@agenticmail/enterprise 0.5.5 → 0.5.7

package/dist/turso-A7AO3JDH.js

@@ -0,0 +1,495 @@
+import {
+  getAllCreateStatements
+} from "./chunk-XMDE2NGH.js";
+import {
+  DatabaseAdapter
+} from "./chunk-FLRYMSKY.js";
+import "./chunk-2ESYSVXG.js";
+
+// src/db/turso.ts
+import { randomUUID, createHash } from "crypto";
+var libsqlClient;
+async function getClient() {
+  if (!libsqlClient) {
+    try {
+      libsqlClient = await import("@libsql/client");
+    } catch {
+      throw new Error("Turso driver not found. Install: npm install @libsql/client");
+    }
+  }
+  return libsqlClient;
+}
+var TursoAdapter = class extends DatabaseAdapter {
+  type = "turso";
+  client = null;
+  async connect(config) {
+    const lib = await getClient();
+    this.client = lib.createClient({
+      url: config.connectionString || "file:./agenticmail-enterprise.db",
+      authToken: config.authToken
+    });
+  }
+  async disconnect() {
+    if (this.client) this.client.close();
+  }
+  isConnected() {
+    return this.client !== null;
+  }
+  // ─── Engine Integration ──────────────────────────────────
+  getEngineDB() {
+    if (!this.client) return null;
+    const client = this.client;
+    return {
+      run: async (sql, params) => {
+        await client.execute({ sql, args: params || [] });
+      },
+      get: async (sql, params) => {
+        const result = await client.execute({ sql, args: params || [] });
+        return result.rows?.[0] || void 0;
+      },
+      all: async (sql, params) => {
+        const result = await client.execute({ sql, args: params || [] });
+        return result.rows || [];
+      }
+    };
+  }
+  getDialect() {
+    return "turso";
+  }
+  async run(sql, args = []) {
+    return this.client.execute({ sql, args });
+  }
+  async get(sql, args = []) {
+    const result = await this.run(sql, args);
+    if (!result.rows || result.rows.length === 0) return null;
+    return result.rows[0];
+  }
+  async all(sql, args = []) {
+    const result = await this.run(sql, args);
+    return result.rows || [];
+  }
+  async migrate() {
+    const stmts = getAllCreateStatements();
+    await this.client.batch(
+      stmts.map((sql) => ({ sql, args: [] })).concat([
+        { sql: `INSERT OR IGNORE INTO retention_policy (id) VALUES ('default')`, args: [] }
+      ]),
+      "write"
+    );
+  }
+  // ─── Company ─────────────────────────────────────────────
+  async getSettings() {
+    const r = await this.get("SELECT * FROM company_settings WHERE id = ?", ["default"]);
+    return r ? this.mapSettings(r) : null;
+  }
+  async updateSettings(updates) {
+    const map = {
+      name: "name",
+      domain: "domain",
+      subdomain: "subdomain",
+      smtpHost: "smtp_host",
+      smtpPort: "smtp_port",
+      smtpUser: "smtp_user",
+      smtpPass: "smtp_pass",
+      dkimPrivateKey: "dkim_private_key",
+      logoUrl: "logo_url",
+      primaryColor: "primary_color",
+      plan: "plan",
+      deploymentKeyHash: "deployment_key_hash",
+      domainRegistrationId: "domain_registration_id",
+      domainDnsChallenge: "domain_dns_challenge",
+      domainVerifiedAt: "domain_verified_at",
+      domainRegisteredAt: "domain_registered_at",
+      domainStatus: "domain_status"
+    };
+    const sets = [];
+    const vals = [];
+    for (const [key, col] of Object.entries(map)) {
+      if (updates[key] !== void 0) {
+        sets.push(`${col} = ?`);
+        vals.push(updates[key]);
+      }
+    }
+    if (updates.ssoConfig !== void 0) {
+      sets.push("sso_config = ?");
+      vals.push(JSON.stringify(updates.ssoConfig));
+    }
+    if (updates.toolSecurityConfig !== void 0) {
+      sets.push("tool_security_config = ?");
