@agenticmail/enterprise 0.5.252 → 0.5.253

package/dist/chunk-J6QPL5WN.js

@@ -0,0 +1,1224 @@
+import {
+  getSupportedDatabases
+} from "./chunk-ULRBF2T7.js";
+
+// src/setup/index.ts
+import { execSync as execSync2 } from "child_process";
+import { createRequire } from "module";
+import { join as join2 } from "path";
+
+// src/setup/company.ts
+function toSlug(name) {
+  return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "").slice(0, 63);
+}
+function generateAlternatives(companyName) {
+  const base = toSlug(companyName);
+  const words = companyName.trim().split(/\s+/).map((w) => w.toLowerCase().replace(/[^a-z0-9]/g, "")).filter(Boolean);
+  const suggestions = /* @__PURE__ */ new Set();
+  suggestions.add(base);
+  if (words.length >= 2) {
+    const initials = words.map((w) => w[0]).join("");
+    if (initials.length >= 2) suggestions.add(initials);
+  }
+  if (words[0] && words[0] !== base) {
+    suggestions.add(words[0]);
+  }
+  if (words.length >= 3) {
+    suggestions.add(`${words[0]}-${words[words.length - 1]}`);
+  }
+  suggestions.add(`team-${base}`);
+  suggestions.add(`app-${base}`);
+  suggestions.add(`mail-${words[0] || base}`);
+  suggestions.add(`ai-${words[0] || base}`);
+  suggestions.add(`${words[0] || base}-hq`);
+  suggestions.delete(base);
+  return [...suggestions].map((s) => s.slice(0, 63)).slice(0, 5);
+}
+function validateSubdomain(v) {
+  const s = v.trim();
+  if (!s) return "Subdomain is required";
+  if (s.length < 2) return "Subdomain must be at least 2 characters";
+  if (s.length > 63) return "Subdomain must be 63 characters or fewer";
+  if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/.test(s)) {
+    return "Subdomain must be lowercase letters, numbers, and hyphens (cannot start or end with a hyphen)";
+  }
+  return true;
+}
+async function promptCompanyInfo(inquirer, chalk) {
+  console.log(chalk.bold.cyan("  Step 1 of 5: Company Info"));
+  console.log(chalk.dim("  Tell us about your organization.\n"));
+  const { companyName, adminEmail, adminPassword } = await inquirer.prompt([
+    {
+      type: "input",
+      name: "companyName",
+      message: "Company name:",
+      validate: (v) => {
+        if (!v.trim()) return "Company name is required";
+        if (v.length > 100) return "Company name must be under 100 characters";
+        return true;
+      }
+    },
+    {
+      type: "input",
+      name: "adminEmail",
+      message: "Admin email:",
+      validate: (v) => {
+        if (!v.includes("@") || !v.includes(".")) return "Enter a valid email address";
+        return true;
+      }
+    },
+    {
+      type: "password",
+      name: "adminPassword",
+      message: "Admin password:",
+      mask: "*",
+      validate: (v) => {
+        if (v.length < 8) return "Password must be at least 8 characters";
+        if (!/[A-Z]/.test(v) && !/[0-9]/.test(v)) {
+          return "Password should contain at least one uppercase letter or number";
+        }
+        return true;
+      }
+    }
+  ]);
+  const suggested = toSlug(companyName);
+  const alternatives = generateAlternatives(companyName);
+  console.log("");
+  console.log(chalk.bold("  Subdomain"));
+  console.log(chalk.dim("  Used for your dashboard URL and internal routing.\n"));
+  const choices = [
+    { name: `${suggested}  ${chalk.dim("(recommended)")}`, value: suggested },
+    ...alternatives.map((alt) => ({ name: alt, value: alt })),
+    new inquirer.Separator(),
+    { name: `${chalk.italic("Enter my own...")}`, value: "__custom__" },
+    { name: `${chalk.italic("Generate more suggestions")}`, value: "__regenerate__" }
+  ];
+  let subdomain = suggested;
+  let choosing = true;
+  while (choosing) {
+    const { subdomainChoice } = await inquirer.prompt([{
+      type: "list",
+      name: "subdomainChoice",
+      message: "Choose a subdomain:",
+      choices
+    }]);
+    if (subdomainChoice === "__custom__") {
+      const { custom } = await inquirer.prompt([{
+        type: "input",
+        name: "custom",
+        message: "Custom subdomain:",
+        suffix: chalk.dim("  (lowercase, letters/numbers/hyphens)"),
+        validate: validateSubdomain,
+        filter: (v) => v.trim().toLowerCase()
+      }]);
+      subdomain = custom;
+      choosing = false;
+    } else if (subdomainChoice === "__regenerate__") {
+      const base = toSlug(companyName);
+      const words = companyName.trim().split(/\s+/).map((w2) => w2.toLowerCase().replace(/[^a-z0-9]/g, "")).filter(Boolean);
+      const w = words[0] || base;
+      const rand = () => Math.random().toString(36).slice(2, 5);
+      const fresh = [
+        `${w}-${rand()}`,
+        `${base}-${rand()}`,
+        `${w}-agents`,
+        `${w}-mail`,
+        `${w}-platform`
+      ];
+      choices.splice(
+        1,
+        alternatives.length,
+        ...fresh.map((alt) => ({ name: alt, value: alt }))
+      );
+    } else {
+      subdomain = subdomainChoice;
+      choosing = false;
+    }
+  }
+  console.log(chalk.dim(`  Your subdomain: ${chalk.white(subdomain)}
+`));
+  return { companyName, adminEmail, adminPassword, subdomain };
+}
+
+// src/setup/database.ts
+var CONNECTION_HINTS = {
+  postgres: "postgresql://user:pass@host:5432/dbname",
+  mysql: "mysql://user:pass@host:3306/dbname",
+  mongodb: "mongodb+srv://user:pass@cluster.mongodb.net/dbname",
+  supabase: "postgresql://postgres:pass@db.xxxx.supabase.co:5432/postgres",
+  neon: "postgresql://user:pass@ep-xxx.us-east-1.aws.neon.tech/dbname?sslmode=require",
+  planetscale: 'mysql://user:pass@aws.connect.psdb.cloud/dbname?ssl={"rejectUnauthorized":true}',
+  cockroachdb: "postgresql://user:pass@cluster.cockroachlabs.cloud:26257/dbname?sslmode=verify-full"
+};
+async function promptDatabase(inquirer, chalk) {
+  console.log("");
+  console.log(chalk.bold.cyan("  Step 2 of 4: Database"));
+  console.log(chalk.dim("  Where should your data live?\n"));
+  const databases = getSupportedDatabases();
+  const { dbType } = await inquirer.prompt([
+    {
+      type: "list",
+      name: "dbType",
+      message: "Database backend:",
+      choices: databases.map((d) => ({
+        name: `${d.label}  ${chalk.dim(`(${d.group})`)}`,
+        value: d.type
+      }))
+    }
+  ]);
+  if (dbType === "sqlite") {
