@agenticmail/enterprise 0.2.2 → 0.3.0

package/dist/chunk-FL3VQBGL.js

@@ -0,0 +1,757 @@
+import {
+  CircuitBreaker,
+  HealthMonitor,
+  KeyedRateLimiter,
+  requestId
+} from "./chunk-JLSQOQ5L.js";
+
+// src/server.ts
+import { Hono as Hono3 } from "hono";
+import { cors } from "hono/cors";
+import { serve } from "@hono/node-server";
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, join } from "path";
+
+// src/admin/routes.ts
+import { Hono } from "hono";
+
+// src/middleware/index.ts
+function requestIdMiddleware() {
+  return async (c, next) => {
+    const id = c.req.header("X-Request-Id") || requestId();
+    c.set("requestId", id);
+    c.header("X-Request-Id", id);
+    await next();
+  };
+}
+function requestLogger() {
+  return async (c, next) => {
+    const start = Date.now();
+    const method = c.req.method;
+    const path = c.req.path;
+    await next();
+    const elapsed = Date.now() - start;
+    const status = c.res.status;
+    const reqId = c.get("requestId") || "-";
+    const level = status >= 500 ? "ERROR" : status >= 400 ? "WARN" : "INFO";
+    console.log(
+      `[${(/* @__PURE__ */ new Date()).toISOString()}] ${level} ${method} ${path} ${status} ${elapsed}ms req=${reqId}`
+    );
+  };
+}
+function rateLimiter(config) {
+  const limiter = new KeyedRateLimiter({
+    maxTokens: config.limit,
+    refillRate: config.limit / config.windowSec
+  });
+  return async (c, next) => {
+    if (config.skipPaths?.some((p) => c.req.path.startsWith(p))) {
+      return next();
+    }
+    const key = config.keyFn?.(c) || c.req.header("x-forwarded-for")?.split(",")[0]?.trim() || c.req.header("x-real-ip") || "unknown";
+    if (!limiter.tryConsume(key)) {
+      const retryAfter = Math.ceil(limiter.getRetryAfterMs(key) / 1e3);
+      c.header("Retry-After", String(retryAfter));
+      c.header("X-RateLimit-Limit", String(config.limit));
+      c.header("X-RateLimit-Remaining", "0");
+      return c.json(
+        { error: "Too many requests", retryAfter },
+        429
+      );
+    }
+    await next();
+  };
+}
+function securityHeaders() {
+  return async (c, next) => {
+    await next();
+    c.header("X-Content-Type-Options", "nosniff");
+    c.header("X-Frame-Options", "DENY");
+    c.header("X-XSS-Protection", "0");
+    c.header("Referrer-Policy", "strict-origin-when-cross-origin");
+    c.header("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
+    if (c.req.url.startsWith("https://") || c.req.header("x-forwarded-proto") === "https") {
+      c.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+    }
+  };
+}
+function errorHandler() {
+  return async (c, next) => {
+    try {
+      await next();
+    } catch (err) {
+      const reqId = c.get("requestId");
+      const status = err.status || err.statusCode || 500;
+      const message = status >= 500 ? "Internal server error" : err.message;
+      if (status >= 500) {
+        console.error(`[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR req=${reqId}`, err);
+      }
+      const body = {
+        error: message,
+        code: err.code,
+        requestId: reqId
+      };
+      if (status === 400 && err.details) {
+        body.details = err.details;
+      }
+      return c.json(body, status);
+    }
+  };
+}
+var ValidationError = class extends Error {
+  status = 400;
+  code = "VALIDATION_ERROR";
+  details;
+  constructor(details) {
+    const fields = Object.keys(details).join(", ");
+    super(`Validation failed: ${fields}`);
+    this.details = details;
+  }
+};
+function validate(body, validators) {
+  const errors = {};
+  for (const v of validators) {
+    const value = body[v.field];
+    if (value === void 0 || value === null || value === "") {
+      if (v.required) errors[v.field] = "Required";
+      continue;
+    }
+    switch (v.type) {
+      case "string":
+        if (typeof value !== "string") {
+          errors[v.field] = "Must be a string";
+          break;
+        }
+        if (v.minLength && value.length < v.minLength) errors[v.field] = `Min length: ${v.minLength}`;
