@agenticmail/enterprise 0.5.230 → 0.5.231

package/dist/cli-recover-GNWBEKCR.js

@@ -0,0 +1,222 @@
+import {
+  DomainLock
+} from "./chunk-UPU23ZRG.js";
+import "./chunk-KFQGP6VL.js";
+
+// src/domain-lock/cli-recover.ts
+function getFlag(args, name) {
+  const idx = args.indexOf(name);
+  if (idx !== -1 && args[idx + 1]) return args[idx + 1];
+  return void 0;
+}
+function hasFlag(args, name) {
+  return args.includes(name);
+}
+async function runRecover(args) {
+  const { default: inquirer } = await import("inquirer");
+  const { default: chalk } = await import("chalk");
+  const { default: ora } = await import("ora");
+  console.log("");
+  console.log(chalk.bold("  AgenticMail Enterprise \u2014 Domain Recovery"));
+  console.log(chalk.dim("  Recover your domain registration on a new machine."));
+  console.log("");
+  console.log(chalk.dim("  You will need:"));
+  console.log(chalk.dim("    1. Your domain name"));
+  console.log(chalk.dim("    2. Your 64-character deployment key (shown once during setup)"));
+  console.log(chalk.dim("    3. Your database connection string"));
+  console.log("");
+  let domain = getFlag(args, "--domain");
+  if (!domain) {
+    const answer = await inquirer.prompt([{
+      type: "input",
+      name: "domain",
+      message: "Domain to recover:",
+      suffix: chalk.dim("  (the domain you registered during setup)"),
+      validate: (v) => {
+        const d = v.trim().toLowerCase();
+        if (!d.includes(".")) return "Enter a valid domain (e.g. agents.yourcompany.com)";
+        if (d.startsWith("http")) return "Enter just the domain, not a URL";
+        return true;
+      },
+      filter: (v) => v.trim().toLowerCase()
+    }]);
+    domain = answer.domain;
+  }
+  let key = getFlag(args, "--key");
+  if (!key) {
+    console.log("");
+    console.log(chalk.dim("  Your deployment key was shown once during initial setup."));
+    console.log(chalk.dim("  It is a 64-character hexadecimal string."));
+    console.log("");
+    const answer = await inquirer.prompt([{
+      type: "password",
+      name: "key",
+      message: "Deployment key:",
+      mask: "*",
+      validate: (v) => {
+        if (!v.trim()) return "Deployment key is required";
+        if (v.length !== 64) return `Expected 64 characters, got ${v.length}. Check that you copied the full key.`;
+        if (!/^[0-9a-fA-F]+$/.test(v)) return "Deployment key should be hexadecimal (0-9, a-f)";
+        return true;
+      }
+    }]);
+    key = answer.key;
+  }
+  console.log("");
+  const spinner = ora("Contacting AgenticMail registry...").start();
+  const lock = new DomainLock();
+  const result = await lock.recover(domain, key);
+  if (!result.success) {
+    spinner.fail("Recovery failed");
+    console.log("");
+    console.error(chalk.red(`  ${result.error}`));
+    console.log("");
+    if (result.error?.includes("Invalid deployment key")) {
+      console.log(chalk.yellow("  The deployment key does not match this domain."));
+      console.log(chalk.dim("  Make sure you are using the key that was shown during the original setup."));
+      console.log(chalk.dim("  If you lost your key, contact support@agenticmail.io for manual verification."));
+    } else if (result.error?.includes("not registered")) {
+      console.log(chalk.yellow("  This domain was never registered with AgenticMail."));
+      console.log(chalk.dim("  Run the setup wizard instead: npx @agenticmail/enterprise setup"));
+    }
+    console.log("");
+    process.exit(1);
+  }
+  spinner.succeed("Registry accepted recovery \u2014 new DNS challenge issued");
+  console.log("");
+  console.log(chalk.bold.cyan("  Database Connection"));
+  console.log(chalk.dim("  We need to update your database with the new registration.\n"));
+  let db = null;
+  let dbConnected = false;
+  const envDbUrl = process.env.DATABASE_URL;
+  if (envDbUrl && !hasFlag(args, "--no-db")) {
+    const dbType = detectDbType(envDbUrl);
+    spinner.start(`Connecting to database (${dbType}, from DATABASE_URL)...`);
+    try {
+      const { createAdapter } = await import("./factory-672W7A5B.js");
+      db = await createAdapter({ type: dbType, connectionString: envDbUrl });
+      await db.migrate();
+      dbConnected = true;
+      spinner.succeed(`Connected to ${dbType} database`);
+    } catch (err) {
+      spinner.warn(`Could not connect via DATABASE_URL: ${err.message}`);
+      db = null;
+    }
+  }
+  if (!dbConnected && !hasFlag(args, "--no-db")) {
+    const { connectDb } = await inquirer.prompt([{
+      type: "confirm",
+      name: "connectDb",
+      message: "Connect to your database now?",
+      default: true
+    }]);
+    if (connectDb) {
+      const dbTypes = [
