@agenticmail/enterprise 0.5.286 → 0.5.288

package/src/domain-lock/cli-recover.ts

@@ -37,6 +37,28 @@ export async function runRecover(args: string[]): Promise<void> {
   const { default: chalk } = await import('chalk');
   const { default: ora } = await import('ora');
 
+  // ─── Detect recovery type ─────────────────────────
+  const isCloud = hasFlag(args, '--cloud') || hasFlag(args, '-c');
+  if (isCloud || (!getFlag(args, '--domain') && !getFlag(args, '--key'))) {
+    // Ask which type
+    if (!isCloud && !getFlag(args, '--domain')) {
+      const { recoveryType } = await inquirer.prompt([{
+        type: 'list',
+        name: 'recoveryType',
+        message: 'What are you recovering?',
+        choices: [
+          { name: `AgenticMail Cloud  ${chalk.dim('(yourname.agenticmail.io)')}`, value: 'cloud' },
+          { name: `Custom Domain  ${chalk.dim('(your own domain)')}`, value: 'domain' },
+        ],
+      }]);
+      if (recoveryType === 'cloud') {
+        return runCloudRecover(args, inquirer, chalk, ora);
+      }
+    } else if (isCloud) {
+      return runCloudRecover(args, inquirer, chalk, ora);
+    }
+  }
+
   console.log('');
   console.log(chalk.bold('  AgenticMail Enterprise — Domain Recovery'));
   console.log(chalk.dim('  Recover your domain registration on a new machine.'));
@@ -276,6 +298,182 @@ export async function runRecover(args: string[]): Promise<void> {
   }
 }
 