+        if (v.maxLength && value.length > v.maxLength) errors[v.field] = `Max length: ${v.maxLength}`;
+        if (v.pattern && !v.pattern.test(value)) errors[v.field] = "Invalid format";
+        break;
+      case "number":
+        if (typeof value !== "number" || isNaN(value)) {
+          errors[v.field] = "Must be a number";
+          break;
+        }
+        if (v.min !== void 0 && value < v.min) errors[v.field] = `Min: ${v.min}`;
+        if (v.max !== void 0 && value > v.max) errors[v.field] = `Max: ${v.max}`;
+        break;
+      case "boolean":
+        if (typeof value !== "boolean") errors[v.field] = "Must be a boolean";
+        break;
+      case "email":
+        if (typeof value !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value))
+          errors[v.field] = "Invalid email";
+        break;
+      case "url":
+        try {
+          new URL(value);
+        } catch {
+          errors[v.field] = "Invalid URL";
+        }
+        break;
+      case "uuid":
+        if (typeof value !== "string" || !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value))
+          errors[v.field] = "Invalid UUID";
+        break;
+    }
+  }
+  if (Object.keys(errors).length > 0) {
+    throw new ValidationError(errors);
+  }
+}
+function auditLogger(db) {
+  const AUDIT_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH", "DELETE"]);
+  return async (c, next) => {
+    await next();
+    if (!AUDIT_METHODS.has(c.req.method)) return;
+    if (c.res.status >= 400) return;
+    try {
+      const userId = c.get("userId") || "anonymous";
+      const path = c.req.path;
+      const method = c.req.method;
+      const segments = path.split("/").filter(Boolean);
+      const resource = segments[segments.length - 2] || segments[segments.length - 1] || "unknown";
+      const actionMap = {
+        POST: "create",
+        PUT: "update",
+        PATCH: "update",
+        DELETE: "delete"
+      };
+      const action = `${resource}.${actionMap[method] || method.toLowerCase()}`;
+      await db.logEvent({
+        actor: userId,
+        actorType: "user",
+        action,
+        resource: path,
+        ip: c.req.header("x-forwarded-for")?.split(",")[0]?.trim() || c.req.header("x-real-ip")
+      });
+    } catch {
+    }
+  };
+}
+var ROLE_HIERARCHY = {
+  viewer: 0,
+  member: 1,
+  admin: 2,
+  owner: 3
+};
+function requireRole(minRole) {
+  return async (c, next) => {
+    const userRole = c.get("userRole");
+    if (c.get("authType") === "api-key") {
+      return next();
+    }
+    if (!userRole || ROLE_HIERARCHY[userRole] < ROLE_HIERARCHY[minRole]) {
+      return c.json({
+        error: "Insufficient permissions",
+        required: minRole,
+        current: userRole || "none"
+      }, 403);
+    }
+    return next();
+  };
+}
+
+// src/admin/routes.ts
+function createAdminRoutes(db) {
+  const api = new Hono();
+  api.get("/stats", async (c) => {
+    const stats = await db.getStats();
+    return c.json(stats);
+  });
+  api.get("/agents", async (c) => {
+    const status = c.req.query("status");
+    const limit = Math.min(parseInt(c.req.query("limit") || "50"), 200);
+    const offset = Math.max(parseInt(c.req.query("offset") || "0"), 0);
+    const agents = await db.listAgents({ status, limit, offset });
+    const total = await db.countAgents(status);
+    return c.json({ agents, total, limit, offset });
+  });
+  api.get("/agents/:id", async (c) => {
+    const agent = await db.getAgent(c.req.param("id"));
+    if (!agent) return c.json({ error: "Agent not found" }, 404);
+    return c.json(agent);
+  });
+  api.post("/agents", async (c) => {
+    const body = await c.req.json();
+    validate(body, [
+      { field: "name", type: "string", required: true, minLength: 1, maxLength: 64, pattern: /^[a-zA-Z0-9_-]+$/ },
+      { field: "email", type: "email" },
+      { field: "role", type: "string", maxLength: 32 }
+    ]);
+    const existing = await db.getAgentByName(body.name);