+    const { dbPath } = await inquirer.prompt([{
+      type: "input",
+      name: "dbPath",
+      message: "Database file path:",
+      default: "./agenticmail-enterprise.db"
+    }]);
+    return { type: dbType, connectionString: dbPath };
+  }
+  if (dbType === "dynamodb") {
+    const answers = await inquirer.prompt([
+      {
+        type: "input",
+        name: "region",
+        message: "AWS Region:",
+        default: "us-east-1"
+      },
+      {
+        type: "input",
+        name: "accessKeyId",
+        message: "AWS Access Key ID:",
+        validate: (v) => v.length > 0 || "Required"
+      },
+      {
+        type: "password",
+        name: "secretAccessKey",
+        message: "AWS Secret Access Key:",
+        mask: "*",
+        validate: (v) => v.length > 0 || "Required"
+      }
+    ]);
+    return { type: dbType, ...answers };
+  }
+  if (dbType === "turso") {
+    const answers = await inquirer.prompt([
+      {
+        type: "input",
+        name: "connectionString",
+        message: "Turso database URL:",
+        suffix: chalk.dim("  (e.g. libsql://db-org.turso.io)"),
+        validate: (v) => v.length > 0 || "Required"
+      },
+      {
+        type: "password",
+        name: "authToken",
+        message: "Turso auth token:",
+        mask: "*",
+        validate: (v) => v.length > 0 || "Required"
+      }
+    ]);
+    return { type: dbType, connectionString: answers.connectionString, authToken: answers.authToken };
+  }
+  const hint = CONNECTION_HINTS[dbType] || "";
+  const { connectionString } = await inquirer.prompt([{
+    type: "input",
+    name: "connectionString",
+    message: "Connection string:",
+    suffix: hint ? chalk.dim(`  (e.g. ${hint})`) : "",
+    validate: (v) => v.length > 0 || "Connection string is required"
+  }]);
+  return { type: dbType, connectionString };
+}
+
+// src/setup/deployment.ts
+import { execSync, exec as execCb } from "child_process";
+import { promisify } from "util";
+import { existsSync, writeFileSync } from "fs";
+import { join } from "path";
+import { homedir, platform, arch } from "os";
+var execP = promisify(execCb);
+async function promptDeployment(inquirer, chalk) {
+  console.log("");
+  console.log(chalk.bold.cyan("  Step 3 of 4: Deployment"));
+  console.log(chalk.dim("  Where should your dashboard run?\n"));
+  const { deployTarget } = await inquirer.prompt([{
+    type: "list",
+    name: "deployTarget",
+    message: "Deploy to:",
+    choices: [
+      {
+        name: `AgenticMail Cloud  ${chalk.dim("(managed, instant URL)")}`,
+        value: "cloud"
+      },
+      {
+        name: `Cloudflare Tunnel  ${chalk.green("\u2190 recommended")}  ${chalk.dim("(self-hosted, free, no ports)")}`,
+        value: "cloudflare-tunnel"
+      },
+      {
+        name: `Fly.io  ${chalk.dim("(your account)")}`,
+        value: "fly"
+      },
+      {
+        name: `Railway  ${chalk.dim("(your account)")}`,
+        value: "railway"
+      },
+      {
+        name: `Docker  ${chalk.dim("(self-hosted)")}`,
+        value: "docker"
+      },
+      {
+        name: `Local  ${chalk.dim("(dev/testing, runs here)")}`,
+        value: "local"
+      }
+    ]
+  }]);
+  if (deployTarget === "cloudflare-tunnel") {
+    const tunnel = await runTunnelSetup(inquirer, chalk);
+    return { target: deployTarget, tunnel };
+  }
+  return { target: deployTarget };
+}
+async function runTunnelSetup(inquirer, chalk) {
+  console.log("");
+  console.log(chalk.bold("  Cloudflare Tunnel Setup"));
+  console.log(chalk.dim("  Exposes your local server to the internet via Cloudflare."));
+  console.log(chalk.dim("  No open ports, free TLS, auto-DNS.\n"));
+  console.log(chalk.bold("  1. Cloudflared CLI"));
+  let installed = false;
+  let version = "";
+  try {
+    version = execSync("cloudflared --version 2>&1", { encoding: "utf8", timeout: 5e3 }).trim();
+    installed = true;
+  } catch {
+  }
+  if (installed) {
+    console.log(chalk.green(`     \u2713 Installed (${version})
+`));
+  } else {
+    console.log(chalk.yellow("     Not installed."));
+    const { doInstall } = await inquirer.prompt([{
+      type: "confirm",
+      name: "doInstall",
+      message: "Install cloudflared now?",
+      default: true
+    }]);
+    if (!doInstall) {
+      console.log(chalk.red("\n  cloudflared is required for tunnel deployment."));
+      console.log(chalk.dim("  Install it manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/\n"));
+      process.exit(1);
+    }
+    console.log(chalk.dim("     Installing..."));
+    try {
+      await installCloudflared();
+      version = execSync("cloudflared --version 2>&1", { encoding: "utf8", timeout: 5e3 }).trim();
+      console.log(chalk.green(`     \u2713 Installed (${version})
+`));
+    } catch (err) {
+      console.log(chalk.red(`     \u2717 Installation failed: ${err.message}`));
+      console.log(chalk.dim("     Install manually and re-run setup.\n"));
+      process.exit(1);
+    }
+  }
+  console.log(chalk.bold("  2. Cloudflare Authentication"));
+  const cfDir = join(homedir(), ".cloudflared");
+  const certPath = join(cfDir, "cert.pem");
+  const loggedIn = existsSync(certPath);
+  if (loggedIn) {
+    console.log(chalk.green("     \u2713 Already authenticated\n"));
+  } else {
+    console.log(chalk.dim("     This will open your browser to authorize Cloudflare.\n"));
+    const { doLogin } = await inquirer.prompt([{
+      type: "confirm",
+      name: "doLogin",
+      message: "Open browser to login to Cloudflare?",
+      default: true
+    }]);
+    if (!doLogin) {
+      console.log(chalk.red("\n  Cloudflare auth is required. Run `cloudflared tunnel login` manually.\n"));
+      process.exit(1);
+    }
+    console.log(chalk.dim("     Waiting for browser authorization..."));
+    try {
+      await execP("cloudflared tunnel login", { timeout: 12e4 });
+      console.log(chalk.green("     \u2713 Authenticated\n"));
+    } catch (err) {
+      console.log(chalk.red(`     \u2717 Login failed or timed out: ${err.message}`));
+      console.log(chalk.dim("     Complete the browser authorization and try again.\n"));
+      process.exit(1);
+    }
+  }
+  console.log(chalk.bold("  3. Tunnel Configuration"));