+// ─── AgenticMail Cloud Recovery ─────────────────────
+
+const REGISTRY_URL = process.env.AGENTICMAIL_SUBDOMAIN_REGISTRY_URL
+  || 'https://registry.agenticmail.io';
+
+async function runCloudRecover(args: string[], inquirer: any, chalk: any, ora: any): Promise<void> {
+  console.log('');
+  console.log(chalk.bold('  AgenticMail Cloud — Recovery'));
+  console.log(chalk.dim('  Recover your agenticmail.io subdomain on a new machine.'));
+  console.log('');
+  console.log(chalk.dim('  You will need your AGENTICMAIL_VAULT_KEY — the key from your'));
+  console.log(chalk.dim('  original installation\'s ~/.agenticmail/.env file.'));
+  console.log('');
+
+  // Step 1: Get vault key
+  let vaultKey = getFlag(args, '--vault-key') || process.env.AGENTICMAIL_VAULT_KEY;
+  if (!vaultKey) {
+    const answer = await inquirer.prompt([{
+      type: 'password',
+      name: 'vaultKey',
+      message: 'Your AGENTICMAIL_VAULT_KEY:',
+      mask: '*',
+      validate: (v: string) => v.trim().length >= 16 ? true : 'Key seems too short — check your backup',
+    }]);
+    vaultKey = answer.vaultKey.trim();
+  }
+
+  // Step 2: Optionally get subdomain name (speeds up recovery)
+  let subdomain = getFlag(args, '--name') || getFlag(args, '--subdomain');
+  if (!subdomain) {
+    const answer = await inquirer.prompt([{
+      type: 'input',
+      name: 'subdomain',
+      message: 'Your subdomain (optional — press Enter to auto-detect):',
+      suffix: chalk.dim('.agenticmail.io'),
+    }]);
+    subdomain = answer.subdomain?.trim() || undefined;
+  }
+
+  // Step 3: Recover from registry
+  const { createHash } = await import('crypto');
+  const vaultKeyHash = createHash('sha256').update(vaultKey!).digest('hex');
+
+  const spinner = ora('Recovering subdomain credentials...').start();
+  try {
+    const body: any = { vaultKeyHash };
+    if (subdomain) body.name = subdomain;
+
+    const resp = await fetch(`${REGISTRY_URL}/recover`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    });
+    const data = await resp.json() as any;
+
+    if (!data.success) {
+      spinner.fail(data.error || 'Recovery failed');
+      console.log('');
+      console.log(chalk.dim('  Make sure you are using the exact AGENTICMAIL_VAULT_KEY from'));
+      console.log(chalk.dim('  your original installation (~/.agenticmail/.env).'));
+      return;
+    }
+
+    spinner.succeed(`Recovered: ${chalk.bold(data.fqdn)}`);
+
+    // Step 4: Save to .env
+    const { existsSync, readFileSync, writeFileSync, mkdirSync } = await import('fs');
+    const { join } = await import('path');
+    const { homedir } = await import('os');
+
+    const amDir = join(homedir(), '.agenticmail');
+    mkdirSync(amDir, { recursive: true });
+    const envPath = join(amDir, '.env');
+
+    let envContent = '';
+    if (existsSync(envPath)) {
+      envContent = readFileSync(envPath, 'utf8');
+    }
+
+    // Update or add each key
+    const updates: Record<string, string> = {
+      AGENTICMAIL_VAULT_KEY: vaultKey!,
+      AGENTICMAIL_SUBDOMAIN: data.subdomain,
+      AGENTICMAIL_DOMAIN: data.fqdn,
+      CLOUDFLARED_TOKEN: data.tunnelToken,
+    };
+
+    for (const [key, val] of Object.entries(updates)) {
+      if (!val) continue;
+      const regex = new RegExp(`^${key}=.*$`, 'm');
+      if (regex.test(envContent)) {
+        envContent = envContent.replace(regex, `${key}=${val}`);
+      } else {
+        envContent += `${envContent.endsWith('\n') ? '' : '\n'}${key}=${val}\n`;
+      }
+    }
+
+    writeFileSync(envPath, envContent, { mode: 0o600 });
+
+    console.log('');
+    console.log(chalk.green.bold('  Recovery complete!'));
+    console.log('');
+    console.log(`  Subdomain:    ${chalk.bold(data.fqdn)}`);
+    console.log(`  Tunnel Token: ${chalk.dim('saved to ~/.agenticmail/.env')}`);
+    console.log(`  Vault Key:    ${chalk.dim('saved to ~/.agenticmail/.env')}`);
+    console.log('');
+    console.log(chalk.bold('  Next steps:'));
+    console.log('');
+    console.log(`  1. Set your DATABASE_URL in ${chalk.dim('~/.agenticmail/.env')}`);
+    console.log(`     ${chalk.dim('(same database from your original installation)')}`);
+    console.log('');
+    console.log(`  2. Start your instance:`);
+    console.log(`     ${chalk.cyan('npx @agenticmail/enterprise start')}`);
+    console.log('');
+    console.log(chalk.dim('  The server will auto-start cloudflared with your tunnel token.'));
+    console.log(chalk.dim('  Your dashboard will be live again at https://' + data.fqdn));
+    console.log('');
+
+    // Step 5: Offer to install cloudflared now
+    const { doInstall } = await inquirer.prompt([{
+      type: 'confirm',
+      name: 'doInstall',
+      message: 'Install cloudflared and start the tunnel now?',
+      default: true,
+    }]);
+
+    if (doInstall) {
+      const { execSync } = await import('child_process');
+      const { platform, arch } = await import('os');
+
+      // Install cloudflared if needed
+      try {
+        execSync('which cloudflared', { timeout: 3000 });
+        console.log(chalk.green('  cloudflared already installed'));
+      } catch {
+        const spinner2 = ora('Installing cloudflared...').start();
+        try {
+          const os = platform();
+          if (os === 'darwin') {
+            try {
+              execSync('brew install cloudflared', { stdio: 'pipe', timeout: 120000 });
+            } catch {
+              const cfArch = arch() === 'arm64' ? 'arm64' : 'amd64';
+              execSync(`curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-${cfArch} && chmod +x /usr/local/bin/cloudflared`, { timeout: 60000 });
+            }
+          } else {
+            const cfArch = arch() === 'arm64' ? 'arm64' : 'amd64';
+            execSync(`curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${cfArch} && chmod +x /usr/local/bin/cloudflared`, { timeout: 60000 });
+          }
+          spinner2.succeed('cloudflared installed');
+        } catch (e: any) {
+          spinner2.fail('Could not install cloudflared: ' + e.message);
+          console.log(chalk.dim('  Install manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/'));
+        }
+      }
+
+      // Start via PM2
+      try {
+        const { execSync: ex } = await import('child_process');
+        ex('which pm2', { timeout: 3000 });
+        try { ex('pm2 delete cloudflared 2>/dev/null', { timeout: 5000 }); } catch {}
+        ex(`pm2 start cloudflared --name cloudflared -- tunnel --no-autoupdate run --token ${data.tunnelToken}`, { timeout: 15000 });
+        try { ex('pm2 save 2>/dev/null', { timeout: 5000 }); } catch {}
+        console.log(chalk.green('  Tunnel running via PM2'));
+      } catch {
+        console.log(chalk.dim('  Start the tunnel manually:'));
+        console.log(chalk.cyan(`  cloudflared tunnel --no-autoupdate run --token ${data.tunnelToken}`));
+      }
+    }
+
+  } catch (err: any) {
+    spinner.fail('Recovery failed: ' + err.message);
+    console.log(chalk.dim('  Check your internet connection and try again.'));
+  }
+}
+
 /** Detect DB type from connection string */
 function detectDbType(url: string): string {
   const u = url.toLowerCase().trim();

