http"
+	}],
+	url: "/org/secrets/{key}",
+	...options,
+	headers: {
+		...options.body !== void 0 && { "Content-Type": "application/json" },
+		...options.headers
+	}
+});
+/**
 * List a function's execution logs
 *
 * Returns the most recent `function_logs` rows for the function,
@@ -1528,7 +1703,7 @@ const openapiDocument = {
 		},
 		{
 			"name": "Functions",
-			"description": "Deploy JavaScript handlers that run on inbound mail. Each function\nis a single ESM module whose default export is an object with an\nasync `fetch(request, env)` method, in the shape of a Workers-style\nhandler. Primitive signs each delivery and forwards the\n`Primitive-Signature` header to the handler; verify the raw request\nbody with `PRIMITIVE_WEBHOOK_SECRET` before trusting the parsed\n`email.received` event (see `EmailReceivedEvent` and the Webhook\npayload section for the full schema). Code runs on\nPrimitive's edge runtime; there is no infrastructure to manage.\nSecrets land in `env` as encrypted bindings and are refreshed on\nevery redeploy.\n"
+			"description": "Deploy JavaScript handlers that run on inbound mail. Each function\nis a single ESM module whose default export is an object with an\nasync `fetch(request, env)` method, in the shape of a Workers-style\nhandler. Primitive signs each delivery and forwards the\n`Primitive-Signature` header to the handler; verify the raw request\nbody with `PRIMITIVE_WEBHOOK_SECRET` before trusting the parsed event.\nThe `event` field is `email.received` for normal inbound mail, or a\nmachine-mail type (`email.bounced`, `email.tls_report`,\n`email.dmarc_report`, `email.dmarc_failure`) for bounces and reports;\nthe payload shape is otherwise identical. Code runs on\nPrimitive's edge runtime; there is no infrastructure to manage.\nSecrets land in `env` as encrypted bindings and are refreshed on\nevery redeploy.\n"
 		}
 	],
 	"paths": {
@@ -1834,6 +2009,128 @@ const openapiDocument = {
 				"429": { "$ref": "#/components/responses/RateLimited" }
 			}
 		} },
+		"/agent/accounts": { "post": {
+			"operationId": "createAgentAccount",
+			"summary": "Create an emailless agent account",
+			"description": "Creates an emailless agent account without authentication and returns a\none-time API key (prefixed `prim_`) plus a provisioned managed inbox.\nThe account is on the `agent` plan: reply-only (it can send only to\naddresses that have already sent it authenticated mail) with tight send\nlimits. Use the returned `api_key` as a Bearer token on later calls. The\naccount can be upgraded to a full developer account by confirming an\nemail through the claim flow. This endpoint does not require an API key.\n",
+			"tags": ["Agent"],
+			"security": [],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateAgentAccountInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Agent account created; the API key is returned once",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentAccountResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/agent/claim/start": { "post": {
+			"operationId": "startAgentClaim",
+			"summary": "Start an agent account email claim",
+			"description": "Begins upgrading an emailless `agent` account into a full `developer`\naccount by confirming an email address. Authenticated by the agent's own\nAPI key (the org is taken from the credential). Sends a verification\ncode to the supplied email and returns the claim session id plus resend\ntiming. Submit the code to `/agent/claim/verify` to complete the\nupgrade. Confirming an email that already belongs to a Primitive account\nis rejected.\n",
+			"tags": ["Agent"],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/StartAgentClaimInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Claim started and verification email sent",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentClaimStartResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"404": { "$ref": "#/components/responses/NotFound" },
+				"409": {
+					"description": "The email is already in use, or the account is not claimable",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/agent/claim/verify": { "post": {
+			"operationId": "verifyAgentClaim",
+			"summary": "Verify an agent account email claim",
+			"description": "Confirms the verification code emailed by `/agent/claim/start` and\nupgrades the account to the `developer` plan. The org id, API key, and\nmanaged inbox all carry over; the send cap lifts. Authenticated by the\nagent's own API key.\n",
+			"tags": ["Agent"],
+			"requestBody": {
+				"required": true,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/VerifyAgentClaimInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Claim verified; account upgraded to developer",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentClaimResult" } }
+					}] } } }
+				},
+				"400": { "$ref": "#/components/responses/ValidationError" },
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"404": { "$ref": "#/components/responses/NotFound" },
+				"409": {
+					"description": "The account is already claimed, or the email is in use",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"410": {
+					"description": "The claim or its verification code has expired",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
+		"/agent/claim/link": { "post": {
+			"operationId": "createAgentClaimLink",
+			"summary": "Create a browser claim link",
+			"description": "Mints an opaque, single-use link an agent can hand to a human to\ncomplete the email-confirmation upgrade in a browser. Authenticated by\nthe agent's own API key. `claim_url` is null when the API host cannot\nresolve a web origin to build the link.\n",
+			"tags": ["Agent"],
+			"requestBody": {
+				"required": false,
+				"content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateAgentClaimLinkInput" } } }
+			},
+			"responses": {
+				"200": {
+					"description": "Claim link created",
+					"headers": { "Cache-Control": {
+						"schema": { "type": "string" },
+						"description": "Always `no-store`"
+					} },
+					"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+						"type": "object",
+						"properties": { "data": { "$ref": "#/components/schemas/AgentClaimLinkResult" } }
+					}] } } }
+				},
+				"401": { "$ref": "#/components/responses/Unauthorized" },
+				"404": { "$ref": "#/components/responses/NotFound" },
+				"409": {
+					"description": "The account is not claimable (not an agent account, or already claimed)",
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } }
+				},
+				"429": { "$ref": "#/components/responses/RateLimited" }
+			}
+		} },
 		"/cli/logout": { "post": {
 			"operationId": "cliLogout",
 			"summary": "Revoke the current CLI OAuth session",
@@ -2178,6 +2475,25 @@ const openapiDocument = {
 						"format": "date-time"
 					},
 					"description": "Filter emails created on or before this timestamp"
+				},
+				{
+					"name": "since",
+					"in": "query",
+					"schema": {
+						"type": "string",
+						"maxLength": 200
+					},
+					"description": "Forward-tail cursor. Returns rows that became visible AFTER this\ncursor, oldest-first, so a caller can stream new inbound mail by\nre-passing the cursor from each response. Mutually exclusive with\n`cursor` (which pages history newest-first). Pass the `meta.cursor`\nfrom the previous `since` response; an empty page means caught up.\n"
+				},
+				{
+					"name": "wait",
+					"in": "query",
+					"schema": {
+						"type": "integer",
+						"minimum": 0,
+						"maximum": 30
+					},
+					"description": "Long-poll: hold the request up to this many seconds waiting for new\nmail past `since`, returning as soon as any arrives (or an empty\npage when the wait elapses). Requires `since`. Omitted means no wait\n(returns immediately); the server treats an absent value as 0. NOT\ngiven an OpenAPI `default` on purpose: a default makes some\ngenerators (e.g. openapi-python-client) send `wait=0` on every call,\nwhich then fails the `wait` requires `since` check for plain history\nlistings.\n"
 				}
 			],
 			"responses": {
@@ -3117,7 +3433,7 @@ const openapiDocument = {
 			"post": {
 				"operationId": "createFunction",
 				"summary": "Deploy a function",