+  const { domain, port, tunnelName } = await inquirer.prompt([
+    {
+      type: "input",
+      name: "domain",
+      message: "Domain (e.g. dashboard.yourcompany.com):",
+      validate: (v) => v.includes(".") ? true : "Enter a valid domain"
+    },
+    {
+      type: "number",
+      name: "port",
+      message: "Local port:",
+      default: 3200
+    },
+    {
+      type: "input",
+      name: "tunnelName",
+      message: "Tunnel name:",
+      default: "agenticmail-enterprise"
+    }
+  ]);
+  console.log("");
+  console.log(chalk.bold("  4. Deploying"));
+  let tunnelId = "";
+  try {
+    console.log(chalk.dim("     Creating tunnel..."));
+    const out = execSync(`cloudflared tunnel create ${tunnelName} 2>&1`, { encoding: "utf8", timeout: 3e4 });
+    const match = out.match(/Created tunnel .+ with id ([a-f0-9-]+)/);
+    tunnelId = match?.[1] || "";
+    console.log(chalk.green(`     \u2713 Tunnel created: ${tunnelName} (${tunnelId})`));
+  } catch (e) {
+    if (e.message?.includes("already exists") || e.stderr?.includes("already exists")) {
+      try {
+        const listOut = execSync("cloudflared tunnel list --output json 2>&1", { encoding: "utf8", timeout: 15e3 });
+        const tunnels = JSON.parse(listOut);
+        const existing = tunnels.find((t) => t.name === tunnelName);
+        if (existing) {
+          tunnelId = existing.id;
+          console.log(chalk.green(`     \u2713 Using existing tunnel: ${tunnelName} (${tunnelId})`));
+        }
+      } catch {
+        console.log(chalk.red(`     \u2717 Tunnel "${tunnelName}" exists but couldn't read its ID`));
+        process.exit(1);
+      }
+    } else {
+      console.log(chalk.red(`     \u2717 Failed to create tunnel: ${e.message}`));
+      process.exit(1);
+    }
+  }
+  if (!tunnelId) {
+    console.log(chalk.red("     \u2717 Could not determine tunnel ID"));
+    process.exit(1);
+  }
+  const config = [
+    `tunnel: ${tunnelId}`,
+    `credentials-file: ${join(cfDir, tunnelId + ".json")}`,
+    "",
+    "ingress:",
+    `  - hostname: ${domain}`,
+    `    service: http://localhost:${port}`,
+    "  - service: http_status:404"
+  ].join("\n");
+  writeFileSync(join(cfDir, "config.yml"), config);
+  console.log(chalk.green(`     \u2713 Config written: ${domain} \u2192 localhost:${port}`));
+  try {
+    execSync(`cloudflared tunnel route dns ${tunnelId} ${domain} 2>&1`, { encoding: "utf8", timeout: 3e4 });
+    console.log(chalk.green(`     \u2713 DNS CNAME created: ${domain}`));
+  } catch (e) {
+    if (e.message?.includes("already exists") || e.stderr?.includes("already exists")) {
+      console.log(chalk.green(`     \u2713 DNS CNAME already exists for ${domain}`));
+    } else {
+      console.log(chalk.yellow(`     \u26A0 DNS routing failed \u2014 add CNAME manually: ${domain} \u2192 ${tunnelId}.cfargotunnel.com`));
+    }
+  }
+  let started = false;
+  try {
+    execSync("which pm2", { timeout: 3e3 });
+    try {
+      execSync("pm2 delete cloudflared 2>/dev/null", { timeout: 5e3 });
+    } catch {
+    }
+    execSync(`pm2 start cloudflared --name cloudflared -- tunnel run`, { encoding: "utf8", timeout: 15e3 });
+    try {
+      execSync("pm2 save 2>/dev/null", { timeout: 5e3 });
+    } catch {
+    }
+    console.log(chalk.green("     \u2713 Tunnel running via PM2 (auto-restarts on crash)"));
+    started = true;
+  } catch {
+  }
+  if (!started) {
+    try {
+      console.log(chalk.dim("     Installing PM2 for process management..."));
+      execSync("npm install -g pm2", { timeout: 6e4, stdio: "pipe" });
+      try {
+        execSync("pm2 delete cloudflared 2>/dev/null", { timeout: 5e3 });
+      } catch {
+      }
+      execSync(`pm2 start cloudflared --name cloudflared -- tunnel run`, { encoding: "utf8", timeout: 15e3 });
+      try {
+        execSync("pm2 save 2>/dev/null", { timeout: 5e3 });
+      } catch {
+      }
+      console.log(chalk.green("     \u2713 PM2 installed + tunnel running (auto-restarts on crash)"));
+      started = true;
+    } catch {
+      console.log(chalk.yellow("     \u26A0 PM2 not available \u2014 tunnel started in background"));
+      console.log(chalk.dim("       Install PM2 for auto-restart: npm install -g pm2"));
+      try {
+        const { spawn } = await import("child_process");
+        const child = spawn("cloudflared", ["tunnel", "run"], { detached: true, stdio: "ignore" });
+        child.unref();
+        started = true;
+      } catch {
+      }
+    }
+  }
+  console.log("");
+  console.log(chalk.green.bold(`  \u2713 Tunnel deployed! Your dashboard will be at https://${domain}`));
+  console.log("");
+  return { tunnelId, domain, port, tunnelName };
+}
+async function installCloudflared() {
+  const plat = platform();
+  const a = arch();
+  if (plat === "darwin") {
+    try {
+      execSync("which brew", { timeout: 3e3 });
+      execSync("brew install cloudflared 2>&1", { encoding: "utf8", timeout: 12e4 });
+      return;
+    } catch {
+    }
+    const cfArch = a === "arm64" ? "arm64" : "amd64";
+    execSync(
+      `curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-${cfArch} && chmod +x /usr/local/bin/cloudflared`,
+      { timeout: 6e4 }
+    );
+  } else if (plat === "linux") {
+    const cfArch = a === "arm64" ? "arm64" : "amd64";
+    execSync(
+      `curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${cfArch} && chmod +x /usr/local/bin/cloudflared`,
+      { timeout: 6e4 }
+    );
+  } else {
+    throw new Error("Unsupported platform: " + plat);
+  }
+}
+
+// src/setup/domain.ts
+async function promptDomain(inquirer, chalk, deployTarget) {
+  if (deployTarget === "local") {
+    return {};
+  }
+  console.log("");
+  console.log(chalk.bold.cyan("  Step 4 of 5: Custom Domain"));
+  console.log(chalk.dim("  Configure how your team will access the dashboard.\n"));
+  const targetHints = {
+    cloud: "By default, your dashboard is at <subdomain>.agenticmail.io. Add a custom domain for a branded URL.",
+    docker: "Configure your reverse proxy (nginx, Caddy, etc.) to route your domain to the Docker container.",
+    fly: "After deploying, run `fly certs add <domain>` to provision TLS for your domain.",
+    railway: "Add your domain in Railway project settings after deploying."