+      vals.push(JSON.stringify(updates.toolSecurityConfig));
+    }
+    if (updates.firewallConfig !== void 0) {
+      sets.push("firewall_config = ?");
+      vals.push(JSON.stringify(updates.firewallConfig));
+    }
+    if (updates.modelPricingConfig !== void 0) {
+      sets.push("model_pricing_config = ?");
+      vals.push(JSON.stringify(updates.modelPricingConfig));
+    }
+    sets.push("updated_at = datetime('now')");
+    vals.push("default");
+    await this.run(`UPDATE company_settings SET ${sets.join(", ")} WHERE id = ?`, vals);
+    return this.getSettings();
+  }
+  // ─── Agents ──────────────────────────────────────────────
+  async createAgent(input) {
+    const id = input.id || randomUUID();
+    const email = input.email || `${input.name.toLowerCase().replace(/\s+/g, "-")}@localhost`;
+    await this.run(
+      `INSERT INTO agents (id, name, email, role, metadata, created_by) VALUES (?, ?, ?, ?, ?, ?)`,
+      [id, input.name, email, input.role || "assistant", JSON.stringify(input.metadata || {}), input.createdBy]
+    );
+    return await this.getAgent(id);
+  }
+  async getAgent(id) {
+    const r = await this.get("SELECT * FROM agents WHERE id = ?", [id]);
+    return r ? this.mapAgent(r) : null;
+  }
+  async getAgentByName(name) {
+    const r = await this.get("SELECT * FROM agents WHERE name = ?", [name]);
+    return r ? this.mapAgent(r) : null;
+  }
+  async listAgents(opts) {
+    let q = "SELECT * FROM agents";
+    const params = [];
+    if (opts?.status) {
+      q += " WHERE status = ?";
+      params.push(opts.status);
+    }
+    q += " ORDER BY created_at DESC";
+    if (opts?.limit) q += ` LIMIT ${opts.limit}`;
+    if (opts?.offset) q += ` OFFSET ${opts.offset}`;
+    return (await this.all(q, params)).map((r) => this.mapAgent(r));
+  }
+  async updateAgent(id, updates) {
+    const fields = [];
+    const vals = [];
+    for (const [key, col] of Object.entries({ name: "name", email: "email", role: "role", status: "status" })) {
+      if (updates[key] !== void 0) {
+        fields.push(`${col} = ?`);
+        vals.push(updates[key]);
+      }
+    }
+    if (updates.metadata) {
+      fields.push("metadata = ?");
+      vals.push(JSON.stringify(updates.metadata));
+    }
+    fields.push("updated_at = datetime('now')");
+    vals.push(id);
+    await this.run(`UPDATE agents SET ${fields.join(", ")} WHERE id = ?`, vals);
+    return await this.getAgent(id);
+  }
+  async archiveAgent(id) {
+    await this.run("UPDATE agents SET status = 'archived', updated_at = datetime('now') WHERE id = ?", [id]);
+  }
+  async deleteAgent(id) {
+    await this.run("DELETE FROM agents WHERE id = ?", [id]);
+  }
+  async countAgents(status) {
+    const r = status ? await this.get("SELECT COUNT(*) as c FROM agents WHERE status = ?", [status]) : await this.get("SELECT COUNT(*) as c FROM agents", []);
+    return r.c;
+  }
+  // ─── Users ───────────────────────────────────────────────
+  async createUser(input) {
+    const id = randomUUID();
+    let passwordHash = null;
+    if (input.password) {
+      const { default: bcrypt } = await import("bcryptjs");
+      passwordHash = await bcrypt.hash(input.password, 12);
+    }
+    await this.run(
+      `INSERT INTO users (id, email, name, role, password_hash, sso_provider, sso_subject) VALUES (?, ?, ?, ?, ?, ?, ?)`,
+      [id, input.email, input.name, input.role, passwordHash, input.ssoProvider || null, input.ssoSubject || null]
+    );
+    return await this.getUser(id);
+  }
+  async getUser(id) {
+    const r = await this.get("SELECT * FROM users WHERE id = ?", [id]);
+    return r ? this.mapUser(r) : null;
+  }
+  async getUserByEmail(email) {
