@agenticmail/enterprise 0.5.287 → 0.5.289

package/src/cli-serve.ts

@@ -140,4 +140,38 @@ export async function runServe(_args: string[]) {
 
   await server.start();
   console.log(`AgenticMail Enterprise server running on :${PORT}`);
+
+  // Auto-start cloudflared if tunnel token is present
+  const tunnelToken = process.env.CLOUDFLARED_TOKEN;
+  if (tunnelToken) {
+    try {
+      const { execSync, spawn } = await import('child_process');
+      try {
+        execSync('which cloudflared', { timeout: 3000 });
+      } catch {
+        console.log('[startup] cloudflared not found — skipping tunnel auto-start');
+        console.log('[startup] Install cloudflared to enable tunnel: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/');
+        return;
+      }
+
+      // Check if already running
+      try {
+        execSync('pgrep -f "cloudflared.*tunnel.*run"', { timeout: 3000 });
+        console.log('[startup] cloudflared tunnel already running');
+        return;
+      } catch { /* not running, start it */ }
+
+      const subdomain = process.env.AGENTICMAIL_SUBDOMAIN || process.env.AGENTICMAIL_DOMAIN || '';
+      console.log(`[startup] Starting cloudflared tunnel${subdomain ? ` for ${subdomain}.agenticmail.io` : ''}...`);
+
+      const child = spawn('cloudflared', ['tunnel', '--no-autoupdate', 'run', '--token', tunnelToken], {
+        detached: true,
+        stdio: 'ignore',
+      });
+      child.unref();
+      console.log('[startup] cloudflared tunnel started (pid ' + child.pid + ')');
+    } catch (e: any) {
+      console.warn('[startup] Could not auto-start cloudflared: ' + e.message);
+    }
+  }
 }

package/src/domain-lock/cli-recover.ts

@@ -37,6 +37,28 @@ export async function runRecover(args: string[]): Promise<void> {
   const { default: chalk } = await import('chalk');
   const { default: ora } = await import('ora');
 
+  // ─── Detect recovery type ─────────────────────────
+  const isCloud = hasFlag(args, '--cloud') || hasFlag(args, '-c');
+  if (isCloud || (!getFlag(args, '--domain') && !getFlag(args, '--key'))) {
+    // Ask which type
+    if (!isCloud && !getFlag(args, '--domain')) {
+      const { recoveryType } = await inquirer.prompt([{
+        type: 'list',
+        name: 'recoveryType',
+        message: 'What are you recovering?',
+        choices: [
+          { name: `AgenticMail Cloud  ${chalk.dim('(yourname.agenticmail.io)')}`, value: 'cloud' },
+          { name: `Custom Domain  ${chalk.dim('(your own domain)')}`, value: 'domain' },
+        ],
+      }]);
+      if (recoveryType === 'cloud') {
+        return runCloudRecover(args, inquirer, chalk, ora);
+      }
+    } else if (isCloud) {
+      return runCloudRecover(args, inquirer, chalk, ora);
+    }
+  }
+
   console.log('');
   console.log(chalk.bold('  AgenticMail Enterprise — Domain Recovery'));
   console.log(chalk.dim('  Recover your domain registration on a new machine.'));
@@ -276,6 +298,217 @@ export async function runRecover(args: string[]): Promise<void> {
   }
 }
 