+    if (existing) {
+      return c.json({ error: "Agent name already exists" }, 409);
+    }
+    const userId = c.get("userId") || "system";
+    const agent = await db.createAgent({ ...body, createdBy: userId });
+    return c.json(agent, 201);
+  });
+  api.patch("/agents/:id", async (c) => {
+    const id = c.req.param("id");
+    const existing = await db.getAgent(id);
+    if (!existing) return c.json({ error: "Agent not found" }, 404);
+    const body = await c.req.json();
+    validate(body, [
+      { field: "name", type: "string", minLength: 1, maxLength: 64 },
+      { field: "email", type: "email" },
+      { field: "role", type: "string", maxLength: 32 },
+      { field: "status", type: "string", pattern: /^(active|archived|suspended)$/ }
+    ]);
+    if (body.name && body.name !== existing.name) {
+      const conflict = await db.getAgentByName(body.name);
+      if (conflict) return c.json({ error: "Agent name already exists" }, 409);
+    }
+    const agent = await db.updateAgent(id, body);
+    return c.json(agent);
+  });
+  api.post("/agents/:id/archive", async (c) => {
+    const existing = await db.getAgent(c.req.param("id"));
+    if (!existing) return c.json({ error: "Agent not found" }, 404);
+    if (existing.status === "archived") return c.json({ error: "Agent already archived" }, 400);
+    await db.archiveAgent(c.req.param("id"));
+    return c.json({ ok: true, status: "archived" });
+  });
+  api.post("/agents/:id/restore", async (c) => {
+    const existing = await db.getAgent(c.req.param("id"));
+    if (!existing) return c.json({ error: "Agent not found" }, 404);
+    if (existing.status !== "archived") return c.json({ error: "Agent is not archived" }, 400);
+    await db.updateAgent(c.req.param("id"), { status: "active" });
+    return c.json({ ok: true, status: "active" });
+  });
+  api.delete("/agents/:id", requireRole("admin"), async (c) => {
+    const existing = await db.getAgent(c.req.param("id"));
+    if (!existing) return c.json({ error: "Agent not found" }, 404);
+    await db.deleteAgent(c.req.param("id"));
+    return c.json({ ok: true });
+  });
+  api.get("/users", requireRole("admin"), async (c) => {
+    const limit = Math.min(parseInt(c.req.query("limit") || "50"), 200);
+    const offset = Math.max(parseInt(c.req.query("offset") || "0"), 0);
+    const users = await db.listUsers({ limit, offset });
+    const safe = users.map(({ passwordHash, ...u }) => u);
+    return c.json({ users: safe, limit, offset });
+  });
+  api.post("/users", requireRole("admin"), async (c) => {
+    const body = await c.req.json();
+    validate(body, [
+      { field: "email", type: "email", required: true },
+      { field: "name", type: "string", required: true, minLength: 1, maxLength: 128 },
+      { field: "role", type: "string", required: true, pattern: /^(owner|admin|member|viewer)$/ },
+      { field: "password", type: "string", minLength: 8, maxLength: 128 }
+    ]);
+    const existing = await db.getUserByEmail(body.email);
+    if (existing) return c.json({ error: "Email already registered" }, 409);
+    const user = await db.createUser(body);
+    const { passwordHash, ...safe } = user;
+    return c.json(safe, 201);
+  });
+  api.patch("/users/:id", requireRole("admin"), async (c) => {
+    const existing = await db.getUser(c.req.param("id"));
+    if (!existing) return c.json({ error: "User not found" }, 404);
+    const body = await c.req.json();
+    validate(body, [
+      { field: "email", type: "email" },
+      { field: "name", type: "string", minLength: 1, maxLength: 128 },
+      { field: "role", type: "string", pattern: /^(owner|admin|member|viewer)$/ }
+    ]);
+    const user = await db.updateUser(c.req.param("id"), body);
+    const { passwordHash, ...safe } = user;
+    return c.json(safe);
+  });
+  api.delete("/users/:id", requireRole("owner"), async (c) => {
+    const existing = await db.getUser(c.req.param("id"));
+    if (!existing) return c.json({ error: "User not found" }, 404);