-				"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to an `email.received` event (see\n`EmailReceivedEvent` and the Webhook payload section for the full\nschema). Code is bundled before being uploaded; ship a single\nself-contained file rather than relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Routing.** On successful deploy, the function code is live\nin the runtime, but inbound mail will not reach it until at\nleast one route is bound. Routes are managed from the Primitive\ndashboard. A `deploy_status` of `deployed` means the script is\ninstalled, not that the function is receiving mail. The\ninternal runtime URL is not returned by the API and is not a\ncustomer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
+				"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to a webhook event whose `event` field is\n`email.received` for normal inbound mail, or a machine-mail type\n(`email.bounced`, `email.tls_report`, `email.dmarc_report`,\n`email.dmarc_failure`) for bounces and reports. Code is bundled\nbefore being uploaded; ship a single self-contained file rather\nthan relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Routing.** On successful deploy, the function code is live\nin the runtime, but inbound mail will not reach it until at\nleast one route is bound. Routes are managed from the Primitive\ndashboard. A `deploy_status` of `deployed` means the script is\ninstalled, not that the function is receiving mail. The\ninternal runtime URL is not returned by the API and is not a\ncustomer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
 				"tags": ["Functions"],
 				"requestBody": {
 					"required": true,
@@ -3394,37 +3710,143 @@ const openapiDocument = {
 				}
 			},
 			"post": {
-				"operationId": "createFunctionSecret",
-				"summary": "Create or update a secret",
-				"description": "Idempotent insert-or-update keyed on `(function_id, key)`.\nReturns 201 the first time the key is set, 200 on subsequent\nupdates. Values are encrypted at rest and only become visible\nto the running handler on the next deploy (`PUT /functions/{id}`\nwith the existing code is sufficient to refresh bindings).\n\nKeys must match `^[A-Z_][A-Z0-9_]*$` (uppercase letters,\ndigits, underscores; first character is a letter or\nunderscore). Values are at most 4096 UTF-8 bytes. System-\nmanaged keys are reserved and rejected.\n",
+				"operationId": "createFunctionSecret",
+				"summary": "Create or update a secret",
+				"description": "Idempotent insert-or-update keyed on `(function_id, key)`.\nReturns 201 the first time the key is set, 200 on subsequent\nupdates. Values are encrypted at rest and only become visible\nto the running handler on the next deploy (`PUT /functions/{id}`\nwith the existing code is sufficient to refresh bindings).\n\nKeys must match `^[A-Z_][A-Z0-9_]*$` (uppercase letters,\ndigits, underscores; first character is a letter or\nunderscore). Values are at most 4096 UTF-8 bytes. System-\nmanaged keys are reserved and rejected.\n",
+				"tags": ["Functions"],
+				"requestBody": {
+					"required": true,
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateFunctionSecretInput" } } }
+				},
+				"responses": {
+					"200": {
+						"description": "Secret updated",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": { "$ref": "#/components/schemas/FunctionSecretWriteResult" } }
+						}] } } }
+					},
+					"201": {
+						"description": "Secret created",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": { "$ref": "#/components/schemas/FunctionSecretWriteResult" } }
+						}] } } }
+					},
+					"400": { "$ref": "#/components/responses/ValidationError" },
+					"401": { "$ref": "#/components/responses/Unauthorized" },
+					"404": { "$ref": "#/components/responses/NotFound" }
+				}
+			}
+		},
+		"/functions/{id}/secrets/{key}": {
+			"parameters": [{ "$ref": "#/components/parameters/ResourceId" }, {
+				"name": "key",
+				"in": "path",
+				"required": true,
+				"description": "Secret key. Must match `^[A-Z_][A-Z0-9_]*$`.",
+				"schema": {
+					"type": "string",
+					"pattern": "^[A-Z_][A-Z0-9_]*$"
+				}
+			}],
+			"put": {
+				"operationId": "setFunctionSecret",
+				"summary": "Set a secret by key",
+				"description": "Path-keyed companion to `POST /functions/{id}/secrets`.\nIdempotent: returns 201 the first time the key is set, 200 on\nsubsequent updates. Same validation rules and same write-only\nguarantees as the POST verb; the new value lands in the running\nhandler on the next deploy.\n",
+				"tags": ["Functions"],
+				"requestBody": {
+					"required": true,
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/SetFunctionSecretInput" } } }
+				},
+				"responses": {
+					"200": {
+						"description": "Secret updated",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": { "$ref": "#/components/schemas/FunctionSecretWriteResult" } }
+						}] } } }
+					},
+					"201": {
+						"description": "Secret created",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": { "$ref": "#/components/schemas/FunctionSecretWriteResult" } }
+						}] } } }
+					},
+					"400": { "$ref": "#/components/responses/ValidationError" },
+					"401": { "$ref": "#/components/responses/Unauthorized" },
+					"404": { "$ref": "#/components/responses/NotFound" }
+				}
+			},
+			"delete": {
+				"operationId": "deleteFunctionSecret",
+				"summary": "Delete a secret",
+				"description": "Removes the secret. The binding stays live in the running\nhandler until the next deploy refreshes the binding set\n(`PUT /functions/{id}` with the existing code is sufficient).\nReturns 404 if the key did not exist. Managed system keys\ncannot be deleted.\n",
+				"tags": ["Functions"],
+				"responses": {
+					"204": { "description": "Secret deleted" },
+					"400": { "$ref": "#/components/responses/ValidationError" },
+					"401": { "$ref": "#/components/responses/Unauthorized" },
+					"404": { "$ref": "#/components/responses/NotFound" }
+				}
+			}
+		},
+		"/org/secrets": {
+			"get": {
+				"operationId": "listOrgSecrets",
+				"summary": "List org-level (global) secrets",
+				"description": "Returns metadata for every org-level secret. Org secrets apply\nto every function in the org and are read as `env.<KEY>` in\nhandlers. **Values are never returned.** Secret writes are\nwrite-only. A function-level secret of the same name overrides\nthe org-level value for that function.\n",
+				"tags": ["Functions"],
+				"responses": {
+					"200": {
+						"description": "List of org secrets (metadata only, no values)",
+						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
+							"type": "object",
+							"properties": { "data": {
+								"type": "object",
+								"properties": { "items": {
+									"type": "array",
+									"items": { "$ref": "#/components/schemas/OrgSecretListItem" }
+								} },
+								"required": ["items"]
+							} }
+						}] } } }
+					},
+					"401": { "$ref": "#/components/responses/Unauthorized" }
+				}
+			},
+			"post": {
+				"operationId": "createOrgSecret",
+				"summary": "Create or update an org secret",
+				"description": "Idempotent insert-or-update keyed on `(org_id, key)`. Returns\n201 the first time the key is set, 200 on subsequent updates.\nValues are encrypted at rest. A changed value lands in a\nfunction only on that function's next deploy.\n\nKeys must match `^[A-Z_][A-Z0-9_]*$` (uppercase letters,\ndigits, underscores; first character is a letter or\nunderscore). Values are at most 4096 UTF-8 bytes. System-\nmanaged keys are reserved and rejected.\n",
 				"tags": ["Functions"],
 				"requestBody": {
 					"required": true,
-					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateFunctionSecretInput" } } }
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateOrgSecretInput" } } }
 				},
 				"responses": {
 					"200": {
 						"description": "Secret updated",
 						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
 							"type": "object",
-							"properties": { "data": { "$ref": "#/components/schemas/FunctionSecretWriteResult" } }
+							"properties": { "data": { "$ref": "#/components/schemas/OrgSecretWriteResult" } }
 						}] } } }
 					},
 					"201": {
 						"description": "Secret created",
 						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
 							"type": "object",
-							"properties": { "data": { "$ref": "#/components/schemas/FunctionSecretWriteResult" } }
+							"properties": { "data": { "$ref": "#/components/schemas/OrgSecretWriteResult" } }
 						}] } } }
 					},
 					"400": { "$ref": "#/components/responses/ValidationError" },
-					"401": { "$ref": "#/components/responses/Unauthorized" },
