@agenticmail/enterprise 0.5.447 → 0.5.448

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/dist/chunk-4ABC6JOV.js +7577 -0
  2. package/dist/chunk-QYZ6DR35.js +1728 -0
  3. package/dist/cli-serve-X5MCWNFD.js +322 -0
  4. package/dist/cli.js +2 -2
  5. package/dist/index.js +2 -2
  6. package/dist/server-AXPNA3UP.js +36 -0
  7. package/dist/setup-WCSIIDUZ.js +20 -0
  8. package/package.json +1 -1
package/dist/chunk-QYZ6DR35.js ADDED
@@ -0,0 +1,1728 @@
1
+ import {
2
+ getSupportedDatabases
3
+ } from "./chunk-HPIK224M.js";
4
+
5
+ // src/setup/index.ts
6
+ import { execSync as execSync3 } from "child_process";
7
+ import { createRequire } from "module";
8
+ import { join as join3 } from "path";
9
+
10
+ // src/setup/company.ts
11
+ function toSlug(name) {
12
+ return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "").slice(0, 63);
13
+ }
14
+ function generateAlternatives(companyName) {
15
+ const base = toSlug(companyName);
16
+ const words = companyName.trim().split(/\s+/).map((w) => w.toLowerCase().replace(/[^a-z0-9]/g, "")).filter(Boolean);
17
+ const suggestions = /* @__PURE__ */ new Set();
18
+ suggestions.add(base);
19
+ if (words.length >= 2) {
20
+ const initials = words.map((w) => w[0]).join("");
21
+ if (initials.length >= 2) suggestions.add(initials);
22
+ }
23
+ if (words[0] && words[0] !== base) {
24
+ suggestions.add(words[0]);
25
+ }
26
+ if (words.length >= 3) {
27
+ suggestions.add(`${words[0]}-${words[words.length - 1]}`);
28
+ }
29
+ suggestions.add(`team-${base}`);
30
+ suggestions.add(`app-${base}`);
31
+ suggestions.add(`mail-${words[0] || base}`);
32
+ suggestions.add(`ai-${words[0] || base}`);
33
+ suggestions.add(`${words[0] || base}-hq`);
34
+ suggestions.delete(base);
35
+ return [...suggestions].map((s) => s.slice(0, 63)).slice(0, 5);
36
+ }
37
+ function validateSubdomain(v) {
38
+ const s = v.trim();
39
+ if (!s) return "Subdomain is required";
40
+ if (s.length < 2) return "Subdomain must be at least 2 characters";
41
+ if (s.length > 63) return "Subdomain must be 63 characters or fewer";
42
+ if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/.test(s)) {
43
+ return "Subdomain must be lowercase letters, numbers, and hyphens (cannot start or end with a hyphen)";
44
+ }
45
+ return true;
46
+ }
47
+ async function promptCompanyInfo(inquirer, chalk) {
48
+ console.log(chalk.bold.cyan(" Step 1 of 5: Company Info"));
49
+ console.log(chalk.dim(" Tell us about your organization.\n"));
50
+ const { companyName, adminEmail, adminPassword } = await inquirer.prompt([
51
+ {
52
+ type: "input",
53
+ name: "companyName",
54
+ message: "Company name:",
55
+ validate: (v) => {
56
+ if (!v.trim()) return "Company name is required";
57
+ if (v.length > 100) return "Company name must be under 100 characters";
58
+ return true;
59
+ }
60
+ },
61
+ {
62
+ type: "input",
63
+ name: "adminEmail",
64
+ message: "Admin email:",
65
+ suffix: chalk.dim(" (you will use this to log in to your dashboard)"),
66
+ validate: (v) => {
67
+ if (!v.includes("@") || !v.includes(".")) return "Enter a valid email address";
68
+ return true;
69
+ }
70
+ },
71
+ {
72
+ type: "password",
73
+ name: "adminPassword",
74
+ message: "Admin password:",
75
+ suffix: chalk.dim(" (you will use this to log in to your dashboard)"),
76
+ mask: "*",
77
+ validate: (v) => {
78
+ if (v.length < 8) return "Password must be at least 8 characters";
79
+ if (!/[A-Z]/.test(v) && !/[0-9]/.test(v)) {
80
+ return "Password should contain at least one uppercase letter or number";
81
+ }
82
+ return true;
83
+ }
84
+ }
85
+ ]);
86
+ const suggested = toSlug(companyName);
87
+ const alternatives = generateAlternatives(companyName);
88
+ console.log("");
89
+ console.log(chalk.bold(" Subdomain"));
90
+ console.log(chalk.dim(" Used for your dashboard URL and internal routing.\n"));
91
+ const choices = [
92
+ { name: `${suggested} ${chalk.dim("(recommended)")}`, value: suggested },
93
+ ...alternatives.map((alt) => ({ name: alt, value: alt })),
94
+ new inquirer.Separator(),
95
+ { name: `${chalk.italic("Enter my own...")}`, value: "__custom__" },
96
+ { name: `${chalk.italic("Generate more suggestions")}`, value: "__regenerate__" }
97
+ ];
98
+ let subdomain = suggested;
99
+ let choosing = true;
100
+ while (choosing) {
101
+ const { subdomainChoice } = await inquirer.prompt([{
102
+ type: "list",
103
+ name: "subdomainChoice",
104
+ message: "Choose a subdomain:",
105
+ choices
106
+ }]);
107
+ if (subdomainChoice === "__custom__") {
108
+ const { custom } = await inquirer.prompt([{
109
+ type: "input",
110
+ name: "custom",
111
+ message: "Custom subdomain:",
112
+ suffix: chalk.dim(" (lowercase, letters/numbers/hyphens)"),
113
+ validate: validateSubdomain,
114
+ filter: (v) => v.trim().toLowerCase()
115
+ }]);
116
+ subdomain = custom;
117
+ choosing = false;
118
+ } else if (subdomainChoice === "__regenerate__") {
119
+ const base = toSlug(companyName);
120
+ const words = companyName.trim().split(/\s+/).map((w2) => w2.toLowerCase().replace(/[^a-z0-9]/g, "")).filter(Boolean);
121
+ const w = words[0] || base;
122
+ const rand = () => Math.random().toString(36).slice(2, 5);
123
+ const fresh = [
124
+ `${w}-${rand()}`,
125
+ `${base}-${rand()}`,
126
+ `${w}-agents`,
127
+ `${w}-mail`,
128
+ `${w}-platform`
129
+ ];
130
+ choices.splice(
131
+ 1,
132
+ alternatives.length,
133
+ ...fresh.map((alt) => ({ name: alt, value: alt }))
134
+ );
135
+ } else {
136
+ subdomain = subdomainChoice;
137
+ choosing = false;
138
+ }
139
+ }
140
+ console.log(chalk.dim(` Your subdomain: ${chalk.white(subdomain)}
141
+ `));
142
+ return { companyName, adminEmail, adminPassword, subdomain };
143
+ }
144
+
145
+ // src/setup/database.ts
146
+ var CONNECTION_HINTS = {
147
+ postgres: "postgresql://user:pass@host:5432/dbname",
148
+ mysql: "mysql://user:pass@host:3306/dbname",
149
+ mongodb: "mongodb+srv://user:pass@cluster.mongodb.net/dbname",
150
+ supabase: "postgresql://postgres:pass@db.xxxx.supabase.co:5432/postgres",
151
+ neon: "postgresql://user:pass@ep-xxx.us-east-1.aws.neon.tech/dbname?sslmode=require",
152
+ planetscale: 'mysql://user:pass@aws.connect.psdb.cloud/dbname?ssl={"rejectUnauthorized":true}',
153
+ cockroachdb: "postgresql://user:pass@cluster.cockroachlabs.cloud:26257/dbname?sslmode=verify-full"
154
+ };
155
+ async function promptDatabase(inquirer, chalk) {
156
+ console.log("");
157
+ console.log(chalk.bold.cyan(" Step 2 of 4: Database"));
158
+ console.log(chalk.dim(" Where should your data live?\n"));
159
+ const databases = getSupportedDatabases();
160
+ const supabaseIdx = databases.findIndex((d) => d.type === "supabase");
161
+ const choices = databases.map((d, _i) => ({
162
+ name: d.type === "supabase" ? `${d.label} ${chalk.green("\u2190 recommended (free tier)")} ${chalk.dim("(cloud)")}` : `${d.label} ${chalk.dim(`(${d.group})`)}`,
163
+ value: d.type
164
+ }));
165
+ if (supabaseIdx > 0) {
166
+ const [sb] = choices.splice(supabaseIdx, 1);
167
+ choices.unshift(sb);
168
+ }
169
+ const { dbType } = await inquirer.prompt([
170
+ {
171
+ type: "list",
172
+ name: "dbType",
173
+ message: "Database backend:",
174
+ choices
175
+ }
176
+ ]);
177
+ if (dbType === "supabase") {
178
+ console.log("");
179
+ console.log(chalk.bold(" Supabase \u2014 Free PostgreSQL Database"));
180
+ console.log("");
181
+ console.log(chalk.dim(" If you don't have a Supabase account yet:"));
182
+ console.log("");
183
+ console.log(` 1. Go to ${chalk.cyan.underline("https://supabase.com/dashboard")}`);
184
+ console.log(` 2. Click ${chalk.bold('"Start your project"')} \u2014 sign up with GitHub or email`);
185
+ console.log(` 3. Create a new project (any name, choose a strong password)`);
186
+ console.log(` 4. Go to ${chalk.bold("Settings \u2192 Database \u2192 Connection string")}`);
187
+ console.log(` 5. Select ${chalk.bold('"URI"')} and copy the connection string`);
188
+ console.log(` 6. Replace ${chalk.yellow("[YOUR-PASSWORD]")} with your project password`);
189
+ console.log("");
190
+ console.log(chalk.dim(" Free tier includes: 500MB storage, unlimited API requests, 2 projects"));
191
+ console.log(chalk.dim(" The connection string looks like:"));
192
+ console.log(chalk.dim(" postgresql://postgres.[ref]:[password]@aws-0-[region].pooler.supabase.com:6543/postgres"));
193
+ console.log("");
194
+ }
195
+ if (dbType === "sqlite") {
196
+ const { dbPath } = await inquirer.prompt([{
197
+ type: "input",
198
+ name: "dbPath",
199
+ message: "Database file path:",
200
+ default: "./agenticmail-enterprise.db"
201
+ }]);
202
+ return { type: dbType, connectionString: dbPath };
203
+ }
204
+ if (dbType === "dynamodb") {
205
+ const answers = await inquirer.prompt([
206
+ {
207
+ type: "input",
208
+ name: "region",
209
+ message: "AWS Region:",
210
+ default: "us-east-1"
211
+ },
212
+ {
213
+ type: "input",
214
+ name: "accessKeyId",
215
+ message: "AWS Access Key ID:",
216
+ validate: (v) => v.length > 0 || "Required"
217
+ },
218
+ {
219
+ type: "password",
220
+ name: "secretAccessKey",
221
+ message: "AWS Secret Access Key:",
222
+ mask: "*",
223
+ validate: (v) => v.length > 0 || "Required"
224
+ }
225
+ ]);
226
+ return { type: dbType, ...answers };
227
+ }
228
+ if (dbType === "turso") {
229
+ const answers = await inquirer.prompt([
230
+ {
231
+ type: "input",
232
+ name: "connectionString",
233
+ message: "Turso database URL:",
234
+ suffix: chalk.dim(" (e.g. libsql://db-org.turso.io)"),