+    const requesterId = c.get("userId");
+    if (requesterId === c.req.param("id")) {
+      return c.json({ error: "Cannot delete your own account" }, 400);
+    }
+    await db.deleteUser(c.req.param("id"));
+    return c.json({ ok: true });
+  });
+  api.get("/audit", requireRole("admin"), async (c) => {
+    const filters = {
+      actor: c.req.query("actor") || void 0,
+      action: c.req.query("action") || void 0,
+      resource: c.req.query("resource") || void 0,
+      from: c.req.query("from") ? new Date(c.req.query("from")) : void 0,
+      to: c.req.query("to") ? new Date(c.req.query("to")) : void 0,
+      limit: Math.min(parseInt(c.req.query("limit") || "50"), 500),
+      offset: Math.max(parseInt(c.req.query("offset") || "0"), 0)
+    };
+    if (filters.from && isNaN(filters.from.getTime())) {
+      return c.json({ error: 'Invalid "from" date' }, 400);
+    }
+    if (filters.to && isNaN(filters.to.getTime())) {
+      return c.json({ error: 'Invalid "to" date' }, 400);
+    }
+    const result = await db.queryAudit(filters);
+    return c.json(result);
+  });
+  api.get("/api-keys", requireRole("admin"), async (c) => {
+    const keys = await db.listApiKeys();
+    const safe = keys.map(({ keyHash, ...k }) => k);
+    return c.json({ keys: safe });
+  });
+  api.post("/api-keys", requireRole("admin"), async (c) => {
+    const body = await c.req.json();
+    validate(body, [
+      { field: "name", type: "string", required: true, minLength: 1, maxLength: 64 }
+    ]);
+    const userId = c.get("userId") || "system";
+    const scopes = Array.isArray(body.scopes) ? body.scopes : ["*"];
+    const expiresAt = body.expiresAt ? new Date(body.expiresAt) : void 0;
+    const { key, plaintext } = await db.createApiKey({
+      name: body.name,
+      scopes,
+      createdBy: userId,
+      expiresAt
+    });
+    const { keyHash, ...safeKey } = key;
+    return c.json({
+      key: safeKey,
+      plaintext,
+      warning: "Store this key securely. It will not be shown again."
+    }, 201);
+  });
+  api.delete("/api-keys/:id", requireRole("admin"), async (c) => {
+    const existing = await db.getApiKey(c.req.param("id"));
+    if (!existing) return c.json({ error: "API key not found" }, 404);
+    await db.revokeApiKey(c.req.param("id"));
+    return c.json({ ok: true, revoked: true });
+  });
+  api.get("/rules", async (c) => {
+    const agentId = c.req.query("agentId") || void 0;
+    const rules = await db.getRules(agentId);
+    return c.json({ rules });
+  });
+  api.post("/rules", async (c) => {
+    const body = await c.req.json();
+    validate(body, [
+      { field: "name", type: "string", required: true, minLength: 1, maxLength: 128 }
+    ]);
+    if (body.conditions && typeof body.conditions !== "object") {
+      return c.json({ error: "conditions must be an object" }, 400);
+    }
+    if (body.actions && typeof body.actions !== "object") {
+      return c.json({ error: "actions must be an object" }, 400);
+    }
+    const rule = await db.createRule({
+      name: body.name,
+      agentId: body.agentId,
+      conditions: body.conditions || {},
+      actions: body.actions || {},
+      priority: body.priority ?? 0,
+      enabled: body.enabled ?? true
+    });
+    return c.json(rule, 201);
+  });
+  api.patch("/rules/:id", async (c) => {
+    const body = await c.req.json();
+    const rule = await db.updateRule(c.req.param("id"), body);
+    return c.json(rule);
+  });
+  api.delete("/rules/:id", async (c) => {
+    await db.deleteRule(c.req.param("id"));
+    return c.json({ ok: true });
+  });
+  api.get("/settings", async (c) => {
+    const settings = await db.getSettings();
+    if (!settings) return c.json({ error: "Not configured" }, 404);
+    const safe = { ...settings };
+    if (safe.smtpPass) safe.smtpPass = "***";
+    if (safe.dkimPrivateKey) safe.dkimPrivateKey = "***";
+    return c.json(safe);
+  });
+  api.patch("/settings", requireRole("admin"), async (c) => {
+    const body = await c.req.json();
+    validate(body, [
