@agenticmail/enterprise 0.5.287 → 0.5.288

package/src/domain-lock/cli-recover.ts

@@ -37,6 +37,28 @@ export async function runRecover(args: string[]): Promise<void> {
   const { default: chalk } = await import('chalk');
   const { default: ora } = await import('ora');
 
+  // ─── Detect recovery type ─────────────────────────
+  const isCloud = hasFlag(args, '--cloud') || hasFlag(args, '-c');
+  if (isCloud || (!getFlag(args, '--domain') && !getFlag(args, '--key'))) {
+    // Ask which type
+    if (!isCloud && !getFlag(args, '--domain')) {
+      const { recoveryType } = await inquirer.prompt([{
+        type: 'list',
+        name: 'recoveryType',
+        message: 'What are you recovering?',
+        choices: [
+          { name: `AgenticMail Cloud  ${chalk.dim('(yourname.agenticmail.io)')}`, value: 'cloud' },
+          { name: `Custom Domain  ${chalk.dim('(your own domain)')}`, value: 'domain' },
+        ],
+      }]);
+      if (recoveryType === 'cloud') {
+        return runCloudRecover(args, inquirer, chalk, ora);
+      }
+    } else if (isCloud) {
+      return runCloudRecover(args, inquirer, chalk, ora);
+    }
+  }
+
   console.log('');
   console.log(chalk.bold('  AgenticMail Enterprise — Domain Recovery'));
   console.log(chalk.dim('  Recover your domain registration on a new machine.'));
@@ -276,6 +298,182 @@ export async function runRecover(args: string[]): Promise<void> {
   }
 }
 