+        { name: `PostgreSQL / Supabase / Neon  ${chalk.dim("(recommended)")}`, value: "postgres" },
+        { name: "MySQL / PlanetScale", value: "mysql" },
+        { name: "SQLite (local file)", value: "sqlite" },
+        { name: "Turso (LibSQL)", value: "turso" },
+        { name: "MongoDB", value: "mongodb" }
+      ];
+      const { dbType } = await inquirer.prompt([{
+        type: "list",
+        name: "dbType",
+        message: "Database type:",
+        choices: dbTypes
+      }]);
+      const placeholders = {
+        postgres: "postgresql://user:pass@host:5432/dbname?sslmode=require",
+        mysql: "mysql://user:pass@host:3306/dbname",
+        sqlite: "./data/agenticmail.db",
+        turso: "libsql://your-db-name-org.turso.io",
+        mongodb: "mongodb+srv://user:pass@cluster.mongodb.net/dbname"
+      };
+      const { connString } = await inquirer.prompt([{
+        type: "input",
+        name: "connString",
+        message: "Connection string:",
+        suffix: chalk.dim(`
+  e.g. ${placeholders[dbType]}
+  >`),
+        validate: (v) => v.trim() ? true : "Connection string is required"
+      }]);
+      spinner.start(`Connecting to ${dbType} database...`);
+      try {
+        const { createAdapter } = await import("./factory-672W7A5B.js");
+        db = await createAdapter({ type: dbType, connectionString: connString.trim() });
+        await db.migrate();
+        dbConnected = true;
+        spinner.succeed(`Connected to ${dbType} database`);
+      } catch (err) {
+        spinner.fail(`Database connection failed: ${err.message}`);
+        console.log(chalk.yellow("\n  Could not connect. You can update settings manually from the dashboard."));
+        console.log(chalk.dim("  Or set DATABASE_URL and run this command again.\n"));
+      }
+    }
+  }
+  if (dbConnected && db) {
+    spinner.start("Updating domain registration in database...");
+    try {
+      const { createHash } = await import("crypto");
+      const keyHash = createHash("sha256").update(key).digest("hex");
+      await db.updateSettings({
+        domain,
+        deploymentKeyHash: keyHash,
+        domainRegistrationId: result.registrationId,
+        domainDnsChallenge: result.dnsChallenge,
+        domainRegisteredAt: (/* @__PURE__ */ new Date()).toISOString(),
+        domainStatus: "pending_dns",
+        domainVerifiedAt: void 0
+      });
+      spinner.succeed("Database updated with new registration");
+    } catch (err) {
+      spinner.warn(`Could not update database: ${err.message}`);
+      console.log(chalk.dim("  You can update manually from the dashboard after DNS verification."));
+    }
+    try {
+      await db.disconnect();
+    } catch {
+    }
+  }
+  console.log("");
+  console.log(chalk.green.bold("  \u2713 Domain recovery successful!"));
+  console.log("");
+  console.log(chalk.bold("  Next: Add this DNS TXT record to verify ownership"));
+  console.log("");
+  console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
+  console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("TXT")}`);
+  console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(result.dnsChallenge)}`);
+  console.log("");
+  if (dbConnected) {
+    console.log(chalk.dim("  After adding the DNS record, verify from the dashboard"));
+    console.log(chalk.dim("  or run:"));
+  } else {
+    console.log(chalk.dim("  After adding the DNS record, connect to your database"));
+    console.log(chalk.dim("  and verify:"));
+  }
+  console.log("");
+  console.log(chalk.dim(`    npx @agenticmail/enterprise verify-domain --domain ${domain}`));
+  console.log("");
+  if (!dbConnected) {
+    console.log(chalk.yellow.bold("  \u26A0  Database was not updated"));
+    console.log(chalk.dim("  The registry accepted your recovery, but your local database"));
+    console.log(chalk.dim("  does not have the new DNS challenge yet. Options:"));
+    console.log("");
+    console.log(chalk.dim("    1. Set DATABASE_URL and run this command again"));
+    console.log(chalk.dim("    2. Start your server \u2014 the dashboard will show the DNS challenge"));
+    console.log(chalk.dim("    3. Run verify-domain with --db after adding DNS records"));
+    console.log("");
+  }
+}
+function detectDbType(url) {
+  const u = url.toLowerCase().trim();
+  if (u.startsWith("postgres") || u.startsWith("pg:")) return "postgres";
+  if (u.startsWith("mysql")) return "mysql";
+  if (u.startsWith("mongodb")) return "mongodb";
+  if (u.startsWith("libsql") || u.includes(".turso.io")) return "turso";
+  if (u.endsWith(".db") || u.endsWith(".sqlite") || u.endsWith(".sqlite3") || u.startsWith("file:")) return "sqlite";
+  return "postgres";
+}
+export {
+  runRecover
+};