+  };
+  if (targetHints[deployTarget]) {
+    console.log(chalk.dim(`  ${targetHints[deployTarget]}`));
+    console.log("");
+  }
+  const { domainMode } = await inquirer.prompt([{
+    type: "list",
+    name: "domainMode",
+    message: "Domain setup:",
+    choices: [
+      {
+        name: `Use default subdomain only  ${chalk.dim("(<subdomain>.agenticmail.io)")}`,
+        value: "subdomain_only"
+      },
+      {
+        name: `Add a custom subdomain  ${chalk.dim("(e.g. agents.yourcompany.com)")}`,
+        value: "custom_subdomain"
+      },
+      {
+        name: `Deploy on my root domain  ${chalk.dim("(e.g. yourcompany.com \u2014 no subdomain)")}`,
+        value: "root_domain"
+      }
+    ]
+  }]);
+  if (domainMode === "subdomain_only") {
+    return {};
+  }
+  const isRoot = domainMode === "root_domain";
+  const { domain } = await inquirer.prompt([{
+    type: "input",
+    name: "domain",
+    message: isRoot ? "Your domain:" : "Custom domain:",
+    suffix: isRoot ? chalk.dim("  (e.g. yourcompany.com)") : chalk.dim("  (e.g. agents.yourcompany.com)"),
+    validate: (v) => {
+      const d = v.trim().toLowerCase();
+      if (!d.includes(".")) return "Enter a valid domain (e.g. yourcompany.com)";
+      if (d.startsWith("http")) return "Enter just the domain, not a URL";
+      if (d.endsWith(".")) return "Do not include a trailing dot";
+      return true;
+    },
+    filter: (v) => v.trim().toLowerCase()
+  }]);
+  if (isRoot) {
+    console.log("");
+    console.log(chalk.bold("  Root Domain Deployment"));
+    console.log(chalk.dim(`  Your dashboard will be accessible at: ${chalk.white("https://" + domain)}`));
+    console.log(chalk.dim("  This means the entire domain is dedicated to your AgenticMail deployment."));
+    console.log("");
+  }
+  console.log("");
+  console.log(chalk.dim("  After setup, you will need DNS records for this domain:"));
+  console.log("");
+  if (isRoot) {
+    console.log(chalk.dim(`  1. ${chalk.white("A record")}         \u2014 point ${domain} to your server IP`));
+    console.log(chalk.dim(`     (or CNAME if your provider allows it at the apex)`));
+  } else {
+    console.log(chalk.dim(`  1. ${chalk.white("CNAME or A record")}  \u2014 routes traffic to your server`));
+  }
+  console.log(chalk.dim(`  2. ${chalk.white("TXT record")}          \u2014 proves domain ownership (next step)`));
+  console.log("");
+  return {
+    customDomain: domain,
+    useRootDomain: isRoot || void 0
+  };
+}
+
+// src/setup/registration.ts
+import { randomBytes } from "crypto";
+var REGISTRY_BASE_URL = process.env.AGENTICMAIL_REGISTRY_URL || "https://agenticmail.io/enterprise/v1";
+async function promptRegistration(inquirer, chalk, ora, domain, companyName, adminEmail) {
+  if (!domain) {
+    return { registered: false, verificationStatus: "skipped" };
+  }
+  console.log("");
+  console.log(chalk.bold.cyan("  Step 5 of 5: Domain Registration"));
+  console.log(chalk.dim("  Protect your deployment from unauthorized duplication.\n"));
+  const { wantsRegistration } = await inquirer.prompt([{
+    type: "confirm",
+    name: "wantsRegistration",
+    message: `Register ${chalk.bold(domain)} with AgenticMail?`,
+    default: true
+  }]);
+  if (!wantsRegistration) {
+    console.log(chalk.dim("  Skipped. You can register later from the dashboard.\n"));
+    return { registered: false, verificationStatus: "skipped" };
+  }
+  const spinner = ora("Generating deployment key...").start();
+  const { createHash } = await import("crypto");
+  const plaintextKey = randomBytes(32).toString("hex");
+  const keyHash = createHash("sha256").update(plaintextKey).digest("hex");
+  spinner.succeed("Deployment key generated");
+  spinner.start("Registering domain with AgenticMail registry...");
+  const registryUrl = REGISTRY_BASE_URL.replace(/\/$/, "");
+  let registrationId;
+  let dnsChallenge;
+  try {
+    const res = await fetch(`${registryUrl}/domains/register`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        domain: domain.toLowerCase().trim(),
+        keyHash,
+        sha256Hash: keyHash,
+        orgName: companyName,
+        contactEmail: adminEmail
+      }),
+      signal: AbortSignal.timeout(15e3)
+    });
+    const data = await res.json().catch(() => ({}));
+    if (res.status === 409) {
+      spinner.info("Domain already registered \u2014 verifying ownership");
+      console.log("");
+      console.log(chalk.yellow("  This domain is already registered and verified."));
+      console.log(chalk.dim("  Enter your deployment key to prove ownership and continue.\n"));
+      const { deploymentKey } = await inquirer.prompt([{
+        type: "password",
+        name: "deploymentKey",
+        message: "Deployment key:",
+        mask: "*",
+        validate: (v) => v.length === 64 || "Deployment key should be 64 hex characters"
+      }]);
+      const recoverSpinner = ora("Verifying deployment key...").start();
+      try {
+        const recoverRes = await fetch(`${registryUrl}/domains/recover`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            domain: domain.toLowerCase().trim(),
+            deploymentKey
+          }),
+          signal: AbortSignal.timeout(15e3)
+        });
+        const recoverData = await recoverRes.json().catch(() => ({}));
+        if (recoverRes.status === 403) {
+          recoverSpinner.fail("Invalid deployment key");
+          console.log("");
+          console.log(chalk.red("  The deployment key does not match this domain."));
+          console.log("");
+          const { continueAnyway } = await inquirer.prompt([{
+            type: "confirm",
+            name: "continueAnyway",
+            message: "Continue setup without registration?",
+            default: true
+          }]);
+          if (continueAnyway) {
+            return { registered: false, verificationStatus: "skipped" };
+          }
+          process.exit(1);
