@agenticmail/enterprise 0.5.1 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/dist/chunk-ISOODMEF.js +1943 -0
  2. package/dist/chunk-PQADDAC2.js +765 -0
  3. package/dist/chunk-UPU23ZRG.js +154 -0
  4. package/dist/cli-recover-X4MKJQVV.js +97 -0
  5. package/dist/cli-verify-YT7IADFX.js +98 -0
  6. package/dist/cli.js +3 -3
  7. package/dist/domain-lock-Z5A74VJK.js +7 -0
  8. package/dist/index.js +2 -2
  9. package/dist/server-6LWKND7R.js +11 -0
  10. package/dist/setup-5CVRQ5ES.js +20 -0
  11. package/package.json +1 -1
  12. package/src/domain-lock/index.ts +1 -1
  13. package/src/setup/registration.ts +4 -3
package/dist/chunk-UPU23ZRG.js ADDED
@@ -0,0 +1,154 @@
1
+ // src/domain-lock/index.ts
2
+ import { randomBytes } from "crypto";
3
+ var REGISTRY_BASE_URL = process.env.AGENTICMAIL_REGISTRY_URL || "https://agenticmail.io/enterprise/v1";
4
+ var DomainLock = class {
5
+ registryUrl;
6
+ constructor(opts) {
7
+ this.registryUrl = (opts?.registryUrl || REGISTRY_BASE_URL).replace(/\/$/, "");
8
+ }
9
+ /**
10
+ * Generate a 256-bit deployment key.
11
+ * Returns the plaintext (hex) and its bcrypt hash.
12
+ * The plaintext should be shown to the user ONCE and never stored.
13
+ */
14
+ async generateDeploymentKey() {
15
+ const { default: bcrypt } = await import("bcryptjs");
16
+ const plaintext = randomBytes(32).toString("hex");
17
+ const hash = await bcrypt.hash(plaintext, 12);
18
+ return { plaintext, hash };
19
+ }
20
+ /**
21
+ * Register a domain with the central registry.
22
+ * Called during setup wizard Step 5.
23
+ *
24
+ * @param domain - The domain to register (e.g. "agents.agenticmail.io")
25
+ * @param keyHash - bcrypt hash of the deployment key
26
+ * @param opts - Optional org name and contact email
27
+ */
28
+ async register(domain, keyHash, opts) {
29
+ try {
30
+ const res = await fetch(`${this.registryUrl}/domains/register`, {
31
+ method: "POST",
32
+ headers: { "Content-Type": "application/json" },
33
+ body: JSON.stringify({
34
+ domain: domain.toLowerCase().trim(),
35
+ keyHash,
36
+ orgName: opts?.orgName,
37
+ contactEmail: opts?.contactEmail
38
+ }),
39
+ signal: AbortSignal.timeout(15e3)
40
+ });
41
+ const data = await res.json().catch(() => ({}));
42
+ if (res.status === 409) {
43
+ return {
44
+ success: false,
45
+ error: data.error || 'Domain is already registered and verified. Use "recover" if this is your domain.',
46
+ statusCode: 409
47
+ };
48
+ }
49
+ if (!res.ok) {
50
+ return {
51
+ success: false,
52
+ error: data.error || `Registration failed (HTTP ${res.status})`,
53
+ statusCode: res.status
54
+ };
55
+ }
56
+ return {
57
+ success: true,
58
+ registrationId: data.registrationId,
59
+ dnsChallenge: data.dnsChallenge
60
+ };
61
+ } catch (err) {
62
+ if (err.name === "TimeoutError" || err.name === "AbortError") {
63
+ return { success: false, error: "Registry server unreachable (timeout). You can retry later or continue without registration." };
64
+ }
65
+ return { success: false, error: `Registry connection failed: ${err.message}` };
66
+ }
67
+ }
68
+ /**
69
+ * Ask the registry to check DNS verification for a domain.
70
+ * The registry resolves _agenticmail-verify.<domain> TXT record.
71
+ */
72
+ async checkVerification(domain) {
73
+ try {
74
+ const res = await fetch(`${this.registryUrl}/domains/verify`, {
75
+ method: "POST",
76
+ headers: { "Content-Type": "application/json" },
77
+ body: JSON.stringify({ domain: domain.toLowerCase().trim() }),
78
+ signal: AbortSignal.timeout(15e3)
79
+ });
80
+ const data = await res.json().catch(() => ({}));
81
+ if (!res.ok) {
82
+ return { success: false, error: data.error || `Verification check failed (HTTP ${res.status})` };
83
+ }
84
+ return {
85
+ success: true,
86
+ verified: data.verified === true,
87
+ error: data.verified ? void 0 : data.error || "DNS record not found yet"
88
+ };
89
+ } catch (err) {
90
+ if (err.name === "TimeoutError" || err.name === "AbortError") {
91
+ return { success: false, error: "Registry server unreachable (timeout)" };