-					"404": { "$ref": "#/components/responses/NotFound" }
+					"401": { "$ref": "#/components/responses/Unauthorized" }
 				}
 			}
 		},
-		"/functions/{id}/secrets/{key}": {
-			"parameters": [{ "$ref": "#/components/parameters/ResourceId" }, {
+		"/org/secrets/{key}": {
+			"parameters": [{
 				"name": "key",
 				"in": "path",
 				"required": true,
@@ -3435,38 +3857,37 @@ const openapiDocument = {
 				}
 			}],
 			"put": {
-				"operationId": "setFunctionSecret",
-				"summary": "Set a secret by key",
-				"description": "Path-keyed companion to `POST /functions/{id}/secrets`.\nIdempotent: returns 201 the first time the key is set, 200 on\nsubsequent updates. Same validation rules and same write-only\nguarantees as the POST verb; the new value lands in the running\nhandler on the next deploy.\n",
+				"operationId": "setOrgSecret",
+				"summary": "Set an org secret by key",
+				"description": "Path-keyed companion to `POST /org/secrets`. Idempotent:\nreturns 201 the first time the key is set, 200 on subsequent\nupdates. Same validation and write-only guarantees as POST.\n",
 				"tags": ["Functions"],
 				"requestBody": {
 					"required": true,
-					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/SetFunctionSecretInput" } } }
+					"content": { "application/json": { "schema": { "$ref": "#/components/schemas/SetOrgSecretInput" } } }
 				},
 				"responses": {
 					"200": {
 						"description": "Secret updated",
 						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
 							"type": "object",
-							"properties": { "data": { "$ref": "#/components/schemas/FunctionSecretWriteResult" } }
+							"properties": { "data": { "$ref": "#/components/schemas/OrgSecretWriteResult" } }
 						}] } } }
 					},
 					"201": {
 						"description": "Secret created",
 						"content": { "application/json": { "schema": { "allOf": [{ "$ref": "#/components/schemas/SuccessEnvelope" }, {
 							"type": "object",
-							"properties": { "data": { "$ref": "#/components/schemas/FunctionSecretWriteResult" } }
+							"properties": { "data": { "$ref": "#/components/schemas/OrgSecretWriteResult" } }
 						}] } } }
 					},
 					"400": { "$ref": "#/components/responses/ValidationError" },
-					"401": { "$ref": "#/components/responses/Unauthorized" },
-					"404": { "$ref": "#/components/responses/NotFound" }
+					"401": { "$ref": "#/components/responses/Unauthorized" }
 				}
 			},
 			"delete": {
-				"operationId": "deleteFunctionSecret",
-				"summary": "Delete a secret",
-				"description": "Removes the secret. The binding stays live in the running\nhandler until the next deploy refreshes the binding set\n(`PUT /functions/{id}` with the existing code is sufficient).\nReturns 404 if the key did not exist. Managed system keys\ncannot be deleted.\n",
+				"operationId": "deleteOrgSecret",
+				"summary": "Delete an org secret",
+				"description": "Removes the org secret. Functions keep the previous value until\neach is redeployed. Returns 404 if the key did not exist.\n",
 				"tags": ["Functions"],
 				"responses": {
 					"204": { "description": "Secret deleted" },
@@ -4428,6 +4849,177 @@ const openapiDocument = {
 					"orgs"
 				]
 			},
+			"PlanLimits": {
+				"type": "object",
+				"description": "Plan-derived quota limits for an account.",
+				"properties": {
+					"storage_mb": { "type": "number" },
+					"send_per_hour": { "type": "number" },
+					"send_per_day": { "type": "number" },
+					"api_per_minute": { "type": "number" },
+					"webhooks_max_global": { "type": ["number", "null"] },
+					"webhooks_per_domain": { "type": "boolean" },
+					"filters_per_domain": { "type": "boolean" },
+					"spam_thresholds_per_domain": { "type": "boolean" }
+				},
+				"required": [
+					"storage_mb",
+					"send_per_hour",
+					"send_per_day",
+					"api_per_minute",
+					"webhooks_max_global",
+					"webhooks_per_domain",
+					"filters_per_domain",
+					"spam_thresholds_per_domain"
+				]
+			},
+			"CreateAgentAccountInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": {
+					"terms_accepted": {
+						"type": "boolean",
+						"enum": [true],
+						"description": "Must be true to accept the Terms of Service and Privacy Policy."
+					},
+					"device_name": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 80,
+						"description": "Optional label for the device or agent creating the account."
+					}
+				},
+				"required": ["terms_accepted"]
+			},
+			"AgentAccountUpgradeHint": {
+				"type": "object",
+				"description": "In-band pointer to the upgrade path for an agent account.",
+				"properties": {
+					"plan": {
+						"type": "string",
+						"enum": ["developer"]
+					},
+					"description": { "type": "string" },
+					"claim_path": { "type": "string" }
+				},
+				"required": [
+					"plan",
+					"description",
+					"claim_path"
+				]
+			},
+			"AgentAccountResult": {
+				"type": "object",
+				"properties": {
+					"api_key": {
+						"type": "string",
+						"description": "One-time API key (prefixed `prim_`). Shown once; store it securely."
+					},
+					"org_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"address": {
+						"type": ["string", "null"],
+						"description": "Provisioned managed inbox FQDN, or null if the inbox publish was deferred."
+					},
+					"plan": {
+						"type": "string",
+						"enum": ["agent"]
+					},
+					"limits": { "$ref": "#/components/schemas/PlanLimits" },
+					"upgrade": { "$ref": "#/components/schemas/AgentAccountUpgradeHint" }
+				},
+				"required": [
+					"api_key",
+					"org_id",
+					"address",
+					"plan",
+					"limits",
+					"upgrade"
+				]
+			},
+			"StartAgentClaimInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": { "email": {
+					"type": "string",
+					"format": "email",
+					"maxLength": 254,
+					"description": "Email to confirm. Must not already belong to a Primitive account."
+				} },
+				"required": ["email"]
+			},
+			"AgentClaimStartResult": {
+				"type": "object",
+				"properties": {
+					"claim_session_id": { "type": "string" },
+					"resend_after_seconds": { "type": "integer" },
+					"expires_in_seconds": { "type": "integer" }
+				},
+				"required": [
+					"claim_session_id",
+					"resend_after_seconds",
+					"expires_in_seconds"
+				]
+			},
+			"VerifyAgentClaimInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"properties": { "verification_code": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 32,
+					"description": "The verification code emailed by the claim start step."
+				} },
+				"required": ["verification_code"]
+			},
+			"AgentClaimResult": {
+				"type": "object",
+				"properties": {
+					"org_id": {
+						"type": "string",
+						"format": "uuid"
+					},
+					"plan": {
+						"type": "string",
+						"enum": ["developer"]
+					},
+					"email": {
+						"type": "string",
+						"format": "email"
+					},
+					"limits": { "$ref": "#/components/schemas/PlanLimits" }
+				},
+				"required": [
+					"org_id",
+					"plan",
+					"email",
+					"limits"
+				]
+			},
+			"CreateAgentClaimLinkInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"description": "No fields; an empty object is accepted.",
+				"properties": {}
+			},
+			"AgentClaimLinkResult": {
+				"type": "object",
+				"properties": {
+					"claim_token": { "type": "string" },
+					"claim_url": {
+						"type": ["string", "null"],
+						"description": "Browser URL to hand to a human, or null if no web origin is configured."
+					},
+					"expires_in_seconds": { "type": "integer" }
+				},
+				"required": [
+					"claim_token",
+					"claim_url",
+					"expires_in_seconds"
+				]
+			},
 			"CliLogoutInput": {
 				"type": "object",
 				"additionalProperties": false,
@@ -4466,6 +5058,16 @@ const openapiDocument = {
 					},
 					"email": { "type": "string" },
 					"plan": { "type": "string" },
+					"limits": { "$ref": "#/components/schemas/PlanLimits" },
+					"entitlements": {
+						"type": "array",
+						"items": { "type": "string" },
+						"description": "Granted org entitlement keys (sorted). A headless caller reads its\ncapabilities here — e.g. an emailless agent seeing only\n[\"send_mail\", \"send_to_known_addresses\"] knows it is reply-only.\n"
+					},
+					"managed_inbox_address": {
+						"type": ["string", "null"],
+						"description": "The managed inbox FQDN to reply as, or null if the org has no managed inbox."
