@agenticmail/enterprise 0.5.324 → 0.5.326

package/dist/chunk-RF2LGX3E.js

@@ -1,1519 +0,0 @@
-import {
-  getSupportedDatabases
-} from "./chunk-4EKXYIJF.js";
-
-// src/setup/index.ts
-import { execSync as execSync2 } from "child_process";
-import { createRequire } from "module";
-import { join as join2 } from "path";
-
-// src/setup/company.ts
-function toSlug(name) {
-  return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "").slice(0, 63);
-}
-function generateAlternatives(companyName) {
-  const base = toSlug(companyName);
-  const words = companyName.trim().split(/\s+/).map((w) => w.toLowerCase().replace(/[^a-z0-9]/g, "")).filter(Boolean);
-  const suggestions = /* @__PURE__ */ new Set();
-  suggestions.add(base);
-  if (words.length >= 2) {
-    const initials = words.map((w) => w[0]).join("");
-    if (initials.length >= 2) suggestions.add(initials);
-  }
-  if (words[0] && words[0] !== base) {
-    suggestions.add(words[0]);
-  }
-  if (words.length >= 3) {
-    suggestions.add(`${words[0]}-${words[words.length - 1]}`);
-  }
-  suggestions.add(`team-${base}`);
-  suggestions.add(`app-${base}`);
-  suggestions.add(`mail-${words[0] || base}`);
-  suggestions.add(`ai-${words[0] || base}`);
-  suggestions.add(`${words[0] || base}-hq`);
-  suggestions.delete(base);
-  return [...suggestions].map((s) => s.slice(0, 63)).slice(0, 5);
-}
-function validateSubdomain(v) {
-  const s = v.trim();
-  if (!s) return "Subdomain is required";
-  if (s.length < 2) return "Subdomain must be at least 2 characters";
-  if (s.length > 63) return "Subdomain must be 63 characters or fewer";
-  if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/.test(s)) {
-    return "Subdomain must be lowercase letters, numbers, and hyphens (cannot start or end with a hyphen)";
-  }
-  return true;
-}
-async function promptCompanyInfo(inquirer, chalk) {
-  console.log(chalk.bold.cyan("  Step 1 of 5: Company Info"));
-  console.log(chalk.dim("  Tell us about your organization.\n"));
-  const { companyName, adminEmail, adminPassword } = await inquirer.prompt([
-    {
-      type: "input",
-      name: "companyName",
-      message: "Company name:",
-      validate: (v) => {
-        if (!v.trim()) return "Company name is required";
-        if (v.length > 100) return "Company name must be under 100 characters";
-        return true;
-      }
-    },
-    {
-      type: "input",
-      name: "adminEmail",
-      message: "Admin email:",
-      validate: (v) => {
-        if (!v.includes("@") || !v.includes(".")) return "Enter a valid email address";
-        return true;
-      }
-    },
-    {
-      type: "password",
-      name: "adminPassword",
-      message: "Admin password:",
-      mask: "*",
-      validate: (v) => {
-        if (v.length < 8) return "Password must be at least 8 characters";
-        if (!/[A-Z]/.test(v) && !/[0-9]/.test(v)) {
-          return "Password should contain at least one uppercase letter or number";
-        }
-        return true;
-      }
-    }
-  ]);
-  const suggested = toSlug(companyName);
-  const alternatives = generateAlternatives(companyName);
-  console.log("");
-  console.log(chalk.bold("  Subdomain"));
-  console.log(chalk.dim("  Used for your dashboard URL and internal routing.\n"));
-  const choices = [
-    { name: `${suggested}  ${chalk.dim("(recommended)")}`, value: suggested },
-    ...alternatives.map((alt) => ({ name: alt, value: alt })),
-    new inquirer.Separator(),
-    { name: `${chalk.italic("Enter my own...")}`, value: "__custom__" },
-    { name: `${chalk.italic("Generate more suggestions")}`, value: "__regenerate__" }
-  ];
-  let subdomain = suggested;
-  let choosing = true;
-  while (choosing) {
-    const { subdomainChoice } = await inquirer.prompt([{
-      type: "list",
-      name: "subdomainChoice",
-      message: "Choose a subdomain:",
-      choices
-    }]);
-    if (subdomainChoice === "__custom__") {
-      const { custom } = await inquirer.prompt([{
-        type: "input",
-        name: "custom",
-        message: "Custom subdomain:",
-        suffix: chalk.dim("  (lowercase, letters/numbers/hyphens)"),
-        validate: validateSubdomain,
-        filter: (v) => v.trim().toLowerCase()
-      }]);
-      subdomain = custom;
-      choosing = false;
-    } else if (subdomainChoice === "__regenerate__") {
-      const base = toSlug(companyName);
-      const words = companyName.trim().split(/\s+/).map((w2) => w2.toLowerCase().replace(/[^a-z0-9]/g, "")).filter(Boolean);
-      const w = words[0] || base;
-      const rand = () => Math.random().toString(36).slice(2, 5);
-      const fresh = [
-        `${w}-${rand()}`,
-        `${base}-${rand()}`,
-        `${w}-agents`,
-        `${w}-mail`,
-        `${w}-platform`
-      ];
-      choices.splice(
-        1,
-        alternatives.length,
-        ...fresh.map((alt) => ({ name: alt, value: alt }))
-      );
-    } else {
-      subdomain = subdomainChoice;
-      choosing = false;
-    }
-  }
-  console.log(chalk.dim(`  Your subdomain: ${chalk.white(subdomain)}
-`));
-  return { companyName, adminEmail, adminPassword, subdomain };
-}
-
-// src/setup/database.ts
-var CONNECTION_HINTS = {
-  postgres: "postgresql://user:pass@host:5432/dbname",
-  mysql: "mysql://user:pass@host:3306/dbname",
-  mongodb: "mongodb+srv://user:pass@cluster.mongodb.net/dbname",
-  supabase: "postgresql://postgres:pass@db.xxxx.supabase.co:5432/postgres",
-  neon: "postgresql://user:pass@ep-xxx.us-east-1.aws.neon.tech/dbname?sslmode=require",
-  planetscale: 'mysql://user:pass@aws.connect.psdb.cloud/dbname?ssl={"rejectUnauthorized":true}',
-  cockroachdb: "postgresql://user:pass@cluster.cockroachlabs.cloud:26257/dbname?sslmode=verify-full"
-};
-async function promptDatabase(inquirer, chalk) {
-  console.log("");
-  console.log(chalk.bold.cyan("  Step 2 of 4: Database"));
-  console.log(chalk.dim("  Where should your data live?\n"));
-  const databases = getSupportedDatabases();
-  const supabaseIdx = databases.findIndex((d) => d.type === "supabase");
-  const choices = databases.map((d, i) => ({
-    name: d.type === "supabase" ? `${d.label}  ${chalk.green("\u2190 recommended (free tier)")}  ${chalk.dim("(cloud)")}` : `${d.label}  ${chalk.dim(`(${d.group})`)}`,
-    value: d.type
-  }));
-  if (supabaseIdx > 0) {
-    const [sb] = choices.splice(supabaseIdx, 1);
-    choices.unshift(sb);
-  }
-  const { dbType } = await inquirer.prompt([
-    {
-      type: "list",
-      name: "dbType",
-      message: "Database backend:",
-      choices
-    }
-  ]);
-  if (dbType === "supabase") {
-    console.log("");
-    console.log(chalk.bold("  Supabase \u2014 Free PostgreSQL Database"));
-    console.log("");
-    console.log(chalk.dim("  If you don't have a Supabase account yet:"));
-    console.log("");
-    console.log(`  1. Go to ${chalk.cyan.underline("https://supabase.com/dashboard")}`);
-    console.log(`  2. Click ${chalk.bold('"Start your project"')} \u2014 sign up with GitHub or email`);
-    console.log(`  3. Create a new project (any name, choose a strong password)`);
-    console.log(`  4. Go to ${chalk.bold("Settings \u2192 Database \u2192 Connection string")}`);
-    console.log(`  5. Select ${chalk.bold('"URI"')} and copy the connection string`);
-    console.log(`  6. Replace ${chalk.yellow("[YOUR-PASSWORD]")} with your project password`);