235
+ validate: (v) => v.length > 0 || "Required"
236
+ },
237
+ {
238
+ type: "password",
239
+ name: "authToken",
240
+ message: "Turso auth token:",
241
+ mask: "*",
242
+ validate: (v) => v.length > 0 || "Required"
243
+ }
244
+ ]);
245
+ return { type: dbType, connectionString: answers.connectionString, authToken: answers.authToken };
246
+ }
247
+ const hint = CONNECTION_HINTS[dbType] || "";
248
+ const { connectionString } = await inquirer.prompt([{
249
+ type: "input",
250
+ name: "connectionString",
251
+ message: "Connection string:",
252
+ suffix: hint ? chalk.dim(` (e.g. ${hint})`) : "",
253
+ validate: (v) => v.length > 0 || "Connection string is required"
254
+ }]);
255
+ return { type: dbType, connectionString };
256
+ }
257
+
258
+ // src/setup/deployment.ts
259
+ import { execSync, exec as execCb } from "child_process";
260
+ import { promisify } from "util";
261
+ import { existsSync, writeFileSync, readFileSync, statSync } from "fs";
262
+ import { join } from "path";
263
+ import { homedir, platform, arch } from "os";
264
+ var execP = promisify(execCb);
265
+ function whichCmd(bin) {
266
+ const cmd = platform() === "win32" ? `where ${bin}` : `which ${bin}`;
267
+ return execSync(cmd, { encoding: "utf8", timeout: 5e3, stdio: ["pipe", "pipe", "pipe"] }).trim().split(/\r?\n/)[0];
268
+ }
269
+ var SUBDOMAIN_REGISTRY_URL = process.env.AGENTICMAIL_SUBDOMAIN_REGISTRY_URL || "https://registry.agenticmail.io";
270
+ async function promptDeployment(inquirer, chalk, existingSubdomain) {
271
+ console.log("");
272
+ console.log(chalk.bold.cyan(" Step 3 of 4: Deployment"));
273
+ console.log(chalk.dim(" Where should your dashboard run?\n"));
274
+ const { deployTarget } = await inquirer.prompt([{
275
+ type: "list",
276
+ name: "deployTarget",
277
+ message: "Deploy to:",
278
+ choices: [
279
+ {
280
+ name: `AgenticMail Cloud ${chalk.green("\u2190 recommended")} ${chalk.dim("(instant URL, zero config)")}`,
281
+ value: "cloud"
282
+ },
283
+ {
284
+ name: `Cloudflare Tunnel ${chalk.dim("(self-hosted, free, no ports)")}`,
285
+ value: "cloudflare-tunnel"
286
+ },
287
+ {
288
+ name: `Fly.io ${chalk.dim("(your account)")}`,
289
+ value: "fly"
290
+ },
291
+ {
292
+ name: `Railway ${chalk.dim("(your account)")}`,
293
+ value: "railway"
294
+ },
295
+ {
296
+ name: `Docker ${chalk.dim("(self-hosted)")}`,
297
+ value: "docker"
298
+ },
299
+ {
300
+ name: `Local ${chalk.dim("(dev/testing, runs here)")}`,
301
+ value: "local"
302
+ }
303
+ ]
304
+ }]);
305
+ if (deployTarget === "cloud") {
306
+ const cloud = await runCloudSetup(inquirer, chalk, existingSubdomain);
307
+ return { target: deployTarget, cloud };
308
+ }
309
+ if (deployTarget === "cloudflare-tunnel") {
310
+ const tunnel = await runTunnelSetup(inquirer, chalk);
311
+ return { target: deployTarget, tunnel };
312
+ }
313
+ return { target: deployTarget };
314
+ }
315
+ async function runCloudSetup(inquirer, chalk, existingSubdomain) {
316
+ console.log("");
317
+ console.log(chalk.bold(" AgenticMail Cloud Setup"));
318
+ console.log(chalk.dim(" Get a free subdomain on agenticmail.io \u2014 no Cloudflare account needed."));
319
+ console.log(chalk.dim(" Your instance will be live at https://yourname.agenticmail.io\n"));
320
+ let subdomain = "";
321
+ let claimResult = null;
322
+ while (!subdomain) {
323
+ let cleaned;
324
+ if (existingSubdomain) {
325
+ cleaned = existingSubdomain.toLowerCase().trim();
326
+ existingSubdomain = void 0;
327
+ console.log(chalk.dim(` Using subdomain from Step 1: ${chalk.white(cleaned)}.agenticmail.io`));
328
+ } else {
329
+ const { name } = await inquirer.prompt([{
330
+ type: "input",
331
+ name: "name",
332
+ message: "Choose your subdomain:",
333
+ suffix: chalk.dim(".agenticmail.io"),
334
+ validate: (input) => {
335
+ const c = input.toLowerCase().trim();
336
+ if (c.length < 3) return "Must be at least 3 characters";
337
+ if (c.length > 32) return "Must be 32 characters or fewer";
338
+ if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/.test(c)) return "Only lowercase letters, numbers, and hyphens allowed";
339
+ return true;
340
+ }
341
+ }]);
342
+ cleaned = name.toLowerCase().trim();
343
+ }
344
+ process.stdout.write(chalk.dim(` Checking ${cleaned}.agenticmail.io... `));
345
+ try {
346
+ const checkResp = await fetch(`${SUBDOMAIN_REGISTRY_URL}/check?name=${encodeURIComponent(cleaned)}`);
347
+ const checkData = await checkResp.json();
348
+ if (!checkData.available) {
349
+ console.log(chalk.red("\u2717 " + (checkData.reason || "Not available")));
350
+ continue;
351
+ }
352
+ console.log(chalk.green("\u2713 Available!"));
353
+ } catch (err) {
354
+ console.log(chalk.yellow("\u26A0 Could not check availability: " + err.message));
355
+ console.log(chalk.dim(" Proceeding anyway \u2014 the claim step will verify.\n"));
356
+ }
357
+ const { confirmed } = await inquirer.prompt([{
358
+ type: "confirm",
359
+ name: "confirmed",
360
+ message: `Claim ${chalk.bold(cleaned + ".agenticmail.io")}?`,
361
+ default: true
362
+ }]);
363
+ if (!confirmed) continue;
364
+ const { createHash, randomUUID: randomUUID2 } = await import("crypto");
365
+ let vaultKey = process.env.AGENTICMAIL_VAULT_KEY;
366
+ if (!vaultKey) {
367
+ vaultKey = randomUUID2() + randomUUID2();
368
+ process.env.AGENTICMAIL_VAULT_KEY = vaultKey;
369
+ }
370
+ const vaultKeyHash = createHash("sha256").update(vaultKey).digest("hex");
371
+ process.stdout.write(chalk.dim(" Provisioning subdomain... "));
372
+ try {
373
+ const claimResp = await fetch(`${SUBDOMAIN_REGISTRY_URL}/claim`, {
374
+ method: "POST",
375
+ headers: { "Content-Type": "application/json" },
376
+ body: JSON.stringify({ name: cleaned, vaultKeyHash, port: parseInt(process.env.PORT || "8080", 10) })
377
+ });
378
+ claimResult = await claimResp.json();
379
+ if (claimResult.error) {
380
+ console.log(chalk.red("\u2717 " + claimResult.error));
381
+ if (claimResult.error.includes("already has subdomain")) {
382
+ const { wantsRecover } = await inquirer.prompt([{
383
+ type: "confirm",
384
+ name: "wantsRecover",
385
+ message: "Recover your existing subdomain instead?",
386
+ default: true
387
+ }]);
388
+ if (wantsRecover) {
389
+ const recoverResp = await fetch(`${SUBDOMAIN_REGISTRY_URL}/recover`, {
390
+ method: "POST",
391
+ headers: { "Content-Type": "application/json" },
392
+ body: JSON.stringify({ vaultKeyHash })
393
+ });
394
+ claimResult = await recoverResp.json();
395
+ if (claimResult.success) {
396
+ subdomain = claimResult.subdomain;
397
+ console.log(chalk.green(`\u2713 Recovered: ${claimResult.fqdn}`));
398
+ } else {
399
+ console.log(chalk.red("\u2717 Recovery failed: " + (claimResult.error || "Unknown error")));
400
+ }
401
+ }
402
+ }
403
+ continue;
404
+ }
405
+ if (claimResult.success) {
406
+ subdomain = claimResult.subdomain || cleaned;
407
+ if (claimResult.recovered) {
408
+ console.log(chalk.green("\u2713 Recovered existing subdomain"));
409
+ } else {
410
+ console.log(chalk.green("\u2713 Subdomain claimed!"));
411
+ }
412
+ }
413
+ } catch (err) {
414
+ console.log(chalk.red("\u2717 Failed: " + err.message));
415
+ console.log(chalk.dim(" Check your internet connection and try again.\n"));
416
+ }
417
+ }
418
+ console.log("");
419
+ console.log(chalk.bold(" Installing cloudflared connector..."));
420
+ let cloudflaredPath = "";
421
+ try {
422
+ cloudflaredPath = whichCmd("cloudflared");
423
+ console.log(chalk.green(` \u2713 cloudflared found at ${cloudflaredPath}`));
424
+ } catch {
425
+ console.log(chalk.dim(" cloudflared not found \u2014 installing..."));
426
+ try {
427
+ const os = platform();
428
+ if (os === "darwin") {
429
+ execSync("brew install cloudflared", { stdio: "pipe", timeout: 12e4 });
430
+ } else if (os === "linux") {
431
+ const archStr = arch() === "arm64" ? "arm64" : "amd64";
432
+ execSync(`curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${archStr} -o /usr/local/bin/cloudflared && chmod +x /usr/local/bin/cloudflared`, { stdio: "pipe", timeout: 12e4 });
433
+ } else if (os === "win32") {
434
+ const localAppData = process.env.LOCALAPPDATA || `${process.env.USERPROFILE}\\AppData\\Local`;
435
+ const cfDir = `${localAppData}\\cloudflared`;
436
+ const cfExe = `${cfDir}\\cloudflared.exe`;
437
+ let found = false;
438
+ try {
439
+ statSync(cfExe);
440
+ found = true;
441
+ } catch {
442
+ }
443
+ if (!found) {
444
+ try {
445
+ execSync("winget install --id Cloudflare.cloudflared --accept-source-agreements --accept-package-agreements", { stdio: "pipe", timeout: 12e4 });
446
+ found = true;
447
+ } catch {
448
+ console.log(chalk.dim(" winget failed, trying direct download..."));
449
+ try {
450
+ const archStr = arch() === "arm64" ? "arm64" : "amd64";
451
+ const dlUrl = `https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-${archStr}.exe`;
452
+ execSync(`powershell -Command "New-Item -ItemType Directory -Force -Path '${cfDir.replace(/'/g, "''")}' | Out-Null; Invoke-WebRequest -Uri '${dlUrl}' -OutFile '${cfExe.replace(/'/g, "''")}'"`, { stdio: "inherit", timeout: 12e4 });
453
+ found = true;
454
+ } catch (dlErr) {
455
+ console.log(chalk.dim(` Download failed: ${dlErr.message?.substring(0, 100)}`));
456
+ }
457
+ }
458
+ }
459
+ if (found) {
460
+ process.env.PATH = `${cfDir};${process.env.PATH}`;
461
+ }
462
+ } else {
463
+ console.log(chalk.yellow(" Please install cloudflared manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/"));
