@agenticmail/enterprise 0.5.288 → 0.5.289

package/dist/cli-recover-TIXQPY44.js

@@ -0,0 +1,423 @@
+import {
+  DomainLock
+} from "./chunk-UPU23ZRG.js";
+import "./chunk-KFQGP6VL.js";
+
+// src/domain-lock/cli-recover.ts
+function getFlag(args, name) {
+  const idx = args.indexOf(name);
+  if (idx !== -1 && args[idx + 1]) return args[idx + 1];
+  return void 0;
+}
+function hasFlag(args, name) {
+  return args.includes(name);
+}
+async function runRecover(args) {
+  const { default: inquirer } = await import("inquirer");
+  const { default: chalk } = await import("chalk");
+  const { default: ora } = await import("ora");
+  const isCloud = hasFlag(args, "--cloud") || hasFlag(args, "-c");
+  if (isCloud || !getFlag(args, "--domain") && !getFlag(args, "--key")) {
+    if (!isCloud && !getFlag(args, "--domain")) {
+      const { recoveryType } = await inquirer.prompt([{
+        type: "list",
+        name: "recoveryType",
+        message: "What are you recovering?",
+        choices: [
+          { name: `AgenticMail Cloud  ${chalk.dim("(yourname.agenticmail.io)")}`, value: "cloud" },
+          { name: `Custom Domain  ${chalk.dim("(your own domain)")}`, value: "domain" }
+        ]
+      }]);
+      if (recoveryType === "cloud") {
+        return runCloudRecover(args, inquirer, chalk, ora);
+      }
+    } else if (isCloud) {
+      return runCloudRecover(args, inquirer, chalk, ora);
+    }
+  }
+  console.log("");
+  console.log(chalk.bold("  AgenticMail Enterprise \u2014 Domain Recovery"));
+  console.log(chalk.dim("  Recover your domain registration on a new machine."));
+  console.log("");
+  console.log(chalk.dim("  You will need:"));
+  console.log(chalk.dim("    1. Your domain name"));
+  console.log(chalk.dim("    2. Your 64-character deployment key (shown once during setup)"));
+  console.log(chalk.dim("    3. Your database connection string"));
+  console.log("");
+  let domain = getFlag(args, "--domain");
+  if (!domain) {
+    const answer = await inquirer.prompt([{
+      type: "input",
+      name: "domain",
+      message: "Domain to recover:",
+      suffix: chalk.dim("  (the domain you registered during setup)"),
+      validate: (v) => {
+        const d = v.trim().toLowerCase();
+        if (!d.includes(".")) return "Enter a valid domain (e.g. agents.yourcompany.com)";
+        if (d.startsWith("http")) return "Enter just the domain, not a URL";
+        return true;
+      },
+      filter: (v) => v.trim().toLowerCase()
+    }]);
+    domain = answer.domain;
+  }
+  let key = getFlag(args, "--key");
+  if (!key) {
+    console.log("");
+    console.log(chalk.dim("  Your deployment key was shown once during initial setup."));
+    console.log(chalk.dim("  It is a 64-character hexadecimal string."));
+    console.log("");
+    const answer = await inquirer.prompt([{
+      type: "password",
+      name: "key",
+      message: "Deployment key:",
+      mask: "*",
+      validate: (v) => {
+        if (!v.trim()) return "Deployment key is required";
+        if (v.length !== 64) return `Expected 64 characters, got ${v.length}. Check that you copied the full key.`;
+        if (!/^[0-9a-fA-F]+$/.test(v)) return "Deployment key should be hexadecimal (0-9, a-f)";
+        return true;
+      }
+    }]);
+    key = answer.key;
+  }
+  console.log("");
+  const spinner = ora("Contacting AgenticMail registry...").start();
+  const lock = new DomainLock();
+  const result = await lock.recover(domain, key);
+  if (!result.success) {
+    spinner.fail("Recovery failed");
+    console.log("");
+    console.error(chalk.red(`  ${result.error}`));
+    console.log("");
