@agenticmail/enterprise 0.5.295 → 0.5.297

package/dist/cli-verify-RKB6KQN4.js

@@ -0,0 +1,149 @@
+import {
+  DomainLock
+} from "./chunk-UPU23ZRG.js";
+import "./chunk-KFQGP6VL.js";
+
+// src/domain-lock/cli-verify.ts
+function getFlag(args, name) {
+  const idx = args.indexOf(name);
+  if (idx !== -1 && args[idx + 1]) return args[idx + 1];
+  return void 0;
+}
+function hasFlag(args, name) {
+  return args.includes(name);
+}
+function detectDbType(url) {
+  const u = url.toLowerCase().trim();
+  if (u.startsWith("postgres") || u.startsWith("pg:")) return "postgres";
+  if (u.startsWith("mysql")) return "mysql";
+  if (u.startsWith("mongodb")) return "mongodb";
+  if (u.startsWith("libsql") || u.includes(".turso.io")) return "turso";
+  if (u.endsWith(".db") || u.endsWith(".sqlite") || u.endsWith(".sqlite3") || u.startsWith("file:")) return "sqlite";
+  return "postgres";
+}
+async function runVerifyDomain(args) {
+  const { default: chalk } = await import("chalk");
+  const { default: ora } = await import("ora");
+  console.log("");
+  console.log(chalk.bold("  AgenticMail Enterprise \u2014 Domain Verification"));
+  console.log("");
+  let domain = getFlag(args, "--domain");
+  let dnsChallenge;
+  let db = null;
+  let dbConnected = false;
+  const envDbUrl = process.env.DATABASE_URL;
+  if (envDbUrl) {
+    const dbType = detectDbType(envDbUrl);
+    const spinner = ora(`Connecting to database (${dbType})...`).start();
+    try {
+      const { createAdapter } = await import("./factory-M6E7YAKW.js");
+      db = await createAdapter({ type: dbType, connectionString: envDbUrl });
+      await db.migrate();
+      const settings = await db.getSettings();
+      if (!domain && settings?.domain) domain = settings.domain;
+      if (settings?.domainDnsChallenge) dnsChallenge = settings.domainDnsChallenge;
+      dbConnected = true;
+      spinner.succeed(`Connected to ${dbType} database` + (domain ? ` (domain: ${domain})` : ""));
+    } catch (err) {
+      spinner.warn(`Could not connect via DATABASE_URL: ${err.message}`);
+      db = null;
+    }
+  }
+  if (!dbConnected) {
+    const dbPath = getFlag(args, "--db");
+    const dbType = getFlag(args, "--db-type") || "sqlite";
+    if (dbPath) {
+      const spinner = ora(`Connecting to ${dbType} database...`).start();
+      try {
+        const { createAdapter } = await import("./factory-M6E7YAKW.js");
+        db = await createAdapter({ type: dbType, connectionString: dbPath });
+        await db.migrate();
+        const settings = await db.getSettings();
+        if (!domain && settings?.domain) domain = settings.domain;
+        if (settings?.domainDnsChallenge) dnsChallenge = settings.domainDnsChallenge;
+        dbConnected = true;
+        spinner.succeed(`Connected to ${dbType} database`);
+      } catch {
+        spinner.warn("Could not read local database");
+      }
+    }
+  }
+  if (!domain) {
+    const { default: inquirer } = await import("inquirer");
+    const answer = await inquirer.prompt([{
+      type: "input",
+      name: "domain",
+      message: "Domain to verify:",
+      suffix: chalk.dim("  (e.g. agents.yourcompany.com)"),
+      validate: (v) => v.includes(".") || "Enter a valid domain",
+      filter: (v) => v.trim().toLowerCase()
+    }]);
+    domain = answer.domain;
+  }
+  const lock = new DomainLock();
+  const maxAttempts = hasFlag(args, "--poll") ? 5 : 1;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    const spinner = ora(
+      maxAttempts > 1 ? `Checking DNS verification (attempt ${attempt}/${maxAttempts})...` : "Checking DNS verification..."
+    ).start();
+    try {
+      const result = await lock.checkVerification(domain);
+      if (!result.success) {
+        spinner.fail("Verification check failed");
+        console.log("");
+        console.error(chalk.red(`  ${result.error}`));
+        console.log("");
+        if (db) await db.disconnect();
+        process.exit(1);
+      }
+      if (result.verified) {
+        spinner.succeed("Domain verified!");
+        if (dbConnected && db) {
+          try {
+            await db.updateSettings({
+              domainStatus: "verified",
+              domainVerifiedAt: (/* @__PURE__ */ new Date()).toISOString()
+            });
+            console.log(chalk.dim("  Database updated with verified status."));
+          } catch {
+          }
+        }
+        console.log("");
+        console.log(chalk.green.bold(`  \u2713 ${domain} is verified and protected.`));
+        console.log(chalk.dim("  Your deployment domain is locked. No other instance can claim it."));
+        console.log(chalk.dim("  The system now operates 100% offline \u2014 no outbound calls are made."));
+        console.log("");
+        if (db) await db.disconnect();
+        return;
+      }
+    } catch (err) {
+      spinner.warn(`Check failed: ${err.message}`);
+    }
+    if (attempt < maxAttempts) {
+      const waitSpinner = ora(`DNS record not found yet. Retrying in 10 seconds...`).start();
+      await new Promise((r) => setTimeout(r, 1e4));
+      waitSpinner.stop();
+    }
+  }
+  console.log("");
+  console.log(chalk.yellow("  DNS record not detected yet."));
+  console.log("");
+  console.log(chalk.bold("  Make sure this TXT record exists at your DNS provider:"));
+  console.log("");
+  console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
+  console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("TXT")}`);
+  if (dnsChallenge) {
+    console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(dnsChallenge)}`);
+  } else {
+    console.log(`  ${chalk.bold("Value:")}  ${chalk.dim("(check your dashboard or setup output)")}`);
+  }
+  console.log("");
+  console.log(chalk.dim("  DNS propagation can take up to 48 hours."));
+  console.log(chalk.dim("  Run with --poll to retry automatically:"));
+  console.log(chalk.dim(`    npx @agenticmail/enterprise verify-domain --domain ${domain} --poll`));
+  console.log("");
+  if (db) await db.disconnect();
+}
+export {
+  runVerifyDomain
+};