464
+ }
465
+ cloudflaredPath = whichCmd("cloudflared");
466
+ console.log(chalk.green(` \u2713 cloudflared installed at ${cloudflaredPath}`));
467
+ } catch (e) {
468
+ console.log(chalk.yellow(" \u26A0 Could not auto-install cloudflared."));
469
+ console.log(chalk.dim(" Install manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/"));
470
+ }
471
+ }
472
+ const port = parseInt(process.env.PORT || "8080", 10);
473
+ const fqdn = claimResult?.fqdn || `${subdomain}.agenticmail.io`;
474
+ const tunnelToken = claimResult?.tunnelToken;
475
+ const tunnelId = claimResult?.tunnelId;
476
+ console.log("");
477
+ console.log(chalk.bold.green(" \u2713 Setup Complete!"));
478
+ console.log("");
479
+ console.log(` Your dashboard: ${chalk.bold.cyan("https://" + fqdn)}`);
480
+ console.log("");
481
+ console.log(chalk.yellow.bold(" \u26A0 BACK UP ~/.agenticmail/.env \u26A0 "));
482
+ console.log("");
483
+ console.log(chalk.yellow(" This file contains EVERYTHING needed to recover if your machine crashes:"));
484
+ console.log("");
485
+ console.log(chalk.yellow(" DATABASE_URL \u2014 your database connection"));
486
+ console.log(chalk.yellow(" JWT_SECRET \u2014 login session signing key"));
487
+ console.log(chalk.yellow(" AGENTICMAIL_VAULT_KEY \u2014 encrypted credentials + subdomain recovery"));
488
+ console.log(chalk.yellow(" CLOUDFLARED_TOKEN \u2014 tunnel connection token"));
489
+ console.log(chalk.yellow(" PORT \u2014 server port"));
490
+ console.log("");
491
+ console.log(chalk.bold.yellow(" Copy this file to a safe place (password manager, cloud drive, etc.)"));
492
+ console.log(chalk.bold.yellow(" Without it, you CANNOT recover your subdomain or encrypted data."));
493
+ console.log("");
494
+ console.log(chalk.dim(" To recover on a new machine:"));
495
+ console.log(chalk.cyan(" npx @agenticmail/enterprise recover --cloud"));
496
+ console.log("");
497
+ console.log("");
498
+ console.log(chalk.dim(" To start your instance, run these two processes:"));
499
+ console.log("");
500
+ console.log(` ${chalk.cyan("cloudflared tunnel --no-autoupdate run --token " + (tunnelToken || "<your-tunnel-token>"))}`);
501
+ console.log(` ${chalk.cyan("npx @agenticmail/enterprise start")}`);
502
+ console.log("");
503
+ console.log(chalk.dim(" Or let the setup wizard start them with PM2 (next step).\n"));
504
+ const envPath = join(homedir(), ".agenticmail", ".env");
505
+ try {
506
+ let envContent = "";
507
+ if (existsSync(envPath)) {
508
+ envContent = readFileSync(envPath, "utf8");
509
+ }
510
+ if (tunnelToken && !envContent.includes("CLOUDFLARED_TOKEN=")) {
511
+ envContent += `
512
+ CLOUDFLARED_TOKEN=${tunnelToken}
513
+ `;
514
+ }
515
+ if (!envContent.includes("AGENTICMAIL_SUBDOMAIN=")) {
516
+ envContent += `AGENTICMAIL_SUBDOMAIN=${subdomain}
517
+ `;
518
+ }
519
+ if (!envContent.includes("AGENTICMAIL_DOMAIN=")) {
520
+ envContent += `AGENTICMAIL_DOMAIN=${fqdn}
521
+ `;
522
+ }
523
+ const { mkdirSync } = await import("fs");
524
+ mkdirSync(join(homedir(), ".agenticmail"), { recursive: true });
525
+ writeFileSync(envPath, envContent, { mode: 384 });
526
+ } catch {
527
+ }
528
+ return {
529
+ subdomain,
530
+ fqdn,
531
+ tunnelId: tunnelId || "",
532
+ tunnelToken: tunnelToken || "",
533
+ port
534
+ };
535
+ }
536
+ async function runTunnelSetup(inquirer, chalk) {
537
+ console.log("");
538
+ console.log(chalk.bold(" Cloudflare Tunnel Setup"));
539
+ console.log(chalk.dim(" Exposes your local server to the internet via Cloudflare."));
540
+ console.log(chalk.dim(" No open ports, free TLS, auto-DNS.\n"));
541
+ console.log(chalk.bold(" 1. Cloudflared CLI"));
542
+ let installed = false;
543
+ let version = "";
544
+ try {
545
+ version = execSync("cloudflared --version 2>&1", { encoding: "utf8", timeout: 5e3 }).trim();
546
+ installed = true;
547
+ } catch {
548
+ }
549
+ if (installed) {
550
+ console.log(chalk.green(` \u2713 Installed (${version})
551
+ `));
552
+ } else {
553
+ console.log(chalk.yellow(" Not installed."));
554
+ const { doInstall } = await inquirer.prompt([{
555
+ type: "confirm",
556
+ name: "doInstall",
557
+ message: "Install cloudflared now?",
558
+ default: true
559
+ }]);
560
+ if (!doInstall) {
561
+ console.log(chalk.red("\n cloudflared is required for tunnel deployment."));
562
+ console.log(chalk.dim(" Install it manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/\n"));
563
+ process.exit(1);
564
+ }
565
+ console.log(chalk.dim(" Installing..."));
566
+ try {
567
+ await installCloudflared();
568
+ version = execSync("cloudflared --version 2>&1", { encoding: "utf8", timeout: 5e3 }).trim();
569
+ console.log(chalk.green(` \u2713 Installed (${version})
570
+ `));
571
+ } catch (err) {
572
+ console.log(chalk.red(` \u2717 Installation failed: ${err.message}`));
573
+ console.log(chalk.dim(" Install manually and re-run setup.\n"));
574
+ process.exit(1);
575
+ }
576
+ }
577
+ console.log(chalk.bold(" 2. Cloudflare Authentication"));
578
+ const cfDir = join(homedir(), ".cloudflared");
579
+ const certPath = join(cfDir, "cert.pem");
580
+ const loggedIn = existsSync(certPath);
581
+ if (loggedIn) {
582
+ console.log(chalk.green(" \u2713 Already authenticated\n"));
583
+ } else {
584
+ console.log(chalk.dim(" This will open your browser to authorize Cloudflare.\n"));
585
+ const { doLogin } = await inquirer.prompt([{
586
+ type: "confirm",
587
+ name: "doLogin",
588
+ message: "Open browser to login to Cloudflare?",
589
+ default: true
590
+ }]);
591
+ if (!doLogin) {
592
+ console.log(chalk.red("\n Cloudflare auth is required. Run `cloudflared tunnel login` manually.\n"));
593
+ process.exit(1);
594
+ }
595
+ console.log(chalk.dim(" Waiting for browser authorization..."));
596
+ try {
597
+ await execP("cloudflared tunnel login", { timeout: 12e4 });
598
+ console.log(chalk.green(" \u2713 Authenticated\n"));
599
+ } catch (err) {
600
+ console.log(chalk.red(` \u2717 Login failed or timed out: ${err.message}`));
601
+ console.log(chalk.dim(" Complete the browser authorization and try again.\n"));
602
+ process.exit(1);
603
+ }
604
+ }
605
+ console.log(chalk.bold(" 3. Tunnel Configuration"));
606
+ const { domain, port, tunnelName } = await inquirer.prompt([
607
+ {
608
+ type: "input",
609
+ name: "domain",
610
+ message: "Domain (e.g. dashboard.yourcompany.com):",
611
+ validate: (v) => v.includes(".") ? true : "Enter a valid domain"
612
+ },
613
+ {
614
+ type: "number",
615
+ name: "port",
616
+ message: "Local port:",
617
+ default: 3200
618
+ },
619
+ {
620
+ type: "input",
621
+ name: "tunnelName",
622
+ message: "Tunnel name:",
623
+ default: "agenticmail-enterprise"
624
+ }
625
+ ]);
626
+ console.log("");
627
+ console.log(chalk.bold(" 4. Deploying"));
628
+ let tunnelId = "";
629
+ try {
630
+ console.log(chalk.dim(" Creating tunnel..."));
631
+ const out = execSync(`cloudflared tunnel create ${tunnelName} 2>&1`, { encoding: "utf8", timeout: 3e4 });
632
+ const match = out.match(/Created tunnel .+ with id ([a-f0-9-]+)/);
633
+ tunnelId = match?.[1] || "";
634
+ console.log(chalk.green(` \u2713 Tunnel created: ${tunnelName} (${tunnelId})`));
635
+ } catch (e) {
636
+ if (e.message?.includes("already exists") || e.stderr?.includes("already exists")) {
637
+ try {
638
+ const listOut = execSync("cloudflared tunnel list --output json 2>&1", { encoding: "utf8", timeout: 15e3 });
639
+ const tunnels = JSON.parse(listOut);
640
+ const existing = tunnels.find((t) => t.name === tunnelName);
641
+ if (existing) {
642
+ tunnelId = existing.id;
643
+ console.log(chalk.green(` \u2713 Using existing tunnel: ${tunnelName} (${tunnelId})`));
644
+ }
645
+ } catch {
646
+ console.log(chalk.red(` \u2717 Tunnel "${tunnelName}" exists but couldn't read its ID`));
647
+ process.exit(1);
648
+ }
649
+ } else {
650
+ console.log(chalk.red(` \u2717 Failed to create tunnel: ${e.message}`));
651
+ process.exit(1);
652
+ }
653
+ }
654
+ if (!tunnelId) {
655
+ console.log(chalk.red(" \u2717 Could not determine tunnel ID"));
656
+ process.exit(1);
657
+ }
658
+ const config = [
659
+ `tunnel: ${tunnelId}`,
660
+ `credentials-file: ${join(cfDir, tunnelId + ".json")}`,
661
+ "",
662
+ "ingress:",
663
+ ` - hostname: ${domain}`,
664
+ ` service: http://localhost:${port}`,
665
+ " - service: http_status:404"
666
+ ].join("\n");
667
+ writeFileSync(join(cfDir, "config.yml"), config);
668
+ console.log(chalk.green(` \u2713 Config written: ${domain} \u2192 localhost:${port}`));
669
+ try {
670
+ execSync(`cloudflared tunnel route dns ${tunnelId} ${domain} 2>&1`, { encoding: "utf8", timeout: 3e4 });
671
+ console.log(chalk.green(` \u2713 DNS CNAME created: ${domain}`));
672
+ } catch (e) {
673
+ if (e.message?.includes("already exists") || e.stderr?.includes("already exists")) {
674
+ console.log(chalk.green(` \u2713 DNS CNAME already exists for ${domain}`));
675
+ } else {
676
+ console.log(chalk.yellow(` \u26A0 DNS routing failed \u2014 add CNAME manually: ${domain} \u2192 ${tunnelId}.cfargotunnel.com`));
677
+ }
678
+ }
679
+ let started = false;
680
+ try {
681
+ whichCmd("pm2");
682
+ try {
683
+ execSync("pm2 delete cloudflared 2>/dev/null", { timeout: 5e3 });
684
+ } catch {
685
+ }
686
+ execSync(`pm2 start cloudflared --name cloudflared -- tunnel run`, { encoding: "utf8", timeout: 15e3 });
687
+ try {
688
+ execSync("pm2 save 2>/dev/null", { timeout: 5e3 });
689
+ } catch {
690
+ }
691
+ try {