+    if (result.error?.includes("Invalid deployment key")) {
+      console.log(chalk.yellow("  The deployment key does not match this domain."));
+      console.log(chalk.dim("  Make sure you are using the key that was shown during the original setup."));
+      console.log(chalk.dim("  If you lost your key, contact support@agenticmail.io for manual verification."));
+    } else if (result.error?.includes("not registered")) {
+      console.log(chalk.yellow("  This domain was never registered with AgenticMail."));
+      console.log(chalk.dim("  Run the setup wizard instead: npx @agenticmail/enterprise setup"));
+    }
+    console.log("");
+    process.exit(1);
+  }
+  spinner.succeed("Registry accepted recovery \u2014 new DNS challenge issued");
+  console.log("");
+  console.log(chalk.bold.cyan("  Database Connection"));
+  console.log(chalk.dim("  We need to update your database with the new registration.\n"));
+  let db = null;
+  let dbConnected = false;
+  const envDbUrl = process.env.DATABASE_URL;
+  if (envDbUrl && !hasFlag(args, "--no-db")) {
+    const dbType = detectDbType(envDbUrl);
+    spinner.start(`Connecting to database (${dbType}, from DATABASE_URL)...`);
+    try {
+      const { createAdapter } = await import("./factory-672W7A5B.js");
+      db = await createAdapter({ type: dbType, connectionString: envDbUrl });
+      await db.migrate();
+      dbConnected = true;
+      spinner.succeed(`Connected to ${dbType} database`);
+    } catch (err) {
+      spinner.warn(`Could not connect via DATABASE_URL: ${err.message}`);
+      db = null;
+    }
+  }
+  if (!dbConnected && !hasFlag(args, "--no-db")) {
+    const { connectDb } = await inquirer.prompt([{
+      type: "confirm",
+      name: "connectDb",
+      message: "Connect to your database now?",
+      default: true
+    }]);
+    if (connectDb) {
+      const dbTypes = [
+        { name: `PostgreSQL / Supabase / Neon  ${chalk.dim("(recommended)")}`, value: "postgres" },
+        { name: "MySQL / PlanetScale", value: "mysql" },
+        { name: "SQLite (local file)", value: "sqlite" },
+        { name: "Turso (LibSQL)", value: "turso" },
+        { name: "MongoDB", value: "mongodb" }
+      ];
+      const { dbType } = await inquirer.prompt([{
+        type: "list",
+        name: "dbType",
+        message: "Database type:",
+        choices: dbTypes
+      }]);
+      const placeholders = {
+        postgres: "postgresql://user:pass@host:5432/dbname?sslmode=require",
+        mysql: "mysql://user:pass@host:3306/dbname",
+        sqlite: "./data/agenticmail.db",
+        turso: "libsql://your-db-name-org.turso.io",
+        mongodb: "mongodb+srv://user:pass@cluster.mongodb.net/dbname"
+      };
+      const { connString } = await inquirer.prompt([{
+        type: "input",
+        name: "connString",
+        message: "Connection string:",
+        suffix: chalk.dim(`
+  e.g. ${placeholders[dbType]}
+  >`),
+        validate: (v) => v.trim() ? true : "Connection string is required"
+      }]);
+      spinner.start(`Connecting to ${dbType} database...`);
+      try {
+        const { createAdapter } = await import("./factory-672W7A5B.js");
+        db = await createAdapter({ type: dbType, connectionString: connString.trim() });
+        await db.migrate();
+        dbConnected = true;
+        spinner.succeed(`Connected to ${dbType} database`);
+      } catch (err) {
+        spinner.fail(`Database connection failed: ${err.message}`);
+        console.log(chalk.yellow("\n  Could not connect. You can update settings manually from the dashboard."));
+        console.log(chalk.dim("  Or set DATABASE_URL and run this command again.\n"));
+      }
+    }
+  }
