@agenticmail/enterprise 0.5.294 → 0.5.296

package/dist/cli-verify-HYUKQELV.js

@@ -0,0 +1,149 @@
+import {
+  DomainLock
+} from "./chunk-UPU23ZRG.js";
+import "./chunk-KFQGP6VL.js";
+
+// src/domain-lock/cli-verify.ts
+function getFlag(args, name) {
+  const idx = args.indexOf(name);
+  if (idx !== -1 && args[idx + 1]) return args[idx + 1];
+  return void 0;
+}
+function hasFlag(args, name) {
+  return args.includes(name);
+}
+function detectDbType(url) {
+  const u = url.toLowerCase().trim();
+  if (u.startsWith("postgres") || u.startsWith("pg:")) return "postgres";
+  if (u.startsWith("mysql")) return "mysql";
+  if (u.startsWith("mongodb")) return "mongodb";
+  if (u.startsWith("libsql") || u.includes(".turso.io")) return "turso";
+  if (u.endsWith(".db") || u.endsWith(".sqlite") || u.endsWith(".sqlite3") || u.startsWith("file:")) return "sqlite";
+  return "postgres";
+}
+async function runVerifyDomain(args) {
+  const { default: chalk } = await import("chalk");
+  const { default: ora } = await import("ora");
+  console.log("");
+  console.log(chalk.bold("  AgenticMail Enterprise \u2014 Domain Verification"));
+  console.log("");
+  let domain = getFlag(args, "--domain");
+  let dnsChallenge;
+  let db = null;
+  let dbConnected = false;
+  const envDbUrl = process.env.DATABASE_URL;
+  if (envDbUrl) {
+    const dbType = detectDbType(envDbUrl);
+    const spinner = ora(`Connecting to database (${dbType})...`).start();
+    try {
+      const { createAdapter } = await import("./factory-NTLTU26R.js");
+      db = await createAdapter({ type: dbType, connectionString: envDbUrl });
+      await db.migrate();
+      const settings = await db.getSettings();
+      if (!domain && settings?.domain) domain = settings.domain;
+      if (settings?.domainDnsChallenge) dnsChallenge = settings.domainDnsChallenge;
+      dbConnected = true;
+      spinner.succeed(`Connected to ${dbType} database` + (domain ? ` (domain: ${domain})` : ""));
+    } catch (err) {
+      spinner.warn(`Could not connect via DATABASE_URL: ${err.message}`);
+      db = null;
+    }
+  }
+  if (!dbConnected) {
+    const dbPath = getFlag(args, "--db");
+    const dbType = getFlag(args, "--db-type") || "sqlite";
+    if (dbPath) {
+      const spinner = ora(`Connecting to ${dbType} database...`).start();
+      try {
+        const { createAdapter } = await import("./factory-NTLTU26R.js");
+        db = await createAdapter({ type: dbType, connectionString: dbPath });
+        await db.migrate();
+        const settings = await db.getSettings();
+        if (!domain && settings?.domain) domain = settings.domain;
+        if (settings?.domainDnsChallenge) dnsChallenge = settings.domainDnsChallenge;
+        dbConnected = true;
+        spinner.succeed(`Connected to ${dbType} database`);
+      } catch {
+        spinner.warn("Could not read local database");
+      }
+    }
+  }
+  if (!domain) {
+    const { default: inquirer } = await import("inquirer");
+    const answer = await inquirer.prompt([{
+      type: "input",
+      name: "domain",
+      message: "Domain to verify:",
+      suffix: chalk.dim("  (e.g. agents.yourcompany.com)"),
+      validate: (v) => v.includes(".") || "Enter a valid domain",
+      filter: (v) => v.trim().toLowerCase()
+    }]);
+    domain = answer.domain;
+  }
+  const lock = new DomainLock();
+  const maxAttempts = hasFlag(args, "--poll") ? 5 : 1;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    const spinner = ora(
+      maxAttempts > 1 ? `Checking DNS verification (attempt ${attempt}/${maxAttempts})...` : "Checking DNS verification..."
+    ).start();
+    try {
+      const result = await lock.checkVerification(domain);
+      if (!result.success) {
+        spinner.fail("Verification check failed");
+        console.log("");
+        console.error(chalk.red(`  ${result.error}`));
+        console.log("");
+        if (db) await db.disconnect();
+        process.exit(1);
+      }
+      if (result.verified) {
+        spinner.succeed("Domain verified!");
+        if (dbConnected && db) {
+          try {
+            await db.updateSettings({
+              domainStatus: "verified",
+              domainVerifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+            });
+            console.log(chalk.dim("  Database updated with verified status."));
+          } catch {
+          }
+        }
+        console.log("");
+        console.log(chalk.green.bold(`  \u2713 ${domain} is verified and protected.`));
+        console.log(chalk.dim("  Your deployment domain is locked. No other instance can claim it."));
+        console.log(chalk.dim("  The system now operates 100% offline \u2014 no outbound calls are made."));
+        console.log("");
+        if (db) await db.disconnect();
+        return;
+      }
+    } catch (err) {
+      spinner.warn(`Check failed: ${err.message}`);
+    }
+    if (attempt < maxAttempts) {
+      const waitSpinner = ora(`DNS record not found yet. Retrying in 10 seconds...`).start();
+      await new Promise((r) => setTimeout(r, 1e4));
+      waitSpinner.stop();
+    }
+  }
+  console.log("");
+  console.log(chalk.yellow("  DNS record not detected yet."));
+  console.log("");
+  console.log(chalk.bold("  Make sure this TXT record exists at your DNS provider:"));
+  console.log("");
+  console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
+  console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("TXT")}`);
+  if (dnsChallenge) {
+    console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(dnsChallenge)}`);
+  } else {
+    console.log(`  ${chalk.bold("Value:")}  ${chalk.dim("(check your dashboard or setup output)")}`);
+  }
+  console.log("");
+  console.log(chalk.dim("  DNS propagation can take up to 48 hours."));
+  console.log(chalk.dim("  Run with --poll to retry automatically:"));
+  console.log(chalk.dim(`    npx @agenticmail/enterprise verify-domain --domain ${domain} --poll`));
+  console.log("");
+  if (db) await db.disconnect();
+}
+export {
+  runVerifyDomain
+};