package/src/setup/deployment.ts

@@ -16,6 +16,9 @@ const execP = promisify(execCb);
 
 export type DeployTarget = 'cloud' | 'cloudflare-tunnel' | 'fly' | 'railway' | 'docker' | 'local';
 
+const SUBDOMAIN_REGISTRY_URL = process.env.AGENTICMAIL_SUBDOMAIN_REGISTRY_URL
+  || 'https://registry.agenticmail.io';
+
 export interface DeploymentSelection {
   target: DeployTarget;
   /** Populated when target is 'cloudflare-tunnel' */
@@ -25,6 +28,14 @@ export interface DeploymentSelection {
     port: number;
     tunnelName: string;
   };
+  /** Populated when target is 'cloud' (agenticmail.io subdomain) */
+  cloud?: {
+    subdomain: string;
+    fqdn: string;
+    tunnelId: string;
+    tunnelToken: string;
+    port: number;
+  };
 }
 
 export async function promptDeployment(
@@ -41,11 +52,11 @@ export async function promptDeployment(
     message: 'Deploy to:',
     choices: [
       {
-        name: `AgenticMail Cloud  ${chalk.dim('(managed, instant URL)')}`,
+        name: `AgenticMail Cloud  ${chalk.green('← recommended')}  ${chalk.dim('(instant URL, zero config)')}`,
         value: 'cloud',
       },
       {
-        name: `Cloudflare Tunnel  ${chalk.green('← recommended')}  ${chalk.dim('(self-hosted, free, no ports)')}`,
+        name: `Cloudflare Tunnel  ${chalk.dim('(self-hosted, free, no ports)')}`,
         value: 'cloudflare-tunnel',
       },
       {
@@ -67,6 +78,11 @@ export async function promptDeployment(
     ],
   }]);
 
+  if (deployTarget === 'cloud') {
+    const cloud = await runCloudSetup(inquirer, chalk);
+    return { target: deployTarget, cloud };
+  }
+
   if (deployTarget === 'cloudflare-tunnel') {
     const tunnel = await runTunnelSetup(inquirer, chalk);
     return { target: deployTarget, tunnel };
@@ -75,6 +91,219 @@ export async function promptDeployment(
   return { target: deployTarget };
 }
 
