@agenticmail/enterprise 0.5.291 → 0.5.293

package/dist/cli-verify-R32RJGVW.js

@@ -0,0 +1,149 @@
+import {
+  DomainLock
+} from "./chunk-UPU23ZRG.js";
+import "./chunk-KFQGP6VL.js";
+
+// src/domain-lock/cli-verify.ts
+function getFlag(args, name) {
+  const idx = args.indexOf(name);
+  if (idx !== -1 && args[idx + 1]) return args[idx + 1];
+  return void 0;
+}
+function hasFlag(args, name) {
+  return args.includes(name);
+}
+function detectDbType(url) {
+  const u = url.toLowerCase().trim();
+  if (u.startsWith("postgres") || u.startsWith("pg:")) return "postgres";
+  if (u.startsWith("mysql")) return "mysql";
+  if (u.startsWith("mongodb")) return "mongodb";
+  if (u.startsWith("libsql") || u.includes(".turso.io")) return "turso";
+  if (u.endsWith(".db") || u.endsWith(".sqlite") || u.endsWith(".sqlite3") || u.startsWith("file:")) return "sqlite";
+  return "postgres";
+}
+async function runVerifyDomain(args) {
+  const { default: chalk } = await import("chalk");
+  const { default: ora } = await import("ora");
+  console.log("");
+  console.log(chalk.bold("  AgenticMail Enterprise \u2014 Domain Verification"));
+  console.log("");
+  let domain = getFlag(args, "--domain");
+  let dnsChallenge;
+  let db = null;
+  let dbConnected = false;
+  const envDbUrl = process.env.DATABASE_URL;
+  if (envDbUrl) {
+    const dbType = detectDbType(envDbUrl);
+    const spinner = ora(`Connecting to database (${dbType})...`).start();
+    try {
+      const { createAdapter } = await import("./factory-KWNTMIVU.js");
+      db = await createAdapter({ type: dbType, connectionString: envDbUrl });
+      await db.migrate();
+      const settings = await db.getSettings();
+      if (!domain && settings?.domain) domain = settings.domain;
+      if (settings?.domainDnsChallenge) dnsChallenge = settings.domainDnsChallenge;
+      dbConnected = true;
+      spinner.succeed(`Connected to ${dbType} database` + (domain ? ` (domain: ${domain})` : ""));
+    } catch (err) {
+      spinner.warn(`Could not connect via DATABASE_URL: ${err.message}`);
+      db = null;
+    }
+  }
+  if (!dbConnected) {
+    const dbPath = getFlag(args, "--db");
+    const dbType = getFlag(args, "--db-type") || "sqlite";
+    if (dbPath) {
+      const spinner = ora(`Connecting to ${dbType} database...`).start();
+      try {
+        const { createAdapter } = await import("./factory-KWNTMIVU.js");
+        db = await createAdapter({ type: dbType, connectionString: dbPath });
+        await db.migrate();
+        const settings = await db.getSettings();
+        if (!domain && settings?.domain) domain = settings.domain;
+        if (settings?.domainDnsChallenge) dnsChallenge = settings.domainDnsChallenge;
+        dbConnected = true;
+        spinner.succeed(`Connected to ${dbType} database`);
+      } catch {
+        spinner.warn("Could not read local database");
+      }
+    }
+  }
+  if (!domain) {
+    const { default: inquirer } = await import("inquirer");
+    const answer = await inquirer.prompt([{
+      type: "input",
+      name: "domain",
+      message: "Domain to verify:",
+      suffix: chalk.dim("  (e.g. agents.yourcompany.com)"),
+      validate: (v) => v.includes(".") || "Enter a valid domain",
+      filter: (v) => v.trim().toLowerCase()
+    }]);
+    domain = answer.domain;
+  }
+  const lock = new DomainLock();
+  const maxAttempts = hasFlag(args, "--poll") ? 5 : 1;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    const spinner = ora(
+      maxAttempts > 1 ? `Checking DNS verification (attempt ${attempt}/${maxAttempts})...` : "Checking DNS verification..."
+    ).start();
+    try {
+      const result = await lock.checkVerification(domain);
+      if (!result.success) {
+        spinner.fail("Verification check failed");
+        console.log("");
+        console.error(chalk.red(`  ${result.error}`));
+        console.log("");
+        if (db) await db.disconnect();
+        process.exit(1);
+      }
+      if (result.verified) {
+        spinner.succeed("Domain verified!");
+        if (dbConnected && db) {
+          try {
+            await db.updateSettings({
+              domainStatus: "verified",
+              domainVerifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+            });
+            console.log(chalk.dim("  Database updated with verified status."));
+          } catch {
+          }
+        }
+        console.log("");
+        console.log(chalk.green.bold(`  \u2713 ${domain} is verified and protected.`));
+        console.log(chalk.dim("  Your deployment domain is locked. No other instance can claim it."));
+        console.log(chalk.dim("  The system now operates 100% offline \u2014 no outbound calls are made."));
+        console.log("");
+        if (db) await db.disconnect();
+        return;
+      }
+    } catch (err) {
+      spinner.warn(`Check failed: ${err.message}`);
+    }
+    if (attempt < maxAttempts) {
+      const waitSpinner = ora(`DNS record not found yet. Retrying in 10 seconds...`).start();
+      await new Promise((r) => setTimeout(r, 1e4));
+      waitSpinner.stop();
+    }
+  }
+  console.log("");
+  console.log(chalk.yellow("  DNS record not detected yet."));
+  console.log("");
+  console.log(chalk.bold("  Make sure this TXT record exists at your DNS provider:"));
+  console.log("");
+  console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
+  console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("TXT")}`);
+  if (dnsChallenge) {
+    console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(dnsChallenge)}`);
+  } else {
+    console.log(`  ${chalk.bold("Value:")}  ${chalk.dim("(check your dashboard or setup output)")}`);
+  }
+  console.log("");
+  console.log(chalk.dim("  DNS propagation can take up to 48 hours."));
+  console.log(chalk.dim("  Run with --poll to retry automatically:"));
+  console.log(chalk.dim(`    npx @agenticmail/enterprise verify-domain --domain ${domain} --poll`));
+  console.log("");
+  if (db) await db.disconnect();
+}
+export {
+  runVerifyDomain
+};