package/dist/cli.js

@@ -14,10 +14,10 @@ switch (command) {
     import("./cli-submit-skill-LDFJGSKO.js").then((m) => m.runSubmitSkill(args.slice(1))).catch(fatal);
     break;
   case "recover":
-    import("./cli-recover-LPV6BP5V.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
+    import("./cli-recover-PMJRFJNY.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
     break;
   case "verify-domain":
-    import("./cli-verify-IWWY34SU.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
+    import("./cli-verify-HYUKQELV.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
     break;
   case "reset-password":
     import("./cli-reset-password-SO5Y6MW7.js").then((m) => m.runResetPassword(args.slice(1))).catch(fatal);
@@ -57,14 +57,14 @@ Skill Development:
     break;
   case "serve":
   case "start":
-    import("./cli-serve-KVJJPGJM.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
+    import("./cli-serve-TTN3XR4Q.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
     break;
   case "agent":
-    import("./cli-agent-PLR52NZQ.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
+    import("./cli-agent-BCISHZTV.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
     break;
   case "setup":
   default:
-    import("./setup-BOLXAOX2.js").then((m) => m.runSetupWizard()).catch(fatal);
+    import("./setup-2VN7D4OT.js").then((m) => m.runSetupWizard()).catch(fatal);
     break;
 }
 function fatal(err) {

package/dist/dashboard/app.js

@@ -94,6 +94,12 @@ function App() {
   const [user, setUser] = useState(null);
   const [pendingCount, setPendingCount] = useState(0);
   const [permissions, setPermissions] = useState('*'); // '*' = full access, or { pageId: true | ['tab1','tab2'] }
+  const [mustResetPassword, setMustResetPassword] = useState(false);
+  const [show2faReminder, setShow2faReminder] = useState(false);
+  const [forceResetPw, setForceResetPw] = useState('');
+  const [forceResetPw2, setForceResetPw2] = useState('');
+  const [forceResetLoading, setForceResetLoading] = useState(false);
+  const [forceResetError, setForceResetError] = useState('');
   const [needsSetup, setNeedsSetup] = useState(null);
   const [sidebarPinned, setSidebarPinned] = useState(() => localStorage.getItem('em_sidebar_pinned') === 'true');
   const [sidebarHovered, setSidebarHovered] = useState(false);
@@ -150,7 +156,54 @@ function App() {
 