+  if (dbConnected && db) {
+    spinner.start("Updating domain registration in database...");
+    try {
+      const { createHash } = await import("crypto");
+      const keyHash = createHash("sha256").update(key).digest("hex");
+      await db.updateSettings({
+        domain,
+        deploymentKeyHash: keyHash,
+        domainRegistrationId: result.registrationId,
+        domainDnsChallenge: result.dnsChallenge,
+        domainRegisteredAt: (/* @__PURE__ */ new Date()).toISOString(),
+        domainStatus: "pending_dns",
+        domainVerifiedAt: void 0
+      });
+      spinner.succeed("Database updated with new registration");
+    } catch (err) {
+      spinner.warn(`Could not update database: ${err.message}`);
+      console.log(chalk.dim("  You can update manually from the dashboard after DNS verification."));
+    }
+    try {
+      await db.disconnect();
+    } catch {
+    }
+  }
+  console.log("");
+  console.log(chalk.green.bold("  \u2713 Domain recovery successful!"));
+  console.log("");
+  console.log(chalk.bold("  Next: Add this DNS TXT record to verify ownership"));
+  console.log("");
+  console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
+  console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("TXT")}`);
+  console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(result.dnsChallenge)}`);
+  console.log("");
+  if (dbConnected) {
+    console.log(chalk.dim("  After adding the DNS record, verify from the dashboard"));
+    console.log(chalk.dim("  or run:"));
+  } else {
+    console.log(chalk.dim("  After adding the DNS record, connect to your database"));
+    console.log(chalk.dim("  and verify:"));
+  }
+  console.log("");
+  console.log(chalk.dim(`    npx @agenticmail/enterprise verify-domain --domain ${domain}`));
+  console.log("");
+  if (!dbConnected) {
+    console.log(chalk.yellow.bold("  \u26A0  Database was not updated"));
+    console.log(chalk.dim("  The registry accepted your recovery, but your local database"));
+    console.log(chalk.dim("  does not have the new DNS challenge yet. Options:"));
+    console.log("");
+    console.log(chalk.dim("    1. Set DATABASE_URL and run this command again"));
+    console.log(chalk.dim("    2. Start your server \u2014 the dashboard will show the DNS challenge"));
+    console.log(chalk.dim("    3. Run verify-domain with --db after adding DNS records"));
+    console.log("");
+  }
+}
+var REGISTRY_URL = process.env.AGENTICMAIL_SUBDOMAIN_REGISTRY_URL || "https://registry.agenticmail.io";
+async function runCloudRecover(args, inquirer, chalk, ora) {
+  console.log("");
+  console.log(chalk.bold("  AgenticMail Cloud \u2014 Recovery"));
+  console.log(chalk.dim("  Recover your agenticmail.io subdomain on a new machine."));
+  console.log("");
+  console.log(chalk.dim("  You will need your AGENTICMAIL_VAULT_KEY \u2014 the key from your"));
+  console.log(chalk.dim("  original installation's ~/.agenticmail/.env file."));
+  console.log("");
+  let vaultKey = getFlag(args, "--vault-key") || process.env.AGENTICMAIL_VAULT_KEY;
+  if (!vaultKey) {
+    const answer = await inquirer.prompt([{
+      type: "password",
+      name: "vaultKey",
+      message: "Your AGENTICMAIL_VAULT_KEY:",
+      mask: "*",
+      validate: (v) => v.trim().length >= 16 ? true : "Key seems too short \u2014 check your backup"
+    }]);
+    vaultKey = answer.vaultKey.trim();
+  }
+  let subdomain = getFlag(args, "--name") || getFlag(args, "--subdomain");
+  if (!subdomain) {
+    const answer = await inquirer.prompt([{
+      type: "input",
+      name: "subdomain",
+      message: "Your subdomain (optional \u2014 press Enter to auto-detect):",