-    console.log("");
-    console.log(chalk.dim("  Free tier includes: 500MB storage, unlimited API requests, 2 projects"));
-    console.log(chalk.dim("  The connection string looks like:"));
-    console.log(chalk.dim("  postgresql://postgres.[ref]:[password]@aws-0-[region].pooler.supabase.com:6543/postgres"));
-    console.log("");
-  }
-  if (dbType === "sqlite") {
-    const { dbPath } = await inquirer.prompt([{
-      type: "input",
-      name: "dbPath",
-      message: "Database file path:",
-      default: "./agenticmail-enterprise.db"
-    }]);
-    return { type: dbType, connectionString: dbPath };
-  }
-  if (dbType === "dynamodb") {
-    const answers = await inquirer.prompt([
-      {
-        type: "input",
-        name: "region",
-        message: "AWS Region:",
-        default: "us-east-1"
-      },
-      {
-        type: "input",
-        name: "accessKeyId",
-        message: "AWS Access Key ID:",
-        validate: (v) => v.length > 0 || "Required"
-      },
-      {
-        type: "password",
-        name: "secretAccessKey",
-        message: "AWS Secret Access Key:",
-        mask: "*",
-        validate: (v) => v.length > 0 || "Required"
-      }
-    ]);
-    return { type: dbType, ...answers };
-  }
-  if (dbType === "turso") {
-    const answers = await inquirer.prompt([
-      {
-        type: "input",
-        name: "connectionString",
-        message: "Turso database URL:",
-        suffix: chalk.dim("  (e.g. libsql://db-org.turso.io)"),
-        validate: (v) => v.length > 0 || "Required"
-      },
-      {
-        type: "password",
-        name: "authToken",
-        message: "Turso auth token:",
-        mask: "*",
-        validate: (v) => v.length > 0 || "Required"
-      }
-    ]);
-    return { type: dbType, connectionString: answers.connectionString, authToken: answers.authToken };
-  }
-  const hint = CONNECTION_HINTS[dbType] || "";
-  const { connectionString } = await inquirer.prompt([{
-    type: "input",
-    name: "connectionString",
-    message: "Connection string:",
-    suffix: hint ? chalk.dim(`  (e.g. ${hint})`) : "",
-    validate: (v) => v.length > 0 || "Connection string is required"
-  }]);
-  return { type: dbType, connectionString };
-}
-
-// src/setup/deployment.ts
-import { execSync, exec as execCb } from "child_process";
-import { promisify } from "util";
-import { existsSync, writeFileSync, readFileSync } from "fs";
-import { join } from "path";
-import { homedir, platform, arch } from "os";
-var execP = promisify(execCb);
-var SUBDOMAIN_REGISTRY_URL = process.env.AGENTICMAIL_SUBDOMAIN_REGISTRY_URL || "https://registry.agenticmail.io";
-async function promptDeployment(inquirer, chalk) {
-  console.log("");
-  console.log(chalk.bold.cyan("  Step 3 of 4: Deployment"));
-  console.log(chalk.dim("  Where should your dashboard run?\n"));
-  const { deployTarget } = await inquirer.prompt([{
-    type: "list",
-    name: "deployTarget",
-    message: "Deploy to:",
-    choices: [
-      {
-        name: `AgenticMail Cloud  ${chalk.green("\u2190 recommended")}  ${chalk.dim("(instant URL, zero config)")}`,
-        value: "cloud"
-      },
-      {
-        name: `Cloudflare Tunnel  ${chalk.dim("(self-hosted, free, no ports)")}`,
-        value: "cloudflare-tunnel"
-      },
-      {
-        name: `Fly.io  ${chalk.dim("(your account)")}`,
-        value: "fly"
-      },
-      {
-        name: `Railway  ${chalk.dim("(your account)")}`,
-        value: "railway"
-      },
-      {
-        name: `Docker  ${chalk.dim("(self-hosted)")}`,
-        value: "docker"
-      },
-      {
-        name: `Local  ${chalk.dim("(dev/testing, runs here)")}`,
-        value: "local"
-      }
-    ]
-  }]);
-  if (deployTarget === "cloud") {
-    const cloud = await runCloudSetup(inquirer, chalk);
-    return { target: deployTarget, cloud };
-  }
-  if (deployTarget === "cloudflare-tunnel") {
-    const tunnel = await runTunnelSetup(inquirer, chalk);
-    return { target: deployTarget, tunnel };
-  }
-  return { target: deployTarget };
-}
-async function runCloudSetup(inquirer, chalk) {
-  console.log("");
-  console.log(chalk.bold("  AgenticMail Cloud Setup"));
-  console.log(chalk.dim("  Get a free subdomain on agenticmail.io \u2014 no Cloudflare account needed."));
-  console.log(chalk.dim("  Your instance will be live at https://yourname.agenticmail.io\n"));
-  let subdomain = "";
-  let claimResult = null;
-  while (!subdomain) {
-    const { name } = await inquirer.prompt([{
-      type: "input",
-      name: "name",
-      message: "Choose your subdomain:",
-      suffix: chalk.dim(".agenticmail.io"),
-      validate: (input) => {
-        const cleaned2 = input.toLowerCase().trim();
-        if (cleaned2.length < 3) return "Must be at least 3 characters";
-        if (cleaned2.length > 32) return "Must be 32 characters or fewer";
-        if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/.test(cleaned2)) return "Only lowercase letters, numbers, and hyphens allowed";
-        return true;
-      }
-    }]);
-    const cleaned = name.toLowerCase().trim();
-    process.stdout.write(chalk.dim(`  Checking ${cleaned}.agenticmail.io... `));
-    try {
-      const checkResp = await fetch(`${SUBDOMAIN_REGISTRY_URL}/check?name=${encodeURIComponent(cleaned)}`);
-      const checkData = await checkResp.json();
-      if (!checkData.available) {
-        console.log(chalk.red("\u2717 " + (checkData.reason || "Not available")));
-        continue;
-      }
-      console.log(chalk.green("\u2713 Available!"));
-    } catch (err) {
-      console.log(chalk.yellow("\u26A0 Could not check availability: " + err.message));
-      console.log(chalk.dim("  Proceeding anyway \u2014 the claim step will verify.\n"));
-    }
-    const { confirmed } = await inquirer.prompt([{
-      type: "confirm",
-      name: "confirmed",
-      message: `Claim ${chalk.bold(cleaned + ".agenticmail.io")}?`,
-      default: true
-    }]);
-    if (!confirmed) continue;
-    const { createHash, randomUUID: randomUUID2 } = await import("crypto");
-    let vaultKey = process.env.AGENTICMAIL_VAULT_KEY;
-    if (!vaultKey) {
-      vaultKey = randomUUID2() + randomUUID2();
-      process.env.AGENTICMAIL_VAULT_KEY = vaultKey;
-    }
-    const vaultKeyHash = createHash("sha256").update(vaultKey).digest("hex");
-    process.stdout.write(chalk.dim("  Provisioning subdomain... "));
-    try {
-      const claimResp = await fetch(`${SUBDOMAIN_REGISTRY_URL}/claim`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ name: cleaned, vaultKeyHash })
-      });
-      claimResult = await claimResp.json();
-      if (claimResult.error) {
-        console.log(chalk.red("\u2717 " + claimResult.error));
-        if (claimResult.error.includes("already has subdomain")) {
-          const { wantsRecover } = await inquirer.prompt([{
-            type: "confirm",
-            name: "wantsRecover",
-            message: "Recover your existing subdomain instead?",
-            default: true
-          }]);
-          if (wantsRecover) {
-            const recoverResp = await fetch(`${SUBDOMAIN_REGISTRY_URL}/recover`, {
-              method: "POST",
-              headers: { "Content-Type": "application/json" },
-              body: JSON.stringify({ vaultKeyHash })
-            });
-            claimResult = await recoverResp.json();
-            if (claimResult.success) {