692
+ const startupOut = execSync("pm2 startup 2>&1", { encoding: "utf8", timeout: 15e3 });
693
+ const sudoMatch = startupOut.match(/sudo .+$/m);
694
+ if (sudoMatch) try {
695
+ execSync(sudoMatch[0], { timeout: 15e3, stdio: "pipe" });
696
+ } catch {
697
+ }
698
+ } catch {
699
+ }
700
+ console.log(chalk.green(" \u2713 Tunnel running via PM2 (auto-restarts on crash + reboot)"));
701
+ started = true;
702
+ } catch {
703
+ }
704
+ if (!started) {
705
+ try {
706
+ console.log(chalk.dim(" Installing PM2 for process management..."));
707
+ execSync("npm install -g pm2", { timeout: 6e4, stdio: "pipe" });
708
+ try {
709
+ execSync("pm2 delete cloudflared 2>/dev/null", { timeout: 5e3 });
710
+ } catch {
711
+ }
712
+ execSync(`pm2 start cloudflared --name cloudflared -- tunnel run`, { encoding: "utf8", timeout: 15e3 });
713
+ try {
714
+ execSync("pm2 save 2>/dev/null", { timeout: 5e3 });
715
+ } catch {
716
+ }
717
+ try {
718
+ const startupOut = execSync("pm2 startup 2>&1", { encoding: "utf8", timeout: 15e3 });
719
+ const sudoMatch = startupOut.match(/sudo .+$/m);
720
+ if (sudoMatch) try {
721
+ execSync(sudoMatch[0], { timeout: 15e3, stdio: "pipe" });
722
+ } catch {
723
+ }
724
+ } catch {
725
+ }
726
+ console.log(chalk.green(" \u2713 PM2 installed + tunnel running (auto-restarts on crash + reboot)"));
727
+ started = true;
728
+ } catch {
729
+ console.log(chalk.yellow(" \u26A0 PM2 not available \u2014 tunnel started in background"));
730
+ console.log(chalk.dim(" Install PM2 for auto-restart: npm install -g pm2"));
731
+ try {
732
+ const { spawn: spawn2 } = await import("child_process");
733
+ const child = spawn2("cloudflared", ["tunnel", "run"], { detached: true, stdio: "ignore" });
734
+ child.unref();
735
+ started = true;
736
+ } catch {
737
+ }
738
+ }
739
+ }
740
+ console.log("");
741
+ console.log(chalk.green.bold(` \u2713 Tunnel deployed! Your dashboard will be at https://${domain}`));
742
+ console.log("");
743
+ return { tunnelId, domain, port, tunnelName };
744
+ }
745
+ async function installCloudflared() {
746
+ const plat = platform();
747
+ const a = arch();
748
+ if (plat === "darwin") {
749
+ try {
750
+ whichCmd("brew");
751
+ execSync("brew install cloudflared 2>&1", { encoding: "utf8", timeout: 12e4 });
752
+ return;
753
+ } catch {
754
+ }
755
+ const cfArch = a === "arm64" ? "arm64" : "amd64";
756
+ execSync(
757
+ `curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-${cfArch} && chmod +x /usr/local/bin/cloudflared`,
758
+ { timeout: 6e4 }
759
+ );
760
+ } else if (plat === "linux") {
761
+ const cfArch = a === "arm64" ? "arm64" : "amd64";
762
+ execSync(
763
+ `curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${cfArch} && chmod +x /usr/local/bin/cloudflared`,
764
+ { timeout: 6e4 }
765
+ );
766
+ } else {
767
+ throw new Error("Unsupported platform: " + plat);
768
+ }
769
+ }
770
+
771
+ // src/setup/domain.ts
772
+ async function promptDomain(inquirer, chalk, deployTarget) {
773
+ if (deployTarget === "local") {
774
+ return {};
775
+ }
776
+ console.log("");
777
+ console.log(chalk.bold.cyan(" Step 4 of 5: Custom Domain"));
778
+ console.log(chalk.dim(" Configure how your team will access the dashboard.\n"));
779
+ const targetHints = {
780
+ cloud: "By default, your dashboard is at <subdomain>.agenticmail.io. Add a custom domain for a branded URL.",
781
+ docker: "Configure your reverse proxy (nginx, Caddy, etc.) to route your domain to the Docker container.",
782
+ fly: "After deploying, run `fly certs add <domain>` to provision TLS for your domain.",
783
+ railway: "Add your domain in Railway project settings after deploying."
784
+ };
785
+ if (targetHints[deployTarget]) {
786
+ console.log(chalk.dim(` ${targetHints[deployTarget]}`));
787
+ console.log("");
788
+ }
789
+ const { domainMode } = await inquirer.prompt([{
790
+ type: "list",
791
+ name: "domainMode",
792
+ message: "Domain setup:",
793
+ choices: [
794
+ {
795
+ name: `Use default subdomain only ${chalk.dim("(<subdomain>.agenticmail.io)")}`,
796
+ value: "subdomain_only"
797
+ },
798
+ {
799
+ name: `Add a custom subdomain ${chalk.dim("(e.g. agents.yourcompany.com)")}`,
800
+ value: "custom_subdomain"
801
+ },
802
+ {
803
+ name: `Deploy on my root domain ${chalk.dim("(e.g. yourcompany.com \u2014 no subdomain)")}`,
804
+ value: "root_domain"
805
+ }
806
+ ]
807
+ }]);
808
+ if (domainMode === "subdomain_only") {
809
+ return {};
810
+ }
811
+ const isRoot = domainMode === "root_domain";
812
+ const { domain } = await inquirer.prompt([{
813
+ type: "input",
814
+ name: "domain",
815
+ message: isRoot ? "Your domain:" : "Custom domain:",
816
+ suffix: isRoot ? chalk.dim(" (e.g. yourcompany.com)") : chalk.dim(" (e.g. agents.yourcompany.com)"),
817
+ validate: (v) => {
818
+ const d = v.trim().toLowerCase();
819
+ if (!d.includes(".")) return "Enter a valid domain (e.g. yourcompany.com)";
820
+ if (d.startsWith("http")) return "Enter just the domain, not a URL";
821
+ if (d.endsWith(".")) return "Do not include a trailing dot";
822
+ return true;
823
+ },
824
+ filter: (v) => v.trim().toLowerCase()
825
+ }]);
826
+ if (isRoot) {
827
+ console.log("");
828
+ console.log(chalk.bold(" Root Domain Deployment"));
829
+ console.log(chalk.dim(` Your dashboard will be accessible at: ${chalk.white("https://" + domain)}`));
830
+ console.log(chalk.dim(" This means the entire domain is dedicated to your AgenticMail deployment."));
831
+ console.log("");
832
+ }
833
+ console.log("");
834
+ console.log(chalk.dim(" After setup, you will need DNS records for this domain:"));
835
+ console.log("");
836
+ if (isRoot) {
837
+ console.log(chalk.dim(` 1. ${chalk.white("A record")} \u2014 point ${domain} to your server IP`));
838
+ console.log(chalk.dim(` (or CNAME if your provider allows it at the apex)`));
839
+ } else {
840
+ console.log(chalk.dim(` 1. ${chalk.white("CNAME or A record")} \u2014 routes traffic to your server`));
841
+ }
842
+ console.log(chalk.dim(` 2. ${chalk.white("TXT record")} \u2014 proves domain ownership (next step)`));
843
+ console.log("");
844
+ return {
845
+ customDomain: domain,
846
+ useRootDomain: isRoot || void 0
847
+ };
848
+ }
849
+
850
+ // src/setup/registration.ts
851
+ import { randomBytes } from "crypto";
852
+ var REGISTRY_BASE_URL = process.env.AGENTICMAIL_REGISTRY_URL || "https://agenticmail.io/enterprise/v1";
853
+ async function promptRegistration(inquirer, chalk, ora, domain, companyName, adminEmail) {
854
+ if (!domain) {
855
+ return { registered: false, verificationStatus: "skipped" };
856
+ }
857
+ console.log("");
858
+ console.log(chalk.bold.cyan(" Step 5 of 5: Domain Registration"));
859
+ console.log(chalk.dim(" Protect your deployment from unauthorized duplication.\n"));
860
+ const { wantsRegistration } = await inquirer.prompt([{
861
+ type: "confirm",
862
+ name: "wantsRegistration",
863
+ message: `Register ${chalk.bold(domain)} with AgenticMail?`,
864
+ default: true
865
+ }]);
866
+ if (!wantsRegistration) {
867
+ console.log(chalk.dim(" Skipped. You can register later from the dashboard.\n"));
868
+ return { registered: false, verificationStatus: "skipped" };
869
+ }
870
+ const spinner = ora("Generating deployment key...").start();
871
+ const { createHash } = await import("crypto");
872
+ const plaintextKey = randomBytes(32).toString("hex");
873
+ const keyHash = createHash("sha256").update(plaintextKey).digest("hex");
874
+ spinner.succeed("Deployment key generated");
875
+ spinner.start("Registering domain with AgenticMail registry...");
876
+ const registryUrl = REGISTRY_BASE_URL.replace(/\/$/, "");
877
+ let registrationId;
878
+ let dnsChallenge;
879
+ try {
880
+ const res = await fetch(`${registryUrl}/domains/register`, {
881
+ method: "POST",
882
+ headers: { "Content-Type": "application/json" },
883
+ body: JSON.stringify({
884
+ domain: domain.toLowerCase().trim(),
885
+ keyHash,
886
+ sha256Hash: keyHash,
887
+ orgName: companyName,
888
+ contactEmail: adminEmail
889
+ }),
890
+ signal: AbortSignal.timeout(15e3)
891
+ });
892
+ const data = await res.json().catch(() => ({}));
893
+ if (res.status === 409) {
894
+ spinner.info("Domain already registered \u2014 verifying ownership");
895
+ console.log("");
896
+ console.log(chalk.yellow(" This domain is already registered and verified."));
897
+ console.log(chalk.dim(" Enter your deployment key to prove ownership and continue.\n"));
898
+ const { deploymentKey } = await inquirer.prompt([{
899
+ type: "password",
900
+ name: "deploymentKey",
901
+ message: "Deployment key:",
902
+ mask: "*",
903
+ validate: (v) => v.length === 64 || "Deployment key should be 64 hex characters"
904
+ }]);
905
+ const recoverSpinner = ora("Verifying deployment key...").start();
906
+ try {
907
+ const recoverRes = await fetch(`${registryUrl}/domains/recover`, {
908
+ method: "POST",
909
+ headers: { "Content-Type": "application/json" },
910
+ body: JSON.stringify({
911
+ domain: domain.toLowerCase().trim(),
912
+ deploymentKey
913
+ }),
914
+ signal: AbortSignal.timeout(15e3)
915
+ });
916
+ const recoverData = await recoverRes.json().catch(() => ({}));
917
+ if (recoverRes.status === 403) {
918
+ recoverSpinner.fail("Invalid deployment key");
919
+ console.log("");
920
+ console.log(chalk.red(" The deployment key does not match this domain."));
921
+ console.log("");
922
+ const { continueAnyway } = await inquirer.prompt([{
923
+ type: "confirm",
