@lead-routing/cli 0.1.0

package/dist/index.js

@@ -0,0 +1,1916 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/commands/init.ts
+import { intro, outro, note as note4, log as log8 } from "@clack/prompts";
+import chalk2 from "chalk";
+
+// src/steps/prerequisites.ts
+import { log } from "@clack/prompts";
+
+// src/utils/exec.ts
+import { execa } from "execa";
+import { spinner } from "@clack/prompts";
+async function runSilent(cmd, args, opts = {}) {
+  try {
+    const result = await execa(cmd, args, { cwd: opts.cwd, reject: false });
+    return result.stdout;
+  } catch {
+    return "";
+  }
+}
+
+// src/steps/prerequisites.ts
+async function checkPrerequisites() {
+  const results = await Promise.all([
+    checkNodeVersion(),
+    checkSalesforceCLI()
+  ]);
+  const failed = results.filter((r) => !r.ok);
+  for (const r of results) {
+    if (r.ok) {
+      log.success(r.label);
+    } else {
+      log.error(`${r.label}${r.detail ? ` \u2014 ${r.detail}` : ""}`);
+    }
+  }
+  if (failed.length > 0) {
+    throw new Error(
+      `Missing local prerequisites:
+${failed.map((r) => `  \u2022 ${r.label}`).join("\n")}
+
+Please install them and re-run lead-routing init.`
+    );
+  }
+}
+async function checkNodeVersion() {
+  const version = process.version;
+  const major = parseInt(version.slice(1), 10);
+  if (major < 20) {
+    return { ok: false, label: `Node.js ${version}`, detail: "version 20+ required" };
+  }
+  return { ok: true, label: `Node.js ${version}` };
+}
+async function checkSalesforceCLI() {
+  const out = await runSilent("sf", ["--version"]);
+  if (!out) {
+    return {
+      ok: false,
+      label: "Salesforce CLI (sf) \u2014 not found",
+      detail: "install from https://developer.salesforce.com/tools/salesforcecli"
+    };
+  }
+  return { ok: true, label: `Salesforce CLI \u2014 ${out.trim()}` };
+}
+
+// src/steps/collect-ssh-config.ts
+import { existsSync } from "fs";
+import { homedir } from "os";
+import { text, password, select, note, cancel, isCancel } from "@clack/prompts";
+function bail(value) {
+  if (isCancel(value)) {
+    cancel("Setup cancelled.");
+    process.exit(0);
+  }
+  throw new Error("Unexpected cancel");
+}
+async function collectSshConfig() {
+  note(
+    "The CLI will SSH into your server to deploy the full stack.\nYou will need:\n  \u2022 Server hostname or IP address\n  \u2022 SSH access (key file recommended, password supported)\n  \u2022 Docker 24+ already installed on the server",
+    "Server connection"
+  );
+  const host = await text({
+    message: "Server hostname or IP address",
+    placeholder: "165.22.100.50  or  vps.acme.com",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (isCancel(host)) bail(host);
+  const portRaw = await text({
+    message: "SSH port",
+    placeholder: "22",
+    initialValue: "22",
+    validate: (v) => {
+      const n = parseInt(v, 10);
+      if (isNaN(n) || n < 1 || n > 65535) return "Must be a valid port (1\u201365535)";
+    }
+  });
+  if (isCancel(portRaw)) bail(portRaw);
+  const username = await text({
+    message: "SSH username",
+    placeholder: "root",
+    initialValue: "root",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (isCancel(username)) bail(username);
+  const authMethod = await select({
+    message: "SSH authentication method",
+    options: [
+      { value: "key", label: "SSH key file (recommended)" },
+      { value: "password", label: "Password" }
+    ]
+  });
+  if (isCancel(authMethod)) bail(authMethod);
+  let privateKeyPath;
+  let pwd;
+  if (authMethod === "key") {
+    const defaultKey = `${homedir()}/.ssh/id_rsa`;
+    const keyPath = await text({
+      message: "Path to SSH private key",
+      placeholder: defaultKey,
+      initialValue: `~/.ssh/id_rsa`,
+      validate: (v) => {
+        const resolved = v.startsWith("~") ? homedir() + v.slice(1) : v;
+        if (!existsSync(resolved)) return `Key file not found: ${resolved}`;
+      }
+    });
+    if (isCancel(keyPath)) bail(keyPath);
+    const raw = keyPath;
+    privateKeyPath = raw.startsWith("~") ? homedir() + raw.slice(1) : raw;
+  } else {
+    const p = await password({
+      message: "SSH password",
+      validate: (v) => !v ? "Required" : void 0
+    });
+    if (isCancel(p)) bail(p);
+    pwd = p;
+  }
+  const remoteDir = await text({
+    message: "Remote install directory on server",
+    placeholder: "~/lead-routing",
+    initialValue: "~/lead-routing",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (isCancel(remoteDir)) bail(remoteDir);
+  return {
+    host,
+    port: parseInt(portRaw, 10),
+    username,
+    privateKeyPath,
+    password: pwd,
+    remoteDir
+  };
+}
+
+// src/steps/collect-config.ts
+import {
+  text as text2,
+  password as password2,
+  select as select2,
+  confirm,
+  note as note2,
+  cancel as cancel2,
+  isCancel as isCancel2
+} from "@clack/prompts";
+
+// src/utils/crypto.ts
+import { randomBytes } from "crypto";
+function generateSecret(bytes = 32) {
+  return randomBytes(bytes).toString("hex");
+}
+
+// src/steps/collect-config.ts
+function bail2(value) {
+  if (isCancel2(value)) {
+    cancel2("Setup cancelled.");
+    process.exit(0);
+  }
+  throw new Error("Unexpected cancel");
+}
+async function collectConfig() {
+  note2(
+    "You will need:\n  \u2022 A Salesforce Connected App (Client ID + Secret) \u2014 instructions below\n  \u2022 A public URL or localhost for the app\n  \u2022 PostgreSQL + Redis (or let Docker manage them)",