-              subdomain = claimResult.subdomain;
-              console.log(chalk.green(`\u2713 Recovered: ${claimResult.fqdn}`));
-            } else {
-              console.log(chalk.red("\u2717 Recovery failed: " + (claimResult.error || "Unknown error")));
-            }
-          }
-        }
-        continue;
-      }
-      if (claimResult.success) {
-        subdomain = claimResult.subdomain || cleaned;
-        if (claimResult.recovered) {
-          console.log(chalk.green("\u2713 Recovered existing subdomain"));
-        } else {
-          console.log(chalk.green("\u2713 Subdomain claimed!"));
-        }
-      }
-    } catch (err) {
-      console.log(chalk.red("\u2717 Failed: " + err.message));
-      console.log(chalk.dim("  Check your internet connection and try again.\n"));
-    }
-  }
-  console.log("");
-  console.log(chalk.bold("  Installing cloudflared connector..."));
-  let cloudflaredPath = "";
-  try {
-    cloudflaredPath = execSync("which cloudflared", { encoding: "utf8" }).trim();
-    console.log(chalk.green(`  \u2713 cloudflared found at ${cloudflaredPath}`));
-  } catch {
-    console.log(chalk.dim("  cloudflared not found \u2014 installing..."));
-    try {
-      const os = platform();
-      if (os === "darwin") {
-        execSync("brew install cloudflared", { stdio: "pipe" });
-      } else if (os === "linux") {
-        const archStr = arch() === "arm64" ? "arm64" : "amd64";
-        execSync(`curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${archStr} -o /usr/local/bin/cloudflared && chmod +x /usr/local/bin/cloudflared`, { stdio: "pipe" });
-      } else {
-        console.log(chalk.yellow("  Please install cloudflared manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/"));
-      }
-      cloudflaredPath = execSync("which cloudflared", { encoding: "utf8" }).trim();
-      console.log(chalk.green(`  \u2713 cloudflared installed at ${cloudflaredPath}`));
-    } catch (e) {
-      console.log(chalk.yellow("  \u26A0 Could not auto-install cloudflared."));
-      console.log(chalk.dim("    Install manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/"));
-    }
-  }
-  const port = 3100;
-  const fqdn = claimResult?.fqdn || `${subdomain}.agenticmail.io`;
-  const tunnelToken = claimResult?.tunnelToken;
-  const tunnelId = claimResult?.tunnelId;
-  console.log("");
-  console.log(chalk.bold.green("  \u2713 Setup Complete!"));
-  console.log("");
-  console.log(`  Your dashboard: ${chalk.bold.cyan("https://" + fqdn)}`);
-  console.log("");
-  console.log(chalk.bgYellow.black.bold("  \u26A0  BACK UP ~/.agenticmail/.env  \u26A0  "));
-  console.log("");
-  console.log(chalk.yellow("  This file contains EVERYTHING needed to recover if your machine crashes:"));
-  console.log("");
-  console.log(chalk.yellow("    DATABASE_URL          \u2014 your database connection"));
-  console.log(chalk.yellow("    JWT_SECRET            \u2014 login session signing key"));
-  console.log(chalk.yellow("    AGENTICMAIL_VAULT_KEY \u2014 encrypted credentials + subdomain recovery"));
-  console.log(chalk.yellow("    CLOUDFLARED_TOKEN     \u2014 tunnel connection token"));
-  console.log(chalk.yellow("    PORT                  \u2014 server port"));
-  console.log("");
-  console.log(chalk.bold.yellow("  Copy this file to a safe place (password manager, cloud drive, etc.)"));
-  console.log(chalk.bold.yellow("  Without it, you CANNOT recover your subdomain or encrypted data."));
-  console.log("");
-  console.log(chalk.dim("  To recover on a new machine:"));
-  console.log(chalk.cyan("    npx @agenticmail/enterprise recover --cloud"));
-  console.log("");
-  console.log("");
-  console.log(chalk.dim("  To start your instance, run these two processes:"));
-  console.log("");
-  console.log(`    ${chalk.cyan("cloudflared tunnel --no-autoupdate run --token " + (tunnelToken || "<your-tunnel-token>"))}`);
-  console.log(`    ${chalk.cyan("npx @agenticmail/enterprise start")}`);
-  console.log("");
-  console.log(chalk.dim("  Or let the setup wizard start them with PM2 (next step).\n"));
-  const envPath = join(homedir(), ".agenticmail", ".env");
-  try {
-    let envContent = "";
-    if (existsSync(envPath)) {
-      envContent = readFileSync(envPath, "utf8");
-    }
-    if (tunnelToken && !envContent.includes("CLOUDFLARED_TOKEN=")) {
-      envContent += `
-CLOUDFLARED_TOKEN=${tunnelToken}
-`;
-    }
-    if (!envContent.includes("AGENTICMAIL_SUBDOMAIN=")) {
-      envContent += `AGENTICMAIL_SUBDOMAIN=${subdomain}
-`;
-    }
-    if (!envContent.includes("AGENTICMAIL_DOMAIN=")) {
-      envContent += `AGENTICMAIL_DOMAIN=${fqdn}
-`;
-    }
-    const { mkdirSync } = await import("fs");
-    mkdirSync(join(homedir(), ".agenticmail"), { recursive: true });
-    writeFileSync(envPath, envContent, { mode: 384 });
-  } catch {
-  }
-  return {
-    subdomain,
-    fqdn,
-    tunnelId: tunnelId || "",
-    tunnelToken: tunnelToken || "",
-    port
-  };
-}
-async function runTunnelSetup(inquirer, chalk) {
-  console.log("");
-  console.log(chalk.bold("  Cloudflare Tunnel Setup"));
-  console.log(chalk.dim("  Exposes your local server to the internet via Cloudflare."));
-  console.log(chalk.dim("  No open ports, free TLS, auto-DNS.\n"));
-  console.log(chalk.bold("  1. Cloudflared CLI"));
-  let installed = false;
-  let version = "";
-  try {
-    version = execSync("cloudflared --version 2>&1", { encoding: "utf8", timeout: 5e3 }).trim();
-    installed = true;
-  } catch {
-  }
-  if (installed) {
-    console.log(chalk.green(`     \u2713 Installed (${version})
-`));
-  } else {
-    console.log(chalk.yellow("     Not installed."));
-    const { doInstall } = await inquirer.prompt([{
-      type: "confirm",
-      name: "doInstall",
-      message: "Install cloudflared now?",
-      default: true
-    }]);
-    if (!doInstall) {
-      console.log(chalk.red("\n  cloudflared is required for tunnel deployment."));
-      console.log(chalk.dim("  Install it manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/\n"));
-      process.exit(1);
-    }
-    console.log(chalk.dim("     Installing..."));
-    try {
-      await installCloudflared();
-      version = execSync("cloudflared --version 2>&1", { encoding: "utf8", timeout: 5e3 }).trim();
-      console.log(chalk.green(`     \u2713 Installed (${version})
-`));
-    } catch (err) {
-      console.log(chalk.red(`     \u2717 Installation failed: ${err.message}`));
-      console.log(chalk.dim("     Install manually and re-run setup.\n"));
-      process.exit(1);
-    }
-  }
-  console.log(chalk.bold("  2. Cloudflare Authentication"));
-  const cfDir = join(homedir(), ".cloudflared");
-  const certPath = join(cfDir, "cert.pem");
-  const loggedIn = existsSync(certPath);
-  if (loggedIn) {
-    console.log(chalk.green("     \u2713 Already authenticated\n"));
-  } else {
-    console.log(chalk.dim("     This will open your browser to authorize Cloudflare.\n"));
-    const { doLogin } = await inquirer.prompt([{
-      type: "confirm",
-      name: "doLogin",
-      message: "Open browser to login to Cloudflare?",
-      default: true
-    }]);
-    if (!doLogin) {
-      console.log(chalk.red("\n  Cloudflare auth is required. Run `cloudflared tunnel login` manually.\n"));
-      process.exit(1);
-    }
-    console.log(chalk.dim("     Waiting for browser authorization..."));