   if (!authChecked) return h('div', { style: { minHeight: '100vh', display: 'flex', alignItems: 'center', justifyContent: 'center', background: 'var(--bg-primary)', color: 'var(--text-muted)' } }, 'Loading...');
   if (needsSetup === true && !authed) return h(OnboardingWizard, { onComplete: () => { setNeedsSetup(false); setAuthed(true); authCall('/me').then(d => { setUser(d.user || d); }).catch(() => {}); } });
-  if (!authed) return h(LoginPage, { onLogin: (d) => { setAuthed(true); if (d?.user) setUser(d.user); } });
+  if (!authed) return h(LoginPage, { onLogin: (d) => {
+    setAuthed(true);
+    if (d?.user) { setUser(d.user); if (!d.user.totpEnabled) setShow2faReminder(true); }
+    if (d?.mustResetPassword) setMustResetPassword(true);
+  } });
+
+  // Force password reset modal
+  const doForceReset = async () => {
+    if (forceResetPw !== forceResetPw2) { setForceResetError('Passwords do not match'); return; }
+    if (forceResetPw.length < 8) { setForceResetError('Password must be at least 8 characters'); return; }
+    setForceResetLoading(true); setForceResetError('');
+    try {
+      await authCall('/force-reset-password', { method: 'POST', body: JSON.stringify({ newPassword: forceResetPw }) });
+      setMustResetPassword(false);
+      toast('Password updated successfully', 'success');
+    } catch (e) { setForceResetError(e.message); }
+    setForceResetLoading(false);
+  };
+
+  if (mustResetPassword) {
+    return h('div', { style: { minHeight: '100vh', display: 'flex', alignItems: 'center', justifyContent: 'center', background: 'var(--bg-primary)', padding: 20 } },
+      h('div', { style: { maxWidth: 420, width: '100%', background: 'var(--bg-secondary)', borderRadius: 12, padding: 32, border: '1px solid var(--border)' } },
+        h('div', { style: { textAlign: 'center', marginBottom: 24 } },
+          h('div', { style: { width: 48, height: 48, borderRadius: '50%', background: 'var(--warning-soft, rgba(245,158,11,0.1))', display: 'flex', alignItems: 'center', justifyContent: 'center', margin: '0 auto 12px' } },
+            h('svg', { width: 24, height: 24, viewBox: '0 0 24 24', fill: 'none', stroke: 'var(--warning, #f59e0b)', strokeWidth: 2, strokeLinecap: 'round' },
+              h('path', { d: 'M12 9v4m0 4h.01M21 12a9 9 0 1 1-18 0 9 9 0 0 1 18 0z' })
+            )
+          ),
+          h('h2', { style: { fontSize: 18, fontWeight: 700 } }, 'Password Reset Required'),
+          h('p', { style: { color: 'var(--text-muted)', fontSize: 13, marginTop: 4 } }, 'Your administrator created this account with a temporary password. Please set a new password to continue.')
+        ),
+        h('div', { style: { display: 'flex', flexDirection: 'column', gap: 12 } },
+          h('div', null,
+            h('label', { style: { fontSize: 12, fontWeight: 600, color: 'var(--text-secondary)', display: 'block', marginBottom: 4 } }, 'New Password'),
+            h('input', { className: 'input', type: 'password', value: forceResetPw, onChange: (e) => setForceResetPw(e.target.value), placeholder: 'Min 8 characters', autoFocus: true })
+          ),
+          h('div', null,
+            h('label', { style: { fontSize: 12, fontWeight: 600, color: 'var(--text-secondary)', display: 'block', marginBottom: 4 } }, 'Confirm Password'),
+            h('input', { className: 'input', type: 'password', value: forceResetPw2, onChange: (e) => setForceResetPw2(e.target.value), placeholder: 'Confirm new password', onKeyDown: (e) => { if (e.key === 'Enter') doForceReset(); } })
+          ),
+          forceResetError && h('div', { style: { color: 'var(--danger)', fontSize: 12 } }, forceResetError),
+          h('button', { className: 'btn btn-primary', onClick: doForceReset, disabled: forceResetLoading || !forceResetPw || !forceResetPw2, style: { width: '100%', justifyContent: 'center', marginTop: 4 } },
+            forceResetLoading ? 'Updating...' : 'Set New Password'
+          )
+        )
+      )
+    );
+  }
 
   const nav = [
     { section: 'Overview', items: [{ id: 'dashboard', icon: I.dashboard, label: 'Dashboard' }] },
@@ -279,6 +332,16 @@ function App() {
           )
         ),
         h('div', { className: 'page-content' },
+          // 2FA recommendation banner
+          show2faReminder && h('div', { style: { display: 'flex', alignItems: 'center', gap: 12, padding: '10px 16px', margin: '0 0 16px', background: 'var(--warning-soft, rgba(245,158,11,0.1))', border: '1px solid var(--warning, #f59e0b)', borderRadius: 8, fontSize: 13 } },
+            I.shield(),
+            h('div', { style: { flex: 1 } },
+              h('strong', null, 'Enable Two-Factor Authentication'),
+              h('span', { style: { color: 'var(--text-secondary)', marginLeft: 6 } }, 'Protect your account and enable self-service password reset.')
+            ),
+            h('button', { className: 'btn btn-warning btn-sm', onClick: () => { setPage('settings'); setShow2faReminder(false); history.pushState(null, '', '/dashboard/settings'); } }, 'Set Up 2FA'),
+            h('button', { className: 'btn btn-ghost btn-sm', onClick: () => setShow2faReminder(false), style: { padding: '2px 6px', minWidth: 0 } }, '\u00d7')
+          ),
           selectedAgentId
             ? h(AgentDetailPage, { agentId: selectedAgentId, onBack: () => { _setSelectedAgentId(null); _setPage('agents'); history.pushState(null, '', '/dashboard/agents'); } })
             : page === 'agents'

package/dist/dashboard/pages/login.js

@@ -20,6 +20,16 @@ export function LoginPage({ onLogin }) {
   var [challengeToken, setChallengeToken] = useState('');
   var [totpCode, setTotpCode] = useState('');
 