+// ─── AgenticMail Cloud Recovery ─────────────────────
+
+const REGISTRY_URL = process.env.AGENTICMAIL_SUBDOMAIN_REGISTRY_URL
+  || 'https://registry.agenticmail.io';
+
+async function runCloudRecover(args: string[], inquirer: any, chalk: any, ora: any): Promise<void> {
+  console.log('');
+  console.log(chalk.bold('  AgenticMail Cloud — Recovery'));
+  console.log(chalk.dim('  Recover your agenticmail.io subdomain on a new machine.'));
+  console.log('');
+  console.log(chalk.dim('  You will need your AGENTICMAIL_VAULT_KEY — the key from your'));
+  console.log(chalk.dim('  original installation\'s ~/.agenticmail/.env file.'));
+  console.log('');
+
+  // Step 1: Get vault key
+  let vaultKey = getFlag(args, '--vault-key') || process.env.AGENTICMAIL_VAULT_KEY;
+  if (!vaultKey) {
+    const answer = await inquirer.prompt([{
+      type: 'password',
+      name: 'vaultKey',
+      message: 'Your AGENTICMAIL_VAULT_KEY:',
+      mask: '*',
+      validate: (v: string) => v.trim().length >= 16 ? true : 'Key seems too short — check your backup',
+    }]);
+    vaultKey = answer.vaultKey.trim();
+  }
+
+  // Step 2: Optionally get subdomain name (speeds up recovery)
+  let subdomain = getFlag(args, '--name') || getFlag(args, '--subdomain');
+  if (!subdomain) {
+    const answer = await inquirer.prompt([{
+      type: 'input',
+      name: 'subdomain',
+      message: 'Your subdomain (optional — press Enter to auto-detect):',
+      suffix: chalk.dim('.agenticmail.io'),
+    }]);
+    subdomain = answer.subdomain?.trim() || undefined;
+  }
+
+  // Step 3: Recover from registry
+  const { createHash } = await import('crypto');
+  const vaultKeyHash = createHash('sha256').update(vaultKey!).digest('hex');
+
+  const spinner = ora('Recovering subdomain credentials...').start();
+  try {
+    const body: any = { vaultKeyHash };
+    if (subdomain) body.name = subdomain;
+
+    const resp = await fetch(`${REGISTRY_URL}/recover`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    });
+    const data = await resp.json() as any;
+
+    if (!data.success) {
+      spinner.fail(data.error || 'Recovery failed');
+      console.log('');
+      console.log(chalk.dim('  Make sure you are using the exact AGENTICMAIL_VAULT_KEY from'));
+      console.log(chalk.dim('  your original installation (~/.agenticmail/.env).'));
+      return;
+    }
+
+    spinner.succeed(`Recovered: ${chalk.bold(data.fqdn)}`);
+
+    // Step 4: Save to .env
+    const { existsSync, readFileSync, writeFileSync, mkdirSync } = await import('fs');
+    const { join } = await import('path');
+    const { homedir } = await import('os');
+
+    const amDir = join(homedir(), '.agenticmail');
+    mkdirSync(amDir, { recursive: true });
+    const envPath = join(amDir, '.env');
+
+    let envContent = '';
+    if (existsSync(envPath)) {
+      envContent = readFileSync(envPath, 'utf8');
+    }
+
+    // Update or add each key
+    const updates: Record<string, string> = {
+      AGENTICMAIL_VAULT_KEY: vaultKey!,
+      AGENTICMAIL_SUBDOMAIN: data.subdomain,
+      AGENTICMAIL_DOMAIN: data.fqdn,
+      CLOUDFLARED_TOKEN: data.tunnelToken,
+    };
+
+    for (const [key, val] of Object.entries(updates)) {
+      if (!val) continue;
+      const regex = new RegExp(`^${key}=.*$`, 'm');
+      if (regex.test(envContent)) {
+        envContent = envContent.replace(regex, `${key}=${val}`);
+      } else {
+        envContent += `${envContent.endsWith('\n') ? '' : '\n'}${key}=${val}\n`;
+      }
+    }
+
+    writeFileSync(envPath, envContent, { mode: 0o600 });
+
+    console.log('');
+    console.log(chalk.green.bold('  Recovery complete!'));
+    console.log('');
+    console.log(`  Subdomain:    ${chalk.bold(data.fqdn)}`);
+    console.log(`  Tunnel Token: ${chalk.dim('saved to ~/.agenticmail/.env')}`);
+    console.log(`  Vault Key:    ${chalk.dim('saved to ~/.agenticmail/.env')}`);
+    console.log('');
+    console.log(chalk.bold('  Next steps:'));
+    console.log('');
+    console.log(`  1. Set your DATABASE_URL in ${chalk.dim('~/.agenticmail/.env')}`);
+    console.log(`     ${chalk.dim('(same database from your original installation)')}`);
+    console.log('');
+    console.log(`  2. Start your instance:`);
+    console.log(`     ${chalk.cyan('npx @agenticmail/enterprise start')}`);
+    console.log('');
+    console.log(chalk.dim('  The server will auto-start cloudflared with your tunnel token.'));
+    console.log(chalk.dim('  Your dashboard will be live again at https://' + data.fqdn));
+    console.log('');
+
+    // Step 5: Offer to install cloudflared now
+    const { doInstall } = await inquirer.prompt([{
+      type: 'confirm',
+      name: 'doInstall',
+      message: 'Install cloudflared and start the tunnel now?',
+      default: true,
+    }]);
+
+    if (doInstall) {
+      const { execSync } = await import('child_process');
+      const { platform, arch } = await import('os');
+
+      // Install cloudflared if needed
+      try {
+        execSync('which cloudflared', { timeout: 3000 });
+        console.log(chalk.green('  cloudflared already installed'));
+      } catch {
+        const spinner2 = ora('Installing cloudflared...').start();
+        try {
+          const os = platform();
+          if (os === 'darwin') {
+            try {
+              execSync('brew install cloudflared', { stdio: 'pipe', timeout: 120000 });
+            } catch {
+              const cfArch = arch() === 'arm64' ? 'arm64' : 'amd64';
+              execSync(`curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-${cfArch} && chmod +x /usr/local/bin/cloudflared`, { timeout: 60000 });
+            }
+          } else {
+            const cfArch = arch() === 'arm64' ? 'arm64' : 'amd64';
+            execSync(`curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${cfArch} && chmod +x /usr/local/bin/cloudflared`, { timeout: 60000 });
+          }
+          spinner2.succeed('cloudflared installed');
+        } catch (e: any) {
+          spinner2.fail('Could not install cloudflared: ' + e.message);
+          console.log(chalk.dim('  Install manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/'));
+        }
+      }
+
+      // Start via PM2
+      try {
+        const { execSync: ex } = await import('child_process');
+        ex('which pm2', { timeout: 3000 });
+        try { ex('pm2 delete cloudflared 2>/dev/null', { timeout: 5000 }); } catch {}
+        ex(`pm2 start cloudflared --name cloudflared -- tunnel --no-autoupdate run --token ${data.tunnelToken}`, { timeout: 15000 });
+        try { ex('pm2 save 2>/dev/null', { timeout: 5000 }); } catch {}
+        console.log(chalk.green('  Tunnel running via PM2'));
+      } catch {
+        console.log(chalk.dim('  Start the tunnel manually:'));
+        console.log(chalk.cyan(`  cloudflared tunnel --no-autoupdate run --token ${data.tunnelToken}`));
+      }
+    }
+
+  } catch (err: any) {
+    spinner.fail('Recovery failed: ' + err.message);
+    console.log(chalk.dim('  Check your internet connection and try again.'));
+  }
+}
+
 /** Detect DB type from connection string */
 function detectDbType(url: string): string {
   const u = url.toLowerCase().trim();