-    try {
-      await execP("cloudflared tunnel login", { timeout: 12e4 });
-      console.log(chalk.green("     \u2713 Authenticated\n"));
-    } catch (err) {
-      console.log(chalk.red(`     \u2717 Login failed or timed out: ${err.message}`));
-      console.log(chalk.dim("     Complete the browser authorization and try again.\n"));
-      process.exit(1);
-    }
-  }
-  console.log(chalk.bold("  3. Tunnel Configuration"));
-  const { domain, port, tunnelName } = await inquirer.prompt([
-    {
-      type: "input",
-      name: "domain",
-      message: "Domain (e.g. dashboard.yourcompany.com):",
-      validate: (v) => v.includes(".") ? true : "Enter a valid domain"
-    },
-    {
-      type: "number",
-      name: "port",
-      message: "Local port:",
-      default: 3200
-    },
-    {
-      type: "input",
-      name: "tunnelName",
-      message: "Tunnel name:",
-      default: "agenticmail-enterprise"
-    }
-  ]);
-  console.log("");
-  console.log(chalk.bold("  4. Deploying"));
-  let tunnelId = "";
-  try {
-    console.log(chalk.dim("     Creating tunnel..."));
-    const out = execSync(`cloudflared tunnel create ${tunnelName} 2>&1`, { encoding: "utf8", timeout: 3e4 });
-    const match = out.match(/Created tunnel .+ with id ([a-f0-9-]+)/);
-    tunnelId = match?.[1] || "";
-    console.log(chalk.green(`     \u2713 Tunnel created: ${tunnelName} (${tunnelId})`));
-  } catch (e) {
-    if (e.message?.includes("already exists") || e.stderr?.includes("already exists")) {
-      try {
-        const listOut = execSync("cloudflared tunnel list --output json 2>&1", { encoding: "utf8", timeout: 15e3 });
-        const tunnels = JSON.parse(listOut);
-        const existing = tunnels.find((t) => t.name === tunnelName);
-        if (existing) {
-          tunnelId = existing.id;
-          console.log(chalk.green(`     \u2713 Using existing tunnel: ${tunnelName} (${tunnelId})`));
-        }
-      } catch {
-        console.log(chalk.red(`     \u2717 Tunnel "${tunnelName}" exists but couldn't read its ID`));
-        process.exit(1);
-      }
-    } else {
-      console.log(chalk.red(`     \u2717 Failed to create tunnel: ${e.message}`));
-      process.exit(1);
-    }
-  }
-  if (!tunnelId) {
-    console.log(chalk.red("     \u2717 Could not determine tunnel ID"));
-    process.exit(1);
-  }
-  const config = [
-    `tunnel: ${tunnelId}`,
-    `credentials-file: ${join(cfDir, tunnelId + ".json")}`,
-    "",
-    "ingress:",
-    `  - hostname: ${domain}`,
-    `    service: http://localhost:${port}`,
-    "  - service: http_status:404"
-  ].join("\n");
-  writeFileSync(join(cfDir, "config.yml"), config);
-  console.log(chalk.green(`     \u2713 Config written: ${domain} \u2192 localhost:${port}`));
-  try {
-    execSync(`cloudflared tunnel route dns ${tunnelId} ${domain} 2>&1`, { encoding: "utf8", timeout: 3e4 });
-    console.log(chalk.green(`     \u2713 DNS CNAME created: ${domain}`));
-  } catch (e) {
-    if (e.message?.includes("already exists") || e.stderr?.includes("already exists")) {
-      console.log(chalk.green(`     \u2713 DNS CNAME already exists for ${domain}`));
-    } else {
-      console.log(chalk.yellow(`     \u26A0 DNS routing failed \u2014 add CNAME manually: ${domain} \u2192 ${tunnelId}.cfargotunnel.com`));
-    }
-  }
-  let started = false;
-  try {
-    execSync("which pm2", { timeout: 3e3 });
-    try {
-      execSync("pm2 delete cloudflared 2>/dev/null", { timeout: 5e3 });
-    } catch {
-    }
-    execSync(`pm2 start cloudflared --name cloudflared -- tunnel run`, { encoding: "utf8", timeout: 15e3 });
-    try {
-      execSync("pm2 save 2>/dev/null", { timeout: 5e3 });
-    } catch {
-    }
-    try {
-      const startupOut = execSync("pm2 startup 2>&1", { encoding: "utf8", timeout: 15e3 });
-      const sudoMatch = startupOut.match(/sudo .+$/m);
-      if (sudoMatch) try {
-        execSync(sudoMatch[0], { timeout: 15e3, stdio: "pipe" });
-      } catch {
-      }
-    } catch {
-    }
-    console.log(chalk.green("     \u2713 Tunnel running via PM2 (auto-restarts on crash + reboot)"));
-    started = true;
-  } catch {
-  }
-  if (!started) {
-    try {
-      console.log(chalk.dim("     Installing PM2 for process management..."));
-      execSync("npm install -g pm2", { timeout: 6e4, stdio: "pipe" });
-      try {
-        execSync("pm2 delete cloudflared 2>/dev/null", { timeout: 5e3 });
-      } catch {
-      }
-      execSync(`pm2 start cloudflared --name cloudflared -- tunnel run`, { encoding: "utf8", timeout: 15e3 });
-      try {
-        execSync("pm2 save 2>/dev/null", { timeout: 5e3 });
-      } catch {
-      }
-      try {
-        const startupOut = execSync("pm2 startup 2>&1", { encoding: "utf8", timeout: 15e3 });
-        const sudoMatch = startupOut.match(/sudo .+$/m);
-        if (sudoMatch) try {
-          execSync(sudoMatch[0], { timeout: 15e3, stdio: "pipe" });
-        } catch {
-        }
-      } catch {
-      }
-      console.log(chalk.green("     \u2713 PM2 installed + tunnel running (auto-restarts on crash + reboot)"));
-      started = true;
-    } catch {
-      console.log(chalk.yellow("     \u26A0 PM2 not available \u2014 tunnel started in background"));
-      console.log(chalk.dim("       Install PM2 for auto-restart: npm install -g pm2"));
-      try {
-        const { spawn } = await import("child_process");
-        const child = spawn("cloudflared", ["tunnel", "run"], { detached: true, stdio: "ignore" });
-        child.unref();
-        started = true;
-      } catch {
-      }
-    }
-  }
-  console.log("");
-  console.log(chalk.green.bold(`  \u2713 Tunnel deployed! Your dashboard will be at https://${domain}`));
-  console.log("");
-  return { tunnelId, domain, port, tunnelName };
-}
-async function installCloudflared() {
-  const plat = platform();
-  const a = arch();
-  if (plat === "darwin") {
-    try {
-      execSync("which brew", { timeout: 3e3 });
-      execSync("brew install cloudflared 2>&1", { encoding: "utf8", timeout: 12e4 });
-      return;
-    } catch {
-    }
-    const cfArch = a === "arm64" ? "arm64" : "amd64";
-    execSync(
-      `curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-${cfArch} && chmod +x /usr/local/bin/cloudflared`,
-      { timeout: 6e4 }
-    );
-  } else if (plat === "linux") {
-    const cfArch = a === "arm64" ? "arm64" : "amd64";
-    execSync(
-      `curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${cfArch} && chmod +x /usr/local/bin/cloudflared`,
-      { timeout: 6e4 }
-    );
-  } else {
-    throw new Error("Unsupported platform: " + plat);
-  }
-}
-
-// src/setup/domain.ts
-async function promptDomain(inquirer, chalk, deployTarget) {
-  if (deployTarget === "local") {
-    return {};
-  }
-  console.log("");
-  console.log(chalk.bold.cyan("  Step 4 of 5: Custom Domain"));
-  console.log(chalk.dim("  Configure how your team will access the dashboard.\n"));
-  const targetHints = {
-    cloud: "By default, your dashboard is at <subdomain>.agenticmail.io. Add a custom domain for a branded URL.",
-    docker: "Configure your reverse proxy (nginx, Caddy, etc.) to route your domain to the Docker container.",
-    fly: "After deploying, run `fly certs add <domain>` to provision TLS for your domain.",
-    railway: "Add your domain in Railway project settings after deploying."