package/dist/cli.js

@@ -14,10 +14,10 @@ switch (command) {
     import("./cli-submit-skill-LDFJGSKO.js").then((m) => m.runSubmitSkill(args.slice(1))).catch(fatal);
     break;
   case "recover":
-    import("./cli-recover-PMJRFJNY.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
+    import("./cli-recover-NXARYVSH.js").then((m) => m.runRecover(args.slice(1))).catch(fatal);
     break;
   case "verify-domain":
-    import("./cli-verify-HYUKQELV.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
+    import("./cli-verify-RKB6KQN4.js").then((m) => m.runVerifyDomain(args.slice(1))).catch(fatal);
     break;
   case "reset-password":
     import("./cli-reset-password-SO5Y6MW7.js").then((m) => m.runResetPassword(args.slice(1))).catch(fatal);
@@ -57,14 +57,14 @@ Skill Development:
     break;
   case "serve":
   case "start":
-    import("./cli-serve-TTN3XR4Q.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
+    import("./cli-serve-GTTDOLB7.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
     break;
   case "agent":
-    import("./cli-agent-BCISHZTV.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
+    import("./cli-agent-WSCDFYMU.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
     break;
   case "setup":
   default:
-    import("./setup-2VN7D4OT.js").then((m) => m.runSetupWizard()).catch(fatal);
+    import("./setup-HK4WDXUL.js").then((m) => m.runSetupWizard()).catch(fatal);
     break;
 }
 function fatal(err) {

package/dist/dashboard/pages/users.js

@@ -210,10 +210,93 @@ function PermissionEditor({ userId, userName, currentPerms, pageRegistry, onSave
   );
 }
 