+  // Forgot password state
+  var [forgotMode, setForgotMode] = useState(false);   // show forgot password form
+  var [forgotEmail, setForgotEmail] = useState('');
+  var [forgotCode, setForgotCode] = useState('');
+  var [forgotNewPw, setForgotNewPw] = useState('');
+  var [forgotNewPw2, setForgotNewPw2] = useState('');
+  var [forgotStep, setForgotStep] = useState('email');  // 'email' | 'code' | 'no2fa' | 'done'
+  var [forgotLoading, setForgotLoading] = useState(false);
+  var [forgotError, setForgotError] = useState('');
+
   useEffect(function() {
     fetch('/auth/sso/providers').then(function(r) { return r.ok ? r.json() : null; }).then(function(d) {
       if (d && d.providers && d.providers.length > 0) setSsoProviders(d.providers);
@@ -59,6 +69,43 @@ export function LoginPage({ onLogin }) {
     setLoading(false);
   };
 
+  var submitForgotEmail = async function() {
+    setForgotLoading(true); setForgotError('');
+    try {
+      // Check if user has 2FA by attempting reset without code
+      var d = await authCall('/reset-password-self', { method: 'POST', body: JSON.stringify({ email: forgotEmail, newPassword: 'check__only__12', totpCode: '' }) });
+      if (d.has2fa) { setForgotStep('code'); }
+      else if (d.no2fa) { setForgotStep('no2fa'); }
+      else { setForgotStep('code'); }
+    } catch (err) {
+      var msg = err.message || '';
+      if (msg.indexOf('not enabled') >= 0 || msg.indexOf('administrator') >= 0) {
+        setForgotStep('no2fa');
+      } else {
+        setForgotStep('code');
+      }
+    }
+    setForgotLoading(false);
+  };
+
+  var submitForgotReset = async function() {
+    if (forgotNewPw !== forgotNewPw2) { setForgotError('Passwords do not match'); return; }
+    if (forgotNewPw.length < 8) { setForgotError('Password must be at least 8 characters'); return; }
+    setForgotLoading(true); setForgotError('');
+    try {
+      var d = await authCall('/reset-password-self', { method: 'POST', body: JSON.stringify({ email: forgotEmail, totpCode: forgotCode, newPassword: forgotNewPw }) });
+      if (d.ok) { setForgotStep('done'); }
+      else if (d.no2fa) { setForgotStep('no2fa'); setForgotError(d.error); }
+      else if (d.error) { setForgotError(d.error); }
+    } catch (err) { setForgotError(err.message); }
+    setForgotLoading(false);
+  };
+
+  var cancelForgot = function() {
+    setForgotMode(false); setForgotStep('email'); setForgotEmail(''); setForgotCode('');
+    setForgotNewPw(''); setForgotNewPw2(''); setForgotError('');
+  };
+
   var cancel2fa = function() {
     setNeeds2fa(false);
     setChallengeToken('');
@@ -110,6 +157,103 @@ export function LoginPage({ onLogin }) {
     );
   }
 