+        }
+        if (!recoverRes.ok) {
+          throw new Error(recoverData.error || `HTTP ${recoverRes.status}`);
+        }
+        recoverSpinner.succeed("Ownership verified \u2014 domain recovered");
+        registrationId = recoverData.registrationId;
+        dnsChallenge = recoverData.dnsChallenge;
+        const verifyRes = await fetch(`${registryUrl}/domains/verify`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ domain: domain.toLowerCase().trim() }),
+          signal: AbortSignal.timeout(15e3)
+        });
+        const verifyData = await verifyRes.json().catch(() => ({}));
+        const { createHash: createHash2 } = await import("crypto");
+        const localKeyHash = createHash2("sha256").update(deploymentKey).digest("hex");
+        return {
+          registered: true,
+          deploymentKeyHash: localKeyHash,
+          dnsChallenge,
+          registrationId,
+          verificationStatus: verifyData?.verified ? "verified" : "pending_dns"
+        };
+      } catch (err) {
+        recoverSpinner.fail(`Recovery failed: ${err.message}`);
+        const { continueAnyway } = await inquirer.prompt([{
+          type: "confirm",
+          name: "continueAnyway",
+          message: "Continue setup without registration?",
+          default: true
+        }]);
+        if (continueAnyway) {
+          return { registered: false, verificationStatus: "skipped" };
+        }
+        process.exit(1);
+      }
+    }
+    if (!res.ok) {
+      throw new Error(data.error || `HTTP ${res.status}`);
+    }
+    registrationId = data.registrationId;
+    dnsChallenge = data.dnsChallenge;
+    spinner.succeed("Domain registered");
+  } catch (err) {
+    spinner.warn("Registry unavailable");
+    console.log("");
+    console.log(chalk.yellow(`  Could not reach registry: ${err.message}`));
+    console.log(chalk.dim("  You can register later with: npx @agenticmail/enterprise verify-domain"));
+    console.log("");
+    const { continueAnyway } = await inquirer.prompt([{
+      type: "confirm",
+      name: "continueAnyway",
+      message: "Continue setup without registration?",
+      default: true
+    }]);
+    if (continueAnyway) {
+      return { registered: false, verificationStatus: "skipped" };
+    }
+    process.exit(1);
+  }
+  console.log("");
+  console.log(chalk.red.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+  console.log(chalk.red.bold("  \u2551") + chalk.white.bold("  DEPLOYMENT KEY \u2014 SAVE THIS NOW                                     ") + chalk.red.bold("\u2551"));
+  console.log(chalk.red.bold("  \u2551") + "                                                                      " + chalk.red.bold("\u2551"));
+  console.log(chalk.red.bold("  \u2551") + `  ${chalk.green.bold(plaintextKey)}  ` + chalk.red.bold("\u2551"));
+  console.log(chalk.red.bold("  \u2551") + "                                                                      " + chalk.red.bold("\u2551"));
+  console.log(chalk.red.bold("  \u2551") + chalk.dim("  This key is shown ONCE. Store it securely (password manager,       ") + chalk.red.bold("\u2551"));
+  console.log(chalk.red.bold("  \u2551") + chalk.dim("  vault, printed backup). You need it to recover this domain.        ") + chalk.red.bold("\u2551"));
+  console.log(chalk.red.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+  console.log("");
+  console.log(chalk.bold("  Add this DNS TXT record to prove domain ownership:"));
+  console.log("");
+  console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
+  console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("TXT")}`);
+  console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(dnsChallenge)}`);
+  console.log("");
+  console.log(chalk.dim("  DNS changes can take up to 48 hours to propagate."));
+  console.log("");
+  await inquirer.prompt([{
+    type: "confirm",
+    name: "keySaved",
+    message: "I have saved my deployment key",
+    default: false
+  }]);
+  const { checkNow } = await inquirer.prompt([{
+    type: "confirm",
+    name: "checkNow",
+    message: "Check DNS verification now?",
+    default: false
+  }]);
+  let verificationStatus = "pending_dns";
+  if (checkNow) {
+    for (let attempt = 1; attempt <= 5; attempt++) {
+      spinner.start(`Checking DNS (attempt ${attempt}/5)...`);
+      try {
+        const res = await fetch(`${registryUrl}/domains/verify`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ domain: domain.toLowerCase().trim() }),
+          signal: AbortSignal.timeout(15e3)
+        });
+        const data = await res.json().catch(() => ({}));
+        if (data.verified) {
+          spinner.succeed("Domain verified!");
+          verificationStatus = "verified";
+          break;
+        }
+      } catch {
+      }
+      if (attempt < 5) {
+        spinner.text = `DNS record not found yet. Retrying in 10s (attempt ${attempt}/5)...`;
+        await new Promise((r) => setTimeout(r, 1e4));
+      } else {
+        spinner.info("DNS record not found yet");
+        console.log(chalk.dim("  Run later: npx @agenticmail/enterprise verify-domain"));
+      }
+    }
+  } else {
+    console.log(chalk.dim("  Run when ready: npx @agenticmail/enterprise verify-domain"));
+  }
+  console.log("");
+  return {
+    registered: true,
+    deploymentKeyHash: keyHash,
+    dnsChallenge,
+    registrationId,
+    verificationStatus
+  };
+}
+
+// src/setup/provision.ts
+import { randomUUID, randomBytes as randomBytes2 } from "crypto";
+function generateOrgId() {
+  const chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
+  const bytes = randomBytes2(10);
+  let id = "";
+  for (let i = 0; i < 10; i++) id += chars[bytes[i] % chars.length];
+  return id;
+}
+async function provision(config, ora, chalk) {
+  const spinner = ora("Connecting to database...").start();
+  const jwtSecret = randomUUID() + randomUUID();
+  const vaultKey = randomUUID() + randomUUID();