92
+ }
93
+ return { success: false, error: `Registry connection failed: ${err.message}` };
94
+ }
95
+ }
96
+ /**
97
+ * Recover a domain registration on a new machine.
98
+ * Requires the original deployment key (plaintext).
99
+ * The registry verifies via bcrypt.compare against stored hash.
100
+ * On success, a new DNS challenge is issued (must re-verify DNS).
101
+ */
102
+ async recover(domain, deploymentKey) {
103
+ try {
104
+ const res = await fetch(`${this.registryUrl}/domains/recover`, {
105
+ method: "POST",
106
+ headers: { "Content-Type": "application/json" },
107
+ body: JSON.stringify({
108
+ domain: domain.toLowerCase().trim(),
109
+ deploymentKey
110
+ }),
111
+ signal: AbortSignal.timeout(15e3)
112
+ });
113
+ const data = await res.json().catch(() => ({}));
114
+ if (res.status === 403) {
115
+ return { success: false, error: "Invalid deployment key. The key does not match the registered domain." };
116
+ }
117
+ if (res.status === 404) {
118
+ return { success: false, error: "Domain is not registered. Use setup wizard to register first." };
119
+ }
120
+ if (!res.ok) {
121
+ return { success: false, error: data.error || `Recovery failed (HTTP ${res.status})` };
122
+ }
123
+ return {
124
+ success: true,
125
+ dnsChallenge: data.dnsChallenge,
126
+ registrationId: data.registrationId
127
+ };
128
+ } catch (err) {
129
+ if (err.name === "TimeoutError" || err.name === "AbortError") {
130
+ return { success: false, error: "Registry server unreachable (timeout)" };
131
+ }
132
+ return { success: false, error: `Registry connection failed: ${err.message}` };
133
+ }
134
+ }
135
+ /**
136
+ * Check domain status on the registry (public, read-only).
137
+ */
138
+ async getRemoteStatus(domain) {
139
+ try {
140
+ const res = await fetch(
141
+ `${this.registryUrl}/domains/${encodeURIComponent(domain.toLowerCase().trim())}/status`,
142
+ { signal: AbortSignal.timeout(1e4) }
143
+ );
144
+ if (!res.ok) return null;
145
+ return await res.json();
146
+ } catch {
147
+ return null;
148
+ }
149
+ }
150
+ };
151
+
152
+ export {
153
+ DomainLock
154
+ };
package/dist/cli-recover-X4MKJQVV.js ADDED
@@ -0,0 +1,97 @@
1
+ import {
2
+ DomainLock
3
+ } from "./chunk-UPU23ZRG.js";
4
+ import "./chunk-KFQGP6VL.js";
5
+
6
+ // src/domain-lock/cli-recover.ts
7
+ function getFlag(args, name) {
8
+ const idx = args.indexOf(name);
9
+ if (idx !== -1 && args[idx + 1]) return args[idx + 1];
10
+ return void 0;
11
+ }
12
+ async function runRecover(args) {
13
+ const { default: inquirer } = await import("inquirer");
14
+ const { default: chalk } = await import("chalk");
15
+ const { default: ora } = await import("ora");
16
+ console.log("");
17
+ console.log(chalk.bold(" AgenticMail Enterprise \u2014 Domain Recovery"));
18
+ console.log(chalk.dim(" Recover your domain registration on a new machine."));
19
+ console.log("");
20
+ let domain = getFlag(args, "--domain");
21
+ if (!domain) {
22
+ const answer = await inquirer.prompt([{
23
+ type: "input",
24
+ name: "domain",
25
+ message: "Domain to recover:",
26
+ suffix: chalk.dim(" (e.g. agents.agenticmail.io)"),
27
+ validate: (v) => v.includes(".") || "Enter a valid domain"
28
+ }]);
29
+ domain = answer.domain;
30
+ }
31
+ let key = getFlag(args, "--key");
32
+ if (!key) {
33
+ const answer = await inquirer.prompt([{
34
+ type: "password",
35
+ name: "key",
36
+ message: "Deployment key:",
37
+ mask: "*",
38
+ validate: (v) => {
39
+ if (v.length !== 64) return "Deployment key should be 64 hex characters";
40
+ if (!/^[0-9a-fA-F]+$/.test(v)) return "Deployment key should be hexadecimal";
41
+ return true;
42
+ }
43
+ }]);
44
+ key = answer.key;
45
+ }
46
+ const spinner = ora("Contacting AgenticMail registry...").start();
47
+ const lock = new DomainLock();
48
+ const result = await lock.recover(domain, key);
49
+ if (!result.success) {
50
+ spinner.fail("Recovery failed");
51
+ console.log("");
52
+ console.error(chalk.red(` ${result.error}`));
53