package/dist/cli.js

@@ -14,10 +14,10 @@ switch (command) {
     import("./cli-submit-skill-LDFJGSKO.js").then((m) => m.runSubmitSkill(args.slice(1))).catch(fatal);
     break;
   case "recover":
-    import("./cli-recover-O2OROH5K.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
+    import("./cli-recover-2U3N37CE.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
     break;
   case "verify-domain":
-    import("./cli-verify-F3KN23M7.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
+    import("./cli-verify-R32RJGVW.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
     break;
   case "reset-password":
     import("./cli-reset-password-SO5Y6MW7.js").then((m) => m.runResetPassword(args.slice(1))).catch(fatal);
@@ -57,14 +57,14 @@ Skill Development:
     break;
   case "serve":
   case "start":
-    import("./cli-serve-VIRN7UCN.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
+    import("./cli-serve-QM2D6TYP.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
     break;
   case "agent":
-    import("./cli-agent-QADP7UDK.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
+    import("./cli-agent-5JNS5J2U.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
     break;
   case "setup":
   default:
-    import("./setup-FUCZUQBB.js").then((m) => m.runSetupWizard()).catch(fatal);
+    import("./setup-XI4ZTR4B.js").then((m) => m.runSetupWizard()).catch(fatal);
     break;
 }
 function fatal(err) {

package/dist/dashboard/app.js

@@ -93,6 +93,7 @@ function App() {
   const [toasts, setToasts] = useState([]);
   const [user, setUser] = useState(null);
   const [pendingCount, setPendingCount] = useState(0);
+  const [permissions, setPermissions] = useState('*'); // '*' = full access, or { pageId: true | ['tab1','tab2'] }
   const [needsSetup, setNeedsSetup] = useState(null);
   const [sidebarPinned, setSidebarPinned] = useState(() => localStorage.getItem('em_sidebar_pinned') === 'true');
   const [sidebarHovered, setSidebarHovered] = useState(false);
@@ -136,6 +137,7 @@ function App() {
     if (!authed) return;
     engineCall('/approvals/pending').then(d => setPendingCount((d.requests || []).length)).catch(() => {});
     apiCall('/settings').then(d => { const s = d.settings || d || {}; if (s.primaryColor) applyBrandColor(s.primaryColor); if (s.orgId) setOrgId(s.orgId); }).catch(() => {});
+    apiCall('/me/permissions').then(d => { if (d && d.permissions) setPermissions(d.permissions); }).catch(() => {});
   }, [authed]);
 