+    "Before you begin"
+  );
+  const appUrl = await text2({
+    message: "App URL (public URL where the web app will be accessible)",
+    placeholder: "https://routing.acme.com",
+    validate: (v) => {
+      if (!v) return "Required";
+      try {
+        new URL(v);
+      } catch {
+        return "Must be a valid URL (e.g. https://routing.acme.com)";
+      }
+    }
+  });
+  if (isCancel2(appUrl)) bail2(appUrl);
+  const engineUrl = await text2({
+    message: "Engine URL (public URL Salesforce will use to route leads)",
+    placeholder: "https://engine.acme.com",
+    hint: "Subdomain: https://engine.acme.com  \u2022  Same domain + port: https://acme.com:3001",
+    validate: (v) => {
+      if (!v) return "Required";
+      try {
+        const u = new URL(v);
+        if (u.protocol !== "https:") return "Must be an HTTPS URL (Salesforce requires HTTPS)";
+      } catch {
+        return "Must be a valid URL (e.g. https://engine.acme.com)";
+      }
+    }
+  });
+  if (isCancel2(engineUrl)) bail2(engineUrl);
+  const callbackUrl = `${appUrl}/api/auth/callback`;
+  note2(
+    `You need a Salesforce Connected App. If you haven't created one yet:
+
+  1. Go to Salesforce Setup \u2192 App Manager \u2192 New Connected App
+  2. Connected App Name: Lead Routing
+  3. Check "Enable OAuth Settings"
+  4. Callback URL:
+       ${callbackUrl}
+  5. Selected Scopes: api  \u2022  refresh_token, offline_access  \u2022  openid
+  6. Check "Require Secret for Web Server Flow"
+  7. Save \u2014 wait ~2 min, then click "Manage Consumer Details"
+  8. Copy the Consumer Key (Client ID) and Consumer Secret below`,
+    "Salesforce Connected App setup"
+  );
+  const sfdcClientId = await text2({
+    message: 'Consumer Key (labelled "Client ID" in newer orgs)',
+    placeholder: "3MVG9...",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (isCancel2(sfdcClientId)) bail2(sfdcClientId);
+  const sfdcClientSecret = await password2({
+    message: 'Consumer Secret (labelled "Client Secret" in newer orgs)',
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (isCancel2(sfdcClientSecret)) bail2(sfdcClientSecret);
+  const sfdcLoginUrlChoice = await select2({
+    message: "Salesforce environment",
+    options: [
+      { value: "https://login.salesforce.com", label: "Production / Developer org" },
+      { value: "https://test.salesforce.com", label: "Sandbox" }
+    ]
+  });
+  if (isCancel2(sfdcLoginUrlChoice)) bail2(sfdcLoginUrlChoice);
+  const sfdcLoginUrl = sfdcLoginUrlChoice;
+  const orgAlias = await text2({
+    message: "Salesforce org alias (used by the sf CLI to identify this org)",
+    placeholder: "lead-routing",
+    initialValue: "lead-routing",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (isCancel2(orgAlias)) bail2(orgAlias);
+  const managedDb = await confirm({
+    message: "Manage PostgreSQL with Docker? (recommended \u2014 choose No to provide your own URL)",
+    initialValue: true
+  });
+  if (isCancel2(managedDb)) bail2(managedDb);
+  let databaseUrl = "";
+  let dbPassword = generateSecret(16);
+  if (managedDb) {
+    databaseUrl = "postgresql://leadrouting:" + dbPassword + "@postgres:5432/leadrouting";
+  } else {
+    const url = await text2({
+      message: "PostgreSQL connection URL",
+      placeholder: "postgresql://user:pass@host:5432/dbname",
+      validate: (v) => {
+        if (!v) return "Required";
+        if (!v.startsWith("postgresql://") && !v.startsWith("postgres://"))
+          return "Must start with postgresql:// or postgres://";
+      }
+    });
+    if (isCancel2(url)) bail2(url);
+    databaseUrl = url;
+    dbPassword = "";
+  }
+  const managedRedis = await confirm({
+    message: "Manage Redis with Docker? (recommended \u2014 choose No to provide your own URL)",
+    initialValue: true
+  });
+  if (isCancel2(managedRedis)) bail2(managedRedis);
+  let redisUrl = "";
+  if (managedRedis) {
+    redisUrl = "redis://redis:6379";
+  } else {
+    const url = await text2({
+      message: "Redis connection URL",
+      placeholder: "redis://user:pass@host:6379",
+      validate: (v) => {
+        if (!v) return "Required";
+        if (!v.startsWith("redis://") && !v.startsWith("rediss://"))
+          return "Must start with redis:// or rediss://";
+      }
+    });
+    if (isCancel2(url)) bail2(url);
+    redisUrl = url;
+  }
+  note2("This creates the first admin user for the web app.", "Admin Account");
+  const adminEmail = await text2({
+    message: "Admin email address",
+    placeholder: "admin@acme.com",
+    validate: (v) => {
+      if (!v) return "Required";
+      if (!v.includes("@")) return "Must be a valid email";
+    }
+  });
+  if (isCancel2(adminEmail)) bail2(adminEmail);
+  const adminPassword = await password2({
+    message: "Admin password (min 8 characters)",
+    validate: (v) => {
+      if (!v) return "Required";
+      if (v.length < 8) return "Must be at least 8 characters";
+    }
+  });
+  if (isCancel2(adminPassword)) bail2(adminPassword);
+  const wantResend = await confirm({
+    message: "Configure Resend for email invites? (optional)",
+    initialValue: false
+  });
+  if (isCancel2(wantResend)) bail2(wantResend);
+  let resendApiKey = "";
+  let feedbackToEmail = "";
+  if (wantResend) {
+    const key = await text2({
+      message: "Resend API key",
+      placeholder: "re_..."