+// ─── AgenticMail Cloud (Subdomain) Setup ────────────
+
+async function runCloudSetup(
+  inquirer: any,
+  chalk: any,
+): Promise<DeploymentSelection['cloud']> {
+  console.log('');
+  console.log(chalk.bold('  AgenticMail Cloud Setup'));
+  console.log(chalk.dim('  Get a free subdomain on agenticmail.io — no Cloudflare account needed.'));
+  console.log(chalk.dim('  Your instance will be live at https://yourname.agenticmail.io\n'));
+
+  // ── Step 1: Choose subdomain ─────────
+
+  let subdomain = '';
+  let claimResult: any = null;
+
+  while (!subdomain) {
+    const { name } = await inquirer.prompt([{
+      type: 'input',
+      name: 'name',
+      message: 'Choose your subdomain:',
+      suffix: chalk.dim('.agenticmail.io'),
+      validate: (input: string) => {
+        const cleaned = input.toLowerCase().trim();
+        if (cleaned.length < 3) return 'Must be at least 3 characters';
+        if (cleaned.length > 32) return 'Must be 32 characters or fewer';
+        if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/.test(cleaned)) return 'Only lowercase letters, numbers, and hyphens allowed';
+        return true;
+      },
+    }]);
+
+    const cleaned = name.toLowerCase().trim();
+
+    // Check availability
+    process.stdout.write(chalk.dim(`  Checking ${cleaned}.agenticmail.io... `));
+    try {
+      const checkResp = await fetch(`${SUBDOMAIN_REGISTRY_URL}/check?name=${encodeURIComponent(cleaned)}`);
+      const checkData = await checkResp.json() as any;
+
+      if (!checkData.available) {
+        console.log(chalk.red('✗ ' + (checkData.reason || 'Not available')));
+        continue;
+      }
+      console.log(chalk.green('✓ Available!'));
+    } catch (err: any) {
+      console.log(chalk.yellow('⚠ Could not check availability: ' + err.message));
+      console.log(chalk.dim('  Proceeding anyway — the claim step will verify.\n'));
+    }
+
+    // Confirm
+    const { confirmed } = await inquirer.prompt([{
+      type: 'confirm',
+      name: 'confirmed',
+      message: `Claim ${chalk.bold(cleaned + '.agenticmail.io')}?`,
+      default: true,
+    }]);
+
+    if (!confirmed) continue;
+
+    // ── Step 2: Claim subdomain ─────────
+
+    // Get or generate vault key hash for recovery
+    const { createHash, randomUUID } = await import('crypto');
+    let vaultKey = process.env.AGENTICMAIL_VAULT_KEY;
+    if (!vaultKey) {
+      vaultKey = randomUUID() + randomUUID();
+      process.env.AGENTICMAIL_VAULT_KEY = vaultKey;
+    }
+    const vaultKeyHash = createHash('sha256').update(vaultKey).digest('hex');
+
+    process.stdout.write(chalk.dim('  Provisioning subdomain... '));
+    try {
+      const claimResp = await fetch(`${SUBDOMAIN_REGISTRY_URL}/claim`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ name: cleaned, vaultKeyHash }),
+      });
+      claimResult = await claimResp.json() as any;
+
+      if (claimResult.error) {
+        console.log(chalk.red('✗ ' + claimResult.error));
+
+        // If they already have a subdomain, offer recovery
+        if (claimResult.error.includes('already has subdomain')) {
+          const { wantsRecover } = await inquirer.prompt([{
+            type: 'confirm',
+            name: 'wantsRecover',
+            message: 'Recover your existing subdomain instead?',
+            default: true,
+          }]);
+          if (wantsRecover) {
+            const recoverResp = await fetch(`${SUBDOMAIN_REGISTRY_URL}/recover`, {
+              method: 'POST',
+              headers: { 'Content-Type': 'application/json' },
+              body: JSON.stringify({ vaultKeyHash }),
+            });
+            claimResult = await recoverResp.json() as any;
+            if (claimResult.success) {
+              subdomain = claimResult.subdomain;
+              console.log(chalk.green(`✓ Recovered: ${claimResult.fqdn}`));
+            } else {
+              console.log(chalk.red('✗ Recovery failed: ' + (claimResult.error || 'Unknown error')));
+            }
+          }
+        }
+        continue;
+      }
+
+      if (claimResult.success) {
+        subdomain = claimResult.subdomain || cleaned;
+        if (claimResult.recovered) {
+          console.log(chalk.green('✓ Recovered existing subdomain'));