+      { field: "name", type: "string", minLength: 1, maxLength: 128 },
+      { field: "domain", type: "string", maxLength: 253 },
+      { field: "primaryColor", type: "string", pattern: /^#[0-9a-fA-F]{6}$/ },
+      { field: "logoUrl", type: "url" }
+    ]);
+    const settings = await db.updateSettings(body);
+    return c.json(settings);
+  });
+  api.get("/retention", requireRole("admin"), async (c) => {
+    const policy = await db.getRetentionPolicy();
+    return c.json(policy);
+  });
+  api.put("/retention", requireRole("owner"), async (c) => {
+    const body = await c.req.json();
+    validate(body, [
+      { field: "enabled", type: "boolean", required: true },
+      { field: "retainDays", type: "number", required: true, min: 1, max: 3650 },
+      { field: "archiveFirst", type: "boolean" }
+    ]);
+    await db.setRetentionPolicy({
+      enabled: body.enabled,
+      retainDays: body.retainDays,
+      excludeTags: body.excludeTags || [],
+      archiveFirst: body.archiveFirst ?? true
+    });
+    return c.json({ ok: true });
+  });
+  return api;
+}
+
+// src/auth/routes.ts
+import { Hono as Hono2 } from "hono";
+function createAuthRoutes(db, jwtSecret) {
+  const auth = new Hono2();
+  auth.post("/login", async (c) => {
+    const { email, password } = await c.req.json();
+    if (!email || !password) {
+      return c.json({ error: "Email and password required" }, 400);
+    }
+    const user = await db.getUserByEmail(email);
+    if (!user || !user.passwordHash) {
+      return c.json({ error: "Invalid credentials" }, 401);
+    }
+    const { default: bcrypt } = await import("bcryptjs");
+    const valid = await bcrypt.compare(password, user.passwordHash);
+    if (!valid) {
+      return c.json({ error: "Invalid credentials" }, 401);
+    }
+    const { SignJWT } = await import("jose");
+    const secret = new TextEncoder().encode(jwtSecret);
+    const token = await new SignJWT({ sub: user.id, email: user.email, role: user.role }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime("24h").sign(secret);
+    await db.updateUser(user.id, { lastLoginAt: /* @__PURE__ */ new Date() });
+    await db.logEvent({
+      actor: user.id,
+      actorType: "user",
+      action: "auth.login",
+      resource: `user:${user.id}`,
+      details: { method: "password" },
+      ip: c.req.header("x-forwarded-for") || c.req.header("x-real-ip")
+    });
+    return c.json({
+      token,
+      user: { id: user.id, email: user.email, name: user.name, role: user.role }
+    });
+  });
+  auth.post("/refresh", async (c) => {
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader?.startsWith("Bearer ")) {
+      return c.json({ error: "Token required" }, 401);
+    }
+    try {
+      const { jwtVerify, SignJWT } = await import("jose");
+      const secret = new TextEncoder().encode(jwtSecret);
+      const { payload } = await jwtVerify(authHeader.slice(7), secret);
+      const user = await db.getUser(payload.sub);
+      if (!user) return c.json({ error: "User not found" }, 401);
+      const token = await new SignJWT({ sub: user.id, email: user.email, role: user.role }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime("24h").sign(secret);
+      return c.json({ token });
+    } catch {
+      return c.json({ error: "Invalid token" }, 401);
+    }
+  });
+  auth.get("/me", async (c) => {
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader?.startsWith("Bearer ")) {
+      return c.json({ error: "Token required" }, 401);
+    }
+    try {
+      const { jwtVerify } = await import("jose");
+      const secret = new TextEncoder().encode(jwtSecret);
+      const { payload } = await jwtVerify(authHeader.slice(7), secret);
+      const user = await db.getUser(payload.sub);
+      if (!user) return c.json({ error: "User not found" }, 404);
+      const { passwordHash, ...safe } = user;
+      return c.json(safe);
+    } catch {
+      return c.json({ error: "Invalid token" }, 401);
+    }
+  });
+  auth.post("/saml/callback", async (c) => {