+    });
+    if (isCancel2(key)) bail2(key);
+    resendApiKey = key ?? "";
+    const email = await text2({
+      message: "Email address to receive feedback",
+      placeholder: "feedback@acme.com"
+    });
+    if (isCancel2(email)) bail2(email);
+    feedbackToEmail = email ?? "";
+  }
+  const sessionSecret = generateSecret(32);
+  const engineWebhookSecret = generateSecret(32);
+  const adminSecret = generateSecret(16);
+  return {
+    appUrl: appUrl.trim().replace(/\/+$/, ""),
+    engineUrl: engineUrl.trim().replace(/\/+$/, ""),
+    sfdcClientId,
+    sfdcClientSecret,
+    sfdcLoginUrl,
+    orgAlias,
+    managedDb,
+    databaseUrl,
+    dbPassword,
+    managedRedis,
+    redisUrl,
+    adminEmail,
+    adminPassword,
+    resendApiKey,
+    feedbackToEmail,
+    sessionSecret,
+    engineWebhookSecret,
+    adminSecret
+  };
+}
+
+// src/steps/generate-files.ts
+import { mkdirSync, writeFileSync as writeFileSync2 } from "fs";
+import { join as join2 } from "path";
+import { log as log2 } from "@clack/prompts";
+
+// src/templates/docker-compose.ts
+function renderDockerCompose(c) {
+  const webPort = c.webPort ?? 3e3;
+  const enginePort = c.enginePort ?? 3001;
+  const dbPassword = c.dbPassword ?? "leadrouting";
+  const postgresService = c.managedDb ? `
+  postgres:
+    image: postgres:16-alpine
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:5432:5432"
+    environment:
+      POSTGRES_DB: leadrouting
+      POSTGRES_USER: leadrouting
+      POSTGRES_PASSWORD: ${dbPassword}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U leadrouting"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+` : "";
+  const redisService = c.managedRedis ? `
+  redis:
+    image: redis:7-alpine
+    restart: unless-stopped
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 3s
+      retries: 10
+` : "";
+  const webDependsOn = buildDependsOn(c.managedDb, c.managedRedis);
+  const engineDependsOn = buildDependsOn(c.managedDb, c.managedRedis);
+  const webService = `
+  web:
+    image: ghcr.io/atgatzby/lead-routing-web:latest
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:${webPort}:3000"
+    env_file: .env.web
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://$(hostname -i):3000/api/health || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 6${webDependsOn}
+`;
+  const engineService = `
+  engine:
+    image: ghcr.io/atgatzby/lead-routing-engine:latest
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:${enginePort}:3001"
+    env_file: .env.engine
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://$(hostname -i):3001/health || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 6${engineDependsOn}
+`;
+  const caddyService = `
+  caddy:
+    image: caddy:2-alpine
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - caddy_data:/data
+      - caddy_config:/config
+    depends_on:
+      - web
+      - engine
+`;
+  const volumes = buildVolumes(c.managedDb, c.managedRedis);
+  return [
+    `# Lead Routing \u2014 Docker Compose`,
+    `# Generated by lead-routing CLI on ${(/* @__PURE__ */ new Date()).toISOString()}`,
+    `# Do not edit manually \u2014 re-run \`lead-routing init\` to regenerate.`,
+    ``,
+    `services:`,
+    postgresService.trimEnd(),
+    redisService.trimEnd(),
+    webService.trimEnd(),
+    engineService.trimEnd(),
+    caddyService.trimEnd(),
+    volumes
+  ].filter(Boolean).join("\n");
+}
+function buildDependsOn(managedDb, managedRedis) {
+  const deps = [];
+  if (managedDb) deps.push("postgres");
+  if (managedRedis) deps.push("redis");
+  if (deps.length === 0) return "";
+  return "\n    depends_on:\n" + deps.map((d) => `      ${d}:
+        condition: service_healthy`).join("\n");
+}
+function buildVolumes(managedDb, managedRedis) {
+  const vols = [];
+  if (managedDb) vols.push("  postgres_data:");
+  if (managedRedis) vols.push("  redis_data:");
+  vols.push("  caddy_data:");
+  vols.push("  caddy_config:");
+  return "\nvolumes:\n" + vols.join("\n");
+}
+
+// src/templates/env-web.ts
+function renderEnvWeb(c) {
+  return [
+    `# Lead Routing \u2014 Web App Environment`,
+    `# Generated by lead-routing CLI on ${(/* @__PURE__ */ new Date()).toISOString()}`,
+    ``,
+    `# App`,
+    `APP_URL=${c.appUrl}`,
+    `NODE_ENV=production`,
+    ``,
+    `# Engine`,
+    `ENGINE_URL=${c.engineUrl}`,
+    `ENGINE_WEBHOOK_SECRET=${c.engineWebhookSecret}`,
+    ``,
+    `# Database`,
+    `DATABASE_URL=${c.databaseUrl}`,
+    ``,
+    `# Redis`,
+    `REDIS_URL=${c.redisUrl}`,
+    ``,
+    `# Salesforce OAuth`,
+    `SFDC_CLIENT_ID=${c.sfdcClientId}`,
+    `SFDC_CLIENT_SECRET=${c.sfdcClientSecret}`,
+    `SFDC_LOGIN_URL=${c.sfdcLoginUrl}`,
+    `SFDC_REDIRECT_URI=${c.appUrl.replace(/\/+$/, "")}/api/auth/sfdc/callback`,
+    ``,
+    `# Session`,
+    `SESSION_SECRET=${c.sessionSecret}`,
+    ``,
+    `# Admin`,
+    `ADMIN_SECRET=${c.adminSecret}`,
+    ``,
+    `# Email (optional)`,
+    `RESEND_API_KEY=${c.resendApiKey ?? ""}`,
+    `FEEDBACK_TO_EMAIL=${c.feedbackToEmail ?? ""}`
+  ].join("\n");
+}
+
+// src/templates/env-engine.ts
+function renderEnvEngine(c) {
+  return [
+    `# Lead Routing \u2014 Engine Environment`,
+    `# Generated by lead-routing CLI on ${(/* @__PURE__ */ new Date()).toISOString()}`,
+    ``,
+    `# Server`,
+    `ENGINE_PORT=${c.enginePort ?? 3001}`,
+    `LOG_LEVEL=${c.logLevel ?? "info"}`,
+    `NODE_ENV=production`,
+    ``,
+    `# Database`,
+    `DATABASE_URL=${c.databaseUrl}`,
+    ``,
+    `# Redis`,
+    `REDIS_URL=${c.redisUrl}`,
+    ``,
+    `# Salesforce OAuth`,
+    `SFDC_CLIENT_ID=${c.sfdcClientId}`,
+    `SFDC_CLIENT_SECRET=${c.sfdcClientSecret}`,
+    `SFDC_LOGIN_URL=${c.sfdcLoginUrl}`,
+    ``,
+    `# Webhook`,
+    `ENGINE_WEBHOOK_SECRET=${c.engineWebhookSecret}`
+  ].join("\n");
+}
+
+// src/templates/caddy.ts
+function renderCaddyfile(appUrl, engineUrl) {
+  const appHost = new URL(appUrl).hostname;
+  const engineParsed = new URL(engineUrl);
+  const engineHost = engineParsed.hostname;
+  const enginePort = engineParsed.port;
+  const isSameDomain = engineHost === appHost;