+    const r = await this.get("SELECT * FROM users WHERE email = ?", [email]);
+    return r ? this.mapUser(r) : null;
+  }
+  async getUserBySso(provider, subject) {
+    const r = await this.get("SELECT * FROM users WHERE sso_provider = ? AND sso_subject = ?", [provider, subject]);
+    return r ? this.mapUser(r) : null;
+  }
+  async listUsers(opts) {
+    let q = "SELECT * FROM users ORDER BY created_at DESC";
+    if (opts?.limit) q += ` LIMIT ${opts.limit}`;
+    if (opts?.offset) q += ` OFFSET ${opts.offset}`;
+    return (await this.all(q)).map((r) => this.mapUser(r));
+  }
+  async updateUser(id, updates) {
+    const fields = [];
+    const vals = [];
+    for (const key of ["email", "name", "role"]) {
+      if (updates[key] !== void 0) {
+        fields.push(`${key} = ?`);
+        vals.push(updates[key]);
+      }
+    }
+    fields.push("updated_at = datetime('now')");
+    vals.push(id);
+    await this.run(`UPDATE users SET ${fields.join(", ")} WHERE id = ?`, vals);
+    return await this.getUser(id);
+  }
+  async deleteUser(id) {
+    await this.run("DELETE FROM users WHERE id = ?", [id]);
+  }
+  // ─── Audit ───────────────────────────────────────────────
+  async logEvent(event) {
+    await this.run(
+      `INSERT INTO audit_log (id, actor, actor_type, action, resource, details, ip) VALUES (?, ?, ?, ?, ?, ?, ?)`,
+      [randomUUID(), event.actor, event.actorType, event.action, event.resource, JSON.stringify(event.details || {}), event.ip || null]
+    );
+  }
+  async queryAudit(filters) {
+    const where = [];
+    const params = [];
+    if (filters.actor) {
+      where.push("actor = ?");
+      params.push(filters.actor);
+    }
+    if (filters.action) {
+      where.push("action = ?");
+      params.push(filters.action);
+    }
+    if (filters.resource) {
+      where.push("resource LIKE ?");
+      params.push(`%${filters.resource}%`);
+    }
+    if (filters.from) {
+      where.push("timestamp >= ?");
+      params.push(filters.from.toISOString());
+    }
+    if (filters.to) {
+      where.push("timestamp <= ?");
+      params.push(filters.to.toISOString());
+    }
+    const wc = where.length > 0 ? `WHERE ${where.join(" AND ")}` : "";
+    const countRow = await this.get(`SELECT COUNT(*) as c FROM audit_log ${wc}`, params);
+    let q = `SELECT * FROM audit_log ${wc} ORDER BY timestamp DESC`;
+    if (filters.limit) q += ` LIMIT ${filters.limit}`;
+    if (filters.offset) q += ` OFFSET ${filters.offset}`;
+    const rows = await this.all(q, params);
+    return {
+      events: rows.map((r) => ({
+        id: r.id,
+        timestamp: new Date(r.timestamp),
+        actor: r.actor,
+        actorType: r.actor_type,
+        action: r.action,
+        resource: r.resource,
+        details: JSON.parse(r.details || "{}"),
+        ip: r.ip
+      })),
+      total: countRow.c
+    };
+  }
+  // ─── API Keys ────────────────────────────────────────────
+  async createApiKey(input) {
+    const id = randomUUID();
+    const plaintext = `ek_${randomUUID().replace(/-/g, "")}`;
+    const keyHash = createHash("sha256").update(plaintext).digest("hex");
+    const keyPrefix = plaintext.substring(0, 11);
+    await this.run(
+      `INSERT INTO api_keys (id, name, key_hash, key_prefix, scopes, created_by, expires_at) VALUES (?, ?, ?, ?, ?, ?, ?)`,
+      [id, input.name, keyHash, keyPrefix, JSON.stringify(input.scopes), input.createdBy, input.expiresAt?.toISOString() || null]
+    );
+    return { key: await this.getApiKey(id), plaintext };
+  }
+  async getApiKey(id) {
+    const r = await this.get("SELECT * FROM api_keys WHERE id = ?", [id]);
+    return r ? this.mapApiKey(r) : null;
+  }
+  async validateApiKey(plaintext) {
+    const keyHash = createHash("sha256").update(plaintext).digest("hex");