+    return c.json({ error: "SAML not yet configured" }, 501);
+  });
+  auth.get("/saml/metadata", async (c) => {
+    return c.json({ error: "SAML not yet configured" }, 501);
+  });
+  auth.get("/oidc/authorize", async (c) => {
+    return c.json({ error: "OIDC not yet configured" }, 501);
+  });
+  auth.get("/oidc/callback", async (c) => {
+    return c.json({ error: "OIDC not yet configured" }, 501);
+  });
+  return auth;
+}
+
+// src/server.ts
+function createServer(config) {
+  const app = new Hono3();
+  const dbBreaker = new CircuitBreaker({
+    failureThreshold: 5,
+    recoveryTimeMs: 3e4,
+    timeout: 1e4
+  });
+  const healthMonitor = new HealthMonitor(
+    async () => {
+      await config.db.getStats();
+    },
+    { intervalMs: 3e4, timeoutMs: 5e3, unhealthyThreshold: 3 }
+  );
+  healthMonitor.onStatusChange((healthy) => {
+    console.log(
+      `[${(/* @__PURE__ */ new Date()).toISOString()}] ${healthy ? "\u2705" : "\u274C"} Database health: ${healthy ? "healthy" : "unhealthy"}`
+    );
+  });
+  app.use("*", requestIdMiddleware());
+  app.use("*", errorHandler());
+  app.use("*", securityHeaders());
+  app.use("*", cors({
+    origin: config.corsOrigins || "*",
+    credentials: true,
+    allowHeaders: ["Content-Type", "Authorization", "X-API-Key", "X-Request-Id"],
+    exposeHeaders: ["X-Request-Id", "X-RateLimit-Limit", "X-RateLimit-Remaining", "Retry-After"]
+  }));
+  app.use("*", rateLimiter({
+    limit: config.rateLimit ?? 120,
+    windowSec: 60,
+    skipPaths: ["/health", "/ready"]
+  }));
+  if (config.logging !== false) {
+    app.use("*", requestLogger());
+  }
+  app.get("/health", (c) => c.json({
+    status: "ok",
+    version: "0.2.2",
+    uptime: process.uptime()
+  }));
+  app.get("/ready", async (c) => {
+    const dbHealthy = healthMonitor.isHealthy();
+    const status = dbHealthy ? 200 : 503;
+    return c.json({
+      ready: dbHealthy,
+      checks: {
+        database: dbHealthy ? "ok" : "unhealthy",
+        circuitBreaker: dbBreaker.getState()
+      }
+    }, status);
+  });
+  const authRoutes = createAuthRoutes(config.db, config.jwtSecret);
+  app.route("/auth", authRoutes);
+  const api = new Hono3();
+  api.use("*", async (c, next) => {
+    const apiKeyHeader = c.req.header("X-API-Key");
+    if (apiKeyHeader) {
+      const key = await dbBreaker.execute(() => config.db.validateApiKey(apiKeyHeader));
+      if (!key) return c.json({ error: "Invalid API key" }, 401);
+      c.set("userId", key.createdBy);
+      c.set("authType", "api-key");
+      c.set("apiKeyScopes", key.scopes);
+      return next();
+    }
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader?.startsWith("Bearer ")) {
+      return c.json({ error: "Authentication required" }, 401);
+    }
+    try {
+      const { jwtVerify } = await import("jose");
+      const secret = new TextEncoder().encode(config.jwtSecret);
+      const { payload } = await jwtVerify(authHeader.slice(7), secret);
+      c.set("userId", payload.sub);
+      c.set("userRole", payload.role);
+      c.set("authType", "jwt");
+      return next();
+    } catch {
+      return c.json({ error: "Invalid or expired token" }, 401);
+    }
+  });
+  api.use("*", auditLogger(config.db));
+  const adminRoutes = createAdminRoutes(config.db);
+  api.route("/", adminRoutes);
+  let engineInitialized = false;
+  api.all("/engine/*", async (c, next) => {
+    try {
+      const { engineRoutes, setEngineDb } = await import("./routes-2JEPIIKC.js");
+      const { EngineDatabase } = await import("./db-adapter-DEWEFNIV.js");
+      if (!engineInitialized) {
+        const dbType = config.db.type || config.db.config?.type || "sqlite";
+        const dialectMap = {
+          sqlite: "sqlite",
+          postgres: "postgres",
+          postgresql: "postgres",
+          mysql: "mysql",
+          mariadb: "mysql",
+          turso: "turso",
+          libsql: "turso",
+          mongodb: "mongodb",
+          dynamodb: "dynamodb"
+        };