+  // ─── Forgot Password Screen ──────────────────────────
+
+  if (forgotMode) {
+    return h('div', { className: 'login-page', style: _brandBg ? { backgroundImage: 'url(' + _brandBg + ')', backgroundSize: 'cover', backgroundPosition: 'center' } : {} },
+      h('div', { className: 'login-card' },
+        h('div', { className: 'login-logo' },
+          h('img', { src: _brandLogo, alt: 'AgenticMail', style: { width: 48, height: 48, objectFit: 'contain' } }),
+          h('h1', null, 'Reset Password'),
+          h('p', null, forgotStep === 'email' ? 'Enter your email address' : forgotStep === 'code' ? 'Verify with your authenticator app' : forgotStep === 'done' ? 'Password updated' : 'Contact your administrator')
+        ),
+
+        // Step: enter email
+        forgotStep === 'email' && h('div', null,
+          h('div', { className: 'form-group' },
+            h('label', { className: 'form-label' }, 'Email Address'),
+            h('input', { className: 'input', type: 'email', value: forgotEmail, onChange: function(e) { setForgotEmail(e.target.value); }, placeholder: 'you@company.com', autoFocus: true })
+          ),
+          forgotError && h('div', { style: { color: 'var(--danger)', fontSize: 13, marginBottom: 12 } }, forgotError),
+          h('button', { className: 'btn btn-primary', onClick: submitForgotEmail, disabled: forgotLoading || !forgotEmail, style: { width: '100%', justifyContent: 'center', padding: '8px' } }, forgotLoading ? 'Checking...' : 'Continue'),
+          h('div', { style: { textAlign: 'center', marginTop: 16 } },
+            h('button', { type: 'button', className: 'btn btn-ghost btn-sm', onClick: cancelForgot }, 'Back to login')
+          )
+        ),
+
+        // Step: enter 2FA code + new password
+        forgotStep === 'code' && h('div', null,
+          h('div', { style: { background: 'var(--info-soft, rgba(59,130,246,0.1))', borderRadius: 8, padding: 12, marginBottom: 16, fontSize: 12, color: 'var(--text-secondary)' } },
+            'Enter the 6-digit code from your authenticator app (or a backup code) along with your new password.'
+          ),
+          h('div', { className: 'form-group' },
+            h('label', { className: 'form-label' }, '2FA Code'),
+            h('input', {
+              className: 'input', type: 'text', inputMode: 'numeric', autoComplete: 'one-time-code',
+              value: forgotCode, onChange: function(e) { setForgotCode(e.target.value.replace(/[^0-9A-Za-z]/g, '').slice(0, 8)); },
+              placeholder: '000000', autoFocus: true, maxLength: 8,
+              style: { textAlign: 'center', fontSize: 20, letterSpacing: '0.2em', fontFamily: 'var(--font-mono)' }
+            })
+          ),
+          h('div', { className: 'form-group' },
+            h('label', { className: 'form-label' }, 'New Password'),
+            h('input', { className: 'input', type: 'password', value: forgotNewPw, onChange: function(e) { setForgotNewPw(e.target.value); }, placeholder: 'Min 8 characters' })
+          ),
+          h('div', { className: 'form-group' },
+            h('label', { className: 'form-label' }, 'Confirm Password'),
+            h('input', { className: 'input', type: 'password', value: forgotNewPw2, onChange: function(e) { setForgotNewPw2(e.target.value); }, placeholder: 'Confirm new password' })
+          ),
+          forgotError && h('div', { style: { color: 'var(--danger)', fontSize: 13, marginBottom: 12 } }, forgotError),
+          h('button', { className: 'btn btn-primary', onClick: submitForgotReset, disabled: forgotLoading || !forgotCode || !forgotNewPw || !forgotNewPw2, style: { width: '100%', justifyContent: 'center', padding: '8px' } }, forgotLoading ? 'Resetting...' : 'Reset Password'),
+          h('div', { style: { textAlign: 'center', marginTop: 16 } },
+            h('button', { type: 'button', className: 'btn btn-ghost btn-sm', onClick: cancelForgot }, 'Back to login')
+          )
+        ),
+
+        // Step: no 2FA — contact admin
+        forgotStep === 'no2fa' && h('div', null,
+          h('div', { style: { textAlign: 'center', padding: '12px 0' } },
+            h('div', { style: { width: 48, height: 48, borderRadius: '50%', background: 'var(--danger-soft, rgba(220,38,38,0.1))', display: 'flex', alignItems: 'center', justifyContent: 'center', margin: '0 auto 12px' } },
+              h('svg', { width: 24, height: 24, viewBox: '0 0 24 24', fill: 'none', stroke: 'var(--danger, #dc2626)', strokeWidth: 2, strokeLinecap: 'round' },
+                h('path', { d: 'M12 9v4m0 4h.01M21 12a9 9 0 1 1-18 0 9 9 0 0 1 18 0z' })
+              )
+            ),
+            h('h3', { style: { fontSize: 16, fontWeight: 600, marginBottom: 8 } }, 'Cannot Reset Password'),
+            h('p', { style: { fontSize: 13, color: 'var(--text-muted)', lineHeight: 1.6, maxWidth: 320, margin: '0 auto' } },
+              'Two-factor authentication is not enabled on this account. Without 2FA, you cannot reset your password yourself.'
+            ),
+            h('div', { style: { marginTop: 16, padding: 12, background: 'var(--bg-tertiary)', borderRadius: 8, fontSize: 13 } },
+              h('strong', null, 'What to do:'), h('br', null),
+              'Contact your organization administrator and ask them to reset your password from the Users page.'
+            ),
+            h('div', { style: { marginTop: 16, padding: 10, background: 'var(--warning-soft, rgba(245,158,11,0.08))', borderRadius: 8, fontSize: 12, color: 'var(--text-secondary)' } },
+              'Tip: Once you regain access, enable 2FA immediately so you can reset your own password in the future.'
+            )
+          ),
+          h('div', { style: { textAlign: 'center', marginTop: 16 } },
+            h('button', { type: 'button', className: 'btn btn-primary', onClick: cancelForgot, style: { width: '100%', justifyContent: 'center' } }, 'Back to Login')
+          )
+        ),
+
+        // Step: done
+        forgotStep === 'done' && h('div', null,
+          h('div', { style: { textAlign: 'center', padding: '12px 0' } },
+            h('div', { style: { width: 48, height: 48, borderRadius: '50%', background: 'var(--success-soft, rgba(21,128,61,0.1))', display: 'flex', alignItems: 'center', justifyContent: 'center', margin: '0 auto 12px' } },
+              h('svg', { width: 24, height: 24, viewBox: '0 0 24 24', fill: 'none', stroke: 'var(--success, #15803d)', strokeWidth: 2, strokeLinecap: 'round' },
+                h('path', { d: 'M20 6L9 17l-5-5' })
+              )
+            ),
+            h('h3', { style: { fontSize: 16, fontWeight: 600, marginBottom: 8 } }, 'Password Reset Successfully'),
+            h('p', { style: { fontSize: 13, color: 'var(--text-muted)' } }, 'You can now sign in with your new password.')
+          ),
+          h('div', { style: { textAlign: 'center', marginTop: 16 } },
+            h('button', { type: 'button', className: 'btn btn-primary', onClick: cancelForgot, style: { width: '100%', justifyContent: 'center' } }, 'Sign In')
+          )
+        )
+      )
+    );
+  }
+
   // ─── Main Login Screen ────────────────────────────────
 