package/dist/cli-serve-NGGPNMP7.js

@@ -0,0 +1,114 @@
+import "./chunk-KFQGP6VL.js";
+
+// src/cli-serve.ts
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+function loadEnvFile() {
+  const candidates = [
+    join(process.cwd(), ".env"),
+    join(homedir(), ".agenticmail", ".env")
+  ];
+  for (const envPath of candidates) {
+    if (!existsSync(envPath)) continue;
+    try {
+      const content = readFileSync(envPath, "utf8");
+      for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#")) continue;
+        const eq = trimmed.indexOf("=");
+        if (eq < 0) continue;
+        const key = trimmed.slice(0, eq).trim();
+        let val = trimmed.slice(eq + 1).trim();
+        if (val.startsWith('"') && val.endsWith('"') || val.startsWith("'") && val.endsWith("'")) {
+          val = val.slice(1, -1);
+        }
+        if (!process.env[key]) process.env[key] = val;
+      }
+      console.log(`Loaded config from ${envPath}`);
+      return;
+    } catch {
+    }
+  }
+}
+async function ensureSecrets() {
+  const { randomUUID } = await import("crypto");
+  const envDir = join(homedir(), ".agenticmail");
+  const envPath = join(envDir, ".env");
+  let dirty = false;
+  if (!process.env.JWT_SECRET) {
+    process.env.JWT_SECRET = randomUUID() + randomUUID();
+    dirty = true;
+    console.log("[startup] Generated new JWT_SECRET (existing sessions will need to re-login)");
+  }
+  if (!process.env.AGENTICMAIL_VAULT_KEY) {
+    process.env.AGENTICMAIL_VAULT_KEY = randomUUID() + randomUUID();
+    dirty = true;
+    console.log("[startup] Generated new AGENTICMAIL_VAULT_KEY");
+    console.log("[startup] \u26A0\uFE0F  Previously encrypted credentials will need to be re-entered in the dashboard");
+  }
+  if (dirty) {
+    try {
+      if (!existsSync(envDir)) {
+        const { mkdirSync } = await import("fs");
+        mkdirSync(envDir, { recursive: true });
+      }
+      const { appendFileSync } = await import("fs");
+      const lines = [];
+      let existing = "";
+      if (existsSync(envPath)) {
+        existing = readFileSync(envPath, "utf8");
+      }
+      if (!existing.includes("JWT_SECRET=")) {
+        lines.push(`JWT_SECRET=${process.env.JWT_SECRET}`);
+      }
+      if (!existing.includes("AGENTICMAIL_VAULT_KEY=")) {
+        lines.push(`AGENTICMAIL_VAULT_KEY=${process.env.AGENTICMAIL_VAULT_KEY}`);
+      }
+      if (lines.length) {
+        appendFileSync(envPath, "\n" + lines.join("\n") + "\n", { mode: 384 });
+        console.log(`[startup] Saved secrets to ${envPath}`);
+      }
+    } catch (e) {
+      console.warn(`[startup] Could not save secrets to ${envPath}: ${e.message}`);
+    }
+  }
+}
+async function runServe(_args) {
+  loadEnvFile();
+  const DATABASE_URL = process.env.DATABASE_URL;
+  const PORT = parseInt(process.env.PORT || "8080", 10);
+  await ensureSecrets();
+  const JWT_SECRET = process.env.JWT_SECRET;
+  const VAULT_KEY = process.env.AGENTICMAIL_VAULT_KEY;
+  if (!DATABASE_URL) {
+    console.error("ERROR: DATABASE_URL is required.");
+    console.error("");
+    console.error("Set it via environment variable or .env file:");
+    console.error("  DATABASE_URL=postgresql://user:pass@host:5432/db npx @agenticmail/enterprise start");
+    console.error("");
+    console.error("Or create a .env file (in cwd or ~/.agenticmail/.env):");
+    console.error("  DATABASE_URL=postgresql://user:pass@host:5432/db");
+    console.error("  JWT_SECRET=your-secret-here");
+    console.error("  PORT=3200");
+    process.exit(1);
+  }
+  const { createAdapter } = await import("./factory-672W7A5B.js");
+  const { createServer } = await import("./server-RZ22KAON.js");
+  const db = await createAdapter({
+    type: DATABASE_URL.startsWith("postgres") ? "postgres" : "sqlite",
+    connectionString: DATABASE_URL
+  });
+  await db.migrate();
+  const server = createServer({
+    port: PORT,
+    db,
+    jwtSecret: JWT_SECRET,
+    corsOrigins: ["*"]
+  });
+  await server.start();
+  console.log(`AgenticMail Enterprise server running on :${PORT}`);
+}
+export {
+  runServe
+};