+  if (isSameDomain && enginePort) {
+    return [
+      `# Lead Routing \u2014 Caddyfile`,
+      `# Generated by lead-routing CLI`,
+      `# Caddy auto-provisions SSL certificates via Let's Encrypt`,
+      ``,
+      `${appHost} {`,
+      `  reverse_proxy web:3000 {`,
+      `    health_uri /api/health`,
+      `    health_interval 15s`,
+      `  }`,
+      `}`,
+      ``,
+      `${appHost}:${enginePort} {`,
+      `  reverse_proxy engine:3001 {`,
+      `    health_uri /health`,
+      `    health_interval 15s`,
+      `  }`,
+      `}`
+    ].join("\n");
+  }
+  return [
+    `# Lead Routing \u2014 Caddyfile`,
+    `# Generated by lead-routing CLI`,
+    `# Caddy auto-provisions SSL certificates via Let's Encrypt`,
+    ``,
+    `${appHost} {`,
+    `  reverse_proxy web:3000 {`,
+    `    health_uri /api/health`,
+    `    health_interval 15s`,
+    `  }`,
+    `}`,
+    ``,
+    `${engineHost} {`,
+    `  reverse_proxy engine:3001 {`,
+    `    health_uri /health`,
+    `    health_interval 15s`,
+    `  }`,
+    `}`
+  ].join("\n");
+}
+
+// src/utils/config.ts
+import { readFileSync, writeFileSync, existsSync as existsSync2 } from "fs";
+import { join } from "path";
+function getConfigPath(dir) {
+  return join(dir, "lead-routing.json");
+}
+function readConfig(dir) {
+  const path2 = getConfigPath(dir);
+  if (!existsSync2(path2)) return null;
+  try {
+    return JSON.parse(readFileSync(path2, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function writeConfig(dir, config2) {
+  writeFileSync(getConfigPath(dir), JSON.stringify(config2, null, 2), "utf8");
+}
+function findInstallDir(startDir = process.cwd()) {
+  const candidate = join(startDir, "lead-routing.json");
+  if (existsSync2(candidate)) return startDir;
+  const nested = join(startDir, "lead-routing", "lead-routing.json");
+  if (existsSync2(nested)) return join(startDir, "lead-routing");
+  return null;
+}
+
+// src/steps/generate-files.ts
+function generateFiles(cfg, sshCfg) {
+  const dir = join2(process.cwd(), "lead-routing");
+  mkdirSync(dir, { recursive: true });
+  const dockerEngineUrl = `http://engine:3001`;
+  const composeContent = renderDockerCompose({
+    managedDb: cfg.managedDb,
+    managedRedis: cfg.managedRedis,
+    dbPassword: cfg.dbPassword
+  });
+  const composeFile = join2(dir, "docker-compose.yml");
+  writeFileSync2(composeFile, composeContent, "utf8");
+  log2.success("Generated docker-compose.yml");
+  const caddyfileContent = renderCaddyfile(cfg.appUrl, cfg.engineUrl);
+  writeFileSync2(join2(dir, "Caddyfile"), caddyfileContent, "utf8");
+  log2.success("Generated Caddyfile");
+  const envWebContent = renderEnvWeb({
+    appUrl: cfg.appUrl,
+    engineUrl: dockerEngineUrl,
+    databaseUrl: cfg.databaseUrl,
+    redisUrl: cfg.redisUrl,
+    sfdcClientId: cfg.sfdcClientId,
+    sfdcClientSecret: cfg.sfdcClientSecret,
+    sfdcLoginUrl: cfg.sfdcLoginUrl,
+    sessionSecret: cfg.sessionSecret,
+    engineWebhookSecret: cfg.engineWebhookSecret,
+    adminSecret: cfg.adminSecret,
+    resendApiKey: cfg.resendApiKey || void 0,
+    feedbackToEmail: cfg.feedbackToEmail || void 0
+  });
+  const envWeb = join2(dir, ".env.web");
+  writeFileSync2(envWeb, envWebContent, "utf8");
+  log2.success("Generated .env.web");
+  const envEngineContent = renderEnvEngine({
+    databaseUrl: cfg.databaseUrl,
+    redisUrl: cfg.redisUrl,
+    sfdcClientId: cfg.sfdcClientId,
+    sfdcClientSecret: cfg.sfdcClientSecret,
+    sfdcLoginUrl: cfg.sfdcLoginUrl,
+    engineWebhookSecret: cfg.engineWebhookSecret
+  });
+  const envEngine = join2(dir, ".env.engine");
+  writeFileSync2(envEngine, envEngineContent, "utf8");
+  log2.success("Generated .env.engine");
+  writeConfig(dir, {
+    appUrl: cfg.appUrl,
+    engineUrl: cfg.engineUrl,
+    installDir: dir,
+    remoteDir: sshCfg.remoteDir,
+    ssh: {
+      host: sshCfg.host,
+      port: sshCfg.port,
+      username: sshCfg.username,
+      privateKeyPath: sshCfg.privateKeyPath
+      // password intentionally not stored
+    },
+    dockerManaged: {
+      db: cfg.managedDb,
+      redis: cfg.managedRedis
+    },
+    // Stored so `lead-routing sfdc deploy` can re-authenticate without re-prompting
+    sfdcClientId: cfg.sfdcClientId,
+    sfdcLoginUrl: cfg.sfdcLoginUrl,
+    installedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    version: "0.1.0"
+  });
+  log2.success("Generated lead-routing.json");
+  return { dir, composeFile, envWeb, envEngine, adminSecret: cfg.adminSecret };
+}
+
+// src/steps/check-remote-prerequisites.ts
+import { log as log3 } from "@clack/prompts";
+async function checkRemotePrerequisites(ssh) {
+  const results = await Promise.all([
+    checkRemoteDocker(ssh),
+    checkRemoteDockerCompose(ssh),
+    checkRemotePort(ssh, 80),
+    checkRemotePort(ssh, 443)
+  ]);
+  const failed = results.filter((r) => !r.ok && !r.warn);
+  const warnings = results.filter((r) => !r.ok && r.warn);
+  for (const r of results) {
+    if (r.ok) {
+      log3.success(r.label);
+    } else if (r.warn) {
+      log3.warn(r.label);
+    } else {
+      log3.error(r.label);
+    }
+  }
+  if (warnings.length > 0) {
+    log3.warn("Non-blocking warnings above \u2014 setup will continue.");
+  }
+  if (failed.length > 0) {
+    throw new Error(
+      `Remote server is missing required software:
+` + failed.map((r) => `  \u2022 ${r.label}`).join("\n") + `
+
+Install the missing software on your server and re-run lead-routing init.`
+    );
+  }
+}
+async function checkRemoteDocker(ssh) {
+  const { stdout, code } = await ssh.execSilent("docker --version");
+  if (code !== 0 || !stdout) {
+    return {
+      ok: false,
+      label: "Docker \u2014 not found on server (install Docker Engine 24+)"
+    };
+  }
+  const match = stdout.match(/Docker version (\d+)/);
+  if (match && parseInt(match[1], 10) < 24) {
+    return { ok: false, label: `Docker ${stdout.trim()} \u2014 version 24+ required` };
+  }
+  return { ok: true, label: `Docker \u2014 ${stdout.trim()}` };
+}
+async function checkRemoteDockerCompose(ssh) {
+  const { stdout, code } = await ssh.execSilent("docker compose version");