   return h('div', { className: 'login-page', style: _brandBg ? { backgroundImage: 'url(' + _brandBg + ')', backgroundSize: 'cover', backgroundPosition: 'center' } : {} },
@@ -138,7 +282,10 @@ export function LoginPage({ onLogin }) {
           h('input', { className: 'input', type: 'password', value: password, onChange: function(e) { setPassword(e.target.value); }, placeholder: 'Enter password', required: true })
         ),
         error && h('div', { style: { color: 'var(--danger)', fontSize: 13, marginBottom: 16 } }, error),
-        h('button', { className: 'btn btn-primary', type: 'submit', disabled: loading, style: { width: '100%', justifyContent: 'center', padding: '8px' } }, loading ? 'Signing in...' : 'Sign In')
+        h('button', { className: 'btn btn-primary', type: 'submit', disabled: loading, style: { width: '100%', justifyContent: 'center', padding: '8px' } }, loading ? 'Signing in...' : 'Sign In'),
+        h('div', { style: { textAlign: 'center', marginTop: 12 } },
+          h('button', { type: 'button', className: 'btn btn-ghost btn-sm', onClick: function() { setForgotMode(true); setForgotEmail(email); setError(''); }, style: { fontSize: 12, color: 'var(--text-muted)' } }, 'Forgot Password?')
+        )
       ),
 
       // ── API Key Tab ─────────────────────────────────

package/dist/dashboard/pages/users.js

@@ -210,13 +210,95 @@ function PermissionEditor({ userId, userName, currentPerms, pageRegistry, onSave
   );
 }
 
+// ─── Inline Permission Picker (for create modal) ──
+
+function InlinePermissionPicker({ permissions, pageRegistry, onChange }) {
+  var [expandedPage, setExpandedPage] = useState(null);
+
+  // Resolve grants from permissions
+  var grants = permissions === '*' ? (function() { var a = {}; Object.keys(pageRegistry).forEach(function(p) { a[p] = true; }); return a; })() : (permissions || {});
+
+  var togglePage = function(pid) {
+    var next = Object.assign({}, grants);
+    if (next[pid]) { delete next[pid]; if (expandedPage === pid) setExpandedPage(null); }
+    else { next[pid] = true; }
+    onChange(Object.keys(next).length === Object.keys(pageRegistry).length ? '*' : next);
+  };
+
+  var toggleTab = function(pid, tabId) {
+    var next = Object.assign({}, grants);
+    var current = next[pid];
+    var allTabs = Object.keys(pageRegistry[pid].tabs || {});
+    if (current === true) {
+      var remaining = allTabs.filter(function(t) { return t !== tabId; });
+      next[pid] = remaining.length > 0 ? remaining : true;
+    } else if (Array.isArray(current)) {
+      var idx = current.indexOf(tabId);
+      if (idx >= 0) {
+        var arr = current.filter(function(t) { return t !== tabId; });
+        if (arr.length === 0) delete next[pid];
+        else next[pid] = arr;
+      } else {
+        var newArr = current.concat([tabId]);
+        next[pid] = newArr.length === allTabs.length ? true : newArr;
+      }
+    }
+    onChange(Object.keys(next).length === Object.keys(pageRegistry).length && Object.values(next).every(function(v) { return v === true; }) ? '*' : next);
+  };
+
+  var isTabChecked = function(pid, tabId) {
+    var g = grants[pid];
+    if (!g) return false;
+    if (g === true) return true;
+    return Array.isArray(g) && g.indexOf(tabId) >= 0;
+  };
+
+  var sections = { overview: 'Overview', management: 'Management', administration: 'Administration' };
+  var grouped = {};
+  Object.keys(pageRegistry).forEach(function(pid) { var s = pageRegistry[pid].section; if (!grouped[s]) grouped[s] = []; grouped[s].push(pid); });
+
+  return h('div', { style: { maxHeight: 250, overflowY: 'auto', border: '1px solid var(--border)', borderRadius: 6, marginTop: 8 } },
+    Object.keys(sections).map(function(sKey) {
+      var pids = grouped[sKey] || [];
+      if (!pids.length) return null;
+      return h(Fragment, { key: sKey },
+        h('div', { style: { fontSize: 10, fontWeight: 600, textTransform: 'uppercase', letterSpacing: '0.05em', color: 'var(--text-muted)', padding: '8px 10px 2px' } }, sections[sKey]),
+        pids.map(function(pid) {
+          var page = pageRegistry[pid];
+          var checked = !!grants[pid];
+          var hasTabs = page.tabs && Object.keys(page.tabs).length > 0;
+          var isExpanded = expandedPage === pid;
+          return h(Fragment, { key: pid },
+            h('div', { style: { display: 'flex', alignItems: 'center', gap: 8, padding: '4px 10px', fontSize: 12, cursor: 'pointer', background: checked ? 'var(--bg-tertiary)' : 'transparent' }, onClick: function(e) {
+              if (e.target.closest && e.target.closest('[data-expand]')) return;
+              togglePage(pid);
+            } },
+              h('input', { type: 'checkbox', checked: checked, readOnly: true, style: { width: 14, height: 14, accentColor: 'var(--primary)', cursor: 'pointer' } }),
+              h('span', { style: { flex: 1 } }, page.label),
+              hasTabs && checked && h('button', { 'data-expand': true, className: 'btn btn-ghost', style: { padding: '0 4px', minWidth: 0, fontSize: 10, lineHeight: 1 }, onClick: function(e) { e.stopPropagation(); setExpandedPage(isExpanded ? null : pid); } },
+                isExpanded ? I.chevronDown() : I.chevronRight()
+              )
+            ),
+            hasTabs && isExpanded && checked && Object.keys(page.tabs).map(function(tabId) {
+              return h('div', { key: tabId, style: { display: 'flex', alignItems: 'center', gap: 8, padding: '3px 10px 3px 34px', fontSize: 11, color: 'var(--text-secondary)', cursor: 'pointer' }, onClick: function() { toggleTab(pid, tabId); } },
+                h('input', { type: 'checkbox', checked: isTabChecked(pid, tabId), readOnly: true, style: { width: 13, height: 13, accentColor: 'var(--primary)', cursor: 'pointer' } }),
+                h('span', null, page.tabs[tabId])
+              );
+            })
+          );
+        })
+      );
+    })
+  );
+}
+
 // ─── Users Page ────────────────────────────────────
 