+// ─── AgenticMail Cloud Recovery ─────────────────────
+
+const REGISTRY_URL = process.env.AGENTICMAIL_SUBDOMAIN_REGISTRY_URL
+  || 'https://registry.agenticmail.io';
+
+async function runCloudRecover(args: string[], inquirer: any, chalk: any, ora: any): Promise<void> {
+  console.log('');
+  console.log(chalk.bold('  AgenticMail Cloud — Recovery'));
+  console.log(chalk.dim('  Recover your agenticmail.io subdomain on a new machine.'));
+  console.log('');
+  console.log(chalk.dim('  You will need your AGENTICMAIL_VAULT_KEY — the key from your'));
+  console.log(chalk.dim('  original installation\'s ~/.agenticmail/.env file.'));
+  console.log('');
+
+  // Step 1: Get vault key
+  let vaultKey = getFlag(args, '--vault-key') || process.env.AGENTICMAIL_VAULT_KEY;
+  if (!vaultKey) {
+    const answer = await inquirer.prompt([{
+      type: 'password',
+      name: 'vaultKey',
+      message: 'Your AGENTICMAIL_VAULT_KEY:',
+      mask: '*',
+      validate: (v: string) => v.trim().length >= 16 ? true : 'Key seems too short — check your backup',
+    }]);
+    vaultKey = answer.vaultKey.trim();
+  }
+
+  // Step 2: Optionally get subdomain name (speeds up recovery)
+  let subdomain = getFlag(args, '--name') || getFlag(args, '--subdomain');
+  if (!subdomain) {
+    const answer = await inquirer.prompt([{
+      type: 'input',
+      name: 'subdomain',
+      message: 'Your subdomain (optional — press Enter to auto-detect):',
+      suffix: chalk.dim('.agenticmail.io'),
+    }]);
+    subdomain = answer.subdomain?.trim() || undefined;
+  }
+
+  // Step 3: Recover from registry
+  const { createHash } = await import('crypto');
+  const vaultKeyHash = createHash('sha256').update(vaultKey!).digest('hex');
+
+  const spinner = ora('Recovering subdomain credentials...').start();
+  try {
+    const body: any = { vaultKeyHash };
+    if (subdomain) body.name = subdomain;
+
+    const resp = await fetch(`${REGISTRY_URL}/recover`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    });
+    const data = await resp.json() as any;
+
+    if (!data.success) {
+      spinner.fail(data.error || 'Recovery failed');
+      console.log('');
+      console.log(chalk.dim('  Make sure you are using the exact AGENTICMAIL_VAULT_KEY from'));
+      console.log(chalk.dim('  your original installation (~/.agenticmail/.env).'));
+      return;
+    }
+
+    spinner.succeed(`Recovered: ${chalk.bold(data.fqdn)}`);
+
+    // Step 4: Save to .env
+    const { existsSync, readFileSync, writeFileSync, mkdirSync } = await import('fs');
+    const { join } = await import('path');
+    const { homedir } = await import('os');
+
+    const amDir = join(homedir(), '.agenticmail');
+    mkdirSync(amDir, { recursive: true });
+    const envPath = join(amDir, '.env');
+
+    let envContent = '';
+    if (existsSync(envPath)) {
+      envContent = readFileSync(envPath, 'utf8');
+    }
+
+    // Update or add each key
+    const updates: Record<string, string> = {
+      AGENTICMAIL_VAULT_KEY: vaultKey!,
+      AGENTICMAIL_SUBDOMAIN: data.subdomain,
+      AGENTICMAIL_DOMAIN: data.fqdn,
+      CLOUDFLARED_TOKEN: data.tunnelToken,
+    };
+
+    for (const [key, val] of Object.entries(updates)) {
+      if (!val) continue;
+      const regex = new RegExp(`^${key}=.*$`, 'm');
+      if (regex.test(envContent)) {
+        envContent = envContent.replace(regex, `${key}=${val}`);
+      } else {
+        envContent += `${envContent.endsWith('\n') ? '' : '\n'}${key}=${val}\n`;
+      }
+    }
+
+    writeFileSync(envPath, envContent, { mode: 0o600 });
+
+    console.log('');
+    console.log(chalk.green.bold('  Recovery complete!'));
+    console.log('');
+    console.log(`  Subdomain:    ${chalk.bold(data.fqdn)}`);
+    console.log(`  Tunnel Token: ${chalk.dim('saved to ~/.agenticmail/.env')}`);
+    console.log(`  Vault Key:    ${chalk.dim('saved to ~/.agenticmail/.env')}`);
+    console.log('');
+    console.log(chalk.bold('  Next steps:'));
+    console.log('');
+
+    // Ask for DATABASE_URL right now
+    const envFilePath = join(amDir, '.env');
+    let currentEnv = '';
+    try { currentEnv = readFileSync(envFilePath, 'utf8'); } catch {}
+    const hasDbUrl = currentEnv.includes('DATABASE_URL=') && !currentEnv.includes('DATABASE_URL=\n');
+
+    if (!hasDbUrl) {
+      console.log(chalk.yellow('  Your database connection string is needed to restore your data.'));