+// ─── Inline Permission Picker (for create modal) ──
+
+function InlinePermissionPicker({ permissions, pageRegistry, onChange }) {
+  var [expandedPage, setExpandedPage] = useState(null);
+
+  // Resolve grants from permissions
+  var grants = permissions === '*' ? (function() { var a = {}; Object.keys(pageRegistry).forEach(function(p) { a[p] = true; }); return a; })() : (permissions || {});
+
+  var togglePage = function(pid) {
+    var next = Object.assign({}, grants);
+    if (next[pid]) { delete next[pid]; if (expandedPage === pid) setExpandedPage(null); }
+    else { next[pid] = true; }
+    onChange(Object.keys(next).length === Object.keys(pageRegistry).length ? '*' : next);
+  };
+
+  var toggleTab = function(pid, tabId) {
+    var next = Object.assign({}, grants);
+    var current = next[pid];
+    var allTabs = Object.keys(pageRegistry[pid].tabs || {});
+    if (current === true) {
+      var remaining = allTabs.filter(function(t) { return t !== tabId; });
+      next[pid] = remaining.length > 0 ? remaining : true;
+    } else if (Array.isArray(current)) {
+      var idx = current.indexOf(tabId);
+      if (idx >= 0) {
+        var arr = current.filter(function(t) { return t !== tabId; });
+        if (arr.length === 0) delete next[pid];
+        else next[pid] = arr;
+      } else {
+        var newArr = current.concat([tabId]);
+        next[pid] = newArr.length === allTabs.length ? true : newArr;
+      }
+    }
+    onChange(Object.keys(next).length === Object.keys(pageRegistry).length && Object.values(next).every(function(v) { return v === true; }) ? '*' : next);
+  };
+
+  var isTabChecked = function(pid, tabId) {
+    var g = grants[pid];
+    if (!g) return false;
+    if (g === true) return true;
+    return Array.isArray(g) && g.indexOf(tabId) >= 0;
+  };
+
+  var sections = { overview: 'Overview', management: 'Management', administration: 'Administration' };
+  var grouped = {};
+  Object.keys(pageRegistry).forEach(function(pid) { var s = pageRegistry[pid].section; if (!grouped[s]) grouped[s] = []; grouped[s].push(pid); });
+
+  return h('div', { style: { maxHeight: 250, overflowY: 'auto', border: '1px solid var(--border)', borderRadius: 6, marginTop: 8 } },
+    Object.keys(sections).map(function(sKey) {
+      var pids = grouped[sKey] || [];
+      if (!pids.length) return null;
+      return h(Fragment, { key: sKey },
+        h('div', { style: { fontSize: 10, fontWeight: 600, textTransform: 'uppercase', letterSpacing: '0.05em', color: 'var(--text-muted)', padding: '8px 10px 2px' } }, sections[sKey]),
+        pids.map(function(pid) {
+          var page = pageRegistry[pid];
+          var checked = !!grants[pid];
+          var hasTabs = page.tabs && Object.keys(page.tabs).length > 0;
+          var isExpanded = expandedPage === pid;
+          return h(Fragment, { key: pid },
+            h('div', { style: { display: 'flex', alignItems: 'center', gap: 8, padding: '4px 10px', fontSize: 12, cursor: 'pointer', background: checked ? 'var(--bg-tertiary)' : 'transparent' }, onClick: function(e) {
+              if (e.target.closest && e.target.closest('[data-expand]')) return;
+              togglePage(pid);
+            } },
+              h('input', { type: 'checkbox', checked: checked, readOnly: true, style: { width: 14, height: 14, accentColor: 'var(--primary)', cursor: 'pointer' } }),
+              h('span', { style: { flex: 1 } }, page.label),
+              hasTabs && checked && h('button', { 'data-expand': true, className: 'btn btn-ghost', style: { padding: '0 4px', minWidth: 0, fontSize: 10, lineHeight: 1 }, onClick: function(e) { e.stopPropagation(); setExpandedPage(isExpanded ? null : pid); } },
+                isExpanded ? I.chevronDown() : I.chevronRight()
+              )
+            ),
+            hasTabs && isExpanded && checked && Object.keys(page.tabs).map(function(tabId) {
+              return h('div', { key: tabId, style: { display: 'flex', alignItems: 'center', gap: 8, padding: '3px 10px 3px 34px', fontSize: 11, color: 'var(--text-secondary)', cursor: 'pointer' }, onClick: function() { toggleTab(pid, tabId); } },
+                h('input', { type: 'checkbox', checked: isTabChecked(pid, tabId), readOnly: true, style: { width: 13, height: 13, accentColor: 'var(--primary)', cursor: 'pointer' } }),
+                h('span', null, page.tabs[tabId])
+              );
+            })
+          );
+        })
+      );
+    })
+  );
+}
+
 // ─── Users Page ────────────────────────────────────
 