+ console.log("");
54
+ process.exit(1);
55
+ }
56
+ spinner.succeed("Domain recovery initiated");
57
+ const { default: bcrypt } = await import("bcryptjs");
58
+ const keyHash = await bcrypt.hash(key, 12);
59
+ const dbPath = getFlag(args, "--db");
60
+ const dbType = getFlag(args, "--db-type") || "sqlite";
61
+ if (dbPath) {
62
+ try {
63
+ const spinnerDb = ora("Saving to local database...").start();
64
+ const { createAdapter } = await import("./factory-FVJH5RRY.js");
65
+ const db = await createAdapter({ type: dbType, connectionString: dbPath });
66
+ await db.migrate();
67
+ await db.updateSettings({
68
+ domain,
69
+ deploymentKeyHash: keyHash,
70
+ domainRegistrationId: result.registrationId,
71
+ domainDnsChallenge: result.dnsChallenge,
72
+ domainRegisteredAt: (/* @__PURE__ */ new Date()).toISOString(),
73
+ domainStatus: "pending_dns"
74
+ });
75
+ spinnerDb.succeed("Local database updated");
76
+ await db.disconnect();
77
+ } catch (err) {
78
+ console.log(chalk.yellow(`
79
+ Could not update local DB: ${err.message}`));
80
+ console.log(chalk.dim(" You can manually update settings after setup."));
81
+ }
82
+ }
83
+ console.log("");
84
+ console.log(chalk.green.bold(" Domain recovery successful!"));
85
+ console.log("");
86
+ console.log(chalk.bold(" Update your DNS TXT record:"));
87
+ console.log("");
88
+ console.log(` ${chalk.bold("Host:")} ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
89
+ console.log(` ${chalk.bold("Type:")} ${chalk.cyan("TXT")}`);
90
+ console.log(` ${chalk.bold("Value:")} ${chalk.cyan(result.dnsChallenge)}`);
91
+ console.log("");
92
+ console.log(chalk.dim(" Then run: agenticmail-enterprise verify-domain"));
93
+ console.log("");
94
+ }
95
+ export {
96
+ runRecover
97
+ };
package/dist/cli-verify-YT7IADFX.js ADDED
@@ -0,0 +1,98 @@
1
+ import {
2
+ DomainLock
3
+ } from "./chunk-UPU23ZRG.js";
4
+ import "./chunk-KFQGP6VL.js";
5
+
6
+ // src/domain-lock/cli-verify.ts
7
+ function getFlag(args, name) {
8
+ const idx = args.indexOf(name);
9
+ if (idx !== -1 && args[idx + 1]) return args[idx + 1];
10
+ return void 0;
11
+ }
12
+ async function runVerifyDomain(args) {
13
+ const { default: chalk } = await import("chalk");
14
+ const { default: ora } = await import("ora");
15
+ console.log("");
16
+ console.log(chalk.bold(" AgenticMail Enterprise \u2014 Domain Verification"));
17
+ console.log("");
18
+ let domain = getFlag(args, "--domain");
19
+ let dnsChallenge;
20
+ let dbConnected = false;
21
+ let db = null;
22
+ if (!domain) {
23
+ const dbPath = getFlag(args, "--db");
24
+ const dbType = getFlag(args, "--db-type") || "sqlite";
25
+ if (dbPath) {
26
+ try {
27
+ const { createAdapter } = await import("./factory-FVJH5RRY.js");
28
+ db = await createAdapter({ type: dbType, connectionString: dbPath });
29
+ await db.migrate();
30
+ const settings = await db.getSettings();
31
+ domain = settings?.domain;
32
+ dnsChallenge = settings?.domainDnsChallenge;
33
+ dbConnected = true;
34
+ } catch {
35
+ }
36
+ }
37
+ }
38
+ if (!domain) {
39
+ const { default: inquirer } = await import("inquirer");
40
+ const answer = await inquirer.prompt([{
41
+ type: "input",
42
+ name: "domain",
43
+ message: "Domain to verify:",
44
+ suffix: chalk.dim(" (e.g. agents.agenticmail.io)"),
45
+ validate: (v) => v.includes(".") || "Enter a valid domain"
46
+ }]);
47
+ domain = answer.domain;
48
+ }
49
+ const spinner = ora("Checking DNS verification...").start();
50
+ const lock = new DomainLock();
51
+ const result = await lock.checkVerification(domain);
52
+ if (!result.success) {
53
+ spinner.fail("Verification check failed");
54
+ console.log("");
55
+ console.error(chalk.red(` ${result.error}`));
56
+ console.log("");
57
+ if (db) await db.disconnect();
58
+ process.exit(1);
59
+ }
60
+ if (result.verified) {
61
+ spinner.succeed("Domain verified!");
62
+ if (dbConnected && db) {
63
+ try {
64
+ await db.updateSettings({
65
+ domainStatus: "verified",
66
+ domainVerifiedAt: (/* @__PURE__ */ new Date()).toISOString()
