@agenticmail/enterprise 0.5.375 → 0.5.376

package/dist/cli-serve-IOSXZHIK.js

@@ -0,0 +1,286 @@
+import "./chunk-KFQGP6VL.js";
+
+// src/cli-serve.ts
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+function loadEnvFile() {
+  const candidates = [
+    join(process.cwd(), ".env"),
+    join(homedir(), ".agenticmail", ".env")
+  ];
+  for (const envPath of candidates) {
+    if (!existsSync(envPath)) continue;
+    try {
+      const content = readFileSync(envPath, "utf8");
+      for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#")) continue;
+        const eq = trimmed.indexOf("=");
+        if (eq < 0) continue;
+        const key = trimmed.slice(0, eq).trim();
+        let val = trimmed.slice(eq + 1).trim();
+        if (val.startsWith('"') && val.endsWith('"') || val.startsWith("'") && val.endsWith("'")) {
+          val = val.slice(1, -1);
+        }
+        if (!process.env[key]) process.env[key] = val;
+      }
+      console.log(`Loaded config from ${envPath}`);
+      return;
+    } catch {
+    }
+  }
+}
+async function ensureSecrets() {
+  const { randomUUID } = await import("crypto");
+  const envDir = join(homedir(), ".agenticmail");
+  const envPath = join(envDir, ".env");
+  let dirty = false;
+  if (!process.env.JWT_SECRET) {
+    process.env.JWT_SECRET = randomUUID() + randomUUID();
+    dirty = true;
+    console.log("[startup] Generated new JWT_SECRET (existing sessions will need to re-login)");
+  }
+  if (!process.env.AGENTICMAIL_VAULT_KEY) {
+    process.env.AGENTICMAIL_VAULT_KEY = randomUUID() + randomUUID();
+    dirty = true;
+    console.log("[startup] Generated new AGENTICMAIL_VAULT_KEY");
+    console.log("[startup] \u26A0\uFE0F  Previously encrypted credentials will need to be re-entered in the dashboard");
+  }
+  if (dirty) {
+    try {
+      if (!existsSync(envDir)) {
+        const { mkdirSync } = await import("fs");
+        mkdirSync(envDir, { recursive: true });
+      }
+      const { appendFileSync } = await import("fs");
+      const lines = [];
+      let existing = "";
+      if (existsSync(envPath)) {
+        existing = readFileSync(envPath, "utf8");
+      }
+      if (!existing.includes("JWT_SECRET=")) {
+        lines.push(`JWT_SECRET=${process.env.JWT_SECRET}`);
+      }
+      if (!existing.includes("AGENTICMAIL_VAULT_KEY=")) {
+        lines.push(`AGENTICMAIL_VAULT_KEY=${process.env.AGENTICMAIL_VAULT_KEY}`);
+      }
+      if (lines.length) {
+        appendFileSync(envPath, "\n" + lines.join("\n") + "\n", { mode: 384 });
+        console.log(`[startup] Saved secrets to ${envPath}`);
+      }
+    } catch (e) {
+      console.warn(`[startup] Could not save secrets to ${envPath}: ${e.message}`);
+    }
+  }
+}
+async function runServe(_args) {
+  loadEnvFile();
+  const DATABASE_URL = process.env.DATABASE_URL;
+  const PORT = parseInt(process.env.PORT || "8080", 10);
+  await ensureSecrets();
+  const JWT_SECRET = process.env.JWT_SECRET;
+  const _VAULT_KEY = process.env.AGENTICMAIL_VAULT_KEY;
+  if (!DATABASE_URL) {
+    console.error("ERROR: DATABASE_URL is required.");
+    console.error("");
+    console.error("Set it via environment variable or .env file:");
+    console.error("  DATABASE_URL=postgresql://user:pass@host:5432/db npx @agenticmail/enterprise start");
+    console.error("");
+    console.error("Or create a .env file (in cwd or ~/.agenticmail/.env):");
+    console.error("  DATABASE_URL=postgresql://user:pass@host:5432/db");