+      suffix: chalk.dim(".agenticmail.io")
+    }]);
+    subdomain = answer.subdomain?.trim() || void 0;
+  }
+  const { createHash } = await import("crypto");
+  const vaultKeyHash = createHash("sha256").update(vaultKey).digest("hex");
+  const spinner = ora("Recovering subdomain credentials...").start();
+  try {
+    const body = { vaultKeyHash };
+    if (subdomain) body.name = subdomain;
+    const resp = await fetch(`${REGISTRY_URL}/recover`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    const data = await resp.json();
+    if (!data.success) {
+      spinner.fail(data.error || "Recovery failed");
+      console.log("");
+      console.log(chalk.dim("  Make sure you are using the exact AGENTICMAIL_VAULT_KEY from"));
+      console.log(chalk.dim("  your original installation (~/.agenticmail/.env)."));
+      return;
+    }
+    spinner.succeed(`Recovered: ${chalk.bold(data.fqdn)}`);
+    const { existsSync, readFileSync, writeFileSync, mkdirSync } = await import("fs");
+    const { join } = await import("path");
+    const { homedir } = await import("os");
+    const amDir = join(homedir(), ".agenticmail");
+    mkdirSync(amDir, { recursive: true });
+    const envPath = join(amDir, ".env");
+    let envContent = "";
+    if (existsSync(envPath)) {
+      envContent = readFileSync(envPath, "utf8");
+    }
+    const updates = {
+      AGENTICMAIL_VAULT_KEY: vaultKey,
+      AGENTICMAIL_SUBDOMAIN: data.subdomain,
+      AGENTICMAIL_DOMAIN: data.fqdn,
+      CLOUDFLARED_TOKEN: data.tunnelToken
+    };
+    for (const [key, val] of Object.entries(updates)) {
+      if (!val) continue;
+      const regex = new RegExp(`^${key}=.*$`, "m");
+      if (regex.test(envContent)) {
+        envContent = envContent.replace(regex, `${key}=${val}`);
+      } else {
+        envContent += `${envContent.endsWith("\n") ? "" : "\n"}${key}=${val}
+`;
+      }
+    }
+    writeFileSync(envPath, envContent, { mode: 384 });
+    console.log("");
+    console.log(chalk.green.bold("  Recovery complete!"));
+    console.log("");
+    console.log(`  Subdomain:    ${chalk.bold(data.fqdn)}`);
+    console.log(`  Tunnel Token: ${chalk.dim("saved to ~/.agenticmail/.env")}`);
+    console.log(`  Vault Key:    ${chalk.dim("saved to ~/.agenticmail/.env")}`);
+    console.log("");
+    console.log(chalk.bold("  Next steps:"));
+    console.log("");
+    const envFilePath = join(amDir, ".env");
+    let currentEnv = "";
+    try {
+      currentEnv = readFileSync(envFilePath, "utf8");
+    } catch {
+    }
+    const hasDbUrl = currentEnv.includes("DATABASE_URL=") && !currentEnv.includes("DATABASE_URL=\n");
+    if (!hasDbUrl) {
+      console.log(chalk.yellow("  Your database connection string is needed to restore your data."));
+      console.log(chalk.dim("  This is the same DATABASE_URL from your original installation."));
+      console.log(chalk.dim("  Example: postgresql://user:pass@host:5432/dbname\n"));
+      const { dbUrl } = await inquirer.prompt([{
+        type: "input",
+        name: "dbUrl",
+        message: "DATABASE_URL:",
+        validate: (v) => v.trim().length > 5 ? true : "Enter your database connection string"
+      }]);
+      const regex = /^DATABASE_URL=.*$/m;
+      if (regex.test(currentEnv)) {
+        currentEnv = currentEnv.replace(regex, `DATABASE_URL=${dbUrl.trim()}`);
+      } else {
+        currentEnv += `${currentEnv.endsWith("\n") ? "" : "\n"}DATABASE_URL=${dbUrl.trim()}
+`;
+      }
+      writeFileSync(envFilePath, currentEnv, { mode: 384 });
+      console.log(chalk.green("  DATABASE_URL saved"));
+    }
+    if (!currentEnv.includes("JWT_SECRET=") || currentEnv.includes("JWT_SECRET=\n")) {