67
+ });
68
+ } catch {
69
+ }
70
+ }
71
+ console.log("");
72
+ console.log(chalk.green.bold(` ${domain} is verified and protected.`));
73
+ console.log(chalk.dim(" Your deployment domain is locked. No other instance can claim it."));
74
+ console.log("");
75
+ } else {
76
+ spinner.info("DNS record not found yet");
77
+ console.log("");
78
+ console.log(chalk.yellow(" The DNS TXT record has not been detected."));
79
+ console.log("");
80
+ console.log(chalk.bold(" Make sure this record exists:"));
81
+ console.log("");
82
+ console.log(` ${chalk.bold("Host:")} ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
83
+ console.log(` ${chalk.bold("Type:")} ${chalk.cyan("TXT")}`);
84
+ if (dnsChallenge) {
85
+ console.log(` ${chalk.bold("Value:")} ${chalk.cyan(dnsChallenge)}`);
86
+ } else {
87
+ console.log(` ${chalk.bold("Value:")} ${chalk.dim("(check your setup records or dashboard)")}`);
88
+ }
89
+ console.log("");
90
+ console.log(chalk.dim(" DNS changes can take up to 48 hours to propagate."));
91
+ console.log(chalk.dim(" Run this command again after adding the record."));
92
+ console.log("");
93
+ }
94
+ if (db) await db.disconnect();
95
+ }
96
+ export {
97
+ runVerifyDomain
98
+ };
package/dist/cli.js CHANGED
@@ -14,10 +14,10 @@ switch (command) {
14
14
  import("./cli-submit-skill-RSBLF5XN.js").then((m) => m.runSubmitSkill(args.slice(1))).catch(fatal);
15
15
  break;
16
16
  case "recover":
17
- import("./cli-recover-SSGGSKZJ.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
17
+ import("./cli-recover-X4MKJQVV.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
18
18
  break;
19
19
  case "verify-domain":
20
- import("./cli-verify-V3GPFMWU.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
20
+ import("./cli-verify-YT7IADFX.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
21
21
  break;
22
22
  case "--help":
23
23
  case "-h":
@@ -48,7 +48,7 @@ Skill Development:
48
48
  break;
49
49
  case "setup":
50
50
  default:
51
- import("./setup-HCMMUEW6.js").then((m) => m.runSetupWizard()).catch(fatal);
51
+ import("./setup-5CVRQ5ES.js").then((m) => m.runSetupWizard()).catch(fatal);
52
52
  break;
53
53
  }
54
54
  function fatal(err) {
package/dist/domain-lock-Z5A74VJK.js ADDED
@@ -0,0 +1,7 @@
1
+ import {
2
+ DomainLock
3
+ } from "./chunk-UPU23ZRG.js";
4
+ import "./chunk-KFQGP6VL.js";
5
+ export {
6
+ DomainLock
7
+ };
package/dist/index.js CHANGED
@@ -11,11 +11,11 @@ import {
11
11
  requireRole,
12
12
  securityHeaders,
13
13
  validate
14
- } from "./chunk-V2YIXYDJ.js";
14
+ } from "./chunk-ISOODMEF.js";
15
15
  import {
16
16
  provision,
17
17
  runSetupWizard
18
- } from "./chunk-ANW4OHXR.js";
18
+ } from "./chunk-PQADDAC2.js";
19
19
  import {
20
20
  ENGINE_TABLES,
21
21
  ENGINE_TABLES_POSTGRES,
package/dist/server-6LWKND7R.js ADDED
@@ -0,0 +1,11 @@
1
+ import {
2
+ createServer
3
+ } from "./chunk-ISOODMEF.js";
4
+ import "./chunk-RO537U6H.js";
5
+ import "./chunk-DRXMYYKN.js";
6
+ import "./chunk-ZNR5DDTA.js";
7
+ import "./chunk-JLSQOQ5L.js";
8
+ import "./chunk-KFQGP6VL.js";
9
+ export {
10
+ createServer
11
+ };
package/dist/setup-5CVRQ5ES.js ADDED
@@ -0,0 +1,20 @@
1
+ import {
2
+ promptCompanyInfo,
3
+ promptDatabase,
4
+ promptDeployment,
5
+ promptDomain,
6
+ promptRegistration,
7
+ provision,
8
+ runSetupWizard
9
+ } from "./chunk-PQADDAC2.js";
10
+ import "./chunk-NTVN3JHS.js";
11
+ import "./chunk-KFQGP6VL.js";
12
+ export {
13
+ promptCompanyInfo,
14
+ promptDatabase,
15
+ promptDeployment,
16
+ promptDomain,
17
+ promptRegistration,
18
+ provision,
19
+ runSetupWizard
20
+ };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@agenticmail/enterprise",
3
- "version": "0.5.1",
3
+ "version": "0.5.2",
4
4
  "description": "AgenticMail Enterprise — cloud-hosted AI agent identity, email, auth & compliance for organizations",
5
5
  "type": "module",
6
6
  "bin": {
package/src/domain-lock/index.ts CHANGED
@@ -13,7 +13,7 @@
13
13
  import { randomBytes } from 'crypto';
14
14
 