+					},
 					"created_at": {
 						"type": "string",
 						"format": "date-time"
@@ -4493,6 +5095,9 @@ const openapiDocument = {
 					"id",
 					"email",
 					"plan",
+					"limits",
+					"entitlements",
+					"managed_inbox_address",
 					"created_at",
 					"discard_content_on_webhook_confirmed"
 				]
@@ -7503,6 +8108,81 @@ const openapiDocument = {
 					"updated_at",
 					"created"
 				]
+			},
+			"OrgSecretListItem": {
+				"type": "object",
+				"description": "One row from GET /org/secrets. Org secrets are always user-set\n(there are no managed org secrets), so `created_at` /\n`updated_at` are always present.\n",
+				"properties": {
+					"key": { "type": "string" },
+					"created_at": {
+						"type": "string",
+						"format": "date-time"
+					},
+					"updated_at": {
+						"type": "string",
+						"format": "date-time"
+					}
+				},
+				"required": [
+					"key",
+					"created_at",
+					"updated_at"
+				]
+			},
+			"CreateOrgSecretInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"description": "Body for POST /org/secrets.",
+				"properties": {
+					"key": {
+						"type": "string",
+						"pattern": "^[A-Z_][A-Z0-9_]*$",
+						"description": "Uppercase letters, digits, and underscores. Must start with\na letter or underscore. System-managed keys are reserved.\n"
+					},
+					"value": {
+						"type": "string",
+						"minLength": 1,
+						"maxLength": 4096,
+						"description": "Secret value, up to 4096 UTF-8 bytes. Encrypted at rest.\nNever returned by any read endpoint.\n"
+					}
+				},
+				"required": ["key", "value"]
+			},
+			"SetOrgSecretInput": {
+				"type": "object",
+				"additionalProperties": false,
+				"description": "Body for PUT /org/secrets/{key}. Key comes from the path.",
+				"properties": { "value": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 4096
+				} },
+				"required": ["value"]
+			},
+			"OrgSecretWriteResult": {
+				"type": "object",
+				"description": "Returned by POST and PUT org secret routes.",
+				"properties": {
+					"key": { "type": "string" },
+					"created_at": {
+						"type": "string",
+						"format": "date-time"
+					},
+					"updated_at": {
+						"type": "string",
+						"format": "date-time"
+					},
+					"created": {
+						"type": "boolean",
+						"description": "True if this call inserted a new row, false if it updated an existing one."
+					}
+				},
+				"required": [
+					"key",
+					"created_at",
+					"updated_at",
+					"created"
+				]
 			}
 		}
 	}
@@ -7531,6 +8211,39 @@ const operationManifest = [
 				},
 				"email": { "type": "string" },
 				"plan": { "type": "string" },
+				"limits": {
+					"type": "object",
+					"description": "Plan-derived quota limits for an account.",
+					"properties": {
+						"storage_mb": { "type": "number" },
+						"send_per_hour": { "type": "number" },
+						"send_per_day": { "type": "number" },
+						"api_per_minute": { "type": "number" },
+						"webhooks_max_global": { "type": ["number", "null"] },
+						"webhooks_per_domain": { "type": "boolean" },
+						"filters_per_domain": { "type": "boolean" },
+						"spam_thresholds_per_domain": { "type": "boolean" }
+					},
+					"required": [
+						"storage_mb",
+						"send_per_hour",
+						"send_per_day",
+						"api_per_minute",
+						"webhooks_max_global",
+						"webhooks_per_domain",
+						"filters_per_domain",
+						"spam_thresholds_per_domain"
+					]
+				},
+				"entitlements": {
+					"type": "array",
+					"items": { "type": "string" },
+					"description": "Granted org entitlement keys (sorted). A headless caller reads its\ncapabilities here — e.g. an emailless agent seeing only\n[\"send_mail\", \"send_to_known_addresses\"] knows it is reply-only.\n"
+				},
+				"managed_inbox_address": {
+					"type": ["string", "null"],
+					"description": "The managed inbox FQDN to reply as, or null if the org has no managed inbox."
+				},
 				"created_at": {
 					"type": "string",
 					"format": "date-time"
@@ -7558,6 +8271,9 @@ const operationManifest = [
 				"id",
 				"email",
 				"plan",
+				"limits",
+				"entitlements",
+				"managed_inbox_address",
 				"created_at",
 				"discard_content_on_webhook_confirmed"
 			]
@@ -7686,46 +8402,188 @@ const operationManifest = [
 			"type": "object",
 			"additionalProperties": false,
 			"properties": {
-				"spam_threshold": {
-					"type": ["number", "null"],
-					"minimum": 0,
-					"maximum": 15,
-					"description": "Global spam score threshold (0-15). Emails scoring above this are rejected. Set to null to disable."
-				},
-				"discard_content_on_webhook_confirmed": {
+				"spam_threshold": {
+					"type": ["number", "null"],
+					"minimum": 0,
+					"maximum": 15,
+					"description": "Global spam score threshold (0-15). Emails scoring above this are rejected. Set to null to disable."
+				},
+				"discard_content_on_webhook_confirmed": {
+					"type": "boolean",
+					"description": "Whether to discard email content after the webhook endpoint confirms receipt."
+				}
+			},
+			"minProperties": 1
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"email": { "type": "string" },
+				"plan": { "type": "string" },
+				"spam_threshold": {
+					"type": ["number", "null"],
+					"minimum": 0,
+					"maximum": 15
+				},
+				"discard_content_on_webhook_confirmed": { "type": "boolean" }
+			},
+			"required": [
+				"id",
+				"email",
+				"plan",
+				"discard_content_on_webhook_confirmed"
+			]
+		},
+		"sdkName": "updateAccount",
+		"summary": "Update account settings",
+		"tag": "Account",
+		"tagCommand": "account"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "create-agent-account",
+		"description": "Creates an emailless agent account without authentication and returns a\none-time API key (prefixed `prim_`) plus a provisioned managed inbox.\nThe account is on the `agent` plan: reply-only (it can send only to\naddresses that have already sent it authenticated mail) with tight send\nlimits. Use the returned `api_key` as a Bearer token on later calls. The\naccount can be upgraded to a full developer account by confirming an\nemail through the claim flow. This endpoint does not require an API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "createAgentAccount",
+		"path": "/agent/accounts",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": {
+				"terms_accepted": {
 					"type": "boolean",
-					"description": "Whether to discard email content after the webhook endpoint confirms receipt."
+					"enum": [true],
+					"description": "Must be true to accept the Terms of Service and Privacy Policy."
+				},
+				"device_name": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 80,
+					"description": "Optional label for the device or agent creating the account."
 				}
 			},
-			"minProperties": 1
+			"required": ["terms_accepted"]
 		},
 		"responseSchema": {
 			"type": "object",
 			"properties": {
-				"id": {
+				"api_key": {
+					"type": "string",
+					"description": "One-time API key (prefixed `prim_`). Shown once; store it securely."
+				},
+				"org_id": {
 					"type": "string",
 					"format": "uuid"
 				},
-				"email": { "type": "string" },
-				"plan": { "type": "string" },
-				"spam_threshold": {
-					"type": ["number", "null"],
-					"minimum": 0,
-					"maximum": 15
+				"address": {
+					"type": ["string", "null"],
+					"description": "Provisioned managed inbox FQDN, or null if the inbox publish was deferred."