+    const r = await this.get("SELECT * FROM api_keys WHERE key_hash = ? AND revoked = 0", [keyHash]);
+    if (!r) return null;
+    const key = this.mapApiKey(r);
+    if (key.expiresAt && /* @__PURE__ */ new Date() > key.expiresAt) return null;
+    await this.run("UPDATE api_keys SET last_used_at = datetime('now') WHERE id = ?", [key.id]);
+    return key;
+  }
+  async listApiKeys(opts) {
+    let q = "SELECT * FROM api_keys";
+    const params = [];
+    if (opts?.createdBy) {
+      q += " WHERE created_by = ?";
+      params.push(opts.createdBy);
+    }
+    q += " ORDER BY created_at DESC";
+    return (await this.all(q, params)).map((r) => this.mapApiKey(r));
+  }
+  async revokeApiKey(id) {
+    await this.run("UPDATE api_keys SET revoked = 1 WHERE id = ?", [id]);
+  }
+  // ─── Rules ───────────────────────────────────────────────
+  async createRule(rule) {
+    const id = randomUUID();
+    await this.run(
+      `INSERT INTO email_rules (id, name, agent_id, conditions, actions, priority, enabled) VALUES (?, ?, ?, ?, ?, ?, ?)`,
+      [id, rule.name, rule.agentId || null, JSON.stringify(rule.conditions), JSON.stringify(rule.actions), rule.priority, rule.enabled ? 1 : 0]
+    );
+    const r = await this.get("SELECT * FROM email_rules WHERE id = ?", [id]);
+    return this.mapRule(r);
+  }
+  async getRules(agentId) {
+    let q = "SELECT * FROM email_rules";
+    const params = [];
+    if (agentId) {
+      q += " WHERE agent_id = ? OR agent_id IS NULL";
+      params.push(agentId);
+    }
+    q += " ORDER BY priority DESC";
+    return (await this.all(q, params)).map((r) => this.mapRule(r));
+  }
+  async updateRule(id, updates) {
+    const fields = [];
+    const vals = [];
+    if (updates.name !== void 0) {
+      fields.push("name = ?");
+      vals.push(updates.name);
+    }
+    if (updates.conditions) {
+      fields.push("conditions = ?");
+      vals.push(JSON.stringify(updates.conditions));
+    }
+    if (updates.actions) {
+      fields.push("actions = ?");
+      vals.push(JSON.stringify(updates.actions));
+    }
+    if (updates.priority !== void 0) {
+      fields.push("priority = ?");
+      vals.push(updates.priority);
+    }
+    if (updates.enabled !== void 0) {
+      fields.push("enabled = ?");
+      vals.push(updates.enabled ? 1 : 0);
+    }
+    fields.push("updated_at = datetime('now')");
+    vals.push(id);
+    await this.run(`UPDATE email_rules SET ${fields.join(", ")} WHERE id = ?`, vals);
+    const r = await this.get("SELECT * FROM email_rules WHERE id = ?", [id]);
+    return this.mapRule(r);
+  }
+  async deleteRule(id) {
+    await this.run("DELETE FROM email_rules WHERE id = ?", [id]);
+  }
+  // ─── Retention ───────────────────────────────────────────
+  async getRetentionPolicy() {
+    const r = await this.get("SELECT * FROM retention_policy WHERE id = ?", ["default"]);
+    if (!r) return { enabled: false, retainDays: 365, archiveFirst: true };
+    return { enabled: !!r.enabled, retainDays: r.retain_days, excludeTags: JSON.parse(r.exclude_tags || "[]"), archiveFirst: !!r.archive_first };
+  }
+  async setRetentionPolicy(policy) {
+    await this.run(
+      `UPDATE retention_policy SET enabled = ?, retain_days = ?, exclude_tags = ?, archive_first = ? WHERE id = 'default'`,
+      [policy.enabled ? 1 : 0, policy.retainDays, JSON.stringify(policy.excludeTags || []), policy.archiveFirst ? 1 : 0]
+    );
+  }
+  // ─── Stats ───────────────────────────────────────────────
+  async getStats() {
+    const [total, active, users, audit] = await Promise.all([
+      this.get("SELECT COUNT(*) as c FROM agents"),
+      this.get("SELECT COUNT(*) as c FROM agents WHERE status = 'active'"),