924
+ name: "continueAnyway",
925
+ message: "Continue setup without registration?",
926
+ default: true
927
+ }]);
928
+ if (continueAnyway) {
929
+ return { registered: false, verificationStatus: "skipped" };
930
+ }
931
+ process.exit(1);
932
+ }
933
+ if (!recoverRes.ok) {
934
+ throw new Error(recoverData.error || `HTTP ${recoverRes.status}`);
935
+ }
936
+ recoverSpinner.succeed("Ownership verified \u2014 domain recovered");
937
+ registrationId = recoverData.registrationId;
938
+ dnsChallenge = recoverData.dnsChallenge;
939
+ const verifyRes = await fetch(`${registryUrl}/domains/verify`, {
940
+ method: "POST",
941
+ headers: { "Content-Type": "application/json" },
942
+ body: JSON.stringify({ domain: domain.toLowerCase().trim() }),
943
+ signal: AbortSignal.timeout(15e3)
944
+ });
945
+ const verifyData = await verifyRes.json().catch(() => ({}));
946
+ const { createHash: createHash2 } = await import("crypto");
947
+ const localKeyHash = createHash2("sha256").update(deploymentKey).digest("hex");
948
+ return {
949
+ registered: true,
950
+ deploymentKeyHash: localKeyHash,
951
+ dnsChallenge,
952
+ registrationId,
953
+ verificationStatus: verifyData?.verified ? "verified" : "pending_dns"
954
+ };
955
+ } catch (err) {
956
+ recoverSpinner.fail(`Recovery failed: ${err.message}`);
957
+ const { continueAnyway } = await inquirer.prompt([{
958
+ type: "confirm",
959
+ name: "continueAnyway",
960
+ message: "Continue setup without registration?",
961
+ default: true
962
+ }]);
963
+ if (continueAnyway) {
964
+ return { registered: false, verificationStatus: "skipped" };
965
+ }
966
+ process.exit(1);
967
+ }
968
+ }
969
+ if (!res.ok) {
970
+ throw new Error(data.error || `HTTP ${res.status}`);
971
+ }
972
+ registrationId = data.registrationId;
973
+ dnsChallenge = data.dnsChallenge;
974
+ spinner.succeed("Domain registered");
975
+ } catch (err) {
976
+ spinner.warn("Registry unavailable");
977
+ console.log("");
978
+ console.log(chalk.yellow(` Could not reach registry: ${err.message}`));
979
+ console.log(chalk.dim(" You can register later with: npx @agenticmail/enterprise verify-domain"));
980
+ console.log("");
981
+ const { continueAnyway } = await inquirer.prompt([{
982
+ type: "confirm",
983
+ name: "continueAnyway",
984
+ message: "Continue setup without registration?",
985
+ default: true
986
+ }]);
987
+ if (continueAnyway) {
988
+ return { registered: false, verificationStatus: "skipped" };
989
+ }
990
+ process.exit(1);
991
+ }
992
+ console.log("");
993
+ console.log(chalk.red.bold(" \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
994
+ console.log(chalk.red.bold(" \u2551") + chalk.white.bold(" DEPLOYMENT KEY \u2014 SAVE THIS NOW ") + chalk.red.bold("\u2551"));
995
+ console.log(chalk.red.bold(" \u2551") + " " + chalk.red.bold("\u2551"));
996
+ console.log(chalk.red.bold(" \u2551") + ` ${chalk.green.bold(plaintextKey)} ` + chalk.red.bold("\u2551"));
997
+ console.log(chalk.red.bold(" \u2551") + " " + chalk.red.bold("\u2551"));
998
+ console.log(chalk.red.bold(" \u2551") + chalk.dim(" This key is shown ONCE. Store it securely (password manager, ") + chalk.red.bold("\u2551"));
999
+ console.log(chalk.red.bold(" \u2551") + chalk.dim(" vault, printed backup). You need it to recover this domain. ") + chalk.red.bold("\u2551"));
1000
+ console.log(chalk.red.bold(" \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
1001
+ console.log("");
1002
+ console.log(chalk.bold(" Add this DNS TXT record to prove domain ownership:"));
1003
+ console.log("");
1004
+ console.log(` ${chalk.bold("Host:")} ${chalk.cyan(`_agenticmail-verify.${domain}`)}`);
1005
+ console.log(` ${chalk.bold("Type:")} ${chalk.cyan("TXT")}`);
1006
+ console.log(` ${chalk.bold("Value:")} ${chalk.cyan(dnsChallenge)}`);
1007
+ console.log("");
1008
+ console.log(chalk.dim(" DNS changes can take up to 48 hours to propagate."));
1009
+ console.log("");
1010
+ await inquirer.prompt([{
1011
+ type: "confirm",
1012
+ name: "keySaved",
1013
+ message: "I have saved my deployment key",
1014
+ default: false
1015
+ }]);
1016
+ const { checkNow } = await inquirer.prompt([{
1017
+ type: "confirm",
1018
+ name: "checkNow",
1019
+ message: "Check DNS verification now?",
1020
+ default: false
1021
+ }]);
1022
+ let verificationStatus = "pending_dns";
1023
+ if (checkNow) {
1024
+ for (let attempt = 1; attempt <= 5; attempt++) {
1025
+ spinner.start(`Checking DNS (attempt ${attempt}/5)...`);
1026
+ try {
1027
+ const res = await fetch(`${registryUrl}/domains/verify`, {
1028
+ method: "POST",
1029
+ headers: { "Content-Type": "application/json" },
1030
+ body: JSON.stringify({ domain: domain.toLowerCase().trim() }),
1031
+ signal: AbortSignal.timeout(15e3)
1032
+ });
1033
+ const data = await res.json().catch(() => ({}));
1034
+ if (data.verified) {
1035
+ spinner.succeed("Domain verified!");
1036
+ verificationStatus = "verified";
1037
+ break;
1038
+ }
1039
+ } catch {
1040
+ }
1041
+ if (attempt < 5) {
1042
+ spinner.text = `DNS record not found yet. Retrying in 10s (attempt ${attempt}/5)...`;
1043
+ await new Promise((r) => setTimeout(r, 1e4));
1044
+ } else {
1045
+ spinner.info("DNS record not found yet");
1046
+ console.log(chalk.dim(" Run later: npx @agenticmail/enterprise verify-domain"));
1047
+ }
1048
+ }
1049
+ } else {
1050
+ console.log(chalk.dim(" Run when ready: npx @agenticmail/enterprise verify-domain"));
1051
+ }
1052
+ console.log("");
1053
+ return {
1054
+ registered: true,
1055
+ deploymentKeyHash: keyHash,
1056
+ dnsChallenge,
1057
+ registrationId,
1058
+ verificationStatus
1059
+ };
1060
+ }
1061
+
1062
+ // src/setup/provision.ts
1063
+ import { randomUUID, randomBytes as randomBytes2 } from "crypto";
1064
+ import { execSync as execSync2, spawn } from "child_process";
1065
+ import { statSync as statSync2, readFileSync as readFileSync2 } from "fs";
1066
+ import { join as join2 } from "path";
1067
+ import { homedir as homedir2 } from "os";
1068
+ function generateOrgId() {
1069
+ const chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
1070
+ const bytes = randomBytes2(10);
1071
+ let id = "";
1072
+ for (let i = 0; i < 10; i++) id += chars[bytes[i] % chars.length];
1073
+ return id;
1074
+ }
1075
+ async function provision(config, ora, chalk) {
1076
+ const spinner = ora("Connecting to database...").start();
1077
+ const jwtSecret = randomUUID() + randomUUID();
1078
+ const vaultKey = randomUUID() + randomUUID();
1079
+ try {
1080
+ const { createAdapter } = await import("./factory-R6MMSC2X.js");
1081
+ const db = await createAdapter({
1082
+ type: config.database.type,
1083
+ connectionString: config.database.connectionString,
1084
+ region: config.database.region,
1085
+ accessKeyId: config.database.accessKeyId,
1086
+ secretAccessKey: config.database.secretAccessKey,
1087
+ authToken: config.database.authToken
1088
+ });
1089
+ spinner.text = "Running migrations...";
1090
+ await db.migrate();
1091
+ spinner.succeed("Database ready");
1092
+ const engineDbInterface = db.getEngineDB();
1093
+ if (engineDbInterface) {
1094
+ spinner.start("Initializing engine...");
1095
+ const { EngineDatabase } = await import("./db-adapter-W2DTNCAL.js");
1096
+ const dialectMap = {
1097
+ sqlite: "sqlite",
1098
+ postgres: "postgres",
1099
+ supabase: "postgres",
1100
+ neon: "postgres",
1101
+ cockroachdb: "postgres",
1102
+ mysql: "mysql",
1103
+ planetscale: "mysql",
1104
+ turso: "turso"
1105
+ };
1106
+ const engineDialect = dialectMap[db.getDialect()] || db.getDialect();
1107
+ const engineDb = new EngineDatabase(engineDbInterface, engineDialect);
1108
+ const migResult = await engineDb.migrate();
1109
+ spinner.succeed(`Engine ready (${migResult.applied} migrations applied)`);
1110
+ }
1111
+ spinner.start("Creating company...");
1112
+ const orgId = generateOrgId();
1113
+ const corsOrigins = [];
1114
+ if (config.domain.customDomain) {
1115
+ corsOrigins.push(`https://${config.domain.customDomain}`);
1116
+ }
1117
+ if (config.company.subdomain) {
1118
+ corsOrigins.push(`https://${config.company.subdomain}.agenticmail.io`);
1119
+ }
1120
+ if (config.deployTarget === "local") {
1121
+ corsOrigins.push("http://localhost:3000", "http://localhost:8080", "http://127.0.0.1:3000", "http://127.0.0.1:8080");
1122
+ }
1123
+ await db.updateSettings({
1124
+ name: config.company.companyName,
1125
+ subdomain: config.company.subdomain,
1126
+ domain: config.domain.customDomain,
1127
+ orgId,
1128
+ ...corsOrigins.length > 0 ? {
1129
+ firewallConfig: {
1130
+ network: { corsOrigins }
1131
+ }
1132
+ } : {}
1133
+ });
1134
+ spinner.succeed(`Company created (org: ${orgId})`);
1135
+ if (config.registration?.registered) {
1136
+ spinner.start("Saving domain registration...");
1137
+ await db.updateSettings({
1138
+ deploymentKeyHash: config.registration.deploymentKeyHash,
1139
+ domainRegistrationId: config.registration.registrationId,
1140
+ domainDnsChallenge: config.registration.dnsChallenge,
1141
+ domainRegisteredAt: (/* @__PURE__ */ new Date()).toISOString(),
1142
+ domainStatus: config.registration.verificationStatus === "verified" ? "verified" : "pending_dns",
1143
+ ...config.registration.verificationStatus === "verified" ? { domainVerifiedAt: (/* @__PURE__ */ new Date()).toISOString() } : {}
1144
+ });
1145
+ spinner.succeed("Domain registration saved");
1146
+ }
1147
+ spinner.start("Creating admin account...");
1148
+ let admin;
1149
+ try {