-  };
-  if (targetHints[deployTarget]) {
-    console.log(chalk.dim(`  ${targetHints[deployTarget]}`));
-    console.log("");
-  }
-  const { domainMode } = await inquirer.prompt([{
-    type: "list",
-    name: "domainMode",
-    message: "Domain setup:",
-    choices: [
-      {
-        name: `Use default subdomain only  ${chalk.dim("(<subdomain>.agenticmail.io)")}`,
-        value: "subdomain_only"
-      },
-      {
-        name: `Add a custom subdomain  ${chalk.dim("(e.g. agents.yourcompany.com)")}`,
-        value: "custom_subdomain"
-      },
-      {
-        name: `Deploy on my root domain  ${chalk.dim("(e.g. yourcompany.com \u2014 no subdomain)")}`,
-        value: "root_domain"
-      }
-    ]
-  }]);
-  if (domainMode === "subdomain_only") {
-    return {};
-  }
-  const isRoot = domainMode === "root_domain";
-  const { domain } = await inquirer.prompt([{
-    type: "input",
-    name: "domain",
-    message: isRoot ? "Your domain:" : "Custom domain:",
-    suffix: isRoot ? chalk.dim("  (e.g. yourcompany.com)") : chalk.dim("  (e.g. agents.yourcompany.com)"),
-    validate: (v) => {
-      const d = v.trim().toLowerCase();
-      if (!d.includes(".")) return "Enter a valid domain (e.g. yourcompany.com)";
-      if (d.startsWith("http")) return "Enter just the domain, not a URL";
-      if (d.endsWith(".")) return "Do not include a trailing dot";
-      return true;
-    },
-    filter: (v) => v.trim().toLowerCase()
-  }]);
-  if (isRoot) {
-    console.log("");
-    console.log(chalk.bold("  Root Domain Deployment"));
-    console.log(chalk.dim(`  Your dashboard will be accessible at: ${chalk.white("https://" + domain)}`));
-    console.log(chalk.dim("  This means the entire domain is dedicated to your AgenticMail deployment."));
-    console.log("");
-  }
-  console.log("");
-  console.log(chalk.dim("  After setup, you will need DNS records for this domain:"));
-  console.log("");
-  if (isRoot) {
-    console.log(chalk.dim(`  1. ${chalk.white("A record")}         \u2014 point ${domain} to your server IP`));
-    console.log(chalk.dim(`     (or CNAME if your provider allows it at the apex)`));
-  } else {
-    console.log(chalk.dim(`  1. ${chalk.white("CNAME or A record")}  \u2014 routes traffic to your server`));
-  }
-  console.log(chalk.dim(`  2. ${chalk.white("TXT record")}          \u2014 proves domain ownership (next step)`));
-  console.log("");
-  return {
-    customDomain: domain,
-    useRootDomain: isRoot || void 0
-  };
-}
-
-// src/setup/registration.ts
-import { randomBytes } from "crypto";
-var REGISTRY_BASE_URL = process.env.AGENTICMAIL_REGISTRY_URL || "https://agenticmail.io/enterprise/v1";
-async function promptRegistration(inquirer, chalk, ora, domain, companyName, adminEmail) {
-  if (!domain) {
-    return { registered: false, verificationStatus: "skipped" };
-  }
-  console.log("");
-  console.log(chalk.bold.cyan("  Step 5 of 5: Domain Registration"));
-  console.log(chalk.dim("  Protect your deployment from unauthorized duplication.\n"));
-  const { wantsRegistration } = await inquirer.prompt([{
-    type: "confirm",
-    name: "wantsRegistration",
-    message: `Register ${chalk.bold(domain)} with AgenticMail?`,
-    default: true
-  }]);
-  if (!wantsRegistration) {
-    console.log(chalk.dim("  Skipped. You can register later from the dashboard.\n"));
-    return { registered: false, verificationStatus: "skipped" };
-  }
-  const spinner = ora("Generating deployment key...").start();
-  const { createHash } = await import("crypto");
-  const plaintextKey = randomBytes(32).toString("hex");
-  const keyHash = createHash("sha256").update(plaintextKey).digest("hex");
-  spinner.succeed("Deployment key generated");
-  spinner.start("Registering domain with AgenticMail registry...");
-  const registryUrl = REGISTRY_BASE_URL.replace(/\/$/, "");
-  let registrationId;
-  let dnsChallenge;
-  try {
-    const res = await fetch(`${registryUrl}/domains/register`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({
-        domain: domain.toLowerCase().trim(),
-        keyHash,
-        sha256Hash: keyHash,
-        orgName: companyName,
-        contactEmail: adminEmail
-      }),
-      signal: AbortSignal.timeout(15e3)
-    });
-    const data = await res.json().catch(() => ({}));
-    if (res.status === 409) {
-      spinner.info("Domain already registered \u2014 verifying ownership");
-      console.log("");
-      console.log(chalk.yellow("  This domain is already registered and verified."));
-      console.log(chalk.dim("  Enter your deployment key to prove ownership and continue.\n"));
-      const { deploymentKey } = await inquirer.prompt([{
-        type: "password",
-        name: "deploymentKey",
-        message: "Deployment key:",
-        mask: "*",
-        validate: (v) => v.length === 64 || "Deployment key should be 64 hex characters"
-      }]);
-      const recoverSpinner = ora("Verifying deployment key...").start();
-      try {
-        const recoverRes = await fetch(`${registryUrl}/domains/recover`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({
-            domain: domain.toLowerCase().trim(),
-            deploymentKey
-          }),
-          signal: AbortSignal.timeout(15e3)
-        });
-        const recoverData = await recoverRes.json().catch(() => ({}));
-        if (recoverRes.status === 403) {
-          recoverSpinner.fail("Invalid deployment key");
-          console.log("");
-          console.log(chalk.red("  The deployment key does not match this domain."));
-          console.log("");
-          const { continueAnyway } = await inquirer.prompt([{
-            type: "confirm",
-            name: "continueAnyway",
-            message: "Continue setup without registration?",
-            default: true
-          }]);
-          if (continueAnyway) {
-            return { registered: false, verificationStatus: "skipped" };
-          }
-          process.exit(1);
-        }
-        if (!recoverRes.ok) {
-          throw new Error(recoverData.error || `HTTP ${recoverRes.status}`);
-        }
-        recoverSpinner.succeed("Ownership verified \u2014 domain recovered");
-        registrationId = recoverData.registrationId;
-        dnsChallenge = recoverData.dnsChallenge;
-        const verifyRes = await fetch(`${registryUrl}/domains/verify`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ domain: domain.toLowerCase().trim() }),
-          signal: AbortSignal.timeout(15e3)
-        });
-        const verifyData = await verifyRes.json().catch(() => ({}));
-        const { createHash: createHash2 } = await import("crypto");
-        const localKeyHash = createHash2("sha256").update(deploymentKey).digest("hex");
-        return {
-          registered: true,
-          deploymentKeyHash: localKeyHash,
-          dnsChallenge,
-          registrationId,
-          verificationStatus: verifyData?.verified ? "verified" : "pending_dns"
-        };
-      } catch (err) {
-        recoverSpinner.fail(`Recovery failed: ${err.message}`);
-        const { continueAnyway } = await inquirer.prompt([{
-          type: "confirm",
-          name: "continueAnyway",
-          message: "Continue setup without registration?",
-          default: true
-        }]);
-        if (continueAnyway) {
-          return { registered: false, verificationStatus: "skipped" };
-        }
-        process.exit(1);
-      }
-    }
-    if (!res.ok) {
-      throw new Error(data.error || `HTTP ${res.status}`);
-    }
-    registrationId = data.registrationId;
-    dnsChallenge = data.dnsChallenge;
-    spinner.succeed("Domain registered");
-  } catch (err) {
-    spinner.warn("Registry unavailable");
-    console.log("");
-    console.log(chalk.yellow(`  Could not reach registry: ${err.message}`));
-    console.log(chalk.dim("  You can register later with: npx @agenticmail/enterprise verify-domain"));
-    console.log("");
-    const { continueAnyway } = await inquirer.prompt([{
-      type: "confirm",
-      name: "continueAnyway",
-      message: "Continue setup without registration?",
-      default: true
-    }]);
-    if (continueAnyway) {
-      return { registered: false, verificationStatus: "skipped" };
-    }
-    process.exit(1);
-  }
-  console.log("");
-  console.log(chalk.red.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
-  console.log(chalk.red.bold("  \u2551") + chalk.white.bold("  DEPLOYMENT KEY \u2014 SAVE THIS NOW                                     ") + chalk.red.bold("\u2551"));
-  console.log(chalk.red.bold("  \u2551") + "                                                                      " + chalk.red.bold("\u2551"));
-  console.log(chalk.red.bold("  \u2551") + `  ${chalk.green.bold(plaintextKey)}  ` + chalk.red.bold("\u2551"));