+      this.get("SELECT COUNT(*) as c FROM users"),
+      this.get("SELECT COUNT(*) as c FROM audit_log")
+    ]);
+    return {
+      totalAgents: total.c,
+      activeAgents: active.c,
+      totalUsers: users.c,
+      totalEmails: 0,
+      totalAuditEvents: audit.c
+    };
+  }
+  // ─── Mappers ─────────────────────────────────────────────
+  mapAgent(r) {
+    return {
+      id: r.id,
+      name: r.name,
+      email: r.email,
+      role: r.role,
+      status: r.status,
+      metadata: typeof r.metadata === "string" ? JSON.parse(r.metadata) : r.metadata || {},
+      createdAt: new Date(r.created_at),
+      updatedAt: new Date(r.updated_at),
+      createdBy: r.created_by
+    };
+  }
+  mapUser(r) {
+    return {
+      id: r.id,
+      email: r.email,
+      name: r.name,
+      role: r.role,
+      passwordHash: r.password_hash,
+      ssoProvider: r.sso_provider,
+      ssoSubject: r.sso_subject,
+      createdAt: new Date(r.created_at),
+      updatedAt: new Date(r.updated_at),
+      lastLoginAt: r.last_login_at ? new Date(r.last_login_at) : void 0
+    };
+  }
+  mapApiKey(r) {
+    return {
+      id: r.id,
+      name: r.name,
+      keyHash: r.key_hash,
+      keyPrefix: r.key_prefix,
+      scopes: typeof r.scopes === "string" ? JSON.parse(r.scopes) : r.scopes || [],
+      createdBy: r.created_by,
+      createdAt: new Date(r.created_at),
+      lastUsedAt: r.last_used_at ? new Date(r.last_used_at) : void 0,
+      expiresAt: r.expires_at ? new Date(r.expires_at) : void 0,
+      revoked: !!r.revoked
+    };
+  }
+  mapRule(r) {
+    return {
+      id: r.id,
+      name: r.name,
+      agentId: r.agent_id,
+      conditions: typeof r.conditions === "string" ? JSON.parse(r.conditions) : r.conditions || {},
+      actions: typeof r.actions === "string" ? JSON.parse(r.actions) : r.actions || {},
+      priority: r.priority,
+      enabled: !!r.enabled,
+      createdAt: new Date(r.created_at),
+      updatedAt: new Date(r.updated_at)
+    };
+  }
+  mapSettings(r) {
+    return {
+      id: r.id,
+      name: r.name,
+      domain: r.domain,
+      subdomain: r.subdomain,
+      smtpHost: r.smtp_host,
+      smtpPort: r.smtp_port,
+      smtpUser: r.smtp_user,
+      smtpPass: r.smtp_pass,
+      dkimPrivateKey: r.dkim_private_key,
+      logoUrl: r.logo_url,
+      primaryColor: r.primary_color,
+      ssoConfig: r.sso_config ? typeof r.sso_config === "string" ? JSON.parse(r.sso_config) : r.sso_config : void 0,
+      toolSecurityConfig: r.tool_security_config ? typeof r.tool_security_config === "string" ? JSON.parse(r.tool_security_config) : r.tool_security_config : {},
+      firewallConfig: r.firewall_config ? typeof r.firewall_config === "string" ? JSON.parse(r.firewall_config) : r.firewall_config : {},
+      modelPricingConfig: r.model_pricing_config ? typeof r.model_pricing_config === "string" ? JSON.parse(r.model_pricing_config) : r.model_pricing_config : {},
+      plan: r.plan,
+      createdAt: new Date(r.created_at),
+      updatedAt: new Date(r.updated_at),
+      deploymentKeyHash: r.deployment_key_hash,
+      domainRegistrationId: r.domain_registration_id,
+      domainDnsChallenge: r.domain_dns_challenge,
+      domainVerifiedAt: r.domain_verified_at || void 0,
+      domainRegisteredAt: r.domain_registered_at || void 0,
+      domainStatus: r.domain_status || "unregistered"
+    };
+  }
+};
+export {
+  TursoAdapter
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenticmail/enterprise",
-  "version": "0.5.5",
+  "version": "0.5.7",
   "description": "AgenticMail Enterprise — cloud-hosted AI agent identity, email, auth & compliance for organizations",
   "type": "module",
   "bin": {