+    console.error("  JWT_SECRET=your-secret-here");
+    console.error("  PORT=3200");
+    process.exit(1);
+  }
+  const { createAdapter, smartDbConfig } = await import("./factory-XRYYBBCW.js");
+  const { createServer } = await import("./server-Q52YXWZD.js");
+  const db = await createAdapter(smartDbConfig(DATABASE_URL));
+  await db.migrate();
+  const server = createServer({
+    port: PORT,
+    db,
+    jwtSecret: JWT_SECRET,
+    corsOrigins: ["*"]
+  });
+  await server.start();
+  console.log(`AgenticMail Enterprise server running on :${PORT}`);
+  try {
+    const { startBackgroundUpdateCheck } = await import("./cli-update-6ZZTT5UR.js");
+    startBackgroundUpdateCheck();
+  } catch {
+  }
+  try {
+    const { startPreventSleep } = await import("./screen-unlock-4RPZBHOI.js");
+    const adminDb = server.getAdminDb?.() || server.adminDb;
+    if (adminDb) {
+      const settings = await adminDb.getSettings?.().catch(() => null);
+      const screenAccess = settings?.securityConfig?.screenAccess;
+      if (screenAccess?.enabled && screenAccess?.preventSleep) {
+        startPreventSleep();
+        console.log("[startup] Prevent-sleep enabled \u2014 system will stay awake while agents are active");
+      }
+    }
+  } catch {
+  }
+  try {
+    await setupSystemPersistence();
+  } catch (e) {
+    console.warn("[startup] System persistence setup skipped: " + e.message);
+  }
+  const tunnelToken = process.env.CLOUDFLARED_TOKEN;
+  if (tunnelToken) {
+    try {
+      const { execSync, spawn } = await import("child_process");
+      try {
+        execSync(process.platform === "win32" ? "where cloudflared" : "which cloudflared", { timeout: 3e3 });
+      } catch {
+        console.log("[startup] cloudflared not found \u2014 skipping tunnel auto-start");
+        console.log("[startup] Install cloudflared to enable tunnel: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/");
+        return;
+      }
+      try {
+        if (process.platform === "win32") {
+          const tasklist = execSync('tasklist /FI "IMAGENAME eq cloudflared.exe" /NH', { encoding: "utf8", timeout: 5e3 });
+          if (tasklist.includes("cloudflared.exe")) {
+            console.log("[startup] cloudflared tunnel already running");
+            return;
+          }
+        } else {
+          execSync('pgrep -f "cloudflared.*tunnel.*run"', { timeout: 3e3 });
+          console.log("[startup] cloudflared tunnel already running");
+          return;
+        }
+      } catch {
+      }
+      const subdomain = process.env.AGENTICMAIL_SUBDOMAIN || process.env.AGENTICMAIL_DOMAIN || "";
+      console.log(`[startup] Starting cloudflared tunnel${subdomain ? ` for ${subdomain}.agenticmail.io` : ""}...`);
+      let cfBin = "cloudflared";
+      if (process.platform === "win32") {
+        try {
+          cfBin = execSync("where cloudflared", { encoding: "utf8", timeout: 3e3 }).trim().split("\n")[0].trim();
+        } catch {
+          const candidate = `${process.env.LOCALAPPDATA || ""}\\cloudflared\\cloudflared.exe`;
+          try {
+            (await import("fs")).statSync(candidate);
+            cfBin = candidate;
+          } catch {
+          }
+        }
+      }
+      const child = spawn(cfBin, ["tunnel", "--no-autoupdate", "run", "--token", tunnelToken], {
+        detached: true,
+        stdio: "ignore"
+      });
+      child.unref();
+      console.log("[startup] cloudflared tunnel started (pid " + child.pid + ")");