package/dist/cli-verify-F3KN23M7.js

@@ -0,0 +1,149 @@
+import {
+  DomainLock
+} from "./chunk-UPU23ZRG.js";
+import "./chunk-KFQGP6VL.js";
+
+// src/domain-lock/cli-verify.ts
+function getFlag(args, name) {
+  const idx = args.indexOf(name);
+  if (idx !== -1 && args[idx + 1]) return args[idx + 1];
+  return void 0;
+}
+function hasFlag(args, name) {
+  return args.includes(name);
+}
+function detectDbType(url) {
+  const u = url.toLowerCase().trim();
+  if (u.startsWith("postgres") || u.startsWith("pg:")) return "postgres";
+  if (u.startsWith("mysql")) return "mysql";
+  if (u.startsWith("mongodb")) return "mongodb";
+  if (u.startsWith("libsql") || u.includes(".turso.io")) return "turso";
+  if (u.endsWith(".db") || u.endsWith(".sqlite") || u.endsWith(".sqlite3") || u.startsWith("file:")) return "sqlite";
+  return "postgres";
+}
+async function runVerifyDomain(args) {
+  const { default: chalk } = await import("chalk");
+  const { default: ora } = await import("ora");
+  console.log("");
+  console.log(chalk.bold("  AgenticMail Enterprise \u2014 Domain Verification"));
+  console.log("");
+  let domain = getFlag(args, "--domain");
+  let dnsChallenge;
+  let db = null;
+  let dbConnected = false;
+  const envDbUrl = process.env.DATABASE_URL;
+  if (envDbUrl) {
+    const dbType = detectDbType(envDbUrl);
+    const spinner = ora(`Connecting to database (${dbType})...`).start();
+    try {
+      const { createAdapter } = await import("./factory-672W7A5B.js");
+      db = await createAdapter({ type: dbType, connectionString: envDbUrl });
+      await db.migrate();
+      const settings = await db.getSettings();
+      if (!domain && settings?.domain) domain = settings.domain;
+      if (settings?.domainDnsChallenge) dnsChallenge = settings.domainDnsChallenge;
+      dbConnected = true;
+      spinner.succeed(`Connected to ${dbType} database` + (domain ? ` (domain: ${domain})` : ""));
+    } catch (err) {
+      spinner.warn(`Could not connect via DATABASE_URL: ${err.message}`);
+      db = null;
+    }
+  }
+  if (!dbConnected) {
+    const dbPath = getFlag(args, "--db");
+    const dbType = getFlag(args, "--db-type") || "sqlite";
+    if (dbPath) {
+      const spinner = ora(`Connecting to ${dbType} database...`).start();
+      try {
+        const { createAdapter } = await import("./factory-672W7A5B.js");
+        db = await createAdapter({ type: dbType, connectionString: dbPath });
+        await db.migrate();
+        const settings = await db.getSettings();
+        if (!domain && settings?.domain) domain = settings.domain;
+        if (settings?.domainDnsChallenge) dnsChallenge = settings.domainDnsChallenge;
+        dbConnected = true;
+        spinner.succeed(`Connected to ${dbType} database`);
+      } catch {
+        spinner.warn("Could not read local database");
+      }
+    }
+  }
+  if (!domain) {
+    const { default: inquirer } = await import("inquirer");
+    const answer = await inquirer.prompt([{
+      type: "input",
+      name: "domain",
+      message: "Domain to verify:",
+      suffix: chalk.dim("  (e.g. agents.yourcompany.com)"),
+      validate: (v) => v.includes(".") || "Enter a valid domain",
+      filter: (v) => v.trim().toLowerCase()
+    }]);
+    domain = answer.domain;
+  }
+  const lock = new DomainLock();
+  const maxAttempts = hasFlag(args, "--poll") ? 5 : 1;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    const spinner = ora(
+      maxAttempts > 1 ? `Checking DNS verification (attempt ${attempt}/${maxAttempts})...` : "Checking DNS verification..."
+    ).start();
+    try {
+      const result = await lock.checkVerification(domain);
+      if (!result.success) {
+        spinner.fail("Verification check failed");
+        console.log("");
+        console.error(chalk.red(`  ${result.error}`));
+        console.log("");
+        if (db) await db.disconnect();
+        process.exit(1);
+      }
+      if (result.verified) {
+        spinner.succeed("Domain verified!");
+        if (dbConnected && db) {
+          try {
+            await db.updateSettings({
+              domainStatus: "verified",
+              domainVerifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+            });
+            console.log(chalk.dim("  Database updated with verified status."));
+          } catch {
+          }
+        }
+        console.log("");
+        console.log(chalk.green.bold(`  \u2713 ${domain} is verified and protected.`));
+        console.log(chalk.dim("  Your deployment domain is locked. No other instance can claim it."));
+        console.log(chalk.dim("  The system now operates 100% offline \u2014 no outbound calls are made."));
+        console.log("");
+        if (db) await db.disconnect();
+        return;
+      }
+    } catch (err) {
+      spinner.warn(`Check failed: ${err.message}`);
+    }
+    if (attempt < maxAttempts) {
+      const waitSpinner = ora(`DNS record not found yet. Retrying in 10 seconds...`).start();
+      await new Promise((r) => setTimeout(r, 1e4));
+      waitSpinner.stop();
+    }
+  }
+  console.log("");
+  console.log(chalk.yellow("  DNS record not detected yet."));
+  console.log("");
+  console.log(chalk.bold("  Make sure this TXT record exists at your DNS provider:"));
+  console.log("");
+  console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
+  console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("TXT")}`);
+  if (dnsChallenge) {
+    console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(dnsChallenge)}`);
+  } else {
+    console.log(`  ${chalk.bold("Value:")}  ${chalk.dim("(check your dashboard or setup output)")}`);
+  }
+  console.log("");
+  console.log(chalk.dim("  DNS propagation can take up to 48 hours."));
+  console.log(chalk.dim("  Run with --poll to retry automatically:"));
+  console.log(chalk.dim(`    npx @agenticmail/enterprise verify-domain --domain ${domain} --poll`));
+  console.log("");
+  if (db) await db.disconnect();
+}
+export {
+  runVerifyDomain
+};