15
15
  const REGISTRY_BASE_URL = process.env.AGENTICMAIL_REGISTRY_URL
16
- || 'https://registry.agenticmail.com/v1';
16
+ || 'https://agenticmail.io/enterprise/v1';
17
17
 
18
18
  // ─── Types ──────────────────────────────────────────────
19
19
 
package/src/setup/registration.ts CHANGED
@@ -13,7 +13,7 @@
13
13
  import { randomBytes } from 'crypto';
14
14
 
15
15
  const REGISTRY_BASE_URL = process.env.AGENTICMAIL_REGISTRY_URL
16
- || 'https://registry.agenticmail.com/v1';
16
+ || 'https://agenticmail.io/enterprise/v1';
17
17
 
18
18
  // ─── Types ──────────────────────────────────────────────
19
19
 
@@ -60,9 +60,9 @@ export async function promptRegistration(
60
60
 
61
61
  const spinner = ora('Generating deployment key...').start();
62
62
 
63
- const { default: bcrypt } = await import('bcryptjs');
63
+ const { createHash } = await import('crypto');
64
64
  const plaintextKey = randomBytes(32).toString('hex'); // 64-char hex
65
- const keyHash = await bcrypt.hash(plaintextKey, 12);
65
+ const keyHash = createHash('sha256').update(plaintextKey).digest('hex');
66
66
 
67
67
  spinner.succeed('Deployment key generated');
68
68
 
@@ -81,6 +81,7 @@ export async function promptRegistration(
81
81
  body: JSON.stringify({
82
82
  domain: domain.toLowerCase().trim(),
83
83
  keyHash,
84
+ sha256Hash: keyHash,
84
85
  orgName: companyName,
85
86
  contactEmail: adminEmail,
86
87
  }),