+        } else {
+          console.log(chalk.green('✓ Subdomain claimed!'));
+        }
+      }
+    } catch (err: any) {
+      console.log(chalk.red('✗ Failed: ' + err.message));
+      console.log(chalk.dim('  Check your internet connection and try again.\n'));
+    }
+  }
+
+  // ── Step 3: Install cloudflared ─────────
+
+  console.log('');
+  console.log(chalk.bold('  Installing cloudflared connector...'));
+
+  let cloudflaredPath = '';
+  try {
+    cloudflaredPath = execSync('which cloudflared', { encoding: 'utf8' }).trim();
+    console.log(chalk.green(`  ✓ cloudflared found at ${cloudflaredPath}`));
+  } catch {
+    console.log(chalk.dim('  cloudflared not found — installing...'));
+    try {
+      const os = platform();
+      if (os === 'darwin') {
+        execSync('brew install cloudflared', { stdio: 'pipe' });
+      } else if (os === 'linux') {
+        const archStr = arch() === 'arm64' ? 'arm64' : 'amd64';
+        execSync(`curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${archStr} -o /usr/local/bin/cloudflared && chmod +x /usr/local/bin/cloudflared`, { stdio: 'pipe' });
+      } else {
+        console.log(chalk.yellow('  Please install cloudflared manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/'));
+      }
+      cloudflaredPath = execSync('which cloudflared', { encoding: 'utf8' }).trim();
+      console.log(chalk.green(`  ✓ cloudflared installed at ${cloudflaredPath}`));
+    } catch (e: any) {
+      console.log(chalk.yellow('  ⚠ Could not auto-install cloudflared.'));
+      console.log(chalk.dim('    Install manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/'));
+    }
+  }
+
+  // ── Step 4: Configure PM2 ─────────
+
+  const port = 3100;
+  const fqdn = claimResult?.fqdn || `${subdomain}.agenticmail.io`;
+  const tunnelToken = claimResult?.tunnelToken;
+  const tunnelId = claimResult?.tunnelId;
+
+  console.log('');
+  console.log(chalk.bold.green('  ✓ Setup Complete!'));
+  console.log('');
+  console.log(`  Your dashboard: ${chalk.bold.cyan('https://' + fqdn)}`);
+
+  // ── CRITICAL: Vault key backup warning ─────────
+  console.log('');
+  console.log(chalk.bgYellow.black.bold('  ⚠  SAVE YOUR RECOVERY KEY  ⚠  '));
+  console.log('');
+  console.log(chalk.yellow('  If your computer crashes, you need this key to recover your subdomain.'));
+  console.log(chalk.yellow('  It is stored in ~/.agenticmail/.env — back up this file somewhere safe!'));
+  console.log('');
+  console.log(`  ${chalk.bold('AGENTICMAIL_VAULT_KEY=')}${chalk.dim(process.env.AGENTICMAIL_VAULT_KEY || '(check ~/.agenticmail/.env)')}`);
+  console.log('');
+  console.log(chalk.dim('  To recover on a new machine, run:'));
+  console.log(chalk.dim('    npx @agenticmail/enterprise recover --cloud'));
+  console.log('');
+  console.log('');
+  console.log(chalk.dim('  To start your instance, run these two processes:'));
+  console.log('');
+  console.log(`    ${chalk.cyan('cloudflared tunnel --no-autoupdate run --token ' + (tunnelToken || '<your-tunnel-token>'))}`);
+  console.log(`    ${chalk.cyan('npx @agenticmail/enterprise start')}`);
+  console.log('');
+  console.log(chalk.dim('  Or let the setup wizard start them with PM2 (next step).\n'));
+
+  // Save tunnel token to .env
+  const envPath = join(homedir(), '.agenticmail', '.env');
+  try {
+    let envContent = '';
+    if (existsSync(envPath)) {
+      envContent = readFileSync(envPath, 'utf8');
+    }
+    if (tunnelToken && !envContent.includes('CLOUDFLARED_TOKEN=')) {
+      envContent += `\nCLOUDFLARED_TOKEN=${tunnelToken}\n`;
+    }
+    if (!envContent.includes('AGENTICMAIL_SUBDOMAIN=')) {
+      envContent += `AGENTICMAIL_SUBDOMAIN=${subdomain}\n`;
+    }
+    if (!envContent.includes('AGENTICMAIL_DOMAIN=')) {
+      envContent += `AGENTICMAIL_DOMAIN=${fqdn}\n`;
+    }
+    const { mkdirSync } = await import('fs');
+    mkdirSync(join(homedir(), '.agenticmail'), { recursive: true });
+    writeFileSync(envPath, envContent, { mode: 0o600 });
+  } catch {}
+
+  return {
+    subdomain,
+    fqdn,
+    tunnelId: tunnelId || '',
+    tunnelToken: tunnelToken || '',
+    port,
+  };
+}
+
 // ─── Cloudflare Tunnel Interactive Setup ────────────
 