+      console.log("");
+      console.log(chalk.yellow("  Note: JWT_SECRET is missing \u2014 a new one will be generated on start."));
+      console.log(chalk.dim("  This means existing login sessions from the old machine won't work."));
+      console.log(chalk.dim("  Users will need to log in again. This is normal for recovery."));
+    }
+    console.log("");
+    console.log(`  Start your instance:`);
+    console.log(`     ${chalk.cyan("npx @agenticmail/enterprise start")}`);
+    console.log("");
+    console.log(chalk.dim("  The server will auto-start cloudflared with your tunnel token."));
+    console.log(chalk.dim("  Your dashboard will be live again at https://" + data.fqdn));
+    console.log("");
+    const { doInstall } = await inquirer.prompt([{
+      type: "confirm",
+      name: "doInstall",
+      message: "Install cloudflared and start the tunnel now?",
+      default: true
+    }]);
+    if (doInstall) {
+      const { execSync } = await import("child_process");
+      const { platform, arch } = await import("os");
+      try {
+        execSync("which cloudflared", { timeout: 3e3 });
+        console.log(chalk.green("  cloudflared already installed"));
+      } catch {
+        const spinner2 = ora("Installing cloudflared...").start();
+        try {
+          const os = platform();
+          if (os === "darwin") {
+            try {
+              execSync("brew install cloudflared", { stdio: "pipe", timeout: 12e4 });
+            } catch {
+              const cfArch = arch() === "arm64" ? "arm64" : "amd64";
+              execSync(`curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-${cfArch} && chmod +x /usr/local/bin/cloudflared`, { timeout: 6e4 });
+            }
+          } else {
+            const cfArch = arch() === "arm64" ? "arm64" : "amd64";
+            execSync(`curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${cfArch} && chmod +x /usr/local/bin/cloudflared`, { timeout: 6e4 });
+          }
+          spinner2.succeed("cloudflared installed");
+        } catch (e) {
+          spinner2.fail("Could not install cloudflared: " + e.message);
+          console.log(chalk.dim("  Install manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/"));
+        }
+      }
+      try {
+        const { execSync: ex } = await import("child_process");
+        ex("which pm2", { timeout: 3e3 });
+        try {
+          ex("pm2 delete cloudflared 2>/dev/null", { timeout: 5e3 });
+        } catch {
+        }
+        ex(`pm2 start cloudflared --name cloudflared -- tunnel --no-autoupdate run --token ${data.tunnelToken}`, { timeout: 15e3 });
+        try {
+          ex("pm2 save 2>/dev/null", { timeout: 5e3 });
+        } catch {
+        }
+        console.log(chalk.green("  Tunnel running via PM2"));
+      } catch {
+        console.log(chalk.dim("  Start the tunnel manually:"));
+        console.log(chalk.cyan(`  cloudflared tunnel --no-autoupdate run --token ${data.tunnelToken}`));
+      }
+    }
+  } catch (err) {
+    spinner.fail("Recovery failed: " + err.message);
+    console.log(chalk.dim("  Check your internet connection and try again."));
+  }
+}
+function detectDbType(url) {
+  const u = url.toLowerCase().trim();
+  if (u.startsWith("postgres") || u.startsWith("pg:")) return "postgres";
+  if (u.startsWith("mysql")) return "mysql";
+  if (u.startsWith("mongodb")) return "mongodb";
+  if (u.startsWith("libsql") || u.includes(".turso.io")) return "turso";
+  if (u.endsWith(".db") || u.endsWith(".sqlite") || u.endsWith(".sqlite3") || u.startsWith("file:")) return "sqlite";
+  return "postgres";
+}
+export {
+  runRecover
+};