+  try {
+    const { createAdapter } = await import("./factory-672W7A5B.js");
+    const db = await createAdapter({
+      type: config.database.type,
+      connectionString: config.database.connectionString,
+      region: config.database.region,
+      accessKeyId: config.database.accessKeyId,
+      secretAccessKey: config.database.secretAccessKey,
+      authToken: config.database.authToken
+    });
+    spinner.text = "Running migrations...";
+    await db.migrate();
+    spinner.succeed("Database ready");
+    const engineDbInterface = db.getEngineDB();
+    if (engineDbInterface) {
+      spinner.start("Initializing engine...");
+      const { EngineDatabase } = await import("./db-adapter-FBLIO7QY.js");
+      const dialectMap = {
+        sqlite: "sqlite",
+        postgres: "postgres",
+        supabase: "postgres",
+        neon: "postgres",
+        cockroachdb: "postgres",
+        mysql: "mysql",
+        planetscale: "mysql",
+        turso: "turso"
+      };
+      const engineDialect = dialectMap[db.getDialect()] || db.getDialect();
+      const engineDb = new EngineDatabase(engineDbInterface, engineDialect);
+      const migResult = await engineDb.migrate();
+      spinner.succeed(`Engine ready (${migResult.applied} migrations applied)`);
+    }
+    spinner.start("Creating company...");
+    const orgId = generateOrgId();
+    const corsOrigins = [];
+    if (config.domain.customDomain) {
+      corsOrigins.push(`https://${config.domain.customDomain}`);
+    }
+    if (config.company.subdomain) {
+      corsOrigins.push(`https://${config.company.subdomain}.agenticmail.io`);
+    }
+    if (config.deployTarget === "local") {
+      corsOrigins.push("http://localhost:3000", "http://localhost:8080", "http://127.0.0.1:3000", "http://127.0.0.1:8080");
+    }
+    await db.updateSettings({
+      name: config.company.companyName,
+      subdomain: config.company.subdomain,
+      domain: config.domain.customDomain,
+      orgId,
+      ...corsOrigins.length > 0 ? {
+        firewallConfig: {
+          network: { corsOrigins }
+        }
+      } : {}
+    });
+    spinner.succeed(`Company created (org: ${orgId})`);
+    if (config.registration?.registered) {
+      spinner.start("Saving domain registration...");
+      await db.updateSettings({
+        deploymentKeyHash: config.registration.deploymentKeyHash,
+        domainRegistrationId: config.registration.registrationId,
+        domainDnsChallenge: config.registration.dnsChallenge,
+        domainRegisteredAt: (/* @__PURE__ */ new Date()).toISOString(),
+        domainStatus: config.registration.verificationStatus === "verified" ? "verified" : "pending_dns",
+        ...config.registration.verificationStatus === "verified" ? { domainVerifiedAt: (/* @__PURE__ */ new Date()).toISOString() } : {}
+      });
+      spinner.succeed("Domain registration saved");
+    }
+    spinner.start("Creating admin account...");
+    let admin;
+    try {
+      admin = await db.createUser({
+        email: config.company.adminEmail,
+        name: "Admin",
+        role: "owner",
+        password: config.company.adminPassword
+      });
+    } catch (err) {
+      if (err.message?.includes("duplicate key") || err.message?.includes("UNIQUE constraint") || err.code === "23505") {
+        admin = await db.getUserByEmail(config.company.adminEmail);
+        if (!admin) throw err;
+        spinner.text = "Admin account already exists, reusing...";
+      } else {
+        throw err;
+      }
+    }
+    await db.logEvent({
+      actor: admin.id,
+      actorType: "system",
+      action: "setup.complete",
+      resource: `company:${config.company.subdomain}`,
+      details: {
+        dbType: config.database.type,
+        deployTarget: config.deployTarget,
+        companyName: config.company.companyName
+      }
+    });
+    spinner.succeed("Admin account created");
+    try {
+      const { writeFileSync: writeFileSync2, existsSync: existsSync2, mkdirSync } = await import("fs");
+      const { join: join3 } = await import("path");
+      const { homedir: homedir2 } = await import("os");
+      const envDir = join3(homedir2(), ".agenticmail");
+      if (!existsSync2(envDir)) mkdirSync(envDir, { recursive: true });
+      const port = config.tunnel?.port || (config.deployTarget === "local" ? 3e3 : void 0) || (config.deployTarget === "docker" ? 3e3 : void 0) || 3200;
+      const envContent = [
+        "# AgenticMail Enterprise \u2014 auto-generated by setup wizard",
+        `DATABASE_URL=${config.database.connectionString || ""}`,
+        `JWT_SECRET=${jwtSecret}`,
+        `AGENTICMAIL_VAULT_KEY=${vaultKey}`,
+        `PORT=${port}`
+      ].join("\n") + "\n";
+      writeFileSync2(join3(envDir, ".env"), envContent, { mode: 384 });
+      spinner.succeed(`Config saved to ~/.agenticmail/.env`);
+    } catch {
+    }
+    const result = await deploy(config, db, jwtSecret, vaultKey, spinner, chalk);
+    return {
+      success: true,
+      url: result.url,
+      jwtSecret,
+      db,
+      serverClose: result.close
+    };
+  } catch (err) {
+    spinner.fail(`Setup failed: ${err.message}`);
+    return {
+      success: false,
+      error: err.message,
+      jwtSecret,
+      db: null
+    };
+  }
+}
+async function deploy(config, db, jwtSecret, vaultKey, spinner, chalk) {
+  const { deployTarget, company, database, domain, tunnel } = config;
+  if (deployTarget === "cloudflare-tunnel" && tunnel) {
+    spinner.start(`Starting local server on port ${tunnel.port}...`);
+    const { createServer: createServer2 } = await import("./server-Q4KBC33A.js");
+    const server2 = createServer2({ port: tunnel.port, db, jwtSecret });
+    const handle2 = await server2.start();
+    spinner.succeed("Server running");
+    console.log("");
+    console.log(chalk.green.bold("  AgenticMail Enterprise is live!"));
+    console.log("");