-  console.log(chalk.red.bold("  \u2551") + "                                                                      " + chalk.red.bold("\u2551"));
-  console.log(chalk.red.bold("  \u2551") + chalk.dim("  This key is shown ONCE. Store it securely (password manager,       ") + chalk.red.bold("\u2551"));
-  console.log(chalk.red.bold("  \u2551") + chalk.dim("  vault, printed backup). You need it to recover this domain.        ") + chalk.red.bold("\u2551"));
-  console.log(chalk.red.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
-  console.log("");
-  console.log(chalk.bold("  Add this DNS TXT record to prove domain ownership:"));
-  console.log("");
-  console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
-  console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("TXT")}`);
-  console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(dnsChallenge)}`);
-  console.log("");
-  console.log(chalk.dim("  DNS changes can take up to 48 hours to propagate."));
-  console.log("");
-  await inquirer.prompt([{
-    type: "confirm",
-    name: "keySaved",
-    message: "I have saved my deployment key",
-    default: false
-  }]);
-  const { checkNow } = await inquirer.prompt([{
-    type: "confirm",
-    name: "checkNow",
-    message: "Check DNS verification now?",
-    default: false
-  }]);
-  let verificationStatus = "pending_dns";
-  if (checkNow) {
-    for (let attempt = 1; attempt <= 5; attempt++) {
-      spinner.start(`Checking DNS (attempt ${attempt}/5)...`);
-      try {
-        const res = await fetch(`${registryUrl}/domains/verify`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ domain: domain.toLowerCase().trim() }),
-          signal: AbortSignal.timeout(15e3)
-        });
-        const data = await res.json().catch(() => ({}));
-        if (data.verified) {
-          spinner.succeed("Domain verified!");
-          verificationStatus = "verified";
-          break;
-        }
-      } catch {
-      }
-      if (attempt < 5) {
-        spinner.text = `DNS record not found yet. Retrying in 10s (attempt ${attempt}/5)...`;
-        await new Promise((r) => setTimeout(r, 1e4));
-      } else {
-        spinner.info("DNS record not found yet");
-        console.log(chalk.dim("  Run later: npx @agenticmail/enterprise verify-domain"));
-      }
-    }
-  } else {
-    console.log(chalk.dim("  Run when ready: npx @agenticmail/enterprise verify-domain"));
-  }
-  console.log("");
-  return {
-    registered: true,
-    deploymentKeyHash: keyHash,
-    dnsChallenge,
-    registrationId,
-    verificationStatus
-  };
-}
-
-// src/setup/provision.ts
-import { randomUUID, randomBytes as randomBytes2 } from "crypto";
-function generateOrgId() {
-  const chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
-  const bytes = randomBytes2(10);
-  let id = "";
-  for (let i = 0; i < 10; i++) id += chars[bytes[i] % chars.length];
-  return id;
-}
-async function provision(config, ora, chalk) {
-  const spinner = ora("Connecting to database...").start();
-  const jwtSecret = randomUUID() + randomUUID();
-  const vaultKey = randomUUID() + randomUUID();
-  try {
-    const { createAdapter } = await import("./factory-MQASIPEB.js");
-    const db = await createAdapter({
-      type: config.database.type,
-      connectionString: config.database.connectionString,
-      region: config.database.region,
-      accessKeyId: config.database.accessKeyId,
-      secretAccessKey: config.database.secretAccessKey,
-      authToken: config.database.authToken
-    });
-    spinner.text = "Running migrations...";
-    await db.migrate();
-    spinner.succeed("Database ready");
-    const engineDbInterface = db.getEngineDB();
-    if (engineDbInterface) {
-      spinner.start("Initializing engine...");
-      const { EngineDatabase } = await import("./db-adapter-2T56ORSD.js");
-      const dialectMap = {
-        sqlite: "sqlite",
-        postgres: "postgres",
-        supabase: "postgres",
-        neon: "postgres",
-        cockroachdb: "postgres",
-        mysql: "mysql",
-        planetscale: "mysql",
-        turso: "turso"
-      };
-      const engineDialect = dialectMap[db.getDialect()] || db.getDialect();
-      const engineDb = new EngineDatabase(engineDbInterface, engineDialect);
-      const migResult = await engineDb.migrate();
-      spinner.succeed(`Engine ready (${migResult.applied} migrations applied)`);
-    }
-    spinner.start("Creating company...");
-    const orgId = generateOrgId();
-    const corsOrigins = [];
-    if (config.domain.customDomain) {
-      corsOrigins.push(`https://${config.domain.customDomain}`);
-    }
-    if (config.company.subdomain) {
-      corsOrigins.push(`https://${config.company.subdomain}.agenticmail.io`);
-    }
-    if (config.deployTarget === "local") {
-      corsOrigins.push("http://localhost:3000", "http://localhost:8080", "http://127.0.0.1:3000", "http://127.0.0.1:8080");
-    }
-    await db.updateSettings({
-      name: config.company.companyName,
-      subdomain: config.company.subdomain,
-      domain: config.domain.customDomain,
-      orgId,
-      ...corsOrigins.length > 0 ? {
-        firewallConfig: {
-          network: { corsOrigins }
-        }
-      } : {}
-    });
-    spinner.succeed(`Company created (org: ${orgId})`);
-    if (config.registration?.registered) {
-      spinner.start("Saving domain registration...");
-      await db.updateSettings({
-        deploymentKeyHash: config.registration.deploymentKeyHash,
-        domainRegistrationId: config.registration.registrationId,
-        domainDnsChallenge: config.registration.dnsChallenge,
-        domainRegisteredAt: (/* @__PURE__ */ new Date()).toISOString(),
-        domainStatus: config.registration.verificationStatus === "verified" ? "verified" : "pending_dns",
-        ...config.registration.verificationStatus === "verified" ? { domainVerifiedAt: (/* @__PURE__ */ new Date()).toISOString() } : {}
-      });
-      spinner.succeed("Domain registration saved");
-    }
-    spinner.start("Creating admin account...");
-    let admin;
-    try {
-      admin = await db.createUser({
-        email: config.company.adminEmail,
-        name: "Admin",
-        role: "owner",
-        password: config.company.adminPassword
-      });
-    } catch (err) {
-      if (err.message?.includes("duplicate key") || err.message?.includes("UNIQUE constraint") || err.code === "23505") {
-        admin = await db.getUserByEmail(config.company.adminEmail);
-        if (!admin) throw err;
-        spinner.text = "Admin account already exists, reusing...";
-      } else {
-        throw err;
-      }
-    }
-    await db.logEvent({
-      actor: admin.id,
-      actorType: "system",
-      action: "setup.complete",
-      resource: `company:${config.company.subdomain}`,
-      details: {
-        dbType: config.database.type,
-        deployTarget: config.deployTarget,
-        companyName: config.company.companyName
-      }
-    });
-    spinner.succeed("Admin account created");
-    try {
-      const { writeFileSync: writeFileSync2, existsSync: existsSync2, mkdirSync } = await import("fs");
-      const { join: join3 } = await import("path");
-      const { homedir: homedir2 } = await import("os");
-      const envDir = join3(homedir2(), ".agenticmail");
-      if (!existsSync2(envDir)) mkdirSync(envDir, { recursive: true });
-      const port = config.tunnel?.port || (config.deployTarget === "local" ? 3e3 : void 0) || (config.deployTarget === "docker" ? 3e3 : void 0) || 3200;
-      let existingEnv = "";
-      const envFilePath = join3(envDir, ".env");
-      if (existsSync2(envFilePath)) {
-        try {
-          existingEnv = (await import("fs")).readFileSync(envFilePath, "utf8");
-        } catch {
-        }
-      }
-      const envMap = /* @__PURE__ */ new Map();
-      for (const line of existingEnv.split("\n")) {
-        const t = line.trim();
-        if (!t || t.startsWith("#")) continue;
-        const eq = t.indexOf("=");
-        if (eq > 0) envMap.set(t.slice(0, eq).trim(), t.slice(eq + 1).trim());
-      }
-      envMap.set("DATABASE_URL", config.database.connectionString || "");
-      envMap.set("JWT_SECRET", jwtSecret);
-      envMap.set("AGENTICMAIL_VAULT_KEY", vaultKey);
-      envMap.set("PORT", String(port));
-      if (config.cloud?.tunnelToken) envMap.set("CLOUDFLARED_TOKEN", config.cloud.tunnelToken);
-      if (config.cloud?.subdomain) envMap.set("AGENTICMAIL_SUBDOMAIN", config.cloud.subdomain);
-      if (config.cloud?.fqdn) envMap.set("AGENTICMAIL_DOMAIN", config.cloud.fqdn);
-      const envContent = [
-        "# AgenticMail Enterprise \u2014 auto-generated by setup wizard",
-        "# BACK UP THIS FILE! You need it to recover on a new machine.",