 				},
-				"discard_content_on_webhook_confirmed": { "type": "boolean" }
+				"plan": {
+					"type": "string",
+					"enum": ["agent"]
+				},
+				"limits": {
+					"type": "object",
+					"description": "Plan-derived quota limits for an account.",
+					"properties": {
+						"storage_mb": { "type": "number" },
+						"send_per_hour": { "type": "number" },
+						"send_per_day": { "type": "number" },
+						"api_per_minute": { "type": "number" },
+						"webhooks_max_global": { "type": ["number", "null"] },
+						"webhooks_per_domain": { "type": "boolean" },
+						"filters_per_domain": { "type": "boolean" },
+						"spam_thresholds_per_domain": { "type": "boolean" }
+					},
+					"required": [
+						"storage_mb",
+						"send_per_hour",
+						"send_per_day",
+						"api_per_minute",
+						"webhooks_max_global",
+						"webhooks_per_domain",
+						"filters_per_domain",
+						"spam_thresholds_per_domain"
+					]
+				},
+				"upgrade": {
+					"type": "object",
+					"description": "In-band pointer to the upgrade path for an agent account.",
+					"properties": {
+						"plan": {
+							"type": "string",
+							"enum": ["developer"]
+						},
+						"description": { "type": "string" },
+						"claim_path": { "type": "string" }
+					},
+					"required": [
+						"plan",
+						"description",
+						"claim_path"
+					]
+				}
 			},
 			"required": [
-				"id",
-				"email",
+				"api_key",
+				"org_id",
+				"address",
 				"plan",
-				"discard_content_on_webhook_confirmed"
+				"limits",
+				"upgrade"
 			]
 		},
-		"sdkName": "updateAccount",
-		"summary": "Update account settings",
-		"tag": "Account",
-		"tagCommand": "account"
+		"sdkName": "createAgentAccount",
+		"summary": "Create an emailless agent account",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "create-agent-claim-link",
+		"description": "Mints an opaque, single-use link an agent can hand to a human to\ncomplete the email-confirmation upgrade in a browser. Authenticated by\nthe agent's own API key. `claim_url` is null when the API host cannot\nresolve a web origin to build the link.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "createAgentClaimLink",
+		"path": "/agent/claim/link",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"description": "No fields; an empty object is accepted.",
+			"properties": {}
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"claim_token": { "type": "string" },
+				"claim_url": {
+					"type": ["string", "null"],
+					"description": "Browser URL to hand to a human, or null if no web origin is configured."
+				},
+				"expires_in_seconds": { "type": "integer" }
+			},
+			"required": [
+				"claim_token",
+				"claim_url",
+				"expires_in_seconds"
+			]
+		},
+		"sdkName": "createAgentClaimLink",
+		"summary": "Create a browser claim link",
+		"tag": "Agent",
+		"tagCommand": "agent"
 	},
 	{
 		"binaryResponse": false,
@@ -7779,6 +8637,46 @@ const operationManifest = [
 		"tag": "Agent",
 		"tagCommand": "agent"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "start-agent-claim",
+		"description": "Begins upgrading an emailless `agent` account into a full `developer`\naccount by confirming an email address. Authenticated by the agent's own\nAPI key (the org is taken from the credential). Sends a verification\ncode to the supplied email and returns the claim session id plus resend\ntiming. Submit the code to `/agent/claim/verify` to complete the\nupgrade. Confirming an email that already belongs to a Primitive account\nis rejected.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "startAgentClaim",
+		"path": "/agent/claim/start",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "email": {
+				"type": "string",
+				"format": "email",
+				"maxLength": 254,
+				"description": "Email to confirm. Must not already belong to a Primitive account."
+			} },
+			"required": ["email"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"claim_session_id": { "type": "string" },
+				"resend_after_seconds": { "type": "integer" },
+				"expires_in_seconds": { "type": "integer" }
+			},
+			"required": [
+				"claim_session_id",
+				"resend_after_seconds",
+				"expires_in_seconds"
+			]
+		},
+		"sdkName": "startAgentClaim",
+		"summary": "Start an agent account email claim",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
@@ -7861,6 +8759,80 @@ const operationManifest = [
 		"tag": "Agent",
 		"tagCommand": "agent"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "verify-agent-claim",
+		"description": "Confirms the verification code emailed by `/agent/claim/start` and\nupgrades the account to the `developer` plan. The org id, API key, and\nmanaged inbox all carry over; the send cap lifts. Authenticated by the\nagent's own API key.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "verifyAgentClaim",
+		"path": "/agent/claim/verify",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"properties": { "verification_code": {
+				"type": "string",
+				"minLength": 1,
+				"maxLength": 32,
+				"description": "The verification code emailed by the claim start step."
+			} },
+			"required": ["verification_code"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"properties": {
+				"org_id": {
+					"type": "string",
+					"format": "uuid"
+				},
+				"plan": {
+					"type": "string",
+					"enum": ["developer"]
+				},
+				"email": {
+					"type": "string",
+					"format": "email"
+				},
+				"limits": {
+					"type": "object",
+					"description": "Plan-derived quota limits for an account.",
+					"properties": {
+						"storage_mb": { "type": "number" },
+						"send_per_hour": { "type": "number" },
+						"send_per_day": { "type": "number" },
+						"api_per_minute": { "type": "number" },
+						"webhooks_max_global": { "type": ["number", "null"] },
+						"webhooks_per_domain": { "type": "boolean" },
+						"filters_per_domain": { "type": "boolean" },
+						"spam_thresholds_per_domain": { "type": "boolean" }
+					},
+					"required": [
+						"storage_mb",
+						"send_per_hour",
+						"send_per_day",
+						"api_per_minute",
+						"webhooks_max_global",
+						"webhooks_per_domain",
+						"filters_per_domain",
+						"spam_thresholds_per_domain"
+					]
+				}
+			},
+			"required": [
+				"org_id",
+				"plan",
+				"email",
+				"limits"
+			]
+		},
+		"sdkName": "verifyAgentClaim",
+		"summary": "Verify an agent account email claim",
+		"tag": "Agent",
+		"tagCommand": "agent"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": true,
@@ -9758,6 +10730,22 @@ const operationManifest = [
 				"name": "date_to",
 				"required": false,
 				"type": "string"
+			},
+			{
+				"description": "Forward-tail cursor. Returns rows that became visible AFTER this\ncursor, oldest-first, so a caller can stream new inbound mail by\nre-passing the cursor from each response. Mutually exclusive with\n`cursor` (which pages history newest-first). Pass the `meta.cursor`\nfrom the previous `since` response; an empty page means caught up.\n",
+				"enum": null,
+				"name": "since",
+				"required": false,
+				"type": "string"
+			},
+			{
+				"description": "Long-poll: hold the request up to this many seconds waiting for new\nmail past `since`, returning as soon as any arrives (or an empty\npage when the wait elapses). Requires `since`. Omitted means no wait\n(returns immediately); the server treats an absent value as 0. NOT\ngiven an OpenAPI `default` on purpose: a default makes some\ngenerators (e.g. openapi-python-client) send `wait=0` on every call,\nwhich then fails the `wait` requires `since` check for plain history\nlistings.\n",
+				"enum": null,
+				"maximum": 30,
+				"minimum": 0,
+				"name": "wait",
+				"required": false,
+				"type": "integer"
 			}
 		],
 		"requestSchema": null,
@@ -10767,7 +11755,7 @@ const operationManifest = [
 		"binaryResponse": false,
 		"bodyRequired": true,
 		"command": "create-function",