+  if (code !== 0 || !stdout) {
+    return {
+      ok: false,
+      label: "Docker Compose \u2014 not found on server (update Docker to include Compose v2)"
+    };
+  }
+  return { ok: true, label: `Docker Compose \u2014 ${stdout.trim()}` };
+}
+async function checkRemotePort(ssh, port) {
+  const { stdout } = await ssh.execSilent(
+    `ss -tlnp 2>/dev/null | grep ':${port} ' || netstat -tlnp 2>/dev/null | grep ':${port} ' || echo "free"`
+  );
+  const isBound = stdout.trim() !== "free" && stdout.trim() !== "";
+  if (isBound) {
+    return {
+      ok: false,
+      warn: true,
+      label: `Port ${port} \u2014 already in use on server (Caddy needs it for HTTPS \u2014 ensure nothing else is binding it)`
+    };
+  }
+  return { ok: true, label: `Port ${port} \u2014 available` };
+}
+
+// src/steps/upload-files.ts
+import { join as join3 } from "path";
+import { spinner as spinner2 } from "@clack/prompts";
+async function uploadFiles(ssh, localDir, remoteDir) {
+  const s = spinner2();
+  s.start("Uploading config files to server");
+  try {
+    await ssh.mkdir(remoteDir);
+    const filenames = [
+      "docker-compose.yml",
+      "Caddyfile",
+      ".env.web",
+      ".env.engine",
+      "lead-routing.json"
+    ];
+    await ssh.upload(
+      filenames.map((f) => ({
+        local: join3(localDir, f),
+        remote: `${remoteDir}/${f}`
+      }))
+    );
+    s.stop(`Config files uploaded to ${remoteDir}`);
+  } catch (err) {
+    s.stop("File upload failed");
+    throw err;
+  }
+}
+
+// src/steps/start-services.ts
+import { spinner as spinner3, log as log4 } from "@clack/prompts";
+async function startServices(ssh, remoteDir) {
+  await wipeStalePostgresVolume(ssh, remoteDir);
+  await pullImages(ssh, remoteDir);
+  await startContainers(ssh, remoteDir);
+  await waitForPostgres(ssh, remoteDir);
+}
+async function wipeStalePostgresVolume(ssh, remoteDir) {
+  const dirName = remoteDir.split("/").filter(Boolean).pop() ?? "lead-routing";
+  const volumeName = `${dirName}_postgres_data`;
+  const { code } = await ssh.execSilent(`docker volume inspect ${volumeName}`);
+  if (code !== 0) {
+    return;
+  }
+  const s = spinner3();
+  s.start("Removing existing database volume for clean install");
+  try {
+    await ssh.exec("docker compose down -v --remove-orphans", remoteDir);
+    s.stop("Old volumes removed \u2014 database will be initialised fresh");
+  } catch {
+    s.stop("Could not remove old volumes \u2014 proceeding anyway");
+    log4.warn(
+      `If migrations fail with "authentication error", remove the postgres_data volume manually:
+  ssh into your server and run: docker volume rm ${volumeName}`
+    );
+  }
+}
+async function pullImages(ssh, remoteDir) {
+  const s = spinner3();
+  s.start("Pulling Docker images on server (this may take a few minutes)");
+  try {
+    await ssh.exec("docker compose pull", remoteDir);
+    s.stop("Images pulled successfully");
+  } catch {
+    s.stop("Could not pull images from registry \u2014 using local images if available");
+    log4.warn(
+      "Registry pull failed. If images are available on the server locally, setup will continue."
+    );
+  }
+}
+async function startContainers(ssh, remoteDir) {
+  const s = spinner3();
+  s.start("Starting services");
+  try {
+    await ssh.exec("docker compose up -d --remove-orphans", remoteDir);
+    s.stop("Services started");
+  } catch (err) {
+    s.stop("Failed to start services");
+    throw err;
+  }
+}
+async function waitForPostgres(ssh, remoteDir) {
+  const s = spinner3();
+  s.start("Waiting for PostgreSQL to be ready");
+  const maxAttempts = 24;
+  let containerReady = false;
+  for (let i = 0; i < maxAttempts; i++) {
+    const { code } = await ssh.execSilent(
+      "docker compose exec -T postgres pg_isready -U leadrouting",
+      remoteDir
+    );
+    if (code === 0) {
+      containerReady = true;
+      break;
+    }
+    s.message(`Waiting for PostgreSQL (${i + 1}/${maxAttempts})`);
+    await sleep(2500);
+  }
+  if (!containerReady) {
+    s.stop("PostgreSQL readiness check timed out \u2014 continuing anyway");
+    log4.warn("PostgreSQL may not be fully ready. If migrations fail, try `lead-routing deploy`.");
+    return;
+  }
+  for (let j = 0; j < 8; j++) {
+    const { code } = await ssh.execSilent(
+      "nc -z 127.0.0.1 5432 2>/dev/null || bash -c 'echo > /dev/tcp/127.0.0.1/5432' 2>/dev/null"
+    );
+    if (code === 0) {
+      s.stop("PostgreSQL is ready");
+      return;
+    }
+    s.message(`Waiting for PostgreSQL host port (${j + 1}/8)`);
+    await sleep(1e3);
+  }
+  s.stop("PostgreSQL is ready");
+  log4.warn("Host TCP port check timed out \u2014 tunnel may have issues. Proceeding anyway.");
+}
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+
+// src/steps/run-migrations.ts
+import * as fs from "fs";
+import * as path from "path";
+import * as crypto from "crypto";
+import { fileURLToPath } from "url";
+import { execa as execa2 } from "execa";
+import { spinner as spinner4 } from "@clack/prompts";
+var __filename = fileURLToPath(import.meta.url);
+var __dirname = path.dirname(__filename);
+function readEnvVar(envFile, key) {
+  const content = fs.readFileSync(envFile, "utf8");
+  const match = content.match(new RegExp(`^${key}=(.+)$`, "m"));
+  if (!match) throw new Error(`${key} not found in ${envFile}`);
+  return match[1].trim().replace(/^["']|["']$/g, "");
+}
+function getTunneledDbUrl(localDir, localPort) {
+  const rawUrl = readEnvVar(path.join(localDir, ".env.web"), "DATABASE_URL");
+  const parsed = new URL(rawUrl);
+  parsed.hostname = "localhost";
+  parsed.port = String(localPort);
+  return parsed.toString();
+}
+function findPrismaBin() {
+  const candidates = [
+    path.join(__dirname, "../node_modules/.bin/prisma"),
+    path.join(__dirname, "../node_modules/prisma/bin/prisma.js"),
+    path.resolve("packages/db/node_modules/.bin/prisma"),
+    path.resolve("node_modules/.bin/prisma"),
+    path.resolve("node_modules/.pnpm/node_modules/.bin/prisma")
+  ];
+  const found = candidates.find(fs.existsSync);