+      console.log(chalk.dim('  This is the same DATABASE_URL from your original installation.'));
+      console.log(chalk.dim('  Example: postgresql://user:pass@host:5432/dbname\n'));
+
+      const { dbUrl } = await inquirer.prompt([{
+        type: 'input',
+        name: 'dbUrl',
+        message: 'DATABASE_URL:',
+        validate: (v: string) => v.trim().length > 5 ? true : 'Enter your database connection string',
+      }]);
+
+      const regex = /^DATABASE_URL=.*$/m;
+      if (regex.test(currentEnv)) {
+        currentEnv = currentEnv.replace(regex, `DATABASE_URL=${dbUrl.trim()}`);
+      } else {
+        currentEnv += `${currentEnv.endsWith('\n') ? '' : '\n'}DATABASE_URL=${dbUrl.trim()}\n`;
+      }
+      writeFileSync(envFilePath, currentEnv, { mode: 0o600 });
+      console.log(chalk.green('  DATABASE_URL saved'));
+    }
+
+    // Check if JWT_SECRET is present — if not, warn them
+    if (!currentEnv.includes('JWT_SECRET=') || currentEnv.includes('JWT_SECRET=\n')) {
+      console.log('');
+      console.log(chalk.yellow('  Note: JWT_SECRET is missing — a new one will be generated on start.'));
+      console.log(chalk.dim('  This means existing login sessions from the old machine won\'t work.'));
+      console.log(chalk.dim('  Users will need to log in again. This is normal for recovery.'));
+    }
+
+    console.log('');
+    console.log(`  Start your instance:`);
+    console.log(`     ${chalk.cyan('npx @agenticmail/enterprise start')}`);
+    console.log('');
+    console.log(chalk.dim('  The server will auto-start cloudflared with your tunnel token.'));
+    console.log(chalk.dim('  Your dashboard will be live again at https://' + data.fqdn));
+    console.log('');
+
+    // Step 5: Offer to install cloudflared now
+    const { doInstall } = await inquirer.prompt([{
+      type: 'confirm',
+      name: 'doInstall',
+      message: 'Install cloudflared and start the tunnel now?',
+      default: true,
+    }]);
+
+    if (doInstall) {
+      const { execSync } = await import('child_process');
+      const { platform, arch } = await import('os');
+
+      // Install cloudflared if needed
+      try {
+        execSync('which cloudflared', { timeout: 3000 });
+        console.log(chalk.green('  cloudflared already installed'));
+      } catch {
+        const spinner2 = ora('Installing cloudflared...').start();
+        try {
+          const os = platform();
+          if (os === 'darwin') {
+            try {
+              execSync('brew install cloudflared', { stdio: 'pipe', timeout: 120000 });
+            } catch {
+              const cfArch = arch() === 'arm64' ? 'arm64' : 'amd64';
+              execSync(`curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-${cfArch} && chmod +x /usr/local/bin/cloudflared`, { timeout: 60000 });
+            }
+          } else {
+            const cfArch = arch() === 'arm64' ? 'arm64' : 'amd64';
+            execSync(`curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${cfArch} && chmod +x /usr/local/bin/cloudflared`, { timeout: 60000 });
+          }
+          spinner2.succeed('cloudflared installed');
+        } catch (e: any) {
+          spinner2.fail('Could not install cloudflared: ' + e.message);
+          console.log(chalk.dim('  Install manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/'));
+        }
+      }
+
+      // Start via PM2
+      try {
+        const { execSync: ex } = await import('child_process');
+        ex('which pm2', { timeout: 3000 });
+        try { ex('pm2 delete cloudflared 2>/dev/null', { timeout: 5000 }); } catch {}
+        ex(`pm2 start cloudflared --name cloudflared -- tunnel --no-autoupdate run --token ${data.tunnelToken}`, { timeout: 15000 });
+        try { ex('pm2 save 2>/dev/null', { timeout: 5000 }); } catch {}
+        console.log(chalk.green('  Tunnel running via PM2'));
+      } catch {
+        console.log(chalk.dim('  Start the tunnel manually:'));
+        console.log(chalk.cyan(`  cloudflared tunnel --no-autoupdate run --token ${data.tunnelToken}`));
+      }
+    }
+
+  } catch (err: any) {
+    spinner.fail('Recovery failed: ' + err.message);
+    console.log(chalk.dim('  Check your internet connection and try again.'));
+  }
+}
+
 /** Detect DB type from connection string */
 function detectDbType(url: string): string {
   const u = url.toLowerCase().trim();