1150
+ admin = await db.createUser({
1151
+ email: config.company.adminEmail,
1152
+ name: "Admin",
1153
+ role: "owner",
1154
+ password: config.company.adminPassword
1155
+ });
1156
+ } catch (err) {
1157
+ if (err.message?.includes("duplicate key") || err.message?.includes("UNIQUE constraint") || err.code === "23505") {
1158
+ admin = await db.getUserByEmail(config.company.adminEmail);
1159
+ if (!admin) throw err;
1160
+ spinner.text = "Admin account already exists, reusing...";
1161
+ } else {
1162
+ throw err;
1163
+ }
1164
+ }
1165
+ await db.logEvent({
1166
+ actor: admin.id,
1167
+ actorType: "system",
1168
+ action: "setup.complete",
1169
+ resource: `company:${config.company.subdomain}`,
1170
+ details: {
1171
+ dbType: config.database.type,
1172
+ deployTarget: config.deployTarget,
1173
+ companyName: config.company.companyName
1174
+ }
1175
+ });
1176
+ spinner.succeed("Admin account created");
1177
+ try {
1178
+ const { writeFileSync: writeFileSync2, existsSync: existsSync2, mkdirSync } = await import("fs");
1179
+ const { join: join4 } = await import("path");
1180
+ const { homedir: homedir3 } = await import("os");
1181
+ const envDir = join4(homedir3(), ".agenticmail");
1182
+ if (!existsSync2(envDir)) mkdirSync(envDir, { recursive: true });
1183
+ const port = config.tunnel?.port || (config.deployTarget === "local" ? 3e3 : void 0) || (config.deployTarget === "docker" ? 3e3 : void 0) || 3200;
1184
+ let existingEnv = "";
1185
+ const envFilePath = join4(envDir, ".env");
1186
+ if (existsSync2(envFilePath)) {
1187
+ try {
1188
+ existingEnv = (await import("fs")).readFileSync(envFilePath, "utf8");
1189
+ } catch {
1190
+ }
1191
+ }
1192
+ const envMap = /* @__PURE__ */ new Map();
1193
+ for (const line of existingEnv.split("\n")) {
1194
+ const t = line.trim();
1195
+ if (!t || t.startsWith("#")) continue;
1196
+ const eq = t.indexOf("=");
1197
+ if (eq > 0) envMap.set(t.slice(0, eq).trim(), t.slice(eq + 1).trim());
1198
+ }
1199
+ envMap.set("DATABASE_URL", config.database.connectionString || "");
1200
+ envMap.set("JWT_SECRET", jwtSecret);
1201
+ envMap.set("AGENTICMAIL_VAULT_KEY", vaultKey);
1202
+ envMap.set("PORT", String(port));
1203
+ if (config.cloud?.tunnelToken) envMap.set("CLOUDFLARED_TOKEN", config.cloud.tunnelToken);
1204
+ if (config.cloud?.subdomain) envMap.set("AGENTICMAIL_SUBDOMAIN", config.cloud.subdomain);
1205
+ if (config.cloud?.fqdn) envMap.set("AGENTICMAIL_DOMAIN", config.cloud.fqdn);
1206
+ const envContent = [
1207
+ "# AgenticMail Enterprise \u2014 auto-generated by setup wizard",
1208
+ "# BACK UP THIS FILE! You need it to recover on a new machine.",
1209
+ ...Array.from(envMap.entries()).map(([k, v]) => `${k}=${v}`)
1210
+ ].join("\n") + "\n";
1211
+ writeFileSync2(join4(envDir, ".env"), envContent, { mode: 384 });
1212
+ spinner.succeed(`Config saved to ~/.agenticmail/.env`);
1213
+ } catch {
1214
+ }
1215
+ const result = await deploy(config, db, jwtSecret, vaultKey, spinner, chalk);
1216
+ return {
1217
+ success: true,
1218
+ url: result.url,
1219
+ jwtSecret,
1220
+ db,
1221
+ serverClose: result.close
1222
+ };
1223
+ } catch (err) {
1224
+ spinner.fail(`Setup failed: ${err.message}`);
1225
+ return {
1226
+ success: false,
1227
+ error: err.message,
1228
+ jwtSecret,
1229
+ db: null
1230
+ };
1231
+ }
1232
+ }
1233
+ async function deploy(config, db, jwtSecret, vaultKey, spinner, chalk) {
1234
+ const { deployTarget, company, database, domain, tunnel, cloud } = config;
1235
+ if (deployTarget === "cloudflare-tunnel" && tunnel) {
1236
+ spinner.start(`Starting local server on port ${tunnel.port}...`);
1237
+ const { createServer: createServer2 } = await import("./server-AXPNA3UP.js");
1238
+ const server2 = createServer2({ port: tunnel.port, db, jwtSecret });
1239
+ const handle2 = await server2.start();
1240
+ spinner.succeed("Server running");
1241
+ console.log("");
1242
+ console.log(chalk.green.bold(" AgenticMail Enterprise is live!"));
1243
+ console.log("");
1244
+ console.log(` ${chalk.bold("Public URL:")} ${chalk.cyan("https://" + tunnel.domain)}`);
1245
+ console.log(` ${chalk.bold("Local:")} ${chalk.cyan("http://localhost:" + tunnel.port)}`);
1246
+ console.log(` ${chalk.bold("Tunnel:")} ${tunnel.tunnelName} (${tunnel.tunnelId})`);
1247
+ console.log(` ${chalk.bold("Admin:")} ${company.adminEmail}`);
1248
+ console.log("");
1249
+ console.log(chalk.dim(" Tunnel is managed by PM2 \u2014 auto-restarts on crash."));
1250
+ console.log(chalk.dim(" Manage: pm2 status | pm2 logs cloudflared | pm2 restart cloudflared"));
1251
+ console.log(chalk.dim(" Press Ctrl+C to stop the server"));
1252
+ return { url: "https://" + tunnel.domain, close: handle2.close };
1253
+ }
1254
+ if (deployTarget === "cloud" && cloud) {
1255
+ spinner.start("Configuring agenticmail.io deployment...");
1256
+ try {
1257
+ const whichCmd2 = process.platform === "win32" ? "where" : "which";
1258
+ execSync2(`${whichCmd2} cloudflared`, { stdio: "pipe", timeout: 5e3 });
1259
+ } catch {
1260
+ spinner.text = "Installing cloudflared...";
1261
+ try {
1262
+ if (process.platform === "win32") {
1263
+ try {
1264
+ execSync2("winget install --id Cloudflare.cloudflared --accept-source-agreements --accept-package-agreements", { stdio: "pipe", timeout: 12e4 });
1265
+ } catch {
1266
+ const archStr = process.arch === "arm64" ? "arm64" : "amd64";
1267
+ const localAppData = process.env.LOCALAPPDATA || join2(process.env.USERPROFILE || homedir2(), "AppData", "Local");
1268
+ const cfDir = join2(localAppData, "cloudflared");
1269
+ const cfExe = join2(cfDir, "cloudflared.exe");
1270
+ const dlUrl = `https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-${archStr}.exe`;
1271
+ execSync2(`powershell -Command "New-Item -ItemType Directory -Force -Path '${cfDir.replace(/'/g, "''")}' | Out-Null; Invoke-WebRequest -Uri '${dlUrl}' -OutFile '${cfExe.replace(/'/g, "''")}'"`, { stdio: "pipe", timeout: 12e4 });
1272
+ process.env.PATH = `${cfDir};${process.env.PATH}`;
1273
+ }
1274
+ } else if (process.platform === "darwin") {
1275
+ execSync2("brew install cloudflared", { stdio: "pipe", timeout: 12e4 });
1276
+ } else {
1277
+ const archStr = process.arch === "arm64" ? "arm64" : "amd64";
1278
+ execSync2(`curl -L -o /usr/local/bin/cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-${archStr} && chmod +x /usr/local/bin/cloudflared`, { stdio: "pipe", timeout: 12e4 });
1279
+ }
1280
+ } catch {
1281
+ }
1282
+ }
1283
+ try {
1284
+ execSync2("npm ls -g pm2 --depth=0", { stdio: "pipe", timeout: 1e4 });
1285
+ } catch {
1286
+ spinner.text = "Installing PM2 process manager...";
1287
+ try {
1288
+ execSync2("npm install -g pm2", { stdio: "pipe", timeout: 6e4 });
1289
+ } catch {
1290
+ }
1291
+ }
1292
+ try {
1293
+ try {
1294
+ execSync2("pm2 delete cloudflared 2>&1", { stdio: "pipe", timeout: 1e4 });
1295
+ } catch {
1296
+ }
1297
+ try {
1298
+ execSync2("pm2 delete enterprise 2>&1", { stdio: "pipe", timeout: 1e4 });
1299
+ } catch {
1300
+ }
1301
+ let cfPath = "";
1302
+ try {
1303
+ const whichBin = process.platform === "win32" ? "where" : "which";
1304
+ cfPath = execSync2(`${whichBin} cloudflared`, { encoding: "utf8", timeout: 5e3 }).trim().split("\n")[0].trim();
1305
+ } catch {
1306
+ }
1307
+ if (!cfPath && process.platform === "win32") {
1308
+ const localAppData = process.env.LOCALAPPDATA || `${process.env.USERPROFILE}\\AppData\\Local`;
1309
+ const candidate = `${localAppData}\\cloudflared\\cloudflared.exe`;
1310
+ try {
1311
+ statSync2(candidate);
1312
+ cfPath = candidate;
1313
+ } catch {
1314
+ }
1315
+ }
1316
+ if (!cfPath) throw new Error("cloudflared not found \u2014 install it first");
1317
+ const amDir = join2(homedir2(), ".agenticmail");
1318
+ const { writeFileSync: writeFileSync2, mkdirSync } = await import("fs");
1319
+ try {
1320
+ mkdirSync(amDir, { recursive: true });
1321
+ } catch {
1322
+ }
1323
+ const startScript = join2(amDir, "start.cjs");
1324
+ writeFileSync2(startScript, [
1325
+ `// Auto-generated by AgenticMail setup \u2014 do not edit`,
1326
+ `const { readFileSync } = require('fs');`,
1327
+ `const { join } = require('path');`,
1328
+ `// Load .env`,
1329
+ `try {`,
1330
+ ` const envFile = join(__dirname, '.env');`,
1331
+ ` const lines = readFileSync(envFile, 'utf8').split('\\n');`,
1332
+ ` for (const line of lines) {`,
1333
+ ` const m = line.match(/^([A-Z_]+)=(.*)$/);`,
1334
+ ` if (m && !process.env[m[1]]) process.env[m[1]] = m[2];`,
1335
+ ` }`,
1336
+ `} catch {}`,
1337
+ `// Run via npx (shell:true handles .cmd on Windows)`,
1338
+ `const { spawnSync } = require('child_process');`,
1339
+ `const r = spawnSync('npx', ['@agenticmail/enterprise', 'start'], {`,
1340
+ ` stdio: 'inherit', env: process.env, shell: process.platform === 'win32'`,
1341
+ `});`,
1342
+ `process.exit(r.status || 0);`
1343
+ ].join("\n"));
1344
+ const cfScript = join2(amDir, "cloudflared.cjs");
1345
+ writeFileSync2(cfScript, [
1346
+ `// Auto-generated by AgenticMail setup \u2014 do not edit`,
1347
+ `const { spawnSync } = require('child_process');`,
1348
+ `const r = spawnSync(${JSON.stringify(cfPath)}, process.argv.slice(2), {`,
1349
+ ` stdio: 'inherit'`,
1350
+ `});`,
1351
+ `process.exit(r.status || 0);`
1352
+ ].join("\n"));
1353
+ const safeToken = String(cloud.tunnelToken || "").replace(/[^a-zA-Z0-9_.-]/g, "");
1354
+ execSync2(`pm2 start "${cfScript}" --name cloudflared -- tunnel --no-autoupdate run --token ${safeToken}`, { stdio: "pipe", timeout: 15e3 });