+    } catch (e) {
+      console.warn("[startup] Could not auto-start cloudflared: " + e.message);
+    }
+  }
+}
+async function setupSystemPersistence() {
+  const { execSync, spawnSync } = await import("child_process");
+  const { existsSync: exists, writeFileSync, mkdirSync } = await import("fs");
+  const { join: pathJoin } = await import("path");
+  const platform = process.platform;
+  if (!process.env.PM2_HOME && !process.env.pm_id) {
+    return;
+  }
+  const markerDir = pathJoin(homedir(), ".agenticmail");
+  const markerFile = pathJoin(markerDir, ".persistence-configured");
+  if (exists(markerFile)) {
+    try {
+      execSync("pm2 save --silent", { timeout: 1e4, stdio: "ignore" });
+    } catch {
+    }
+    return;
+  }
+  console.log("[startup] Configuring system persistence (one-time setup)...");
+  try {
+    if (platform === "darwin") {
+      const result = spawnSync("pm2", ["startup", "launchd", "--silent"], {
+        timeout: 15e3,
+        stdio: "pipe",
+        encoding: "utf-8"
+      });
+      const output = (result.stdout || "") + (result.stderr || "");
+      const sudoMatch = output.match(/sudo\s+env\s+.*pm2\s+startup.*/);
+      if (sudoMatch) {
+        console.log("[startup] PM2 startup requires sudo. Run this once:");
+        console.log("  " + sudoMatch[0]);
+      } else {
+        console.log("[startup] PM2 startup configured (launchd)");
+      }
+      const plistPath = pathJoin(homedir(), "Library", "LaunchAgents", `pm2.${process.env.USER || "user"}.plist`);
+      if (exists(plistPath)) {
+        try {
+          execSync(`launchctl load -w "${plistPath}"`, { timeout: 5e3, stdio: "ignore" });
+        } catch {
+        }
+      }
+    } else if (platform === "linux") {
+      const result = spawnSync("pm2", ["startup", "systemd", "--silent"], {
+        timeout: 15e3,
+        stdio: "pipe",
+        encoding: "utf-8"
+      });
+      const output = (result.stdout || "") + (result.stderr || "");
+      const sudoMatch = output.match(/sudo\s+env\s+.*pm2\s+startup.*/);
+      if (sudoMatch) {
+        try {
+          execSync(sudoMatch[0], { timeout: 15e3, stdio: "ignore" });
+          console.log("[startup] PM2 startup configured (systemd)");
+        } catch {
+          console.log("[startup] PM2 startup requires root. Run this once:");
+          console.log("  " + sudoMatch[0]);
+        }
+      } else {
+        console.log("[startup] PM2 startup configured (systemd)");
+      }
+    } else if (platform === "win32") {
+      try {
+        execSync("npm list -g pm2-windows-startup", { timeout: 1e4, stdio: "ignore" });
+      } catch {
+        console.log("[startup] Installing pm2-windows-startup...");
+        try {
+          execSync("npm install -g pm2-windows-startup", { timeout: 6e4, stdio: "ignore" });
+          execSync("pm2-startup install", { timeout: 15e3, stdio: "ignore" });
+          console.log("[startup] PM2 startup configured (Windows Service)");
+        } catch (e) {
+          console.warn("[startup] Could not install pm2-windows-startup: " + e.message);
+        }
+      }
+    }
+  } catch (e) {
+    console.warn("[startup] PM2 startup setup: " + e.message);
+  }
+  try {
+    const moduleList = execSync("pm2 ls --silent 2>/dev/null || true", { timeout: 1e4, encoding: "utf-8" });
+    if (!moduleList.includes("pm2-logrotate")) {
+      console.log("[startup] Installing pm2-logrotate...");