   const logout = useCallback(() => { authCall('/logout', { method: 'POST' }).catch(() => {}).finally(() => { setAuthed(false); setUser(null); }); }, []);
@@ -208,10 +210,20 @@ function App() {
   };
 
   const navigateToAgent = (agentId) => { _setSelectedAgentId(agentId); history.pushState(null, '', '/dashboard/agents/' + agentId); };
-  const PageComponent = pages[page] || DashboardPage;
+
+  // Filter nav based on permissions
+  const hasAccess = (pageId) => permissions === '*' || (permissions && pageId in permissions);
+  const filteredNav = nav.map(section => ({
+    ...section,
+    items: section.items.filter(item => hasAccess(item.id))
+  })).filter(section => section.items.length > 0);
+
+  // Block access to pages user can't see — show unauthorized page
+  const canAccessPage = hasAccess(page);
+  const PageComponent = canAccessPage ? (pages[page] || DashboardPage) : null;
   const sidebarClass = 'sidebar' + (sidebarPinned ? ' expanded' : sidebarHovered ? ' hover-expanded' : '') + (mobileMenuOpen ? ' mobile-open' : '');
 
-  return h(AppContext.Provider, { value: { toast, toasts, user, theme, setPage } },
+  return h(AppContext.Provider, { value: { toast, toasts, user, theme, setPage, permissions } },
     h('div', { className: 'app-layout' },
       // Mobile hamburger
       h('button', { className: 'mobile-hamburger', onClick: () => setMobileMenuOpen(true) },
@@ -231,7 +243,7 @@ function App() {
           h('button', { className: 'sidebar-toggle' + (sidebarPinned ? ' pinned' : ''), onClick: toggleSidebarPin, title: sidebarPinned ? 'Unpin sidebar' : 'Pin sidebar' }, sidebarPinned ? I.chevronLeft() : I.panelLeft())
         ),
         h('div', { className: 'sidebar-nav' },
-          nav.map((section, si) =>
+          filteredNav.map((section, si) =>
             h('div', { key: section.section + si, className: 'sidebar-section' },
               h('div', { className: 'sidebar-section-title' }, section.section),
               section.items.map(item =>
@@ -271,7 +283,29 @@ function App() {
             ? h(AgentDetailPage, { agentId: selectedAgentId, onBack: () => { _setSelectedAgentId(null); _setPage('agents'); history.pushState(null, '', '/dashboard/agents'); } })
             : page === 'agents'
               ? h(AgentsPage, { onSelectAgent: navigateToAgent })
-              : h(PageComponent)
+              : PageComponent ? h(PageComponent)
+              : h('div', { style: { display: 'flex', flexDirection: 'column', alignItems: 'center', justifyContent: 'center', minHeight: '60vh', textAlign: 'center', padding: 40 } },
+                  h('div', { style: { width: 64, height: 64, borderRadius: '50%', background: 'var(--danger-soft, rgba(220,38,38,0.1))', display: 'flex', alignItems: 'center', justifyContent: 'center', marginBottom: 20 } },
+                    h('svg', { width: 32, height: 32, viewBox: '0 0 24 24', fill: 'none', stroke: 'var(--danger, #dc2626)', strokeWidth: 2, strokeLinecap: 'round', strokeLinejoin: 'round' },
+                      h('rect', { x: 3, y: 11, width: 18, height: 11, rx: 2, ry: 2 }),
+                      h('path', { d: 'M7 11V7a5 5 0 0 1 10 0v4' })
+                    )
+                  ),
+                  h('h2', { style: { fontSize: 20, fontWeight: 700, marginBottom: 8, color: 'var(--text-primary)' } }, 'Access Restricted'),
+                  h('p', { style: { fontSize: 14, color: 'var(--text-muted)', maxWidth: 400, lineHeight: 1.6, marginBottom: 24 } },
+                    'You don\'t have permission to access this page. If you believe this is an error, please contact your company administrator to request access.'
+                  ),
+                  h('div', { style: { display: 'flex', gap: 12 } },
+                    filteredNav[0]?.items[0] && h('button', {
+                      className: 'btn btn-primary',
+                      onClick: () => { setPage(filteredNav[0].items[0].id); history.pushState(null, '', '/dashboard/' + filteredNav[0].items[0].id); }
+                    }, 'Go to ' + filteredNav[0].items[0].label),
+                    h('button', {
+                      className: 'btn btn-secondary',
+                      onClick: () => { window.location.href = 'mailto:?subject=Access%20Request&body=I%20need%20access%20to%20the%20' + encodeURIComponent(page) + '%20page%20in%20the%20dashboard.'; }
+                    }, 'Request Access')
+                  )
+                )
         )
       )
     ),