-        ...Array.from(envMap.entries()).map(([k, v]) => `${k}=${v}`)
-      ].join("\n") + "\n";
-      writeFileSync2(join3(envDir, ".env"), envContent, { mode: 384 });
-      spinner.succeed(`Config saved to ~/.agenticmail/.env`);
-    } catch {
-    }
-    const result = await deploy(config, db, jwtSecret, vaultKey, spinner, chalk);
-    return {
-      success: true,
-      url: result.url,
-      jwtSecret,
-      db,
-      serverClose: result.close
-    };
-  } catch (err) {
-    spinner.fail(`Setup failed: ${err.message}`);
-    return {
-      success: false,
-      error: err.message,
-      jwtSecret,
-      db: null
-    };
-  }
-}
-async function deploy(config, db, jwtSecret, vaultKey, spinner, chalk) {
-  const { deployTarget, company, database, domain, tunnel, cloud } = config;
-  if (deployTarget === "cloudflare-tunnel" && tunnel) {
-    spinner.start(`Starting local server on port ${tunnel.port}...`);
-    const { createServer: createServer2 } = await import("./server-6NDO2S52.js");
-    const server2 = createServer2({ port: tunnel.port, db, jwtSecret });
-    const handle2 = await server2.start();
-    spinner.succeed("Server running");
-    console.log("");
-    console.log(chalk.green.bold("  AgenticMail Enterprise is live!"));
-    console.log("");
-    console.log(`  ${chalk.bold("Public URL:")}  ${chalk.cyan("https://" + tunnel.domain)}`);
-    console.log(`  ${chalk.bold("Local:")}       ${chalk.cyan("http://localhost:" + tunnel.port)}`);
-    console.log(`  ${chalk.bold("Tunnel:")}      ${tunnel.tunnelName} (${tunnel.tunnelId})`);
-    console.log(`  ${chalk.bold("Admin:")}       ${company.adminEmail}`);
-    console.log("");
-    console.log(chalk.dim("  Tunnel is managed by PM2 \u2014 auto-restarts on crash."));
-    console.log(chalk.dim("  Manage: pm2 status | pm2 logs cloudflared | pm2 restart cloudflared"));
-    console.log(chalk.dim("  Press Ctrl+C to stop the server"));
-    return { url: "https://" + tunnel.domain, close: handle2.close };
-  }
-  if (deployTarget === "cloud" && cloud) {
-    spinner.start("Configuring agenticmail.io deployment...");
-    try {
-      const pm2 = await import("pm2");
-      await new Promise((resolve, reject) => {
-        pm2.connect((err) => {
-          if (err) {
-            reject(err);
-            return;
-          }
-          pm2.start({
-            name: "cloudflared",
-            script: "cloudflared",
-            args: `tunnel --no-autoupdate run --token ${cloud.tunnelToken}`,
-            interpreter: "none",
-            autorestart: true
-          }, (e) => {
-            if (e) console.warn(`PM2 cloudflared start: ${e.message}`);
-            pm2.start({
-              name: "enterprise",
-              script: "npx",
-              args: "@agenticmail/enterprise start",
-              env: {
-                PORT: String(cloud.port || 3100),
-                DATABASE_URL: database.connectionString || "",
-                JWT_SECRET: jwtSecret,
-                AGENTICMAIL_VAULT_KEY: vaultKey,
-                AGENTICMAIL_DOMAIN: cloud.fqdn
-              },
-              autorestart: true
-            }, (e2) => {
-              pm2.disconnect();
-              if (e2) reject(e2);
-              else resolve();
-            });
-          });
-        });
-      });
-      try {
-        const { execSync: execSync3 } = await import("child_process");
-        execSync3("pm2 save", { timeout: 1e4, stdio: "pipe" });
-        try {
-          const startupOut = execSync3("pm2 startup 2>&1", { encoding: "utf8", timeout: 15e3 });
-          const sudoMatch = startupOut.match(/sudo .+$/m);
-          if (sudoMatch) {
-            try {
-              execSync3(sudoMatch[0], { timeout: 15e3, stdio: "pipe" });
-            } catch {
-            }
-          }
-        } catch {
-        }
-      } catch {
-      }
-      spinner.succeed(`Live at https://${cloud.fqdn}`);
-      console.log(chalk.dim("  PM2 will auto-restart on crash and survive reboots."));
-    } catch (e) {
-      spinner.warn(`PM2 setup failed: ${e.message}`);
-      console.log(`  Start manually:`);
-      console.log(`    cloudflared tunnel --no-autoupdate run --token ${cloud.tunnelToken}`);
-      console.log(`    npx @agenticmail/enterprise start`);
-    }
-    console.log("");
-    console.log(`  Dashboard: https://${cloud.fqdn}`);
-    console.log(`  To recover on a new machine, keep your AGENTICMAIL_VAULT_KEY safe.`);
-    console.log("");
-    return { url: `https://${cloud.fqdn}` };
-  }
-  if (deployTarget === "docker") {
-    const { generateDockerCompose, generateEnvFile } = await import("./managed-T2RBYB2W.js");
-    const compose = generateDockerCompose({ port: 3e3 });
-    const envFile = generateEnvFile({
-      dbType: database.type,
-      dbConnectionString: database.connectionString || "",
-      jwtSecret,
-      vaultKey
-    });
-    const { writeFileSync: writeFileSync2, existsSync: existsSync2, appendFileSync } = await import("fs");
-    writeFileSync2("docker-compose.yml", compose);
-    writeFileSync2(".env", envFile);
-    if (existsSync2(".gitignore")) {
-      const content = await import("fs").then((f) => f.readFileSync(".gitignore", "utf-8"));
-      if (!content.includes(".env")) {
-        appendFileSync(".gitignore", "\n# Secrets\n.env\n");
-      }
-    } else {
-      writeFileSync2(".gitignore", "# Secrets\n.env\nnode_modules/\n");
-    }
-    spinner.succeed("docker-compose.yml + .env generated");
-    console.log("");
-    console.log(chalk.green.bold("  Docker deployment ready!"));
-    console.log("");
-    console.log(`  Run:       ${chalk.cyan("docker compose up -d")}`);
-    console.log(`  Dashboard: ${chalk.cyan("http://localhost:3000")}`);
-    console.log(chalk.dim("  Secrets stored in .env \u2014 do not commit to git"));
-    if (domain.customDomain) {
-      printCustomDomainInstructions(chalk, domain.customDomain, "docker");
-    }
-    return { url: "http://localhost:3000" };
-  }
-  if (deployTarget === "fly") {
-    const { generateFlyToml } = await import("./managed-T2RBYB2W.js");
-    const flyToml = generateFlyToml(`am-${company.subdomain}`, "iad");
-    const { writeFileSync: writeFileSync2 } = await import("fs");
-    writeFileSync2("fly.toml", flyToml);
-    spinner.succeed("fly.toml generated");
-    console.log("");
-    console.log(chalk.green.bold("  Fly.io deployment ready!"));
-    console.log("");
-    console.log(`  1. ${chalk.cyan("fly launch --copy-config")}`);
-    console.log(`  2. ${chalk.cyan(`fly secrets set DATABASE_URL="${database.connectionString}" JWT_SECRET="${jwtSecret}" AGENTICMAIL_VAULT_KEY="${vaultKey}"`)}`);
-    console.log(`  3. ${chalk.cyan("fly deploy")}`);
-    if (domain.customDomain) {
-      console.log(`  4. ${chalk.cyan(`fly certs add ${domain.customDomain}`)}`);
-      printCustomDomainInstructions(chalk, domain.customDomain, "fly", `am-${company.subdomain}.fly.dev`);
-    }
-    return {};
-  }
-  if (deployTarget === "railway") {
-    const { generateRailwayConfig } = await import("./managed-T2RBYB2W.js");
-    const railwayConfig = generateRailwayConfig();
-    const { writeFileSync: writeFileSync2 } = await import("fs");
-    writeFileSync2("railway.toml", railwayConfig);
-    spinner.succeed("railway.toml generated");
-    console.log("");
-    console.log(chalk.green.bold("  Railway deployment ready!"));
-    console.log("");
-    console.log(`  1. ${chalk.cyan("railway init")}`);
-    console.log(`  2. ${chalk.cyan("railway link")}`);
-    console.log(`  3. ${chalk.cyan("railway up")}`);
-    if (domain.customDomain) {
-      printCustomDomainInstructions(chalk, domain.customDomain, "railway");
-    }
-    return {};
-  }
-  spinner.start("Starting local server...");
-  const { createServer } = await import("./server-6NDO2S52.js");
-  const server = createServer({ port: 3e3, db, jwtSecret });
-  const handle = await server.start();
-  spinner.succeed("Server running");
-  console.log("");
-  console.log(chalk.green.bold("  AgenticMail Enterprise is running!"));
-  console.log("");
-  console.log(`  ${chalk.bold("Dashboard:")}  ${chalk.cyan("http://localhost:3000")}`);
-  console.log(`  ${chalk.bold("API:")}        ${chalk.cyan("http://localhost:3000/api")}`);
-  console.log(`  ${chalk.bold("Admin:")}      ${company.adminEmail}`);
-  console.log("");
-  console.log(chalk.dim("  Press Ctrl+C to stop"));
-  return { url: "http://localhost:3000", close: handle.close };
-}
-function printCustomDomainInstructions(chalk, domain, target, cnameTarget) {
-  console.log("");
-  console.log(chalk.bold("  Custom Domain DNS Setup"));
-  console.log(chalk.dim(`  Route ${chalk.white(domain)} to your deployment.