1355
+ const envLines = [
1356
+ `PORT=${cloud.port || 8080}`,
1357
+ `DATABASE_URL=${database.connectionString || ""}`,
1358
+ `JWT_SECRET=${jwtSecret}`,
1359
+ `AGENTICMAIL_VAULT_KEY=${vaultKey}`,
1360
+ `AGENTICMAIL_DOMAIN=${cloud.fqdn}`
1361
+ ];
1362
+ const envFile = join2(amDir, ".env");
1363
+ try {
1364
+ const existing = readFileSync2(envFile, "utf8");
1365
+ for (const line of envLines) {
1366
+ const key = line.split("=")[0];
1367
+ if (!existing.includes(`${key}=`)) {
1368
+ writeFileSync2(envFile, existing.trimEnd() + "\n" + line + "\n");
1369
+ }
1370
+ }
1371
+ } catch {
1372
+ }
1373
+ execSync2(`pm2 start "${startScript}" --name enterprise`, {
1374
+ stdio: "pipe",
1375
+ timeout: 3e4,
1376
+ env: {
1377
+ ...process.env,
1378
+ PORT: String(cloud.port || 8080),
1379
+ DATABASE_URL: database.connectionString || "",
1380
+ JWT_SECRET: jwtSecret,
1381
+ AGENTICMAIL_VAULT_KEY: vaultKey,
1382
+ AGENTICMAIL_DOMAIN: cloud.fqdn
1383
+ }
1384
+ });
1385
+ await new Promise((r) => setTimeout(r, 5e3));
1386
+ const jlist = execSync2("pm2 jlist", { encoding: "utf8", timeout: 1e4 });
1387
+ const procs = JSON.parse(jlist);
1388
+ const cfOnline = procs.find((p) => p.name === "cloudflared")?.pm2_env?.status === "online";
1389
+ const entOnline = procs.find((p) => p.name === "enterprise")?.pm2_env?.status === "online";
1390
+ if (!cfOnline || !entOnline) throw new Error(`cloudflared=${cfOnline ? "ok" : "down"}, enterprise=${entOnline ? "ok" : "down"}`);
1391
+ try {
1392
+ execSync2("pm2 save", { timeout: 1e4, stdio: "pipe" });
1393
+ } catch {
1394
+ }
1395
+ try {
1396
+ const startupOut = execSync2("pm2 startup 2>&1", { encoding: "utf8", timeout: 15e3 });
1397
+ const sudoMatch = startupOut.match(/sudo .+$/m);
1398
+ if (sudoMatch) try {
1399
+ execSync2(sudoMatch[0], { timeout: 15e3, stdio: "pipe" });
1400
+ } catch {
1401
+ }
1402
+ } catch {
1403
+ }
1404
+ spinner.succeed(`Live at https://${cloud.fqdn}`);
1405
+ console.log(chalk.dim(" PM2 will auto-restart on crash and survive reboots."));
1406
+ } catch (e) {
1407
+ spinner.warn(`PM2 setup failed: ${e.message}`);
1408
+ console.log(chalk.dim(" Starting processes directly instead...\n"));
1409
+ let fallbackCfPath = "";
1410
+ try {
1411
+ const whichBin = process.platform === "win32" ? "where" : "which";
1412
+ fallbackCfPath = execSync2(`${whichBin} cloudflared`, { encoding: "utf8", timeout: 5e3 }).trim().split("\n")[0].trim();
1413
+ } catch {
1414
+ }
1415
+ if (!fallbackCfPath && process.platform === "win32") {
1416
+ const localAppData = process.env.LOCALAPPDATA || `${process.env.USERPROFILE}\\AppData\\Local`;
1417
+ const candidate = `${localAppData}\\cloudflared\\cloudflared.exe`;
1418
+ try {
1419
+ statSync2(candidate);
1420
+ fallbackCfPath = candidate;
1421
+ } catch {
1422
+ }
1423
+ }
1424
+ const serverEnv = {
1425
+ ...process.env,
1426
+ PORT: String(cloud.port || 8080),
1427
+ DATABASE_URL: database.connectionString || "",
1428
+ JWT_SECRET: jwtSecret,
1429
+ AGENTICMAIL_VAULT_KEY: vaultKey,
1430
+ AGENTICMAIL_DOMAIN: cloud.fqdn
1431
+ };
1432
+ if (fallbackCfPath) {
1433
+ const cfProc = spawn(fallbackCfPath, ["tunnel", "--no-autoupdate", "run", "--token", cloud.tunnelToken], {
1434
+ detached: true,
1435
+ stdio: "ignore",
1436
+ env: process.env
1437
+ });
1438
+ cfProc.unref();
1439
+ }
1440
+ const entProc = spawn("npx", ["@agenticmail/enterprise", "start"], {
1441
+ detached: true,
1442
+ stdio: "ignore",
1443
+ env: serverEnv,
1444
+ shell: true
1445
+ // Required on Windows for npx
1446
+ });
1447
+ entProc.unref();
1448
+ await new Promise((r) => setTimeout(r, 8e3));
1449
+ spinner.succeed(`Live at https://${cloud.fqdn}`);
1450
+ console.log(chalk.yellow(" Note: Processes running in background. They will stop when you close this terminal."));
1451
+ console.log(chalk.dim(" For persistence, install PM2: npm install -g pm2"));
1452
+ }
1453
+ console.log("");
1454
+ console.log(chalk.bold.green(" \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
1455
+ console.log(chalk.bold.green(" Your dashboard is ready!"));
1456
+ console.log(chalk.bold.green(" \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
1457
+ console.log("");
1458
+ console.log(` ${chalk.bold("URL:")} ${chalk.cyan("https://" + cloud.fqdn)}`);
1459
+ console.log(` ${chalk.bold("Email:")} ${chalk.white(config.company.adminEmail)}`);
1460
+ console.log(` ${chalk.bold("Password:")} ${chalk.white(config.company.adminPassword)}`);
1461
+ console.log("");
1462
+ console.log(chalk.dim(" Open the URL above and sign in with these credentials."));
1463
+ console.log(chalk.dim(" To recover on a new machine, keep your AGENTICMAIL_VAULT_KEY safe."));
1464
+ console.log("");
1465
+ return { url: `https://${cloud.fqdn}` };
1466
+ }
1467
+ if (deployTarget === "docker") {
1468
+ const { generateDockerCompose, generateEnvFile } = await import("./managed-T2RBYB2W.js");
1469
+ const compose = generateDockerCompose({ port: 3e3 });
1470
+ const envFile = generateEnvFile({
1471
+ dbType: database.type,
1472
+ dbConnectionString: database.connectionString || "",
1473
+ jwtSecret,
1474
+ vaultKey
1475
+ });
1476
+ const { writeFileSync: writeFileSync2, existsSync: existsSync2, appendFileSync } = await import("fs");
1477
+ writeFileSync2("docker-compose.yml", compose);
1478
+ writeFileSync2(".env", envFile);
1479
+ if (existsSync2(".gitignore")) {
1480
+ const content = await import("fs").then((f) => f.readFileSync(".gitignore", "utf-8"));
1481
+ if (!content.includes(".env")) {
1482
+ appendFileSync(".gitignore", "\n# Secrets\n.env\n");
1483
+ }
1484
+ } else {
1485
+ writeFileSync2(".gitignore", "# Secrets\n.env\nnode_modules/\n");
1486
+ }
1487
+ spinner.succeed("docker-compose.yml + .env generated");
1488
+ console.log("");
1489
+ console.log(chalk.green.bold(" Docker deployment ready!"));
1490
+ console.log("");
1491
+ console.log(` Run: ${chalk.cyan("docker compose up -d")}`);
1492
+ console.log(` Dashboard: ${chalk.cyan("http://localhost:3000")}`);
1493
+ console.log("");
1494
+ console.log(` ${chalk.bold("Login email:")} ${chalk.white(config.company.adminEmail)}`);
1495
+ console.log(` ${chalk.bold("Login password:")} ${chalk.white(config.company.adminPassword)}`);
1496
+ console.log("");
1497
+ console.log(chalk.dim(" Secrets stored in .env \u2014 do not commit to git"));
1498
+ if (domain.customDomain) {
1499
+ printCustomDomainInstructions(chalk, domain.customDomain, "docker");
1500
+ }
1501
+ return { url: "http://localhost:3000" };
1502
+ }
1503
+ if (deployTarget === "fly") {
1504
+ const { generateFlyToml } = await import("./managed-T2RBYB2W.js");
1505
+ const flyToml = generateFlyToml(`am-${company.subdomain}`, "iad");
1506
+ const { writeFileSync: writeFileSync2 } = await import("fs");
1507
+ writeFileSync2("fly.toml", flyToml);
1508
+ spinner.succeed("fly.toml generated");
1509
+ console.log("");
1510
+ console.log(chalk.green.bold(" Fly.io deployment ready!"));
1511
+ console.log("");
1512
+ console.log(` 1. ${chalk.cyan("fly launch --copy-config")}`);
1513
+ console.log(` 2. ${chalk.cyan(`fly secrets set DATABASE_URL="${database.connectionString}" JWT_SECRET="${jwtSecret}" AGENTICMAIL_VAULT_KEY="${vaultKey}"`)}`);
1514
+ console.log(` 3. ${chalk.cyan("fly deploy")}`);
1515
+ if (domain.customDomain) {
1516
+ console.log(` 4. ${chalk.cyan(`fly certs add ${domain.customDomain}`)}`);
1517
+ printCustomDomainInstructions(chalk, domain.customDomain, "fly", `am-${company.subdomain}.fly.dev`);
1518
+ }
1519
+ return {};
1520
+ }
1521
+ if (deployTarget === "railway") {
1522
+ const { generateRailwayConfig } = await import("./managed-T2RBYB2W.js");
1523
+ const railwayConfig = generateRailwayConfig();
1524
+ const { writeFileSync: writeFileSync2 } = await import("fs");
1525
+ writeFileSync2("railway.toml", railwayConfig);
1526
+ spinner.succeed("railway.toml generated");
1527
+ console.log("");
1528
+ console.log(chalk.green.bold(" Railway deployment ready!"));
1529
+ console.log("");
1530
+ console.log(` 1. ${chalk.cyan("railway init")}`);
1531
+ console.log(` 2. ${chalk.cyan("railway link")}`);
1532
+ console.log(` 3. ${chalk.cyan("railway up")}`);
1533
+ if (domain.customDomain) {
1534
+ printCustomDomainInstructions(chalk, domain.customDomain, "railway");
1535
+ }
1536
+ return {};
1537
+ }
1538
+ spinner.start("Starting local server...");
1539
+ const { createServer } = await import("./server-AXPNA3UP.js");
1540
+ const server = createServer({ port: 3e3, db, jwtSecret });
1541
+ const handle = await server.start();
1542
+ spinner.succeed("Server running");
1543
+ console.log("");
1544
+ console.log(chalk.green.bold(" AgenticMail Enterprise is running!"));
1545
+ console.log("");
1546
+ console.log(` ${chalk.bold("Dashboard:")} ${chalk.cyan("http://localhost:3000")}`);
1547
+ console.log(` ${chalk.bold("Email:")} ${chalk.white(company.adminEmail)}`);
1548
+ console.log(` ${chalk.bold("Password:")} ${chalk.white(company.adminPassword)}`);
1549
+ console.log("");
1550
+ console.log(chalk.dim(" Press Ctrl+C to stop"));
1551
+ return { url: "http://localhost:3000", close: handle.close };
1552
+ }
1553
+ function printCustomDomainInstructions(chalk, domain, target, cnameTarget) {
1554
+ console.log("");
1555
+ console.log(chalk.bold(" Custom Domain DNS Setup"));
1556
+ console.log(chalk.dim(` Route ${chalk.white(domain)} to your deployment.