 export function UsersPage() {
   var { toast } = useApp();
   var [users, setUsers] = useState([]);
   var [creating, setCreating] = useState(false);
-  var [form, setForm] = useState({ email: '', password: '', name: '', role: 'viewer' });
+  var [form, setForm] = useState({ email: '', password: '', name: '', role: 'viewer', permissions: '*' });
   var [resetTarget, setResetTarget] = useState(null);
   var [newPassword, setNewPassword] = useState('');
   var [resetting, setResetting] = useState(false);
@@ -230,10 +312,22 @@ export function UsersPage() {
     apiCall('/page-registry').then(function(d) { setPageRegistry(d); }).catch(function() {});
   }, []);
 
+  var generateCreatePassword = function() {
+    var chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%';
+    var pw = '';
+    for (var i = 0; i < 16; i++) pw += chars[Math.floor(Math.random() * chars.length)];
+    setForm(function(f) { return Object.assign({}, f, { password: pw }); });
+  };
+
+  var [showCreatePerms, setShowCreatePerms] = useState(false);
+
   var create = async function() {
     try {
-      await apiCall('/users', { method: 'POST', body: JSON.stringify(form) });
-      toast('User created', 'success'); setCreating(false); setForm({ email: '', password: '', name: '', role: 'viewer' }); load();
+      var body = { email: form.email, password: form.password, name: form.name, role: form.role };
+      if (form.permissions !== '*') body.permissions = form.permissions;
+      await apiCall('/users', { method: 'POST', body: JSON.stringify(body) });
+      toast('User created. They will be prompted to set a new password on first login.', 'success');
+      setCreating(false); setForm({ email: '', password: '', name: '', role: 'viewer', permissions: '*' }); setShowCreatePerms(false); load();
     } catch (e) { toast(e.message, 'error'); }
   };
 