+  if (!found) throw new Error("Prisma binary not found \u2014 CLI may need to be reinstalled.");
+  return found;
+}
+async function runMigrations(ssh, localDir, adminEmail, adminPassword) {
+  const s = spinner4();
+  s.start("Opening secure tunnel to database");
+  let tunnelClose;
+  try {
+    const { localPort, close } = await ssh.tunnel(5432);
+    tunnelClose = close;
+    s.stop(`Database tunnel open (local port ${localPort})`);
+    await applyMigrations(localDir, localPort);
+    await seedAdminUser(localDir, localPort, adminEmail, adminPassword);
+  } finally {
+    tunnelClose?.();
+  }
+}
+async function applyMigrations(localDir, localPort) {
+  const s = spinner4();
+  s.start("Running database migrations");
+  try {
+    const DATABASE_URL = getTunneledDbUrl(localDir, localPort);
+    const prismaBin = findPrismaBin();
+    const bundledSchema = path.join(__dirname, "prisma/schema.prisma");
+    const monoSchema = path.resolve("packages/db/prisma/schema.prisma");
+    const schemaPath = fs.existsSync(bundledSchema) ? bundledSchema : monoSchema;
+    await execa2(prismaBin, ["migrate", "deploy", "--schema", schemaPath], {
+      env: { ...process.env, DATABASE_URL }
+    });
+    s.stop("Database migrations applied");
+  } catch (err) {
+    s.stop("Migrations failed");
+    throw err;
+  }
+}
+async function seedAdminUser(localDir, localPort, adminEmail, adminPassword) {
+  const s = spinner4();
+  s.start("Creating admin user");
+  try {
+    const DATABASE_URL = getTunneledDbUrl(localDir, localPort);
+    const webhookSecret = readEnvVar(path.join(localDir, ".env.engine"), "ENGINE_WEBHOOK_SECRET");
+    const salt = crypto.randomBytes(16).toString("hex");
+    const pbkdf2Hash = crypto.pbkdf2Sync(adminPassword, salt, 31e4, 32, "sha256").toString("hex");
+    const passwordHash = `${salt}:${pbkdf2Hash}`;
+    const safeEmail = adminEmail.replace(/'/g, "''");
+    const safeWebhookSecret = webhookSecret.replace(/'/g, "''");
+    const sql = `
+-- Create initial organisation if none exists
+INSERT INTO organizations (id, "webhookSecret", "createdAt", "updatedAt")
+SELECT gen_random_uuid(), '${safeWebhookSecret}', NOW(), NOW()
+WHERE NOT EXISTS (SELECT 1 FROM organizations);
+
+-- Create admin AppUser under the first org (idempotent)
+INSERT INTO app_users (id, "orgId", email, name, "passwordHash", role, "isActive", "createdAt", "updatedAt")
+SELECT gen_random_uuid(), o.id, '${safeEmail}', 'Admin', '${passwordHash}', 'ADMIN', true, NOW(), NOW()
+FROM organizations o
+LIMIT 1
+ON CONFLICT ("orgId", email) DO NOTHING;
+`;
+    const prismaBin = findPrismaBin();
+    await execa2(prismaBin, ["db", "execute", "--stdin", "--url", DATABASE_URL], { input: sql });
+    s.stop("Admin user ready");
+  } catch (err) {
+    s.stop("Seed failed");
+    throw err;
+  }
+}
+
+// src/steps/verify-health.ts
+import { spinner as spinner5, log as log5 } from "@clack/prompts";
+async function verifyHealth(appUrl, engineUrl) {
+  const checks = [
+    { service: "Web app", url: `${appUrl}/api/health` },
+    { service: "Routing engine", url: `${engineUrl}/health` }
+  ];
+  const results = await Promise.all(checks.map(({ service, url }) => pollHealth(service, url)));
+  for (const r of results) {
+    if (r.ok) {
+      log5.success(`${r.service} \u2014 ${r.url}`);
+    } else {
+      log5.warn(`${r.service} not responding yet \u2014 ${r.detail}`);
+    }
+  }
+}
+async function pollHealth(service, url, maxAttempts = 24, intervalMs = 5e3) {
+  const s = spinner5();
+  s.start(`Waiting for ${service}`);
+  for (let i = 0; i < maxAttempts; i++) {
+    try {
+      const res = await fetch(url, { signal: AbortSignal.timeout(4e3) });
+      if (res.ok) {
+        s.stop(`${service} is up`);
+        return { service, url, ok: true, detail: `HTTP ${res.status}` };
+      }
+      s.message(`${service} \u2014 HTTP ${res.status}, retrying (${i + 1}/${maxAttempts})`);
+    } catch (err) {
+      const detail = err instanceof Error ? err.message : String(err);
+      s.message(`${service} \u2014 ${detail}, retrying (${i + 1}/${maxAttempts})`);
+    }
+    await sleep2(intervalMs);
+  }
+  s.stop(`${service} \u2014 did not respond after ${maxAttempts} attempts`);
+  return {
+    service,
+    url,
+    ok: false,
+    detail: `timed out after ${maxAttempts * intervalMs / 1e3}s`
+  };
+}
+function sleep2(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+
+// src/steps/sfdc-deploy-inline.ts
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4, cpSync, rmSync } from "fs";
+import { join as join5, dirname as dirname2 } from "path";
+import { tmpdir } from "os";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { spinner as spinner6, log as log6 } from "@clack/prompts";
+import { execa as execa3 } from "execa";
+var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
+function patchXml(content, tag, value) {
+  const re = new RegExp(`(<${tag}>)[^<]*(</\\s*${tag}>)`, "g");
+  return content.replace(re, `$1${value}$2`);
+}
+async function sfdcDeployInline(params) {
+  const { appUrl, engineUrl, orgAlias, installDir } = params;
+  const s = spinner6();
+  const { code: authCheck } = await execa3(
+    "sf",
+    ["org", "display", "--target-org", orgAlias, "--json"],
+    { reject: false }
+  );
+  const alreadyAuthed = authCheck === 0;
+  if (alreadyAuthed) {
+    log6.success("Using existing Salesforce authentication");
+  } else {
+    await loginViaAppBridge(appUrl, orgAlias);
+  }
+  s.start("Copying Salesforce package\u2026");
+  const bundledPkg = join5(__dirname2, "..", "sfdc-package");
+  const destPkg = join5(installDir ?? tmpdir(), "lead-routing-sfdc-package");
+  if (!existsSync4(bundledPkg)) {
+    s.stop("sfdc-package not found in CLI bundle");
+    throw new Error(
+      `Expected bundle at: ${bundledPkg}
+The CLI may need to be reinstalled: npm i -g @lead-routing/cli`
+    );
+  }
+  if (existsSync4(destPkg)) rmSync(destPkg, { recursive: true, force: true });
+  cpSync(bundledPkg, destPkg, { recursive: true });
+  s.stop("Package copied");
+  const ncPath = join5(
+    destPkg,
+    "force-app",
+    "main",