 export function UsersPage() {
-  var { toast } = useApp();
+  var app = useApp();
+  var toast = app.toast;
   var [users, setUsers] = useState([]);
   var [creating, setCreating] = useState(false);
   var [form, setForm] = useState({ email: '', password: '', name: '', role: 'viewer', permissions: '*' });
@@ -261,22 +344,39 @@ export function UsersPage() {
     setResetting(false);
   };
 
-  var deleteUser = async function(user) {
+  var toggleActive = async function(user) {
+    var action = user.isActive === false ? 'reactivate' : 'deactivate';
     var ok = await showConfirm({
-      title: 'Delete User',
-      message: 'Are you sure you want to delete "' + (user.name || user.email) + '"? This cannot be undone.',
-      warning: 'The user will lose all access immediately.',
-      danger: true,
-      confirmText: 'Delete User'
+      title: action === 'deactivate' ? 'Deactivate User' : 'Reactivate User',
+      message: action === 'deactivate'
+        ? 'Deactivate "' + (user.name || user.email) + '"? They will be unable to log in and will see a message to contact their organization.'
+        : 'Reactivate "' + (user.name || user.email) + '"? They will be able to log in again.',
+      danger: action === 'deactivate',
+      confirmText: action === 'deactivate' ? 'Deactivate' : 'Reactivate'
     });
     if (!ok) return;
     try {
-      await apiCall('/users/' + user.id, { method: 'DELETE' });
-      toast('User deleted', 'success');
+      await apiCall('/users/' + user.id + '/' + action, { method: 'POST' });
+      toast('User ' + action + 'd', 'success');
       load();
     } catch (e) { toast(e.message, 'error'); }
   };
 
+  var [deleteStep, setDeleteStep] = useState(0);
+  var [deleteTarget, setDeleteTarget] = useState(null);
+  var [deleteTyped, setDeleteTyped] = useState('');
+
+  var startDelete = function(user) { setDeleteTarget(user); setDeleteStep(1); setDeleteTyped(''); };
+  var cancelDelete = function() { setDeleteTarget(null); setDeleteStep(0); setDeleteTyped(''); };
+
+  var confirmDelete = async function() {
+    try {
+      await apiCall('/users/' + deleteTarget.id, { method: 'DELETE', body: JSON.stringify({ confirmationToken: 'DELETE_USER_' + deleteTarget.email }) });
+      toast('User permanently deleted', 'success');
+      cancelDelete(); load();
+    } catch (e) { toast(e.message, 'error'); }
+  };
+
   var openPermissions = async function(user) {
     try {
       var d = await apiCall('/users/' + user.id + '/permissions');
@@ -357,24 +457,11 @@ export function UsersPage() {
           h('button', { type: 'button', className: 'btn btn-ghost btn-sm', onClick: function() { setShowCreatePerms(!showCreatePerms); }, style: { fontSize: 11 } }, showCreatePerms ? 'Hide' : 'Customize')
         ),
         !showCreatePerms && h('div', { style: { fontSize: 12, color: 'var(--text-muted)', marginTop: 4 } }, 'Full access (default). Click "Customize" to restrict.'),
-        showCreatePerms && pageRegistry && h('div', { style: { maxHeight: 200, overflowY: 'auto', border: '1px solid var(--border)', borderRadius: 6, marginTop: 8 } },
-          Object.keys(pageRegistry).map(function(pid) {
-            var page = pageRegistry[pid];
-            var grants = form.permissions === '*' ? null : form.permissions;
-            var checked = !grants || (grants && grants[pid]);
-            return h('div', { key: pid, style: { display: 'flex', alignItems: 'center', gap: 8, padding: '4px 10px', fontSize: 12, cursor: 'pointer' }, onClick: function() {
-              setForm(function(f) {
-                var current = f.permissions === '*' ? (function() { var a = {}; Object.keys(pageRegistry).forEach(function(p) { a[p] = true; }); return a; })() : Object.assign({}, f.permissions);
-                if (current[pid]) { delete current[pid]; } else { current[pid] = true; }
-                if (Object.keys(current).length === Object.keys(pageRegistry).length) return Object.assign({}, f, { permissions: '*' });
-                return Object.assign({}, f, { permissions: current });
-              });
-            } },
-              h('input', { type: 'checkbox', checked: checked, readOnly: true, style: { width: 14, height: 14, accentColor: 'var(--primary)' } }),
-              h('span', null, page.label)
-            );
-          })
-        )
+        showCreatePerms && pageRegistry && h(InlinePermissionPicker, {
+          permissions: form.permissions,
+          pageRegistry: pageRegistry,
+          onChange: function(p) { setForm(function(f) { return Object.assign({}, f, { permissions: p }); }); }
+        })
       ),
       (form.role === 'owner' || form.role === 'admin') && h('div', { style: { marginTop: 8, padding: 8, background: 'var(--info-soft)', borderRadius: 'var(--radius)', fontSize: 11, color: 'var(--info)' } },
         'Owner and Admin roles always have full access to all pages.'
@@ -416,18 +503,100 @@ export function UsersPage() {
       onClose: function() { setPermTarget(null); }
     }),
 