package/dist/cli.js

@@ -14,7 +14,7 @@ switch (command) {
     import("./cli-submit-skill-LDFJGSKO.js").then((m) => m.runSubmitSkill(args.slice(1))).catch(fatal);
     break;
   case "recover":
-    import("./cli-recover-ARHVBGYO.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
+    import("./cli-recover-TIXQPY44.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
     break;
   case "verify-domain":
     import("./cli-verify-F3KN23M7.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
@@ -60,7 +60,7 @@ Skill Development:
     break;
   case "setup":
   default:
-    import("./setup-VXBO4VN5.js").then((m) => m.runSetupWizard()).catch(fatal);
+    import("./setup-CVOU77CE.js").then((m) => m.runSetupWizard()).catch(fatal);
     break;
 }
 function fatal(err) {

package/dist/index.js

@@ -13,7 +13,7 @@ import {
 import {
   provision,
   runSetupWizard
-} from "./chunk-P6YLZXKZ.js";
+} from "./chunk-PQR6XE7B.js";
 import {
   AgentRuntime,
   EmailChannel,

package/dist/setup-CVOU77CE.js

@@ -0,0 +1,20 @@
+import {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+} from "./chunk-PQR6XE7B.js";
+import "./chunk-ULRBF2T7.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenticmail/enterprise",
-  "version": "0.5.288",
+  "version": "0.5.289",
   "description": "AgenticMail Enterprise — cloud-hosted AI agent identity, email, auth & compliance for organizations",
   "type": "module",
   "bin": {

package/src/domain-lock/cli-recover.ts

@@ -406,10 +406,45 @@ async function runCloudRecover(args: string[], inquirer: any, chalk: any, ora: a
     console.log('');
     console.log(chalk.bold('  Next steps:'));
     console.log('');
-    console.log(`  1. Set your DATABASE_URL in ${chalk.dim('~/.agenticmail/.env')}`);
-    console.log(`     ${chalk.dim('(same database from your original installation)')}`);
+
+    // Ask for DATABASE_URL right now
+    const envFilePath = join(amDir, '.env');
+    let currentEnv = '';
+    try { currentEnv = readFileSync(envFilePath, 'utf8'); } catch {}
+    const hasDbUrl = currentEnv.includes('DATABASE_URL=') && !currentEnv.includes('DATABASE_URL=\n');
+
+    if (!hasDbUrl) {
+      console.log(chalk.yellow('  Your database connection string is needed to restore your data.'));
+      console.log(chalk.dim('  This is the same DATABASE_URL from your original installation.'));
+      console.log(chalk.dim('  Example: postgresql://user:pass@host:5432/dbname\n'));
+
+      const { dbUrl } = await inquirer.prompt([{
+        type: 'input',
+        name: 'dbUrl',
+        message: 'DATABASE_URL:',
+        validate: (v: string) => v.trim().length > 5 ? true : 'Enter your database connection string',
+      }]);
+
+      const regex = /^DATABASE_URL=.*$/m;
+      if (regex.test(currentEnv)) {
+        currentEnv = currentEnv.replace(regex, `DATABASE_URL=${dbUrl.trim()}`);
+      } else {
+        currentEnv += `${currentEnv.endsWith('\n') ? '' : '\n'}DATABASE_URL=${dbUrl.trim()}\n`;
+      }
+      writeFileSync(envFilePath, currentEnv, { mode: 0o600 });
+      console.log(chalk.green('  DATABASE_URL saved'));
+    }
+
+    // Check if JWT_SECRET is present — if not, warn them
+    if (!currentEnv.includes('JWT_SECRET=') || currentEnv.includes('JWT_SECRET=\n')) {
+      console.log('');
+      console.log(chalk.yellow('  Note: JWT_SECRET is missing — a new one will be generated on start.'));
+      console.log(chalk.dim('  This means existing login sessions from the old machine won\'t work.'));
+      console.log(chalk.dim('  Users will need to log in again. This is normal for recovery.'));
+    }
+
     console.log('');
-    console.log(`  2. Start your instance:`);
+    console.log(`  Start your instance:`);
     console.log(`     ${chalk.cyan('npx @agenticmail/enterprise start')}`);
     console.log('');
     console.log(chalk.dim('  The server will auto-start cloudflared with your tunnel token.'));