+    "default",
+    "namedCredentials",
+    "RoutingEngine.namedCredential-meta.xml"
+  );
+  if (existsSync4(ncPath)) {
+    const nc = patchXml(readFileSync3(ncPath, "utf8"), "endpoint", engineUrl);
+    writeFileSync3(ncPath, nc, "utf8");
+  }
+  const rssEnginePath = join5(
+    destPkg,
+    "force-app",
+    "main",
+    "default",
+    "remoteSiteSettings",
+    "LeadRouterEngine.remoteSite-meta.xml"
+  );
+  if (existsSync4(rssEnginePath)) {
+    let rss = patchXml(readFileSync3(rssEnginePath, "utf8"), "url", engineUrl);
+    rss = patchXml(rss, "description", "Lead Router Engine endpoint");
+    writeFileSync3(rssEnginePath, rss, "utf8");
+  }
+  const rssAppPath = join5(
+    destPkg,
+    "force-app",
+    "main",
+    "default",
+    "remoteSiteSettings",
+    "LeadRouterApp.remoteSite-meta.xml"
+  );
+  if (existsSync4(rssAppPath)) {
+    let rss = patchXml(readFileSync3(rssAppPath, "utf8"), "url", appUrl);
+    rss = patchXml(rss, "description", "Lead Router App URL");
+    writeFileSync3(rssAppPath, rss, "utf8");
+  }
+  log6.success("Remote Site Settings patched");
+  s.start("Deploying Salesforce package (this may take ~2 min)\u2026");
+  try {
+    await execa3(
+      "sf",
+      ["project", "deploy", "start", "--target-org", orgAlias, "--source-dir", "force-app"],
+      { cwd: destPkg, stdio: "inherit" }
+    );
+    s.stop("Package deployed");
+  } catch (err) {
+    s.stop("Deployment failed");
+    throw new Error(
+      `sf project deploy failed: ${String(err)}
+
+  Retry manually:
+  cd ${destPkg}
+  sf project deploy start --target-org ${orgAlias} --source-dir force-app`
+    );
+  }
+  s.start("Assigning LeadRouterAdmin permission set\u2026");
+  try {
+    await execa3(
+      "sf",
+      ["org", "assign", "permset", "--name", "LeadRouterAdmin", "--target-org", orgAlias],
+      { stdio: "inherit" }
+    );
+    s.stop("Permission set assigned \u2014 Lead Router Setup will appear in the App Launcher");
+  } catch (err) {
+    const msg = String(err);
+    if (msg.includes("Duplicate PermissionSetAssignment")) {
+      s.stop("Permission set already assigned");
+    } else {
+      s.stop("Permission set assignment failed (non-fatal)");
+      log6.warn(msg);
+      log6.info(
+        "Grant access manually:\n  Salesforce Setup \u2192 Users \u2192 Permission Sets \u2192 Lead Router Admin \u2192 Manage Assignments"
+      );
+    }
+  }
+  s.start("Writing org settings to Routing_Settings__c\u2026");
+  try {
+    let existingId;
+    try {
+      const qr = await execa3("sf", [
+        "data",
+        "query",
+        "--target-org",
+        orgAlias,
+        "--query",
+        "SELECT Id FROM Routing_Settings__c LIMIT 1",
+        "--json"
+      ]);
+      const parsed = JSON.parse(qr.stdout);
+      existingId = parsed?.result?.records?.[0]?.Id;
+    } catch {
+    }
+    if (existingId) {
+      await execa3("sf", [
+        "data",
+        "update",
+        "record",
+        "--target-org",
+        orgAlias,
+        "--sobject",
+        "Routing_Settings__c",
+        "--record-id",
+        existingId,
+        "--values",
+        `App_Url__c='${appUrl}' Engine_Endpoint__c='${engineUrl}'`
+      ], { stdio: "inherit" });
+    } else {
+      await execa3("sf", [
+        "data",
+        "create",
+        "record",
+        "--target-org",
+        orgAlias,
+        "--sobject",
+        "Routing_Settings__c",
+        "--values",
+        `App_Url__c='${appUrl}' Engine_Endpoint__c='${engineUrl}'`
+      ], { stdio: "inherit" });
+    }
+    s.stop("Org settings written");
+  } catch (err) {
+    s.stop("Org settings write failed (non-fatal)");
+    log6.warn(String(err));
+    log6.info("Set manually: Salesforce \u2192 Custom Settings \u2192 Routing Settings \u2192 Manage");
+  }
+}
+async function loginViaAppBridge(rawAppUrl, orgAlias) {
+  const appUrl = rawAppUrl.replace(/\/+$/, "");
+  const s = spinner6();
+  s.start("Starting Salesforce authentication via your Lead Router app\u2026");
+  let sessionId;
+  let authUrl;
+  try {
+    const res = await fetch(`${appUrl}/api/cli-auth/request`, { method: "POST" });
+    if (!res.ok) {
+      s.stop("Failed to start auth session");
+      throw new Error(
+        `Could not reach ${appUrl}/api/cli-auth/request (HTTP ${res.status}).
+Make sure the web app is running and accessible.`
+      );
+    }
+    const data = await res.json();
+    sessionId = data.sessionId;
+    authUrl = data.authUrl;
+  } catch (err) {
+    s.stop("Could not reach Lead Router app");
+    throw new Error(
+      `Failed to connect to ${appUrl}: ${String(err)}
+Ensure the app is running and the URL is correct.`
+    );
+  }
+  s.stop("Auth session started");
+  log6.info(`Open this URL in your browser to authenticate with Salesforce:
+
+  ${authUrl}
+`);
+  log6.info('If Chrome shows a "Dangerous site" warning with no proceed option, paste the URL into Safari or Firefox.');
+  const opener = process.platform === "win32" ? "start" : process.platform === "darwin" ? "open" : "xdg-open";
+  await execa3(opener, [authUrl], { reject: false }).catch(() => {
+  });
+  s.start("Waiting for Salesforce authentication in browser\u2026");
+  const maxPolls = 150;
+  let accessToken;
+  let instanceUrl;
+  for (let i = 0; i < maxPolls; i++) {
+    await new Promise((r) => setTimeout(r, 2e3));
+    try {
+      const pollRes = await fetch(`${appUrl}/api/cli-auth/poll/${sessionId}`);
+      if (pollRes.status === 410) {
+        s.stop("Auth session expired");
+        throw new Error("CLI auth session expired. Please re-run the command.");
+      }
+      const data = await pollRes.json();
+      if (data.status === "ok") {
+        accessToken = data.accessToken;
+        instanceUrl = data.instanceUrl;
+        break;
+      }
+    } catch (err) {
+      if (String(err).includes("session expired")) throw err;
+    }
+  }
+  if (!accessToken || !instanceUrl) {
+    s.stop("Timed out");
+    throw new Error(
+      "Timed out waiting for Salesforce authentication (5 minutes).\nPlease re-run the command and complete login within 5 minutes."