package/dist/dashboard/components/icons.js

@@ -54,5 +54,7 @@ export const I = {
   eyeOff: () => h('svg', S, h('path', { d: 'M17.94 17.94A10.07 10.07 0 0112 20c-7 0-11-8-11-8a18.45 18.45 0 015.06-5.94M9.9 4.24A9.12 9.12 0 0112 4c7 0 11 8 11 8a18.5 18.5 0 01-2.16 3.19m-6.72-1.07a3 3 0 11-4.24-4.24' }), h('line', { x1: 1, y1: 1, x2: 23, y2: 23 })),
   panelLeft: () => h('svg', S, h('rect', { x: 3, y: 3, width: 18, height: 18, rx: 2 }), h('line', { x1: 9, y1: 3, x2: 9, y2: 21 })),
   chevronLeft: () => h('svg', S, h('polyline', { points: '15 18 9 12 15 6' })),
+chevronRight: () => h('svg', S, h('polyline', { points: '9 18 15 12 9 6' })),
+chevronDown: () => h('svg', S, h('polyline', { points: '6 9 12 15 18 9' })),
   edit: () => h('svg', S, h('path', { d: 'M11 4H4a2 2 0 0 0-2 2v14a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2v-7' }), h('path', { d: 'M18.5 2.5a2.121 2.121 0 0 1 3 3L12 15l-4 1 1-4 9.5-9.5z' })),
 };

package/dist/dashboard/pages/agent-detail/index.js

@@ -44,9 +44,19 @@ export function AgentDetailPage(props) {
   var _agents = useState([]);
   var agents = _agents[0]; var setAgents = _agents[1];
 
-  var TABS = ['overview', 'personal', 'email', 'whatsapp', 'channels', 'configuration', 'manager', 'tools', 'skills', 'permissions', 'activity', 'communication', 'workforce', 'memory', 'guardrails', 'autonomy', 'budget', 'security', 'tool-security', 'deployment'];
+  var ALL_TABS = ['overview', 'personal', 'email', 'whatsapp', 'channels', 'configuration', 'manager', 'tools', 'skills', 'permissions', 'activity', 'communication', 'workforce', 'memory', 'guardrails', 'autonomy', 'budget', 'security', 'tool-security', 'deployment'];
   var TAB_LABELS = { 'security': 'Security', 'tool-security': 'Tool Security', 'manager': 'Manager', 'email': 'Email', 'whatsapp': 'WhatsApp', 'channels': 'Channels', 'tools': 'Tools', 'autonomy': 'Autonomy' };
 
+  // Filter tabs based on user permissions
+  var app = useApp();
+  var perms = app.permissions || '*';
+  var agentGrant = perms === '*' ? true : (perms.agents || false);
+  var TABS = ALL_TABS.filter(function(t) {
+    if (perms === '*' || agentGrant === true) return true;
+    if (Array.isArray(agentGrant)) return agentGrant.indexOf(t) !== -1;
+    return false;
+  });
+
   var load = function() {
     setLoading(true);
     Promise.all([