+    console.log(`  ${chalk.bold("Public URL:")}  ${chalk.cyan("https://" + tunnel.domain)}`);
+    console.log(`  ${chalk.bold("Local:")}       ${chalk.cyan("http://localhost:" + tunnel.port)}`);
+    console.log(`  ${chalk.bold("Tunnel:")}      ${tunnel.tunnelName} (${tunnel.tunnelId})`);
+    console.log(`  ${chalk.bold("Admin:")}       ${company.adminEmail}`);
+    console.log("");
+    console.log(chalk.dim("  Tunnel is managed by PM2 \u2014 auto-restarts on crash."));
+    console.log(chalk.dim("  Manage: pm2 status | pm2 logs cloudflared | pm2 restart cloudflared"));
+    console.log(chalk.dim("  Press Ctrl+C to stop the server"));
+    return { url: "https://" + tunnel.domain, close: handle2.close };
+  }
+  if (deployTarget === "cloud") {
+    spinner.start("Deploying to AgenticMail Cloud...");
+    const { deployToCloud } = await import("./managed-AP6ZSDYJ.js");
+    const result = await deployToCloud({
+      subdomain: company.subdomain,
+      plan: "free",
+      dbType: database.type,
+      dbConnectionString: database.connectionString || "",
+      jwtSecret
+    });
+    spinner.succeed(`Deployed to ${result.url}`);
+    printCloudSuccess(chalk, result.url, company.adminEmail, domain.customDomain, company.subdomain);
+    return { url: result.url };
+  }
+  if (deployTarget === "docker") {
+    const { generateDockerCompose, generateEnvFile } = await import("./managed-AP6ZSDYJ.js");
+    const compose = generateDockerCompose({ port: 3e3 });
+    const envFile = generateEnvFile({
+      dbType: database.type,
+      dbConnectionString: database.connectionString || "",
+      jwtSecret,
+      vaultKey
+    });
+    const { writeFileSync: writeFileSync2, existsSync: existsSync2, appendFileSync } = await import("fs");
+    writeFileSync2("docker-compose.yml", compose);
+    writeFileSync2(".env", envFile);
+    if (existsSync2(".gitignore")) {
+      const content = await import("fs").then((f) => f.readFileSync(".gitignore", "utf-8"));
+      if (!content.includes(".env")) {
+        appendFileSync(".gitignore", "\n# Secrets\n.env\n");
+      }
+    } else {
+      writeFileSync2(".gitignore", "# Secrets\n.env\nnode_modules/\n");
+    }
+    spinner.succeed("docker-compose.yml + .env generated");
+    console.log("");
+    console.log(chalk.green.bold("  Docker deployment ready!"));
+    console.log("");
+    console.log(`  Run:       ${chalk.cyan("docker compose up -d")}`);
+    console.log(`  Dashboard: ${chalk.cyan("http://localhost:3000")}`);
+    console.log(chalk.dim("  Secrets stored in .env \u2014 do not commit to git"));
+    if (domain.customDomain) {
+      printCustomDomainInstructions(chalk, domain.customDomain, "docker");
+    }
+    return { url: "http://localhost:3000" };
+  }
+  if (deployTarget === "fly") {
+    const { generateFlyToml } = await import("./managed-AP6ZSDYJ.js");
+    const flyToml = generateFlyToml(`am-${company.subdomain}`, "iad");
+    const { writeFileSync: writeFileSync2 } = await import("fs");
+    writeFileSync2("fly.toml", flyToml);
+    spinner.succeed("fly.toml generated");
+    console.log("");
+    console.log(chalk.green.bold("  Fly.io deployment ready!"));
+    console.log("");
+    console.log(`  1. ${chalk.cyan("fly launch --copy-config")}`);
+    console.log(`  2. ${chalk.cyan(`fly secrets set DATABASE_URL="${database.connectionString}" JWT_SECRET="${jwtSecret}" AGENTICMAIL_VAULT_KEY="${vaultKey}"`)}`);
+    console.log(`  3. ${chalk.cyan("fly deploy")}`);
+    if (domain.customDomain) {
+      console.log(`  4. ${chalk.cyan(`fly certs add ${domain.customDomain}`)}`);
+      printCustomDomainInstructions(chalk, domain.customDomain, "fly", `am-${company.subdomain}.fly.dev`);
+    }
+    return {};
+  }
+  if (deployTarget === "railway") {
+    const { generateRailwayConfig } = await import("./managed-AP6ZSDYJ.js");
+    const railwayConfig = generateRailwayConfig();
+    const { writeFileSync: writeFileSync2 } = await import("fs");
+    writeFileSync2("railway.toml", railwayConfig);
+    spinner.succeed("railway.toml generated");
+    console.log("");
+    console.log(chalk.green.bold("  Railway deployment ready!"));
+    console.log("");
+    console.log(`  1. ${chalk.cyan("railway init")}`);
+    console.log(`  2. ${chalk.cyan("railway link")}`);
+    console.log(`  3. ${chalk.cyan("railway up")}`);
+    if (domain.customDomain) {
+      printCustomDomainInstructions(chalk, domain.customDomain, "railway");
+    }
+    return {};
+  }
+  spinner.start("Starting local server...");
+  const { createServer } = await import("./server-Q4KBC33A.js");
+  const server = createServer({ port: 3e3, db, jwtSecret });
+  const handle = await server.start();
+  spinner.succeed("Server running");
+  console.log("");
+  console.log(chalk.green.bold("  AgenticMail Enterprise is running!"));
+  console.log("");
+  console.log(`  ${chalk.bold("Dashboard:")}  ${chalk.cyan("http://localhost:3000")}`);
+  console.log(`  ${chalk.bold("API:")}        ${chalk.cyan("http://localhost:3000/api")}`);
+  console.log(`  ${chalk.bold("Admin:")}      ${company.adminEmail}`);
+  console.log("");
+  console.log(chalk.dim("  Press Ctrl+C to stop"));
+  return { url: "http://localhost:3000", close: handle.close };
+}
+function printCloudSuccess(chalk, url, adminEmail, customDomain, subdomain) {
+  console.log("");
+  console.log(chalk.green.bold("  Your dashboard is live!"));
+  console.log("");
+  console.log(`  ${chalk.bold("URL:")}      ${chalk.cyan(url)}`);
+  console.log(`  ${chalk.bold("Admin:")}    ${adminEmail}`);
+  console.log(`  ${chalk.bold("Password:")} (the one you just set)`);
+  if (customDomain) {
+    printCustomDomainInstructions(chalk, customDomain, "cloud", `${subdomain}.agenticmail.io`);
+  }
+}
+function printCustomDomainInstructions(chalk, domain, target, cnameTarget) {
+  console.log("");
+  console.log(chalk.bold("  Custom Domain DNS Setup"));
+  console.log(chalk.dim(`  Route ${chalk.white(domain)} to your deployment.