+      execSync("pm2 install pm2-logrotate --silent", { timeout: 6e4, stdio: "ignore" });
+      execSync("pm2 set pm2-logrotate:max_size 10M --silent", { timeout: 5e3, stdio: "ignore" });
+      execSync("pm2 set pm2-logrotate:retain 5 --silent", { timeout: 5e3, stdio: "ignore" });
+      execSync("pm2 set pm2-logrotate:compress true --silent", { timeout: 5e3, stdio: "ignore" });
+      console.log("[startup] Log rotation configured (10MB, 5 files)");
+    }
+  } catch {
+  }
+  try {
+    execSync("pm2 save --silent", { timeout: 1e4, stdio: "ignore" });
+    console.log("[startup] Process list saved");
+  } catch {
+  }
+  try {
+    if (!exists(markerDir)) mkdirSync(markerDir, { recursive: true });
+    writeFileSync(markerFile, (/* @__PURE__ */ new Date()).toISOString() + `
+platform=${platform}
+`, { mode: 384 });
+    console.log("[startup] System persistence configured successfully");
+  } catch {
+  }
+}
+export {
+  runServe
+};

package/dist/cli-update-6ZZTT5UR.js

@@ -0,0 +1,246 @@
+import "./chunk-KFQGP6VL.js";
+
+// src/cli-update.ts
+import { execSync } from "child_process";
+import { readFileSync, writeFileSync, existsSync } from "fs";
+import { join } from "path";
+import { homedir, platform } from "os";
+var PKG_NAME = "@agenticmail/enterprise";
+function getCurrentVersion() {
+  try {
+    const pkgPath = join(import.meta.dirname || __dirname, "..", "package.json");
+    if (existsSync(pkgPath)) {
+      return JSON.parse(readFileSync(pkgPath, "utf-8")).version;
+    }
+  } catch {
+  }
+  try {
+    const out = execSync(`npm ls -g ${PKG_NAME} --json 2>/dev/null`, { encoding: "utf-8", timeout: 1e4 });
+    const data = JSON.parse(out);
+    return data.dependencies?.[PKG_NAME]?.version || "unknown";
+  } catch {
+  }
+  return "unknown";
+}
+async function getLatestVersion() {
+  try {
+    const res = await fetch(`https://registry.npmjs.org/${PKG_NAME}/latest`, {
+      headers: { "Accept": "application/json" },
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    const data = await res.json();
+    return data.version;
+  } catch {
+    try {
+      return execSync(`npm view ${PKG_NAME} version 2>/dev/null`, { encoding: "utf-8", timeout: 1e4 }).trim();
+    } catch {
+    }
+  }
+  return "unknown";
+}
+async function checkForUpdate() {
+  const current = getCurrentVersion();
+  const latest = await getLatestVersion();
+  const updateAvailable = latest !== "unknown" && current !== "unknown" && latest !== current;
+  const info = {
+    current,
+    latest,
+    updateAvailable,
+    checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  try {
+    const cacheDir = join(homedir(), ".agenticmail");
+    const cachePath = join(cacheDir, "update-check.json");
+    writeFileSync(cachePath, JSON.stringify(info, null, 2));
+  } catch {
+  }
+  return info;
+}
+function getCachedUpdateCheck() {
+  try {
+    const cachePath = join(homedir(), ".agenticmail", "update-check.json");
+    if (existsSync(cachePath)) {
+      return JSON.parse(readFileSync(cachePath, "utf-8"));
+    }
+  } catch {
+  }
+  return null;
+}
+async function performUpdate(options) {
+  const current = getCurrentVersion();
+  console.log(`
+  \u{1F380} AgenticMail Enterprise Update
+`);
+  console.log(`  Current version: ${current}`);
+  const latest = await getLatestVersion();
+  console.log(`  Latest version:  ${latest}`);
+  if (latest === current) {
+    console.log(`
+  \u2705 Already up to date!