 async function runTunnelSetup(

package/src/setup/index.ts

@@ -129,14 +129,16 @@ export async function runSetupWizard(): Promise<void> {
   const deployTarget = deploymentResult.target;
 
   // ─── Step 4: Custom Domain ───────────────────────
-  // Skip if Cloudflare Tunnel — domain was already configured during tunnel setup
+  // Skip if Cloudflare Tunnel or Cloud — domain was already configured
   const domain = deploymentResult.tunnel
     ? { customDomain: deploymentResult.tunnel.domain }
+    : deploymentResult.cloud
+    ? { customDomain: deploymentResult.cloud.fqdn }
     : await promptDomain(inquirer, chalk, deployTarget);
 
   // ─── Step 5: Domain Registration ─────────────────
-  // Skip for tunnel — DNS is already configured by cloudflared
-  const registration = deploymentResult.tunnel
+  // Skip for tunnel or cloud — DNS is already configured
+  const registration = (deploymentResult.tunnel || deploymentResult.cloud)
     ? { registered: true, verificationStatus: 'verified' as const } as any
     : await promptRegistration(
         inquirer, chalk, ora,
@@ -154,7 +156,7 @@ export async function runSetupWizard(): Promise<void> {
   console.log('');
 
   const result = await provision(
-    { company, database, deployTarget, domain, registration, tunnel: deploymentResult.tunnel },
+    { company, database, deployTarget, domain, registration, tunnel: deploymentResult.tunnel, cloud: deploymentResult.cloud },
     ora,
     chalk,
   );

package/src/setup/provision.ts

@@ -35,6 +35,13 @@ export interface ProvisionConfig {
     port: number;
     tunnelName: string;
   };
+  cloud?: {
+    subdomain: string;
+    fqdn: string;
+    tunnelId: string;
+    tunnelToken: string;
+    port: number;
+  };
 }
 
 export interface ProvisionResult {
@@ -222,7 +229,7 @@ async function deploy(
   spinner: any,
   chalk: any,
 ): Promise<DeployResult> {
-  const { deployTarget, company, database, domain, tunnel } = config;
+  const { deployTarget, company, database, domain, tunnel, cloud } = config;
 
   // ── Cloudflare Tunnel ─────────────────────────────
   if (deployTarget === 'cloudflare-tunnel' && tunnel) {
@@ -247,21 +254,60 @@ async function deploy(
     return { url: 'https://' + tunnel.domain, close: handle.close };
   }
 
-  // ── Cloud ─────────────────────────────────────────
-  if (deployTarget === 'cloud') {
-    spinner.start('Deploying to AgenticMail Cloud...');
-    const { deployToCloud } = await import('../deploy/managed.js');
-    const result = await deployToCloud({
-      subdomain: company.subdomain,
-      plan: 'free',
-      dbType: database.type,
-      dbConnectionString: database.connectionString || '',
-      jwtSecret,
-    });
-    spinner.succeed(`Deployed to ${result.url}`);
+  // ── Cloud (agenticmail.io subdomain) ───────────────
+  if (deployTarget === 'cloud' && cloud) {
+    spinner.start('Configuring agenticmail.io deployment...');
 
-    printCloudSuccess(chalk, result.url, company.adminEmail, domain.customDomain, company.subdomain);
-    return { url: result.url };
+    // Start cloudflared with the tunnel token via PM2
+    try {
+      const pm2 = await import('pm2' as string);
+      await new Promise<void>((resolve, reject) => {
+        pm2.connect((err: any) => {
+          if (err) { reject(err); return; }
+
+          // Start cloudflared tunnel
+          pm2.start({
+            name: 'cloudflared',
+            script: 'cloudflared',
+            args: `tunnel --no-autoupdate run --token ${cloud.tunnelToken}`,
+            interpreter: 'none',
+            autorestart: true,
+          }, (e: any) => {
+            if (e) console.warn(`PM2 cloudflared start: ${e.message}`);
+
+            // Start enterprise server
+            pm2.start({
+              name: 'enterprise',
+              script: 'npx',
+              args: '@agenticmail/enterprise start',
+              env: {
+                PORT: String(cloud.port || 3100),
+                DATABASE_URL: database.connectionString || '',
+                JWT_SECRET: jwtSecret,
+                AGENTICMAIL_VAULT_KEY: vaultKey,
+                AGENTICMAIL_DOMAIN: cloud.fqdn,
+              },
+              autorestart: true,
+            }, (e2: any) => {
+              pm2.disconnect();
+              if (e2) reject(e2); else resolve();
+            });
+          });
+        });
+      });
+      spinner.succeed(`Live at https://${cloud.fqdn}`);
+    } catch (e: any) {
+      spinner.warn(`PM2 setup failed: ${e.message}`);
+      console.log(`  Start manually:`);
+      console.log(`    cloudflared tunnel --no-autoupdate run --token ${cloud.tunnelToken}`);
+      console.log(`    npx @agenticmail/enterprise start`);
+    }
+
+    console.log('');
+    console.log(`  Dashboard: https://${cloud.fqdn}`);
+    console.log(`  To recover on a new machine, keep your AGENTICMAIL_VAULT_KEY safe.`);
+    console.log('');
+    return { url: `https://${cloud.fqdn}` };
   }
 
   // ── Docker ────────────────────────────────────────