package/src/setup/deployment.ts

@@ -256,15 +256,21 @@ async function runCloudSetup(
 
   // ── CRITICAL: Vault key backup warning ─────────
   console.log('');
-  console.log(chalk.bgYellow.black.bold('  ⚠  SAVE YOUR RECOVERY KEY  ⚠  '));
+  console.log(chalk.bgYellow.black.bold('  ⚠  BACK UP ~/.agenticmail/.env  ⚠  '));
   console.log('');
-  console.log(chalk.yellow('  If your computer crashes, you need this key to recover your subdomain.'));
-  console.log(chalk.yellow('  It is stored in ~/.agenticmail/.env — back up this file somewhere safe!'));
+  console.log(chalk.yellow('  This file contains EVERYTHING needed to recover if your machine crashes:'));
   console.log('');
-  console.log(`  ${chalk.bold('AGENTICMAIL_VAULT_KEY=')}${chalk.dim(process.env.AGENTICMAIL_VAULT_KEY || '(check ~/.agenticmail/.env)')}`);
+  console.log(chalk.yellow('    DATABASE_URL          — your database connection'));
+  console.log(chalk.yellow('    JWT_SECRET            — login session signing key'));
+  console.log(chalk.yellow('    AGENTICMAIL_VAULT_KEY — encrypted credentials + subdomain recovery'));
+  console.log(chalk.yellow('    CLOUDFLARED_TOKEN     — tunnel connection token'));
+  console.log(chalk.yellow('    PORT                  — server port'));
   console.log('');
-  console.log(chalk.dim('  To recover on a new machine, run:'));
-  console.log(chalk.dim('    npx @agenticmail/enterprise recover --cloud'));
+  console.log(chalk.bold.yellow('  Copy this file to a safe place (password manager, cloud drive, etc.)'));
+  console.log(chalk.bold.yellow('  Without it, you CANNOT recover your subdomain or encrypted data.'));
+  console.log('');
+  console.log(chalk.dim('  To recover on a new machine:'));
+  console.log(chalk.cyan('    npx @agenticmail/enterprise recover --cloud'));
   console.log('');
   console.log('');
   console.log(chalk.dim('  To start your instance, run these two processes:'));

package/src/setup/provision.ts

@@ -182,12 +182,37 @@ export async function provision(
         || (config.deployTarget === 'local' ? 3000 : undefined)
         || (config.deployTarget === 'docker' ? 3000 : undefined)
         || 3200;
+      // Read existing .env to preserve cloud/tunnel values
+      let existingEnv = '';
+      const envFilePath = join(envDir, '.env');
+      if (existsSync(envFilePath)) {
+        try { existingEnv = (await import('fs')).readFileSync(envFilePath, 'utf8'); } catch {}
+      }
+
+      // Build key=value map preserving existing keys we don't set here
+      const envMap = new Map<string, string>();
+      for (const line of existingEnv.split('\n')) {
+        const t = line.trim();
+        if (!t || t.startsWith('#')) continue;
+        const eq = t.indexOf('=');
+        if (eq > 0) envMap.set(t.slice(0, eq).trim(), t.slice(eq + 1).trim());
+      }
+
+      // Set/overwrite the keys from this setup step
+      envMap.set('DATABASE_URL', config.database.connectionString || '');
+      envMap.set('JWT_SECRET', jwtSecret);
+      envMap.set('AGENTICMAIL_VAULT_KEY', vaultKey);
+      envMap.set('PORT', String(port));
+
+      // Cloud deployment values (from deployment.ts step)
+      if (config.cloud?.tunnelToken) envMap.set('CLOUDFLARED_TOKEN', config.cloud.tunnelToken);
+      if (config.cloud?.subdomain) envMap.set('AGENTICMAIL_SUBDOMAIN', config.cloud.subdomain);
+      if (config.cloud?.fqdn) envMap.set('AGENTICMAIL_DOMAIN', config.cloud.fqdn);
+
       const envContent = [
         '# AgenticMail Enterprise — auto-generated by setup wizard',
-        `DATABASE_URL=${config.database.connectionString || ''}`,
-        `JWT_SECRET=${jwtSecret}`,
-        `AGENTICMAIL_VAULT_KEY=${vaultKey}`,
-        `PORT=${port}`,
+        '# BACK UP THIS FILE! You need it to recover on a new machine.',
+        ...Array.from(envMap.entries()).map(([k, v]) => `${k}=${v}`),
       ].join('\n') + '\n';
       writeFileSync(join(envDir, '.env'), envContent, { mode: 0o600 });
       spinner.succeed(`Config saved to ~/.agenticmail/.env`);