+`);
+    return { success: true, from: current, to: current, message: "Already up to date" };
+  }
+  if (latest === "unknown") {
+    console.log(`
+  \u274C Could not determine latest version
+`);
+    return { success: false, from: current, to: "unknown", message: "Could not determine latest version" };
+  }
+  console.log(`
+  \u{1F4E6} Installing ${PKG_NAME}@${latest}...`);
+  try {
+    execSync(`npm install -g ${PKG_NAME}@${latest}`, {
+      stdio: "inherit",
+      timeout: 12e4
+    });
+  } catch (err) {
+    console.error(`
+  \u274C Update failed: ${err.message}
+`);
+    return { success: false, from: current, to: latest, message: `npm install failed: ${err.message}` };
+  }
+  const newVersion = getCurrentVersion();
+  console.log(`
+  \u2705 Updated to v${newVersion}`);
+  if (options?.restart !== false) {
+    console.log(`  \u{1F504} Restarting services...`);
+    try {
+      const jlist = execSync('pm2 jlist 2>/dev/null || echo "[]"', { encoding: "utf-8", timeout: 1e4 });
+      const procs = JSON.parse(jlist);
+      const amProcs = procs.filter((p) => {
+        const script = p.pm2_env?.pm_exec_path || "";
+        return script.includes("agenticmail") || script.includes("enterprise");
+      });
+      if (amProcs.length > 0) {
+        const names = amProcs.map((p) => p.name).join(" ");
+        console.log(`  Restarting: ${names}`);
+        execSync(`pm2 restart ${names}`, { stdio: "inherit", timeout: 3e4 });
+        execSync("pm2 save", { stdio: "ignore", timeout: 1e4 });
+        console.log(`  \u2705 All services restarted`);
+      } else {
+        console.log(`  \u26A0\uFE0F  No PM2 processes found \u2014 restart manually if needed`);
+      }
+    } catch (err) {
+      console.log(`  \u26A0\uFE0F  Could not restart PM2: ${err.message}`);
+      console.log(`  Run manually: pm2 restart enterprise && pm2 save`);
+    }
+  }
+  console.log("");
+  return { success: true, from: current, to: newVersion, message: `Updated from ${current} to ${newVersion}` };
+}
+function setupAutoUpdateCron() {
+  console.log(`
+  \u{1F380} Auto-Update Cron Setup
+`);
+  const isWindows = platform() === "win32";
+  if (isWindows) {
+    const taskName = "AgenticMailEnterprise-AutoUpdate";
+    const cmd = `npm install -g ${PKG_NAME}@latest && pm2 restart enterprise && pm2 save`;
+    console.log(`  Creating Windows Task Scheduler entry...`);
+    console.log(`  Task: ${taskName}`);
+    console.log(`  Schedule: Every 6 hours
+`);
+    try {
+      execSync(
+        `schtasks /create /tn "${taskName}" /tr "cmd /c ${cmd}" /sc HOURLY /mo 6 /f`,
+        { stdio: "inherit" }
+      );
+      console.log(`  \u2705 Auto-update scheduled!`);
+      console.log(`  To remove: schtasks /delete /tn "${taskName}" /f
+`);
+    } catch (err) {
+      console.error(`  \u274C Failed: ${err.message}`);
+      console.log(`  Manual alternative:`);
+      console.log(`  schtasks /create /tn "${taskName}" /tr "cmd /c ${cmd}" /sc HOURLY /mo 6
+`);
+    }
+  } else {
+    const npmPath = execSync("which npm", { encoding: "utf-8" }).trim();
+    const pm2Path = execSync("which pm2 2>/dev/null || echo pm2", { encoding: "utf-8" }).trim();
+    const cronLine = `0 */6 * * * ${npmPath} install -g ${PKG_NAME}@latest && ${pm2Path} restart enterprise && ${pm2Path} save 2>/dev/null`;
+    const cronTag = "# agenticmail-auto-update";
+    console.log(`  Adding cron job (every 6 hours):
+`);
+    console.log(`  ${cronLine}
+`);
+    try {
+      const existing = execSync('crontab -l 2>/dev/null || echo ""', { encoding: "utf-8" });
+      if (existing.includes(cronTag)) {
+        console.log(`  \u26A0\uFE0F  Auto-update cron already installed. Replacing...`);
+        const filtered = existing.split("\n").filter((l) => !l.includes(cronTag) && !l.includes("agenticmail")).join("\n");
+        const newCron = `${filtered.trimEnd()}