package/src/setup/deployment.ts

@@ -17,7 +17,7 @@ const execP = promisify(execCb);
 export type DeployTarget = 'cloud' | 'cloudflare-tunnel' | 'fly' | 'railway' | 'docker' | 'local';
 
 const SUBDOMAIN_REGISTRY_URL = process.env.AGENTICMAIL_SUBDOMAIN_REGISTRY_URL
-  || 'https://subdomain-registry.agenticmail.io';
+  || 'https://registry.agenticmail.io';
 
 export interface DeploymentSelection {
   target: DeployTarget;
@@ -52,11 +52,11 @@ export async function promptDeployment(
     message: 'Deploy to:',
     choices: [
       {
-        name: `AgenticMail Cloud  ${chalk.dim('(managed, instant URL)')}`,
+        name: `AgenticMail Cloud  ${chalk.green('← recommended')}  ${chalk.dim('(instant URL, zero config)')}`,
         value: 'cloud',
       },
       {
-        name: `Cloudflare Tunnel  ${chalk.green('← recommended')}  ${chalk.dim('(self-hosted, free, no ports)')}`,
+        name: `Cloudflare Tunnel  ${chalk.dim('(self-hosted, free, no ports)')}`,
         value: 'cloudflare-tunnel',
       },
       {
@@ -253,6 +253,25 @@ async function runCloudSetup(
   console.log(chalk.bold.green('  ✓ Setup Complete!'));
   console.log('');
   console.log(`  Your dashboard: ${chalk.bold.cyan('https://' + fqdn)}`);
+
+  // ── CRITICAL: Vault key backup warning ─────────
+  console.log('');
+  console.log(chalk.bgYellow.black.bold('  ⚠  BACK UP ~/.agenticmail/.env  ⚠  '));
+  console.log('');
+  console.log(chalk.yellow('  This file contains EVERYTHING needed to recover if your machine crashes:'));
+  console.log('');
+  console.log(chalk.yellow('    DATABASE_URL          — your database connection'));
+  console.log(chalk.yellow('    JWT_SECRET            — login session signing key'));
+  console.log(chalk.yellow('    AGENTICMAIL_VAULT_KEY — encrypted credentials + subdomain recovery'));
+  console.log(chalk.yellow('    CLOUDFLARED_TOKEN     — tunnel connection token'));
+  console.log(chalk.yellow('    PORT                  — server port'));
+  console.log('');
+  console.log(chalk.bold.yellow('  Copy this file to a safe place (password manager, cloud drive, etc.)'));
+  console.log(chalk.bold.yellow('  Without it, you CANNOT recover your subdomain or encrypted data.'));
+  console.log('');
+  console.log(chalk.dim('  To recover on a new machine:'));
+  console.log(chalk.cyan('    npx @agenticmail/enterprise recover --cloud'));
+  console.log('');
   console.log('');
   console.log(chalk.dim('  To start your instance, run these two processes:'));
   console.log('');

package/src/setup/provision.ts

@@ -182,12 +182,37 @@ export async function provision(
         || (config.deployTarget === 'local' ? 3000 : undefined)
         || (config.deployTarget === 'docker' ? 3000 : undefined)
         || 3200;
+      // Read existing .env to preserve cloud/tunnel values
+      let existingEnv = '';
+      const envFilePath = join(envDir, '.env');
+      if (existsSync(envFilePath)) {
+        try { existingEnv = (await import('fs')).readFileSync(envFilePath, 'utf8'); } catch {}
+      }
+
+      // Build key=value map preserving existing keys we don't set here
+      const envMap = new Map<string, string>();
+      for (const line of existingEnv.split('\n')) {
+        const t = line.trim();
+        if (!t || t.startsWith('#')) continue;
+        const eq = t.indexOf('=');
+        if (eq > 0) envMap.set(t.slice(0, eq).trim(), t.slice(eq + 1).trim());
+      }
+
+      // Set/overwrite the keys from this setup step
+      envMap.set('DATABASE_URL', config.database.connectionString || '');
+      envMap.set('JWT_SECRET', jwtSecret);
+      envMap.set('AGENTICMAIL_VAULT_KEY', vaultKey);
+      envMap.set('PORT', String(port));
+
+      // Cloud deployment values (from deployment.ts step)
+      if (config.cloud?.tunnelToken) envMap.set('CLOUDFLARED_TOKEN', config.cloud.tunnelToken);
+      if (config.cloud?.subdomain) envMap.set('AGENTICMAIL_SUBDOMAIN', config.cloud.subdomain);
+      if (config.cloud?.fqdn) envMap.set('AGENTICMAIL_DOMAIN', config.cloud.fqdn);
+
       const envContent = [
         '# AgenticMail Enterprise — auto-generated by setup wizard',
-        `DATABASE_URL=${config.database.connectionString || ''}`,
-        `JWT_SECRET=${jwtSecret}`,
-        `AGENTICMAIL_VAULT_KEY=${vaultKey}`,
-        `PORT=${port}`,
+        '# BACK UP THIS FILE! You need it to recover on a new machine.',
+        ...Array.from(envMap.entries()).map(([k, v]) => `${k}=${v}`),
       ].join('\n') + '\n';
       writeFileSync(join(envDir, '.env'), envContent, { mode: 0o600 });
       spinner.succeed(`Config saved to ~/.agenticmail/.env`);