+    // 5-step delete confirmation modal
+    deleteTarget && h(Modal, {
+      title: 'Delete User — Step ' + deleteStep + ' of 5',
+      onClose: cancelDelete,
+      width: 480,
+      footer: h(Fragment, null,
+        h('button', { className: 'btn btn-secondary', onClick: deleteStep === 1 ? cancelDelete : function() { setDeleteStep(deleteStep - 1); } }, deleteStep === 1 ? 'Cancel' : 'Back'),
+        deleteStep < 5
+          ? h('button', { className: 'btn btn-' + (deleteStep >= 3 ? 'danger' : 'primary'), onClick: function() { setDeleteStep(deleteStep + 1); } }, 'Continue')
+          : h('button', { className: 'btn btn-danger', onClick: confirmDelete, disabled: deleteTyped !== deleteTarget.email }, 'Permanently Delete')
+      )
+    },
+      // Step 1: Warning
+      deleteStep === 1 && h('div', null,
+        h('div', { style: { display: 'flex', alignItems: 'center', gap: 12, padding: 16, background: 'var(--danger-soft, rgba(220,38,38,0.08))', borderRadius: 8, marginBottom: 16 } },
+          h('svg', { width: 24, height: 24, viewBox: '0 0 24 24', fill: 'none', stroke: 'var(--danger)', strokeWidth: 2 }, h('path', { d: 'M12 9v4m0 4h.01M10.29 3.86l-8.6 14.86A2 2 0 0 0 3.4 21h17.2a2 2 0 0 0 1.71-2.98L13.71 3.86a2 2 0 0 0-3.42 0z' })),
+          h('div', null,
+            h('strong', null, 'Permanent Deletion'),
+            h('div', { style: { fontSize: 12, color: 'var(--text-muted)', marginTop: 2 } }, 'This action cannot be undone.')
+          )
+        ),
+        h('p', { style: { fontSize: 13 } }, 'You are about to permanently delete the user account for:'),
+        h('div', { style: { padding: 12, background: 'var(--bg-tertiary)', borderRadius: 8, marginTop: 8 } },
+          h('strong', null, deleteTarget.name || 'Unnamed'), h('br'),
+          h('span', { style: { fontSize: 12, color: 'var(--text-muted)', fontFamily: 'var(--font-mono)' } }, deleteTarget.email)
+        ),
+        h('p', { style: { fontSize: 12, color: 'var(--text-muted)', marginTop: 12 } }, 'Consider deactivating instead — deactivated users can be reactivated later.')
+      ),
+      // Step 2: Data loss
+      deleteStep === 2 && h('div', null,
+        h('h4', { style: { marginBottom: 12 } }, 'Data That Will Be Lost'),
+        h('ul', { style: { paddingLeft: 20, fontSize: 13, lineHeight: 1.8 } },
+          h('li', null, 'All login sessions will be terminated immediately'),
+          h('li', null, 'Audit log entries will be orphaned (no user reference)'),
+          h('li', null, 'Any API keys created by this user will be revoked'),
+          h('li', null, 'Permission grants and role assignments will be removed'),
+          h('li', null, '2FA configuration and backup codes will be destroyed')
+        )
+      ),
+      // Step 3: Impact
+      deleteStep === 3 && h('div', null,
+        h('h4', { style: { marginBottom: 12 } }, 'Impact Assessment'),
+        h('div', { style: { padding: 12, background: 'var(--warning-soft, rgba(245,158,11,0.08))', borderRadius: 8, fontSize: 13, lineHeight: 1.6 } },
+          h('p', null, 'If this user manages or supervises any agents, those agents will lose their manager assignment.'),
+          h('p', { style: { marginTop: 8 } }, 'If this user created approval workflows, pending approvals may become orphaned.'),