package/dist/cli.js

@@ -14,10 +14,10 @@ switch (command) {
     import("./cli-submit-skill-LDFJGSKO.js").then((m) => m.runSubmitSkill(args.slice(1))).catch(fatal);
     break;
   case "recover":
-    import("./cli-recover-UWMQORT4.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
+    import("./cli-recover-GNWBEKCR.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
     break;
   case "verify-domain":
-    import("./cli-verify-ENB4NVHG.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
+    import("./cli-verify-F3KN23M7.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
     break;
   case "--help":
   case "-h":
@@ -53,14 +53,14 @@ Skill Development:
     break;
   case "serve":
   case "start":
-    import("./cli-serve-YEDRINZV.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
+    import("./cli-serve-NGGPNMP7.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
     break;
   case "agent":
-    import("./cli-agent-5ZU3YHEY.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
+    import("./cli-agent-M3YGU3IG.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
     break;
   case "setup":
   default:
-    import("./setup-FNMKPXP2.js").then((m) => m.runSetupWizard()).catch(fatal);
+    import("./setup-3RGSSGB3.js").then((m) => m.runSetupWizard()).catch(fatal);
     break;
 }
 function fatal(err) {

package/dist/factory-672W7A5B.js

@@ -0,0 +1,9 @@
+import {
+  createAdapter,
+  getSupportedDatabases
+} from "./chunk-ULRBF2T7.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  createAdapter,
+  getSupportedDatabases
+};

package/dist/index.js

@@ -7,7 +7,7 @@ import {
 import {
   provision,
   runSetupWizard
-} from "./chunk-EKAHAAGY.js";
+} from "./chunk-YNG3KJKA.js";
 import {
   AgenticMailManager,
   GoogleEmailProvider,
@@ -42,7 +42,7 @@ import {
   requireRole,
   securityHeaders,
   validate
-} from "./chunk-DFDEYMA5.js";
+} from "./chunk-KQ5NV6LM.js";
 import "./chunk-OF4MUWWS.js";
 import {
   PROVIDER_REGISTRY,
@@ -113,7 +113,7 @@ import {
 import {
   createAdapter,
   getSupportedDatabases
-} from "./chunk-VQQ4SYYQ.js";
+} from "./chunk-ULRBF2T7.js";
 import {
   AGENTICMAIL_TOOLS,
   ALL_TOOLS,