package/src/setup/deployment.ts

@@ -17,7 +17,7 @@ const execP = promisify(execCb);
 export type DeployTarget = 'cloud' | 'cloudflare-tunnel' | 'fly' | 'railway' | 'docker' | 'local';
 
 const SUBDOMAIN_REGISTRY_URL = process.env.AGENTICMAIL_SUBDOMAIN_REGISTRY_URL
-  || 'https://subdomain-registry.agenticmail.io';
+  || 'https://registry.agenticmail.io';
 
 export interface DeploymentSelection {
   target: DeployTarget;
@@ -52,11 +52,11 @@ export async function promptDeployment(
     message: 'Deploy to:',
     choices: [
       {
-        name: `AgenticMail Cloud  ${chalk.dim('(managed, instant URL)')}`,
+        name: `AgenticMail Cloud  ${chalk.green('← recommended')}  ${chalk.dim('(instant URL, zero config)')}`,
         value: 'cloud',
       },
       {
-        name: `Cloudflare Tunnel  ${chalk.green('← recommended')}  ${chalk.dim('(self-hosted, free, no ports)')}`,
+        name: `Cloudflare Tunnel  ${chalk.dim('(self-hosted, free, no ports)')}`,
         value: 'cloudflare-tunnel',
       },
       {
@@ -253,6 +253,19 @@ async function runCloudSetup(
   console.log(chalk.bold.green('  ✓ Setup Complete!'));
   console.log('');
   console.log(`  Your dashboard: ${chalk.bold.cyan('https://' + fqdn)}`);
+
+  // ── CRITICAL: Vault key backup warning ─────────
+  console.log('');
+  console.log(chalk.bgYellow.black.bold('  ⚠  SAVE YOUR RECOVERY KEY  ⚠  '));
+  console.log('');
+  console.log(chalk.yellow('  If your computer crashes, you need this key to recover your subdomain.'));
+  console.log(chalk.yellow('  It is stored in ~/.agenticmail/.env — back up this file somewhere safe!'));
+  console.log('');
+  console.log(`  ${chalk.bold('AGENTICMAIL_VAULT_KEY=')}${chalk.dim(process.env.AGENTICMAIL_VAULT_KEY || '(check ~/.agenticmail/.env)')}`);
+  console.log('');
+  console.log(chalk.dim('  To recover on a new machine, run:'));
+  console.log(chalk.dim('    npx @agenticmail/enterprise recover --cloud'));
+  console.log('');
   console.log('');
   console.log(chalk.dim('  To start your instance, run these two processes:'));
   console.log('');