+${cronLine} ${cronTag}
+`;
+        execSync(`echo "${newCron}" | crontab -`, { timeout: 5e3 });
+      } else {
+        const newCron = `${existing.trimEnd()}
+${cronLine} ${cronTag}
+`;
+        execSync(`echo "${newCron}" | crontab -`, { timeout: 5e3 });
+      }
+      console.log(`  \u2705 Auto-update cron installed!`);
+      console.log(`  To remove: crontab -e and delete the agenticmail line
+`);
+    } catch (err) {
+      console.error(`  \u274C Failed to install cron: ${err.message}`);
+      console.log(`  Manual alternative:`);
+      console.log(`  crontab -e`);
+      console.log(`  Add: ${cronLine}
+`);
+    }
+  }
+}
+function startBackgroundUpdateCheck() {
+  setTimeout(async () => {
+    try {
+      const info = await checkForUpdate();
+      if (info.updateAvailable) {
+        console.log(`[update] \u{1F380} New version available: v${info.latest} (current: v${info.current})`);
+        console.log(`[update] Run: agenticmail-enterprise update`);
+      }
+    } catch {
+    }
+  }, 3e4);
+  setInterval(async () => {
+    try {
+      const info = await checkForUpdate();
+      if (info.updateAvailable) {
+        console.log(`[update] \u{1F380} New version available: v${info.latest} (current: v${info.current})`);
+      }
+    } catch {
+    }
+  }, 6 * 60 * 6e4);
+}
+async function runUpdate(args) {
+  if (args.includes("--cron")) {
+    setupAutoUpdateCron();
+    return;
+  }
+  if (args.includes("--check")) {
+    const info = await checkForUpdate();
+    if (info.updateAvailable) {
+      console.log(`
+  \u{1F380} Update available: v${info.current} \u2192 v${info.latest}`);
+      console.log(`  Run: agenticmail-enterprise update
+`);
+    } else {
+      console.log(`
+  \u2705 Up to date (v${info.current})
+`);
+    }
+    return;
+  }
+  const noRestart = args.includes("--no-restart");
+  await performUpdate({ restart: !noRestart });
+}
+export {
+  checkForUpdate,
+  getCachedUpdateCheck,
+  getCurrentVersion,
+  getLatestVersion,
+  performUpdate,
+  runUpdate,
+  setupAutoUpdateCron,
+  startBackgroundUpdateCheck
+};

package/dist/cli.js

@@ -38,6 +38,10 @@ Commands:
   recover                 Recover a domain/subdomain on a new machine
   reset-password          Reset admin password directly in the database
   verify-domain           Check DNS verification for your domain
+  update / upgrade        Update to the latest version
+    --check               Check for updates without installing
+    --cron                Set up automatic updates (cron/task scheduler)
+    --no-restart          Update without restarting PM2 services
 
 Domain Recovery & Verification:
   npx @agenticmail/enterprise recover
@@ -55,16 +59,20 @@ Skill Development:
   npx @agenticmail/enterprise submit-skill ./community-skills/my-skill/
 `);
     break;
+  case "update":
+  case "upgrade":
+    import("./cli-update-6ZZTT5UR.js").then((m) => m.runUpdate(args.slice(1))).catch(fatal);
+    break;
   case "serve":
   case "start":
-    import("./cli-serve-COPCKGDT.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
+    import("./cli-serve-IOSXZHIK.js").then((m) => m.runServe(args.slice(1))).catch(fatal);
     break;
   case "agent":
-    import("./cli-agent-XCILLLBL.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
+    import("./cli-agent-HWRINZSE.js").then((m) => m.runAgent(args.slice(1))).catch(fatal);
     break;
   case "setup":
   default:
-    import("./setup-LQT3AYBX.js").then((m) => m.runSetupWizard()).catch(fatal);
+    import("./setup-C22ILWUJ.js").then((m) => m.runSetupWizard()).catch(fatal);
     break;
 }
 function fatal(err) {

package/dist/dashboard/app.js

@@ -135,6 +135,8 @@ function App() {
   const [permissions, setPermissions] = useState('*'); // '*' = full access, or { pageId: true | ['tab1','tab2'] }
   const [mustResetPassword, setMustResetPassword] = useState(false);