+          h('p', { style: { marginTop: 8 } }, 'Any scheduled tasks or cron jobs created by this user will continue to run but cannot be modified.')
+        )
+      ),
+      // Step 4: Alternative
+      deleteStep === 4 && h('div', null,
+        h('h4', { style: { marginBottom: 12 } }, 'Are You Sure?'),
+        h('div', { style: { padding: 16, background: 'var(--success-soft, rgba(21,128,61,0.08))', borderRadius: 8, marginBottom: 16 } },
+          h('strong', null, 'Recommended alternative: Deactivate'),
+          h('p', { style: { fontSize: 12, color: 'var(--text-secondary)', marginTop: 4 } }, 'Deactivating blocks login while preserving all data. The user can be reactivated at any time. This is the safe option.')
+        ),
+        h('div', { style: { padding: 16, background: 'var(--danger-soft, rgba(220,38,38,0.08))', borderRadius: 8 } },
+          h('strong', null, 'Permanent deletion'),
+          h('p', { style: { fontSize: 12, color: 'var(--text-secondary)', marginTop: 4 } }, 'Removes the user and all associated data forever. There is no recovery.')
+        )
+      ),
+      // Step 5: Type email to confirm
+      deleteStep === 5 && h('div', null,
+        h('h4', { style: { marginBottom: 12, color: 'var(--danger)' } }, 'Final Confirmation'),
+        h('p', { style: { fontSize: 13, marginBottom: 12 } }, 'Type the user\'s email address to confirm permanent deletion:'),
+        h('div', { style: { padding: 8, background: 'var(--bg-tertiary)', borderRadius: 6, fontFamily: 'var(--font-mono)', fontSize: 13, textAlign: 'center', marginBottom: 12 } }, deleteTarget.email),
+        h('input', {
+          className: 'input', type: 'text', value: deleteTyped,
+          onChange: function(e) { setDeleteTyped(e.target.value); },
+          placeholder: 'Type email to confirm',
+          autoFocus: true,
+          style: { fontFamily: 'var(--font-mono)', fontSize: 13, borderColor: deleteTyped === deleteTarget.email ? 'var(--danger)' : 'var(--border)' }
+        }),
+        deleteTyped && deleteTyped !== deleteTarget.email && h('div', { style: { fontSize: 11, color: 'var(--danger)', marginTop: 4 } }, 'Email does not match')
+      )
+    ),
+
     // Users table
     h('div', { className: 'card' },
       h('div', { className: 'card-body-flush' },
         users.length === 0 ? h('div', { style: { padding: 24, textAlign: 'center', color: 'var(--text-muted)' } }, 'No users')
         : h('table', null,
-            h('thead', null, h('tr', null, h('th', null, 'Name'), h('th', null, 'Email'), h('th', null, 'Role'), h('th', null, 'Access'), h('th', null, '2FA'), h('th', null, 'Created'), h('th', { style: { width: 180 } }, 'Actions'))),
+            h('thead', null, h('tr', null, h('th', null, 'Name'), h('th', null, 'Email'), h('th', null, 'Role'), h('th', null, 'Status'), h('th', null, 'Access'), h('th', null, '2FA'), h('th', null, 'Created'), h('th', { style: { width: 200 } }, 'Actions'))),
             h('tbody', null, users.map(function(u) {
               var isRestricted = u.role === 'member' || u.role === 'viewer';
-              return h('tr', { key: u.id },
+              var isDeactivated = u.isActive === false;