-		"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to an `email.received` event (see\n`EmailReceivedEvent` and the Webhook payload section for the full\nschema). Code is bundled before being uploaded; ship a single\nself-contained file rather than relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Routing.** On successful deploy, the function code is live\nin the runtime, but inbound mail will not reach it until at\nleast one route is bound. Routes are managed from the Primitive\ndashboard. A `deploy_status` of `deployed` means the script is\ninstalled, not that the function is receiving mail. The\ninternal runtime URL is not returned by the API and is not a\ncustomer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
+		"description": "Creates and deploys a new function. The handler must be a single\nESM module whose default export is an object with an async\n`fetch(request, env)` method (Workers-style). Primitive signs\neach delivery and forwards the `Primitive-Signature` header to\nthe handler. Verify the raw request body with\n`PRIMITIVE_WEBHOOK_SECRET` before parsing JSON; after verification\nthe request body parses to a webhook event whose `event` field is\n`email.received` for normal inbound mail, or a machine-mail type\n(`email.bounced`, `email.tls_report`, `email.dmarc_report`,\n`email.dmarc_failure`) for bounces and reports. Code is bundled\nbefore being uploaded; ship a single self-contained file rather\nthan relying on external imports.\n\n**Code limits.** `code` is capped at 1 MiB UTF-8. `sourceMap`\n(optional) is capped at 5 MiB UTF-8, stored with each deployment\nattempt, and sent to the runtime so stack traces can resolve to\noriginal source files.\n\n**Routing.** On successful deploy, the function code is live\nin the runtime, but inbound mail will not reach it until at\nleast one route is bound. Routes are managed from the Primitive\ndashboard. A `deploy_status` of `deployed` means the script is\ninstalled, not that the function is receiving mail. The\ninternal runtime URL is not returned by the API and is not a\ncustomer-facing integration surface.\n\n**Secrets.** New functions ship with the managed secrets\n(`PRIMITIVE_WEBHOOK_SECRET`, `PRIMITIVE_API_KEY`,\n`PRIMITIVE_API_BASE_URL`) already bound. Add user-set secrets via\n`POST /functions/{id}/secrets`; secret writes only land in the\nrunning handler on the next redeploy.\n",
 		"hasJsonBody": true,
 		"method": "POST",
 		"operationId": "createFunction",
@@ -10899,6 +11887,66 @@ const operationManifest = [
 		"tag": "Functions",
 		"tagCommand": "functions"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "create-org-secret",
+		"description": "Idempotent insert-or-update keyed on `(org_id, key)`. Returns\n201 the first time the key is set, 200 on subsequent updates.\nValues are encrypted at rest. A changed value lands in a\nfunction only on that function's next deploy.\n\nKeys must match `^[A-Z_][A-Z0-9_]*$` (uppercase letters,\ndigits, underscores; first character is a letter or\nunderscore). Values are at most 4096 UTF-8 bytes. System-\nmanaged keys are reserved and rejected.\n",
+		"hasJsonBody": true,
+		"method": "POST",
+		"operationId": "createOrgSecret",
+		"path": "/org/secrets",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"description": "Body for POST /org/secrets.",
+			"properties": {
+				"key": {
+					"type": "string",
+					"pattern": "^[A-Z_][A-Z0-9_]*$",
+					"description": "Uppercase letters, digits, and underscores. Must start with\na letter or underscore. System-managed keys are reserved.\n"
+				},
+				"value": {
+					"type": "string",
+					"minLength": 1,
+					"maxLength": 4096,
+					"description": "Secret value, up to 4096 UTF-8 bytes. Encrypted at rest.\nNever returned by any read endpoint.\n"
+				}
+			},
+			"required": ["key", "value"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"description": "Returned by POST and PUT org secret routes.",
+			"properties": {
+				"key": { "type": "string" },
+				"created_at": {
+					"type": "string",
+					"format": "date-time"
+				},
+				"updated_at": {
+					"type": "string",
+					"format": "date-time"
+				},
+				"created": {
+					"type": "boolean",
+					"description": "True if this call inserted a new row, false if it updated an existing one."
+				}
+			},
+			"required": [
+				"key",
+				"created_at",
+				"updated_at",
+				"created"
+			]
+		},
+		"sdkName": "createOrgSecret",
+		"summary": "Create or update an org secret",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
@@ -10953,6 +12001,30 @@ const operationManifest = [
 		"tag": "Functions",
 		"tagCommand": "functions"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "delete-org-secret",
+		"description": "Removes the org secret. Functions keep the previous value until\neach is redeployed. Returns 404 if the key did not exist.\n",
+		"hasJsonBody": false,
+		"method": "DELETE",
+		"operationId": "deleteOrgSecret",
+		"path": "/org/secrets/{key}",
+		"pathParams": [{
+			"description": "Secret key. Must match `^[A-Z_][A-Z0-9_]*$`.",
+			"enum": null,
+			"name": "key",
+			"required": true,
+			"type": "string"
+		}],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": null,
+		"sdkName": "deleteOrgSecret",
+		"summary": "Delete an org secret",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
@@ -11828,8 +12900,52 @@ const operationManifest = [
 				]
 			}
 		},
-		"sdkName": "listFunctions",
-		"summary": "List functions",
+		"sdkName": "listFunctions",
+		"summary": "List functions",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": false,
+		"command": "list-org-secrets",
+		"description": "Returns metadata for every org-level secret. Org secrets apply\nto every function in the org and are read as `env.<KEY>` in\nhandlers. **Values are never returned.** Secret writes are\nwrite-only. A function-level secret of the same name overrides\nthe org-level value for that function.\n",
+		"hasJsonBody": false,
+		"method": "GET",
+		"operationId": "listOrgSecrets",
+		"path": "/org/secrets",
+		"pathParams": [],
+		"queryParams": [],
+		"requestSchema": null,
+		"responseSchema": {
+			"type": "object",
+			"properties": { "items": {
+				"type": "array",
+				"items": {
+					"type": "object",
+					"description": "One row from GET /org/secrets. Org secrets are always user-set\n(there are no managed org secrets), so `created_at` /\n`updated_at` are always present.\n",
+					"properties": {
+						"key": { "type": "string" },
+						"created_at": {
+							"type": "string",
+							"format": "date-time"
+						},
+						"updated_at": {
+							"type": "string",
+							"format": "date-time"
+						}
+					},
+					"required": [
+						"key",
+						"created_at",
+						"updated_at"
+					]
+				}
+			} },
+			"required": ["items"]
+		},
+		"sdkName": "listOrgSecrets",
+		"summary": "List org-level (global) secrets",
 		"tag": "Functions",
 		"tagCommand": "functions"
 	},
@@ -12021,6 +13137,64 @@ const operationManifest = [
 		"tag": "Functions",
 		"tagCommand": "functions"
 	},
+	{
+		"binaryResponse": false,
+		"bodyRequired": true,
+		"command": "set-org-secret",
+		"description": "Path-keyed companion to `POST /org/secrets`. Idempotent:\nreturns 201 the first time the key is set, 200 on subsequent\nupdates. Same validation and write-only guarantees as POST.\n",
+		"hasJsonBody": true,
+		"method": "PUT",
+		"operationId": "setOrgSecret",
+		"path": "/org/secrets/{key}",
+		"pathParams": [{
+			"description": "Secret key. Must match `^[A-Z_][A-Z0-9_]*$`.",
+			"enum": null,
+			"name": "key",
+			"required": true,
+			"type": "string"
+		}],
+		"queryParams": [],
+		"requestSchema": {
+			"type": "object",
+			"additionalProperties": false,
+			"description": "Body for PUT /org/secrets/{key}. Key comes from the path.",
+			"properties": { "value": {
+				"type": "string",
+				"minLength": 1,
+				"maxLength": 4096
+			} },
+			"required": ["value"]
+		},
+		"responseSchema": {
+			"type": "object",
+			"description": "Returned by POST and PUT org secret routes.",
+			"properties": {
+				"key": { "type": "string" },
+				"created_at": {
+					"type": "string",
+					"format": "date-time"
+				},
+				"updated_at": {
+					"type": "string",
+					"format": "date-time"
+				},
+				"created": {
+					"type": "boolean",
+					"description": "True if this call inserted a new row, false if it updated an existing one."