+`));
+  if (target === "cloud" && cnameTarget) {
+    console.log(chalk.bold("  Add this DNS record at your domain registrar:"));
+    console.log("");
+    console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("CNAME")}`);
+    console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(domain)}`);
+    console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(cnameTarget)}`);
+  } else if (target === "fly" && cnameTarget) {
+    console.log(chalk.bold("  Add this DNS record at your domain registrar:"));
+    console.log("");
+    console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("CNAME")}`);
+    console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(domain)}`);
+    console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(cnameTarget)}`);
+    console.log("");
+    console.log(chalk.dim("  Fly.io will automatically provision a TLS certificate."));
+  } else if (target === "railway") {
+    console.log(chalk.bold("  After deploying:"));
+    console.log("");
+    console.log(`  1. Open your Railway project dashboard`);
+    console.log(`  2. Go to ${chalk.bold("Settings")} \u2192 ${chalk.bold("Domains")}`);
+    console.log(`  3. Add ${chalk.cyan(domain)} as a custom domain`);
+    console.log(`  4. Railway will show you a ${chalk.bold("CNAME")} target \u2014 add it at your DNS provider`);
+  } else if (target === "docker") {
+    console.log(chalk.bold("  Configure your reverse proxy to route traffic:"));
+    console.log("");
+    console.log(`  ${chalk.bold("Domain:")}  ${chalk.cyan(domain)}`);
+    console.log(`  ${chalk.bold("Target:")}  ${chalk.cyan("localhost:3000")}  ${chalk.dim("(or your Docker host IP)")}`);
+    console.log("");
+    console.log(chalk.dim("  Example with nginx:"));
+    console.log(chalk.dim(""));
+    console.log(chalk.dim("    server {"));
+    console.log(chalk.dim(`      server_name ${domain};`));
+    console.log(chalk.dim("      location / {"));
+    console.log(chalk.dim("        proxy_pass http://localhost:3000;"));
+    console.log(chalk.dim("        proxy_set_header Host $host;"));
+    console.log(chalk.dim("        proxy_set_header X-Real-IP $remote_addr;"));
+    console.log(chalk.dim("      }"));
+    console.log(chalk.dim("    }"));
+    console.log("");
+    console.log(chalk.dim("  Then add a DNS A record pointing to your server IP,"));
+    console.log(chalk.dim("  or a CNAME if you have an existing hostname."));
+  }
+  console.log("");
+  console.log(chalk.dim("  Note: This CNAME/A record routes traffic. A separate TXT record"));
+  console.log(chalk.dim("  for domain verification was (or will be) configured in Step 5."));
+  console.log("");
+}
+
+// src/setup/index.ts
+var DB_DRIVER_MAP = {
+  postgres: ["pg"],
+  supabase: ["pg"],
+  neon: ["pg"],
+  cockroachdb: ["pg"],
+  mysql: ["mysql2"],
+  planetscale: ["mysql2"],
+  mongodb: ["mongodb"],
+  sqlite: ["better-sqlite3"],
+  turso: ["@libsql/client"],
+  dynamodb: ["@aws-sdk/client-dynamodb", "@aws-sdk/lib-dynamodb"]
+};
+async function ensureDbDriver(dbType, ora, chalk) {
+  const packages = DB_DRIVER_MAP[dbType];
+  if (!packages?.length) return;
+  const missing = [];
+  for (const pkg of packages) {
+    let found = false;
+    try {
+      await import(pkg);
+      found = true;
+    } catch {
+    }
+    if (!found) {
+      try {
+        const req = createRequire(join2(process.cwd(), "index.js"));
+        req.resolve(pkg);
+        found = true;
+      } catch {
+      }
+    }
+    if (!found) {
+      try {
+        const globalPrefix = execSync2("npm prefix -g", { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
+        const req = createRequire(join2(globalPrefix, "lib", "node_modules", ".package-lock.json"));
+        req.resolve(pkg);
+        found = true;
+      } catch {
+      }
+    }
+    if (!found) missing.push(pkg);
+  }
+  if (!missing.length) return;
+  const spinner = ora(`Installing database driver: ${missing.join(", ")}...`).start();
+  try {
+    execSync2(`npm install --no-save ${missing.join(" ")}`, {
+      stdio: "pipe",
+      timeout: 12e4,
+      cwd: process.cwd()
+    });
+    spinner.succeed(`Database driver installed: ${missing.join(", ")}`);
+  } catch (err) {
+    spinner.fail(`Failed to install ${missing.join(", ")}`);
+    console.error(chalk.red(`
+  Run manually: npm install ${missing.join(" ")}
+`));
+    process.exit(1);
+  }
+}
+async function runSetupWizard() {
+  const { default: inquirer } = await import("inquirer");
+  const { default: ora } = await import("ora");
+  const { default: chalk } = await import("chalk");
+  console.log("");
+  console.log(chalk.bold("  AgenticMail Enterprise"));
+  console.log(chalk.dim("  AI Agent Identity & Email for Organizations"));
+  console.log("");
+  console.log(chalk.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log("");
+  const company = await promptCompanyInfo(inquirer, chalk);
+  const database = await promptDatabase(inquirer, chalk);
+  const deploymentResult = await promptDeployment(inquirer, chalk);
+  const deployTarget = deploymentResult.target;
+  const domain = deploymentResult.tunnel ? { customDomain: deploymentResult.tunnel.domain } : await promptDomain(inquirer, chalk, deployTarget);
+  const registration = deploymentResult.tunnel ? { registered: true, verificationStatus: "verified" } : await promptRegistration(
+    inquirer,
+    chalk,
+    ora,
+    domain.customDomain,
+    company.companyName,
+    company.adminEmail
+  );
+  await ensureDbDriver(database.type, ora, chalk);
+  console.log("");
+  console.log(chalk.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log("");
+  const result = await provision(
+    { company, database, deployTarget, domain, registration, tunnel: deploymentResult.tunnel },
+    ora,
+    chalk
+  );
+  if (!result.success) {
+    console.error("");
+    console.error(chalk.red(`  Setup failed: ${result.error}`));
+    console.error(chalk.dim("  Check your database connection and try again."));
+    process.exit(1);
+  }
+  console.log("");
+}
+
+export {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+};