+              var isSelf = u.id === ((app || {}).user || {}).id;
+              return h('tr', { key: u.id, style: isDeactivated ? { opacity: 0.6 } : {} },
                 h('td', null, h('strong', null, u.name || '-')),
                 h('td', null, h('span', { style: { fontFamily: 'var(--font-mono)', fontSize: 12 } }, u.email)),
                 h('td', null, h('span', { className: 'badge badge-' + (u.role === 'owner' ? 'warning' : u.role === 'admin' ? 'primary' : 'neutral') }, u.role)),
+                h('td', null, isDeactivated
+                  ? h('span', { className: 'badge badge-danger', style: { fontSize: 10 } }, 'Deactivated')
+                  : h('span', { className: 'badge badge-success', style: { fontSize: 10 } }, 'Active')
+                ),
                 h('td', null, permBadge(u)),
                 h('td', null, u.totpEnabled ? h('span', { className: 'badge badge-success' }, 'On') : h('span', { className: 'badge badge-neutral' }, 'Off')),
                 h('td', { style: { fontSize: 12, color: 'var(--text-muted)' } }, u.createdAt ? new Date(u.createdAt).toLocaleDateString() : '-'),
@@ -440,7 +609,15 @@ export function UsersPage() {
                       style: !isRestricted ? { opacity: 0.4 } : {}
                     }, I.shield()),
                     h('button', { className: 'btn btn-ghost btn-sm', title: 'Reset Password', onClick: function() { setResetTarget(u); setNewPassword(''); } }, I.lock()),
-                    h('button', { className: 'btn btn-ghost btn-sm', title: 'Delete User', onClick: function() { deleteUser(u); }, style: { color: 'var(--danger)' } }, I.trash())
+                    // Deactivate / Reactivate
+                    !isSelf && h('button', {
+                      className: 'btn btn-ghost btn-sm',
+                      title: isDeactivated ? 'Reactivate User' : 'Deactivate User',
+                      onClick: function() { toggleActive(u); },
+                      style: { color: isDeactivated ? 'var(--success, #15803d)' : 'var(--warning, #f59e0b)' }
+                    }, isDeactivated ? I.check() : I.pause()),
+                    // Delete (owner only)
+                    !isSelf && h('button', { className: 'btn btn-ghost btn-sm', title: 'Delete User Permanently', onClick: function() { startDelete(u); }, style: { color: 'var(--danger)' } }, I.trash())
                   )
                 )
               );

package/dist/factory-M6E7YAKW.js

@@ -0,0 +1,9 @@
+import {
+  createAdapter,
+  getSupportedDatabases
+} from "./chunk-Y3WLLVOK.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  createAdapter,
+  getSupportedDatabases
+};

package/dist/index.js

@@ -1,7 +1,7 @@
 import {
   provision,
   runSetupWizard
-} from "./chunk-3YLLWCUC.js";
+} from "./chunk-A5LURBEY.js";
 import {
   AgenticMailManager,
   GoogleEmailProvider,
@@ -42,7 +42,7 @@ import {
   requireRole,
   securityHeaders,
   validate
-} from "./chunk-HGSWCMB7.js";
+} from "./chunk-WQRGOMQJ.js";
 import "./chunk-OF4MUWWS.js";
 import {
   PROVIDER_REGISTRY,
@@ -113,7 +113,7 @@ import {
 import {
   createAdapter,
   getSupportedDatabases
-} from "./chunk-KWW53O2B.js";
+} from "./chunk-Y3WLLVOK.js";
 import {
   AGENTICMAIL_TOOLS,
   ALL_TOOLS,