+				}
+			},
+			"required": [
+				"key",
+				"created_at",
+				"updated_at",
+				"created"
+			]
+		},
+		"sdkName": "setOrgSecret",
+		"summary": "Set an org secret by key",
+		"tag": "Functions",
+		"tagCommand": "functions"
+	},
 	{
 		"binaryResponse": false,
 		"bodyRequired": false,
@@ -14705,6 +15879,76 @@ function canonicalizeCliReferences(description) {
 	return description.replaceAll("`primitive emails:latest`", "`primitive emails latest`").replaceAll("`primitive describe emails:get-email | jq '.responseSchema.properties'`", "`primitive describe emails:get | jq '.responseSchema.properties'`");
 }
 //#endregion
+//#region src/oclif/commands/agent-upgrade.ts
+/**
+* Interactive upgrade of an emailless agent account to a full developer
+* account: starts the email claim, prompts for the emailed code, and verifies
+* it. Combines the generated `agent:claim` (start) and `agent:claim-verify`
+* into one flow with a prompt, mirroring the `signup` interactive command.
+* Authenticated by the agent's own API key (the org is taken from the key).
+*/
+var AgentUpgradeCommand = class AgentUpgradeCommand extends Command {
+	static description = "Upgrade an emailless agent account to a full developer account by confirming an email. Authenticated by the agent's own API key (PRIMITIVE_API_KEY).";
+	static summary = "Upgrade an agent account to developer (email confirmation)";
+	static examples = ["<%= config.bin %> agent upgrade --email you@example.com"];
+	static flags = {
+		email: Flags.string({ description: "Email to confirm. Prompted if omitted." }),
+		code: Flags.string({ description: "Verification code from the email. Prompted if omitted." }),
+		"api-key": Flags.string({
+			env: "PRIMITIVE_API_KEY",
+			description: "Agent API key (defaults to PRIMITIVE_API_KEY or saved credentials)."
+		}),
+		"api-base-url": Flags.string({ description: "Override the API base URL." })
+	};
+	async run() {
+		const { flags } = await this.parse(AgentUpgradeCommand);
+		const { apiClient } = await createAuthenticatedCliApiClient({
+			apiKey: flags["api-key"],
+			apiBaseUrl: flags["api-base-url"],
+			configDir: this.config.configDir
+		});
+		const email = flags.email ?? await promptRequired$1("Email to confirm: ");
+		const started = await startAgentClaim({
+			body: { email },
+			client: apiClient.client,
+			responseStyle: "fields"
+		});
+		if (!started.data) {
+			writeErrorWithHints(extractErrorPayload(started.error));
+			this.exit(1);
+			return;
+		}
+		process$1.stderr.write(`Verification code sent to ${email}.\n`);
+		const verified = await verifyAgentClaim({
+			body: { verification_code: flags.code ?? await promptRequired$1("Verification code: ") },
+			client: apiClient.client,
+			responseStyle: "fields"
+		});
+		const result = verified.data?.data;
+		if (result) {
+			this.log(JSON.stringify(result, null, 2));
+			process$1.stderr.write(`Upgraded to ${result.plan}. Your API key and managed inbox carry over; the send cap is lifted.\n`);
+			return;
+		}
+		writeErrorWithHints(extractErrorPayload(verified.error));
+		this.exit(1);
+	}
+};
+async function promptRequired$1(question) {
+	const rl = createInterface({
+		input: process$1.stdin,
+		output: process$1.stderr
+	});
+	try {
+		for (;;) {
+			const answer = (await rl.question(question)).trim();
+			if (answer) return answer;
+		}
+	} finally {
+		rl.close();
+	}
+}
+//#endregion
 //#region src/oclif/attachments.ts
 function readAttachmentBytes(path, readFile) {
 	try {
@@ -18138,8 +19382,8 @@ const PRIMITIVE_TEAM_AUTHOR = {
 	name: "Primitive Team",
 	url: "https://primitive.dev"
 };
-const SDK_VERSION_RANGE = "^1.2.1";
-const CLI_VERSION_RANGE = "^1.2.1";
+const SDK_VERSION_RANGE = "^1.5.0";
+const CLI_VERSION_RANGE = "^1.5.0";
 const ESBUILD_VERSION_RANGE = "^0.27.0";
 function renderHandler() {
 	return `// env.PRIMITIVE_API_KEY, env.PRIMITIVE_WEBHOOK_SECRET, and
@@ -21284,6 +22528,251 @@ var LogoutCommand = class LogoutCommand extends Command {
 	}
 };
 //#endregion
+//#region src/oclif/commands/org-secrets-shared.ts
+function orgSecretsUrl(baseUrl, key) {
+	const base = `${baseUrl.replace(/\/$/, "")}/org/secrets`;
+	return key ? `${base}/${encodeURIComponent(key)}` : base;
+}
+function orgSecretsAuthHeaders(requestHeaders, apiKey) {
+	return {
+		...requestHeaders ?? {},
+		...apiKey ? { authorization: `Bearer ${apiKey}` } : {}
+	};
+}
+async function orgSecretsErrorPayload(response) {
+	if ((response.headers.get("content-type")?.toLowerCase() ?? "").includes("application/json")) return response.json().catch(() => ({
+		code: "http_error",
+		message: `HTTP ${response.status} ${response.statusText}`.trim()
+	}));
+	return {
+		code: "http_error",
+		message: (await response.text().catch(() => "")).trim() || `HTTP ${response.status} ${response.statusText}`.trim()
+	};
+}
+async function runOrgSecretsRequest(fetchImpl, baseUrl, headers, op) {
+	const url = op.kind === "remove" ? orgSecretsUrl(baseUrl, op.key) : orgSecretsUrl(baseUrl);
+	const init = op.kind === "set" ? {
+		method: "POST",
+		headers: {
+			...headers,
+			"content-type": "application/json"
+		},
+		body: JSON.stringify({
+			key: op.key,
+			value: op.value
+		})
+	} : op.kind === "remove" ? {
+		method: "DELETE",
+		headers
+	} : { headers };
+	let response;
+	try {
+		response = await fetchImpl(url, init);
+	} catch (error) {
+		return {
+			kind: "error",
+			payload: extractErrorPayload(error)
+		};
+	}
+	if (!response.ok) return {
+		kind: "error",
+		payload: extractErrorPayload(await orgSecretsErrorPayload(response))
+	};
+	if (op.kind === "remove") return {
+		kind: "ok",
+		data: null
+	};
+	const body = await response.json().catch(() => ({}));
+	if (op.kind === "list") return {
+		kind: "ok",
+		data: body.data?.items ?? []
+	};
+	return {
+		kind: "ok",
+		data: body.data ?? {}
+	};
+}
+//#endregion
+//#region src/oclif/commands/org-secrets-list.ts
+var OrgSecretsListCommand = class OrgSecretsListCommand extends Command {
+	static description = `List your organization's global secrets.
+
+  Global secrets apply to every function in the org and are read as
+  \`env.<KEY>\` in handlers. Only the keys and timestamps are returned;
+  the values are encrypted at rest and never surfaced.`;
+	static summary = "List global secrets (keys only; values never returned)";
+	static examples = ["<%= config.bin %> org secrets list"];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(OrgSecretsListCommand);
+		await runWithTiming(flags.time, async () => {
+			const { auth, baseUrlOverridden, requestConfig } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl: flags["api-base-url"],
+				configDir: this.config.configDir
+			});
+			const outcome = await runOrgSecretsRequest(fetch, requestConfig.resolvedApiBaseUrl, orgSecretsAuthHeaders(requestConfig.headers, auth.apiKey), { kind: "list" });
+			if (outcome.kind === "error") {
+				writeErrorWithHints(outcome.payload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: outcome.payload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			this.log(JSON.stringify(outcome.data, null, 2));
+		});
+	}
+};
+//#endregion
+//#region src/oclif/commands/org-secrets-remove.ts
+var OrgSecretsRemoveCommand = class OrgSecretsRemoveCommand extends Command {
+	static description = `Delete a global secret.