-`));
-  if (target === "cloud" && cnameTarget) {
-    console.log(chalk.bold("  Add this DNS record at your domain registrar:"));
-    console.log("");
-    console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("CNAME")}`);
-    console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(domain)}`);
-    console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(cnameTarget)}`);
-  } else if (target === "fly" && cnameTarget) {
-    console.log(chalk.bold("  Add this DNS record at your domain registrar:"));
-    console.log("");
-    console.log(`  ${chalk.bold("Type:")}   ${chalk.cyan("CNAME")}`);
-    console.log(`  ${chalk.bold("Host:")}   ${chalk.cyan(domain)}`);
-    console.log(`  ${chalk.bold("Value:")}  ${chalk.cyan(cnameTarget)}`);
-    console.log("");
-    console.log(chalk.dim("  Fly.io will automatically provision a TLS certificate."));
-  } else if (target === "railway") {
-    console.log(chalk.bold("  After deploying:"));
-    console.log("");
-    console.log(`  1. Open your Railway project dashboard`);
-    console.log(`  2. Go to ${chalk.bold("Settings")} \u2192 ${chalk.bold("Domains")}`);
-    console.log(`  3. Add ${chalk.cyan(domain)} as a custom domain`);
-    console.log(`  4. Railway will show you a ${chalk.bold("CNAME")} target \u2014 add it at your DNS provider`);
-  } else if (target === "docker") {
-    console.log(chalk.bold("  Configure your reverse proxy to route traffic:"));
-    console.log("");
-    console.log(`  ${chalk.bold("Domain:")}  ${chalk.cyan(domain)}`);
-    console.log(`  ${chalk.bold("Target:")}  ${chalk.cyan("localhost:3000")}  ${chalk.dim("(or your Docker host IP)")}`);
-    console.log("");
-    console.log(chalk.dim("  Example with nginx:"));
-    console.log(chalk.dim(""));
-    console.log(chalk.dim("    server {"));
-    console.log(chalk.dim(`      server_name ${domain};`));
-    console.log(chalk.dim("      location / {"));
-    console.log(chalk.dim("        proxy_pass http://localhost:3000;"));
-    console.log(chalk.dim("        proxy_set_header Host $host;"));
-    console.log(chalk.dim("        proxy_set_header X-Real-IP $remote_addr;"));
-    console.log(chalk.dim("      }"));
-    console.log(chalk.dim("    }"));
-    console.log("");
-    console.log(chalk.dim("  Then add a DNS A record pointing to your server IP,"));
-    console.log(chalk.dim("  or a CNAME if you have an existing hostname."));
-  }
-  console.log("");
-  console.log(chalk.dim("  Note: This CNAME/A record routes traffic. A separate TXT record"));
-  console.log(chalk.dim("  for domain verification was (or will be) configured in Step 5."));
-  console.log("");
-}
-
-// src/setup/index.ts
-var DB_DRIVER_MAP = {
-  postgres: ["pg"],
-  supabase: ["pg"],
-  neon: ["pg"],
-  cockroachdb: ["pg"],
-  mysql: ["mysql2"],
-  planetscale: ["mysql2"],
-  mongodb: ["mongodb"],
-  sqlite: ["better-sqlite3"],
-  turso: ["@libsql/client"],
-  dynamodb: ["@aws-sdk/client-dynamodb", "@aws-sdk/lib-dynamodb"]
-};
-async function ensureDbDriver(dbType, ora, chalk) {
-  const packages = DB_DRIVER_MAP[dbType];
-  if (!packages?.length) return;
-  const missing = [];
-  for (const pkg of packages) {
-    let found = false;
-    try {
-      await import(pkg);
-      found = true;
-    } catch {
-    }
-    if (!found) {
-      try {
-        const req = createRequire(join2(process.cwd(), "index.js"));
-        req.resolve(pkg);
-        found = true;
-      } catch {
-      }
-    }
-    if (!found) {
-      try {
-        const globalPrefix = execSync2("npm prefix -g", { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
-        const req = createRequire(join2(globalPrefix, "lib", "node_modules", ".package-lock.json"));
-        req.resolve(pkg);
-        found = true;
-      } catch {
-      }
-    }
-    if (!found) missing.push(pkg);
-  }
-  if (!missing.length) return;
-  const spinner = ora(`Installing database driver: ${missing.join(", ")}...`).start();
-  try {
-    execSync2(`npm install --no-save ${missing.join(" ")}`, {
-      stdio: "pipe",
-      timeout: 12e4,
-      cwd: process.cwd()
-    });
-    spinner.succeed(`Database driver installed: ${missing.join(", ")}`);
-  } catch (err) {
-    spinner.fail(`Failed to install ${missing.join(", ")}`);
-    console.error(chalk.red(`
-  Run manually: npm install ${missing.join(" ")}
-`));
-    process.exit(1);
-  }
-}
-async function runSetupWizard() {
-  const { default: inquirer } = await import("inquirer");
-  const { default: ora } = await import("ora");
-  const { default: chalk } = await import("chalk");
-  console.log("");
-  console.log(chalk.bold("  AgenticMail Enterprise"));
-  console.log(chalk.dim("  AI Agent Identity & Email for Organizations"));
-  console.log("");
-  console.log(chalk.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  console.log("");
-  const company = await promptCompanyInfo(inquirer, chalk);
-  const database = await promptDatabase(inquirer, chalk);
-  const deploymentResult = await promptDeployment(inquirer, chalk);
-  const deployTarget = deploymentResult.target;
-  const domain = deploymentResult.tunnel ? { customDomain: deploymentResult.tunnel.domain } : deploymentResult.cloud ? { customDomain: deploymentResult.cloud.fqdn } : await promptDomain(inquirer, chalk, deployTarget);
-  const registration = deploymentResult.tunnel || deploymentResult.cloud ? { registered: true, verificationStatus: "verified" } : await promptRegistration(
-    inquirer,
-    chalk,
-    ora,
-    domain.customDomain,
-    company.companyName,
-    company.adminEmail
-  );
-  await ensureDbDriver(database.type, ora, chalk);
-  console.log("");
-  console.log(chalk.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  console.log("");
-  const result = await provision(
-    { company, database, deployTarget, domain, registration, tunnel: deploymentResult.tunnel, cloud: deploymentResult.cloud },
-    ora,
-    chalk
-  );
-  if (!result.success) {
-    console.error("");
-    console.error(chalk.red(`  Setup failed: ${result.error}`));
-    console.error(chalk.dim("  Check your database connection and try again."));
-    process.exit(1);
-  }
-  console.log("");
-}
-
-export {
-  promptCompanyInfo,
-  promptDatabase,
-  promptDeployment,
-  promptDomain,
-  promptRegistration,
-  provision,
-  runSetupWizard
-};