@@ -324,13 +418,35 @@ export function UsersPage() {
     ),
 
     // Create user modal
-    creating && h(Modal, { title: 'Add User', onClose: function() { setCreating(false); }, footer: h(Fragment, null, h('button', { className: 'btn btn-secondary', onClick: function() { setCreating(false); } }, 'Cancel'), h('button', { className: 'btn btn-primary', onClick: create, disabled: !form.email || !form.password }, 'Create')) },
-      h('div', { className: 'form-group' }, h('label', { className: 'form-label' }, 'Name'), h('input', { className: 'input', value: form.name, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { name: e.target.value }); }); } })),
+    creating && h(Modal, { title: 'Add User', onClose: function() { setCreating(false); setShowCreatePerms(false); }, width: 520, footer: h(Fragment, null, h('button', { className: 'btn btn-secondary', onClick: function() { setCreating(false); setShowCreatePerms(false); } }, 'Cancel'), h('button', { className: 'btn btn-primary', onClick: create, disabled: !form.email || !form.password }, 'Create User')) },
+      h('div', { className: 'form-group' }, h('label', { className: 'form-label' }, 'Name'), h('input', { className: 'input', value: form.name, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { name: e.target.value }); }); }, autoFocus: true })),
       h('div', { className: 'form-group' }, h('label', { className: 'form-label' }, 'Email *'), h('input', { className: 'input', type: 'email', value: form.email, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { email: e.target.value }); }); } })),
-      h('div', { className: 'form-group' }, h('label', { className: 'form-label' }, 'Password *'), h('input', { className: 'input', type: 'password', value: form.password, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { password: e.target.value }); }); } })),
+      h('div', { className: 'form-group' },
+        h('label', { className: 'form-label' }, 'Initial Password *'),
+        h('div', { style: { display: 'flex', gap: 8 } },
+          h('input', { className: 'input', type: 'text', value: form.password, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { password: e.target.value }); }); }, placeholder: 'Min 8 characters', style: { flex: 1, fontFamily: 'var(--font-mono)', fontSize: 13 } }),
+          h('button', { type: 'button', className: 'btn btn-secondary btn-sm', onClick: generateCreatePassword, title: 'Generate random password', style: { whiteSpace: 'nowrap' } }, I.refresh(), ' Generate')
+        ),
+        form.password && h('div', { style: { marginTop: 6, padding: 8, background: 'var(--warning-soft, rgba(245,158,11,0.08))', borderRadius: 6, fontSize: 11, color: 'var(--text-secondary)' } },
+          'The user will be required to change this password on their first login. Share it securely.'
+        )
+      ),
       h('div', { className: 'form-group' }, h('label', { className: 'form-label' }, 'Role'), h('select', { className: 'input', value: form.role, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { role: e.target.value }); }); } }, h('option', { value: 'viewer' }, 'Viewer'), h('option', { value: 'member' }, 'Member'), h('option', { value: 'admin' }, 'Admin'), h('option', { value: 'owner' }, 'Owner'))),
-      (form.role === 'member' || form.role === 'viewer') && h('div', { style: { marginTop: 8, padding: 10, background: 'var(--info-soft)', borderRadius: 'var(--radius)', fontSize: 12, color: 'var(--info)' } },
-        'After creating this user, click the shield icon to set their page permissions. By default, new Member/Viewer users have full access.'
+      // Inline permissions for member/viewer
+      (form.role === 'member' || form.role === 'viewer') && h('div', { style: { marginTop: 4 } },
+        h('div', { style: { display: 'flex', alignItems: 'center', justifyContent: 'space-between' } },
+          h('label', { className: 'form-label', style: { marginBottom: 0 } }, 'Page Permissions'),
+          h('button', { type: 'button', className: 'btn btn-ghost btn-sm', onClick: function() { setShowCreatePerms(!showCreatePerms); }, style: { fontSize: 11 } }, showCreatePerms ? 'Hide' : 'Customize')
+        ),
+        !showCreatePerms && h('div', { style: { fontSize: 12, color: 'var(--text-muted)', marginTop: 4 } }, 'Full access (default). Click "Customize" to restrict.'),
+        showCreatePerms && pageRegistry && h(InlinePermissionPicker, {
+          permissions: form.permissions,
+          pageRegistry: pageRegistry,
+          onChange: function(p) { setForm(function(f) { return Object.assign({}, f, { permissions: p }); }); }
+        })
+      ),
+      (form.role === 'owner' || form.role === 'admin') && h('div', { style: { marginTop: 8, padding: 8, background: 'var(--info-soft)', borderRadius: 'var(--radius)', fontSize: 11, color: 'var(--info)' } },
+        'Owner and Admin roles always have full access to all pages.'
       )
     ),
 

package/dist/factory-NTLTU26R.js

@@ -0,0 +1,9 @@
+import {
+  createAdapter,
+  getSupportedDatabases
+} from "./chunk-KWW53O2B.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  createAdapter,
+  getSupportedDatabases
+};

package/dist/index.js

@@ -1,7 +1,7 @@
 import {
   provision,
   runSetupWizard
-} from "./chunk-LI5SE4WB.js";
+} from "./chunk-3YLLWCUC.js";
 import {
   AgenticMailManager,
   GoogleEmailProvider,
@@ -42,7 +42,7 @@ import {
   requireRole,
   securityHeaders,
   validate
-} from "./chunk-ZBZKO37Y.js";
+} from "./chunk-HGSWCMB7.js";
 import "./chunk-OF4MUWWS.js";
 import {
   PROVIDER_REGISTRY,
@@ -113,7 +113,7 @@ import {
 import {
   createAdapter,
   getSupportedDatabases
-} from "./chunk-DYARH3NM.js";
+} from "./chunk-KWW53O2B.js";
 import {
   AGENTICMAIL_TOOLS,
   ALL_TOOLS,