   const [show2faReminder, setShow2faReminder] = useState(false);
+  const [updateInfo, setUpdateInfo] = useState(null);
+  const [updating, setUpdating] = useState(false);
   const [impersonating, _setImpersonating] = useState(function() {
     try { var s = localStorage.getItem('em_impersonating'); return s ? JSON.parse(s) : null; } catch { return null; }
   });
@@ -329,7 +331,14 @@ function App() {
   if (!authChecked) return h('div', { style: { minHeight: '100vh', display: 'flex', alignItems: 'center', justifyContent: 'center', background: 'var(--bg-primary)', color: 'var(--text-muted)' } }, 'Loading...');
   if (needsSetup === true && !authed) return h(OnboardingWizard, { onComplete: () => { setNeedsSetup(false); setAuthed(true); authCall('/me').then(d => { setUser(d.user || d); }).catch(() => {}); } });
   if (!authed) return h(LoginPage, { onLogin: async (d) => {
-    if (d?.user) { setUser(d.user); if (!d.user.totpEnabled) setShow2faReminder(true); }
+    if (d?.user) {
+      setUser(d.user);
+      if (!d.user.totpEnabled) setShow2faReminder(true);
+      // Check for updates (admin only)
+      if (d.user.role === 'admin' || d.user.role === 'owner') {
+        apiCall('/admin/system/update-check').then(u => { if (u?.updateAvailable) setUpdateInfo(u); }).catch(() => {});
+      }
+    }
     if (d?.mustResetPassword) setMustResetPassword(true);
     // Init encryption before enabling dashboard
     try {
@@ -544,6 +553,37 @@ function App() {
             h('button', { className: 'btn btn-warning btn-sm', onClick: () => { setPage('settings'); setShow2faReminder(false); history.pushState(null, '', '/dashboard/settings'); } }, 'Set Up 2FA'),
             h('button', { className: 'btn btn-ghost btn-sm', onClick: () => setShow2faReminder(false), style: { padding: '2px 6px', minWidth: 0 } }, '\u00d7')
           ),
+          // Update available banner
+          updateInfo && h('div', { style: { display: 'flex', alignItems: 'center', gap: 12, padding: '10px 16px', margin: '0 0 16px', background: 'rgba(16,185,129,0.1)', border: '1px solid rgba(16,185,129,0.4)', borderRadius: 8, fontSize: 13 } },
+            h('span', { style: { fontSize: 18 } }, '\uD83C\uDF80'),
+            h('div', { style: { flex: 1 } },
+              h('strong', null, 'Update Available'),
+              h('span', { style: { color: 'var(--text-secondary)', marginLeft: 6 } },
+                'v' + updateInfo.current + ' \u2192 v' + updateInfo.latest
+              )
+            ),
+            h('button', {
+              className: 'btn btn-sm',
+              disabled: updating,
+              style: { background: 'rgba(16,185,129,0.9)', color: '#fff', border: 'none' },
+              onClick: async () => {
+                setUpdating(true);
+                try {
+                  const r = await apiCall('/admin/system/update', { method: 'POST' });
+                  if (r?.success) {
+                    setUpdateInfo(null);
+                    showToast && showToast('Updated to v' + r.to + ' — services restarting...', 'success');
+                  } else {
+                    showToast && showToast('Update failed: ' + (r?.message || 'unknown'), 'error');
+                  }
+                } catch (e) {
+                  showToast && showToast('Update failed: ' + e.message, 'error');
+                }
+                setUpdating(false);
+              }
+            }, updating ? 'Updating...' : 'Update Now'),
+            h('button', { className: 'btn btn-ghost btn-sm', onClick: () => setUpdateInfo(null), style: { padding: '2px 6px', minWidth: 0 } }, '\u00d7')
+          ),
           selectedAgentId
             ? h(AgentDetailPage, { agentId: selectedAgentId, onBack: () => { _setSelectedAgentId(null); _setPage('agents'); history.pushState(null, '', '/dashboard/agents'); } })
             : page === 'agents'