1557
+ `));
1558
+ if (target === "cloud" && cnameTarget) {
1559
+ console.log(chalk.bold(" Add this DNS record at your domain registrar:"));
1560
+ console.log("");
1561
+ console.log(` ${chalk.bold("Type:")} ${chalk.cyan("CNAME")}`);
1562
+ console.log(` ${chalk.bold("Host:")} ${chalk.cyan(domain)}`);
1563
+ console.log(` ${chalk.bold("Value:")} ${chalk.cyan(cnameTarget)}`);
1564
+ } else if (target === "fly" && cnameTarget) {
1565
+ console.log(chalk.bold(" Add this DNS record at your domain registrar:"));
1566
+ console.log("");
1567
+ console.log(` ${chalk.bold("Type:")} ${chalk.cyan("CNAME")}`);
1568
+ console.log(` ${chalk.bold("Host:")} ${chalk.cyan(domain)}`);
1569
+ console.log(` ${chalk.bold("Value:")} ${chalk.cyan(cnameTarget)}`);
1570
+ console.log("");
1571
+ console.log(chalk.dim(" Fly.io will automatically provision a TLS certificate."));
1572
+ } else if (target === "railway") {
1573
+ console.log(chalk.bold(" After deploying:"));
1574
+ console.log("");
1575
+ console.log(` 1. Open your Railway project dashboard`);
1576
+ console.log(` 2. Go to ${chalk.bold("Settings")} \u2192 ${chalk.bold("Domains")}`);
1577
+ console.log(` 3. Add ${chalk.cyan(domain)} as a custom domain`);
1578
+ console.log(` 4. Railway will show you a ${chalk.bold("CNAME")} target \u2014 add it at your DNS provider`);
1579
+ } else if (target === "docker") {
1580
+ console.log(chalk.bold(" Configure your reverse proxy to route traffic:"));
1581
+ console.log("");
1582
+ console.log(` ${chalk.bold("Domain:")} ${chalk.cyan(domain)}`);
1583
+ console.log(` ${chalk.bold("Target:")} ${chalk.cyan("localhost:3000")} ${chalk.dim("(or your Docker host IP)")}`);
1584
+ console.log("");
1585
+ console.log(chalk.dim(" Example with nginx:"));
1586
+ console.log(chalk.dim(""));
1587
+ console.log(chalk.dim(" server {"));
1588
+ console.log(chalk.dim(` server_name ${domain};`));
1589
+ console.log(chalk.dim(" location / {"));
1590
+ console.log(chalk.dim(" proxy_pass http://localhost:3000;"));
1591
+ console.log(chalk.dim(" proxy_set_header Host $host;"));
1592
+ console.log(chalk.dim(" proxy_set_header X-Real-IP $remote_addr;"));
1593
+ console.log(chalk.dim(" }"));
1594
+ console.log(chalk.dim(" }"));
1595
+ console.log("");
1596
+ console.log(chalk.dim(" Then add a DNS A record pointing to your server IP,"));
1597
+ console.log(chalk.dim(" or a CNAME if you have an existing hostname."));
1598
+ }
1599
+ console.log("");
1600
+ console.log(chalk.dim(" Note: This CNAME/A record routes traffic. A separate TXT record"));
1601
+ console.log(chalk.dim(" for domain verification was (or will be) configured in Step 5."));
1602
+ console.log("");
1603
+ }
1604
+
1605
+ // src/setup/index.ts
1606
+ var DB_DRIVER_MAP = {
1607
+ postgres: ["pg"],
1608
+ supabase: ["pg"],
1609
+ neon: ["pg"],
1610
+ cockroachdb: ["pg"],
1611
+ mysql: ["mysql2"],
1612
+ planetscale: ["mysql2"],
1613
+ mongodb: ["mongodb"],
1614
+ sqlite: ["better-sqlite3"],
1615
+ turso: ["@libsql/client"],
1616
+ dynamodb: ["@aws-sdk/client-dynamodb", "@aws-sdk/lib-dynamodb"]
1617
+ };
1618
+ async function ensureDbDriver(dbType, ora, chalk) {
1619
+ const packages = DB_DRIVER_MAP[dbType];
1620
+ if (!packages?.length) return;
1621
+ const missing = [];
1622
+ for (const pkg of packages) {
1623
+ let found = false;
1624
+ try {
1625
+ await import(pkg);
1626
+ found = true;
1627
+ } catch {
1628
+ }
1629
+ if (!found) {
1630
+ try {
1631
+ const req = createRequire(join3(process.cwd(), "index.js"));
1632
+ req.resolve(pkg);
1633
+ found = true;
1634
+ } catch {
1635
+ }
1636
+ }
1637
+ if (!found) {
1638
+ try {
1639
+ const globalPrefix = execSync3("npm prefix -g", { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
1640
+ const req = createRequire(join3(globalPrefix, "lib", "node_modules", ".package-lock.json"));
1641
+ req.resolve(pkg);
1642
+ found = true;
1643
+ } catch {
1644
+ }
1645
+ }
1646
+ if (!found) missing.push(pkg);
1647
+ }
1648
+ if (!missing.length) return;
1649
+ const spinner = ora(`Installing database driver: ${missing.join(", ")}...`).start();
1650
+ try {
1651
+ execSync3(`npm install --no-save ${missing.join(" ")}`, {
1652
+ stdio: "pipe",
1653
+ timeout: 12e4,
1654
+ cwd: process.cwd()
1655
+ });
1656
+ spinner.succeed(`Database driver installed: ${missing.join(", ")}`);
1657
+ } catch (err) {
1658
+ spinner.fail(`Failed to install ${missing.join(", ")}`);
1659
+ console.error(chalk.red(`
1660
+ Run manually: npm install ${missing.join(" ")}
1661
+ `));
1662
+ process.exit(1);
1663
+ }
1664
+ }
1665
+ async function runSetupWizard() {
1666
+ const { default: inquirer } = await import("inquirer");
1667
+ const { default: ora } = await import("ora");
1668
+ const { default: chalk } = await import("chalk");
1669
+ console.log("");
1670
+ console.log(chalk.cyan(" \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
1671
+ console.log(chalk.cyan(" \u2551") + chalk.bold.white(" \u{1F380} AgenticMail Enterprise \u{1F380} ") + chalk.cyan("\u2551"));
1672
+ console.log(chalk.cyan(" \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
1673
+ console.log("");
1674
+ console.log(chalk.bold.white(" The AI Agent Operating System for Organizations"));
1675
+ console.log("");
1676
+ console.log(chalk.dim(" You are about to set up a complete enterprise platform for"));
1677
+ console.log(chalk.dim(" deploying, managing, and securing AI agents at scale."));
1678
+ console.log("");
1679
+ console.log(` ${chalk.cyan("\u25CF")} ${chalk.white("AI agents with real email identities & inboxes")}`);
1680
+ console.log(` ${chalk.cyan("\u25CF")} ${chalk.white("Full dashboard \u2014 workforce, security, compliance")}`);
1681
+ console.log(` ${chalk.cyan("\u25CF")} ${chalk.white("Google & Microsoft 365 integration")}`);
1682
+ console.log(` ${chalk.cyan("\u25CF")} ${chalk.white("Telegram, WhatsApp, Slack & Discord channels")}`);
1683
+ console.log(` ${chalk.cyan("\u25CF")} ${chalk.white("DLP, guardrails, vault & audit logging")}`);
1684
+ console.log(` ${chalk.cyan("\u25CF")} ${chalk.white("Voice agents \u2014 join Google Meet calls")}`);
1685
+ console.log(` ${chalk.cyan("\u25CF")} ${chalk.white("Multi-tenant with client org isolation")}`);
1686
+ console.log("");
1687
+ console.log(chalk.dim(" \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
1688
+ console.log("");
1689
+ const company = await promptCompanyInfo(inquirer, chalk);
1690
+ const database = await promptDatabase(inquirer, chalk);
1691
+ const deploymentResult = await promptDeployment(inquirer, chalk, company.subdomain);
1692
+ const deployTarget = deploymentResult.target;
1693
+ const domain = deploymentResult.tunnel ? { customDomain: deploymentResult.tunnel.domain } : deploymentResult.cloud ? { customDomain: deploymentResult.cloud.fqdn } : await promptDomain(inquirer, chalk, deployTarget);
1694
+ const registration = deploymentResult.tunnel || deploymentResult.cloud ? { registered: true, verificationStatus: "verified" } : await promptRegistration(
1695
+ inquirer,
1696
+ chalk,
1697
+ ora,
1698
+ domain.customDomain,
1699
+ company.companyName,
1700
+ company.adminEmail
1701
+ );
1702
+ await ensureDbDriver(database.type, ora, chalk);
1703
+ console.log("");
1704
+ console.log(chalk.dim(" \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
1705
+ console.log("");
1706
+ const result = await provision(
1707
+ { company, database, deployTarget, domain, registration, tunnel: deploymentResult.tunnel, cloud: deploymentResult.cloud },
1708
+ ora,
1709
+ chalk
1710
+ );
1711
+ if (!result.success) {
1712
+ console.error("");
1713
+ console.error(chalk.red(` Setup failed: ${result.error}`));
1714
+ console.error(chalk.dim(" Check your database connection and try again."));
1715
+ process.exit(1);
1716
+ }
1717
+ console.log("");
1718
+ }
1719
+
1720
+ export {
1721
+ promptCompanyInfo,
1722
+ promptDatabase,
1723
+ promptDeployment,
1724
+ promptDomain,
1725
+ promptRegistration,
1726
+ provision,
1727
+ runSetupWizard
1728
+ };