+        const dialect = dialectMap[dbType] || "sqlite";
+        const engineDbWrapper = {
+          run: async (sql, params) => {
+            await config.db.run?.(sql, params) ?? config.db.query?.(sql, params);
+          },
+          get: async (sql, params) => {
+            if (config.db.get) return config.db.get(sql, params);
+            const rows = await config.db.query?.(sql, params) ?? [];
+            return rows[0];
+          },
+          all: async (sql, params) => {
+            if (config.db.all) return config.db.all(sql, params);
+            return await config.db.query?.(sql, params) ?? [];
+          }
+        };
+        const engineDb = new EngineDatabase(engineDbWrapper, dialect, config.db.rawDriver);
+        const migrationResult = await engineDb.migrate();
+        console.log(`[engine] Migrations: ${migrationResult.applied} applied, ${migrationResult.total} total`);
+        setEngineDb(engineDb);
+        engineInitialized = true;
+      }
+      const subPath = c.req.path.replace(/^\/api\/engine/, "") || "/";
+      const subReq = new Request(new URL(subPath, "http://localhost"), {
+        method: c.req.method,
+        headers: c.req.raw.headers,
+        body: c.req.method !== "GET" && c.req.method !== "HEAD" ? c.req.raw.body : void 0
+      });
+      return engineRoutes.fetch(subReq);
+    } catch (e) {
+      console.error("[engine] Error:", e.message);
+      return c.json({ error: "Engine module not available", detail: e.message }, 501);
+    }
+  });
+  app.route("/api", api);
+  let dashboardHtml = null;
+  function getDashboardHtml() {
+    if (!dashboardHtml) {
+      try {
+        const dir = dirname(fileURLToPath(import.meta.url));
+        dashboardHtml = readFileSync(join(dir, "dashboard", "index.html"), "utf-8");
+      } catch {
+        try {
+          dashboardHtml = readFileSync(join(process.cwd(), "node_modules", "@agenticmail", "enterprise", "dist", "dashboard", "index.html"), "utf-8");
+        } catch {
+          dashboardHtml = "<html><body><h1>Dashboard not found</h1><p>The dashboard HTML file could not be located.</p></body></html>";
+        }
+      }
+    }
+    return dashboardHtml;
+  }
+  app.get("/", (c) => c.redirect("/dashboard"));
+  app.get("/dashboard", (c) => c.html(getDashboardHtml()));
+  app.get("/dashboard/*", (c) => c.html(getDashboardHtml()));
+  app.notFound((c) => {
+    return c.json({ error: "Not found", path: c.req.path }, 404);
+  });
+  return {
+    app,
+    healthMonitor,
+    start: () => {
+      return new Promise((resolve) => {
+        const server = serve(
+          { fetch: app.fetch, port: config.port },
+          (info) => {
+            console.log(`
+\u{1F3E2} AgenticMail Enterprise`);
+            console.log(`   API:    http://localhost:${info.port}/api`);
+            console.log(`   Auth:   http://localhost:${info.port}/auth`);
+            console.log(`   Health: http://localhost:${info.port}/health`);
+            console.log("");
+            healthMonitor.start();
+            const shutdown = () => {
+              console.log("\n\u23F3 Shutting down gracefully...");
+              healthMonitor.stop();
+              server.close(() => {
+                config.db.disconnect().then(() => {
+                  console.log("\u2705 Shutdown complete");
+                  process.exit(0);
+                });
+              });
+              setTimeout(() => {
+                process.exit(1);
+              }, 1e4).unref();
+            };
+            process.on("SIGINT", shutdown);
+            process.on("SIGTERM", shutdown);
+            resolve({
+              close: () => {
+                healthMonitor.stop();
+                server.close();
+              }
+            });
+          }
+        );
+      });
+    }
+  };
+}
+
+export {
+  requestIdMiddleware,
+  requestLogger,
+  rateLimiter,
+  securityHeaders,
+  errorHandler,
+  ValidationError,
+  validate,
+  auditLogger,
+  requireRole,
+  createAdminRoutes,
+  createAuthRoutes,
+  createServer
+};