package/src/setup/index.ts

@@ -15,6 +15,9 @@
  */
 
 import { execSync } from 'child_process';
+import { createRequire } from 'module';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
 import { promptCompanyInfo } from './company.js';
 import { promptDatabase } from './database.js';
 import { promptDeployment } from './deployment.js';
@@ -54,26 +57,39 @@ async function ensureDbDriver(dbType: string, ora: any, chalk: any): Promise<voi
   const packages = DB_DRIVER_MAP[dbType];
   if (!packages?.length) return;
 
+  // Resolve the enterprise package's own directory for installing drivers
+  const __filename = fileURLToPath(import.meta.url);
+  const pkgDir = join(dirname(__filename), '..');
+
   const missing: string[] = [];
   for (const pkg of packages) {
     try {
-      await import(pkg);
+      // Check if resolvable from the package directory
+      const require = createRequire(join(pkgDir, 'node_modules', '.package-lock.json'));
+      require.resolve(pkg);
     } catch {
-      missing.push(pkg);
+      // Also try dynamic import as fallback
+      try {
+        await import(pkg);
+      } catch {
+        missing.push(pkg);
+      }
     }
   }
   if (!missing.length) return;
 
   const spinner = ora(`Installing database driver: ${missing.join(', ')}...`).start();
   try {
+    // Install into the enterprise package's node_modules so dynamic imports find them
     execSync(`npm install --no-save ${missing.join(' ')}`, {
       stdio: 'pipe',
       timeout: 120_000,
+      cwd: pkgDir,
     });
     spinner.succeed(`Database driver installed: ${missing.join(', ')}`);
   } catch (err: any) {
     spinner.fail(`Failed to install ${missing.join(', ')}`);
-    console.error(chalk.red(`\n  Run manually: npm install ${missing.join(' ')}\n`));
+    console.error(chalk.red(`\n  Run manually: cd ${pkgDir} && npm install ${missing.join(' ')}\n`));
     process.exit(1);
   }
 }

package/src/setup/registration.ts

@@ -91,23 +91,97 @@ export async function promptRegistration(
     const data = await res.json().catch(() => ({})) as any;
 
     if (res.status === 409) {
-      spinner.fail('Domain already registered');
+      spinner.info('Domain already registered — verifying ownership');
       console.log('');
       console.log(chalk.yellow('  This domain is already registered and verified.'));
-      console.log(chalk.dim('  If this is your domain, use: npx @agenticmail/enterprise recover'));
-      console.log('');
-
-      const { continueAnyway } = await inquirer.prompt([{
-        type: 'confirm',
-        name: 'continueAnyway',
-        message: 'Continue setup without registration?',
-        default: true,
+      console.log(chalk.dim('  Enter your deployment key to prove ownership and continue.\n'));
+
+      const { deploymentKey } = await inquirer.prompt([{
+        type: 'password',
+        name: 'deploymentKey',
+        message: 'Deployment key:',
+        mask: '*',
+        validate: (v: string) => v.length === 64 || 'Deployment key should be 64 hex characters',
       }]);
 
-      if (continueAnyway) {
-        return { registered: false, verificationStatus: 'skipped' };
+      // Recover via registry — this re-registers with a new challenge
+      const recoverSpinner = ora('Verifying deployment key...').start();
+      try {
+        const recoverRes = await fetch(`${registryUrl}/domains/recover`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            domain: domain!.toLowerCase().trim(),
+            deploymentKey,
+          }),
+          signal: AbortSignal.timeout(15_000),
+        });
+
+        const recoverData = await recoverRes.json().catch(() => ({})) as any;
+
+        if (recoverRes.status === 403) {
+          recoverSpinner.fail('Invalid deployment key');
+          console.log('');
+          console.log(chalk.red('  The deployment key does not match this domain.'));
+          console.log('');
+
+          const { continueAnyway } = await inquirer.prompt([{
+            type: 'confirm',
+            name: 'continueAnyway',
+            message: 'Continue setup without registration?',
+            default: true,
+          }]);
+
+          if (continueAnyway) {
+            return { registered: false, verificationStatus: 'skipped' };
+          }
+          process.exit(1);
+        }
+
+        if (!recoverRes.ok) {
+          throw new Error(recoverData.error || `HTTP ${recoverRes.status}`);
+        }
+
+        recoverSpinner.succeed('Ownership verified — domain recovered');
+
+        // Now verify DNS with the new challenge
+        registrationId = recoverData.registrationId;
+        dnsChallenge = recoverData.dnsChallenge;
+
+        // Auto-verify DNS since they already own the domain
+        const verifyRes = await fetch(`${registryUrl}/domains/verify`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ domain: domain!.toLowerCase().trim() }),
+          signal: AbortSignal.timeout(15_000),
+        });
+        const verifyData = await verifyRes.json().catch(() => ({})) as any;
+
+        // Re-hash the provided key for local storage
+        const { createHash } = await import('crypto');
+        const localKeyHash = createHash('sha256').update(deploymentKey).digest('hex');
+
+        return {
+          registered: true,
+          deploymentKeyHash: localKeyHash,
+          dnsChallenge,
+          registrationId,
+          verificationStatus: verifyData?.verified ? 'verified' : 'pending_dns',
+        };
+      } catch (err: any) {
+        recoverSpinner.fail(`Recovery failed: ${err.message}`);
+        const { continueAnyway } = await inquirer.prompt([{
+          type: 'confirm',
+          name: 'continueAnyway',
+          message: 'Continue setup without registration?',
+          default: true,
+        }]);
+
+        if (continueAnyway) {
+          return { registered: false, verificationStatus: 'skipped' };
+        }
+        process.exit(1);
       }
-      process.exit(1);
     }
 
     if (!res.ok) {