+
+  Deployed functions keep the previous value until each is redeployed. A
+  function that defines its own secret of the same name is unaffected.`;
+	static summary = "Delete a global secret";
+	static aliases = ["org:secrets:delete"];
+	static examples = ["<%= config.bin %> org secrets remove --key STRIPE_KEY"];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		key: Flags.string({
+			description: "Global secret key to delete.",
+			required: true
+		}),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(OrgSecretsRemoveCommand);
+		await runWithTiming(flags.time, async () => {
+			const { auth, baseUrlOverridden, requestConfig } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl: flags["api-base-url"],
+				configDir: this.config.configDir
+			});
+			const outcome = await runOrgSecretsRequest(fetch, requestConfig.resolvedApiBaseUrl, orgSecretsAuthHeaders(requestConfig.headers, auth.apiKey), {
+				kind: "remove",
+				key: flags.key
+			});
+			if (outcome.kind === "error") {
+				writeErrorWithHints(outcome.payload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: outcome.payload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			process.stderr.write(`Global secret ${flags.key} deleted. Deployed functions keep the previous value until each is redeployed.\n`);
+		});
+	}
+};
+//#endregion
+//#region src/oclif/commands/org-secrets-set.ts
+var OrgSecretsSetCommand = class OrgSecretsSetCommand extends Command {
+	static description = `Set a global secret available to every function as \`env.<KEY>\`.
+
+  Global secrets are read into each function at deploy time, so a new or
+  changed value lands in a function only on its next redeploy. A function
+  secret with the same key overrides the global value for that function.
+
+  Keys must match \`^[A-Z_][A-Z0-9_]*$\` (uppercase letters, digits,
+  underscores; first character a letter or underscore). System-managed keys
+  are reserved and rejected. ${SINGLE_SECRET_VALUE_SOURCE_DESCRIPTION}`;
+	static summary = "Set a global secret shared across all functions";
+	static examples = [
+		"<%= config.bin %> org secrets set --key STRIPE_KEY --value sk_live_...",
+		"<%= config.bin %> org secrets set --key OPENAI_KEY --value-from-env OPENAI_KEY",
+		"printf '%s' \"$OPENAI_KEY\" | <%= config.bin %> org secrets set --key OPENAI_KEY --stdin"
+	];
+	static flags = {
+		"api-key": Flags.string({
+			description: "Primitive API key override (defaults to PRIMITIVE_API_KEY or saved OAuth login credentials)",
+			env: "PRIMITIVE_API_KEY"
+		}),
+		"api-base-url": Flags.string({
+			description: "Override the primary API base URL. Internal testing only; not documented to customers.",
+			env: "PRIMITIVE_API_BASE_URL",
+			hidden: true
+		}),
+		key: Flags.string({
+			description: "Secret key. Uppercase letters, digits, underscores; must start with a letter or underscore. System-managed keys are reserved.",
+			required: true
+		}),
+		value: Flags.string({ description: "Secret value (up to 4096 UTF-8 bytes). Encrypted at rest. Visible in shell history and process argv; prefer a non-argv source for sensitive values." }),
+		"value-from-env": Flags.string({ description: "Environment variable to read as the secret value. Example: --value-from-env OPENAI_KEY reads process.env.OPENAI_KEY." }),
+		"value-file": Flags.string({ description: "UTF-8 file to read as the secret value. The full file contents become the value." }),
+		"value-from-env-file": Flags.string({ description: "Dotenv-style file to read as the secret value. Use FILE to read --key from that file, or FILE:KEY to read a different key." }),
+		stdin: Flags.boolean({ description: "Read the secret value from stdin. A single trailing line ending is stripped." }),
+		time: Flags.boolean({ description: TIME_FLAG_DESCRIPTION })
+	};
+	async run() {
+		const { flags } = await this.parse(OrgSecretsSetCommand);
+		await runWithTiming(flags.time, async () => {
+			const { auth, baseUrlOverridden, requestConfig } = await createAuthenticatedCliApiClient({
+				apiKey: flags["api-key"],
+				apiBaseUrl: flags["api-base-url"],
+				configDir: this.config.configDir
+			});
+			const resolved = resolveSingleSecretValue({
+				key: flags.key,
+				value: flags.value,
+				valueFile: flags["value-file"],
+				valueFromEnv: flags["value-from-env"],
+				valueFromEnvFile: flags["value-from-env-file"],
+				stdin: flags.stdin
+			});
+			if (resolved.kind === "error") {
+				process.stderr.write(`${resolved.message}\n`);
+				process.exitCode = 1;
+				return;
+			}
+			const outcome = await runOrgSecretsRequest(fetch, requestConfig.resolvedApiBaseUrl, orgSecretsAuthHeaders(requestConfig.headers, auth.apiKey), {
+				kind: "set",
+				key: flags.key,
+				value: resolved.value
+			});
+			if (outcome.kind === "error") {
+				writeErrorWithHints(outcome.payload);
+				surfaceUnauthorizedHint({
+					auth,
+					baseUrlOverridden,
+					configDir: this.config.configDir,
+					payload: outcome.payload
+				});
+				process.exitCode = 1;
+				return;
+			}
+			this.log(JSON.stringify(outcome.data, null, 2));
+			process.stderr.write(`Global secret ${flags.key} saved. Deployed functions pick it up on their next redeploy; a function secret of the same name overrides it.\n`);
+		});
+	}
+};
+//#endregion
 //#region src/oclif/message-body-sources.ts
 function defaultReadFile(path) {
 	return readFileSync(path, "utf8");
@@ -22657,6 +24146,10 @@ const CANONICAL_OPERATION_ALIASES = {
 	"account:show": "account:get-account",
 	"account:storage": "account:get-storage-stats",
 	"account:webhook-secret": "account:get-webhook-secret",
+	"agent:claim": "agent:start-agent-claim",
+	"agent:claim-link": "agent:create-agent-claim-link",
+	"agent:claim-verify": "agent:verify-agent-claim",
+	"agent:create": "agent:create-agent-account",
 	"deliveries:list": "webhook-deliveries:list-deliveries",
 	"deliveries:replay": "webhook-deliveries:replay-delivery",
 	"domains:add": "domains:add-domain",
@@ -22715,6 +24208,7 @@ const OVERRIDDEN_OPERATION_IDS = new Set([
 const generatedCommands = Object.fromEntries(operationManifest.filter((operation) => !OVERRIDDEN_OPERATION_IDS.has(operationId(operation))).map((operation) => [operationId(operation), createOperationCommand(operation)]));
 const COMMANDS = {
 	completion: CompletionCommand,
+	"agent:upgrade": AgentUpgradeCommand,
 	"list-operations": ListOperationsCommand,
 	config: ConfigCommand,
 	"config:list": ConfigListCommand,
@@ -22767,6 +24261,9 @@ const COMMANDS = {
 	"functions:deploy": FunctionsDeployCommand,
 	"functions:redeploy": FunctionsRedeployCommand,
 	"functions:set-secret": FunctionsSetSecretCommand,
+	"org:secrets:list": OrgSecretsListCommand,
+	"org:secrets:set": OrgSecretsSetCommand,
+	"org:secrets:remove": OrgSecretsRemoveCommand,
 	"functions:test": FunctionsTestFunctionCommand,
 	"functions:test-function": FunctionsTestFunctionCommand,
 	"functions:route-set": FunctionsRouteSetCommand,