+    );
+  }
+  s.stop("Authenticated with Salesforce");
+  try {
+    await execa3(
+      "sf",
+      ["org", "login", "access-token", "--instance-url", instanceUrl, "--alias", orgAlias, "--no-prompt"],
+      { input: accessToken + "\n" }
+    );
+    log6.success(`Salesforce org saved as "${orgAlias}"`);
+  } catch (err) {
+    log6.warn(`Could not store sf CLI credentials: ${String(err)}`);
+    log6.info("Re-authenticate manually if deploy commands fail: sf org login web");
+  }
+}
+
+// src/steps/app-launcher-guide.ts
+import { note as note3, confirm as confirm2, isCancel as isCancel3, log as log7 } from "@clack/prompts";
+import chalk from "chalk";
+async function guideAppLauncherSetup(appUrl) {
+  note3(
+    `Complete the following steps in Salesforce now:
+
+  ${chalk.cyan("1.")} Open ${chalk.bold("App Launcher")} (grid icon, top-left in Salesforce)
+  ${chalk.cyan("2.")} Search for ${chalk.white('"Lead Router Setup"')} and click it
+  ${chalk.cyan("3.")} Click ${chalk.white('"Connect to Lead Router"')}
+     \u2192 You will be redirected to ${chalk.dim(appUrl)} and back
+     \u2192 Authorize the OAuth connection when prompted
+
+  ${chalk.cyan("4.")} ${chalk.bold("Step 1")} \u2014 wait for the ${chalk.green('"Connected"')} checkmark (~5 sec)
+  ${chalk.cyan("5.")} ${chalk.bold("Step 2")} \u2014 click ${chalk.white("Activate")} to enable Lead triggers
+  ${chalk.cyan("6.")} ${chalk.bold("Step 3")} \u2014 click ${chalk.white("Sync Fields")} to index your Lead field schema
+  ${chalk.cyan("7.")} ${chalk.bold("Step 4")} \u2014 click ${chalk.white("Send Test")} to fire a test routing event
+     \u2192 ${chalk.dim('"Test successful"')} or ${chalk.dim('"No matching rule"')} are both valid
+
+` + chalk.dim("Keep this terminal open while you complete the wizard."),
+    "Complete Salesforce setup"
+  );
+  const done = await confirm2({
+    message: "Have you completed the App Launcher wizard?",
+    initialValue: false
+  });
+  if (isCancel3(done)) {
+    log7.warn(
+      "Wizard skipped. Run `lead-routing sfdc deploy` to retry the Salesforce setup."
+    );
+    return;
+  }
+  if (!done) {
+    log7.warn(
+      `No problem \u2014 complete it at your own pace.
+  Open App Launcher \u2192 Lead Router Setup \u2192 Connect to Lead Router
+  Dashboard: ${appUrl}`
+    );
+  } else {
+    log7.success("Salesforce setup complete");
+  }
+}
+
+// src/utils/ssh.ts
+import net from "net";
+import { NodeSSH } from "node-ssh";
+var SshConnection = class {
+  ssh = new NodeSSH();
+  _connected = false;
+  async connect(config2) {
+    const opts = {
+      host: config2.host,
+      port: config2.port,
+      username: config2.username,
+      // Reduce connection timeout to fail fast on bad creds
+      readyTimeout: 15e3
+    };
+    if (config2.privateKeyPath) {
+      opts.privateKeyPath = config2.privateKeyPath;
+    } else if (config2.password) {
+      opts.password = config2.password;
+    }
+    await this.ssh.connect(opts);
+    this._connected = true;
+  }
+  get isConnected() {
+    return this._connected;
+  }
+  /**
+   * Run a command remotely. Throws if exit code is non-zero.
+   */
+  async exec(cmd, cwd) {
+    const result = await this.ssh.execCommand(cmd, cwd ? { cwd } : {});
+    if (result.code !== 0) {
+      throw new Error(
+        `Remote command failed (exit ${result.code}): ${cmd}
+${result.stderr || result.stdout}`
+      );
+    }
+    return { stdout: result.stdout, stderr: result.stderr };
+  }
+  /**
+   * Run a command remotely without throwing — returns code + output.
+   */
+  async execSilent(cmd, cwd) {
+    const result = await this.ssh.execCommand(cmd, cwd ? { cwd } : {});
+    return { stdout: result.stdout, stderr: result.stderr, code: result.code ?? 1 };
+  }
+  /**
+   * Create a remote directory (including parents).
+   */
+  async mkdir(remotePath) {
+    await this.exec(`mkdir -p ${remotePath}`);
+  }
+  /**
+   * Upload local files to the remote server via SFTP.
+   */
+  async upload(files) {
+    await this.ssh.putFiles(files);
+  }
+  /**
+   * Resolve ~ in a remote path by querying $HOME on the server.
+   */
+  async resolveHome(remotePath) {
+    if (!remotePath.startsWith("~")) return remotePath;
+    const { stdout } = await this.exec("echo $HOME");
+    return stdout.trim() + remotePath.slice(1);
+  }
+  /**
+   * Open an SSH port-forward tunnel.
+   * Creates a local TCP server that pipes connections through to
+   * localhost:{remotePort} on the remote machine.
+   *
+   * Returns the local port and a close() function.
+   * Call close() when migrations are done.
+   */
+  async tunnel(remotePort) {
+    const sshClient = this.ssh.connection;
+    if (!sshClient) throw new Error("SSH not connected \u2014 cannot open tunnel");
+    const server = net.createServer((socket) => {
+      ;
+      sshClient.forwardOut(
+        "127.0.0.1",
+        0,
+        "localhost",
+        remotePort,
+        (err, stream) => {
+          if (err) {
+            socket.destroy();
+            return;
+          }
+          socket.pipe(stream);
+          stream.pipe(socket);
+          socket.on("close", () => stream.destroy());
+          stream.on("close", () => socket.destroy());
+        }
+      );
+    });
+    return new Promise((resolve2, reject) => {
+      server.listen(0, "127.0.0.1", () => {
+        const { port } = server.address();
+        resolve2({
+          localPort: port,
+          close: () => server.close()
+        });
+      });
+      server.on("error", reject);
+    });
+  }
+  async disconnect() {
+    if (this._connected) {
+      this.ssh.dispose();
+      this._connected = false;
+    }
+  }
+};
+
+// src/commands/init.ts
+async function runInit(options = {}) {
+  const dryRun = options.dryRun ?? false;
+  console.log();
+  intro(
+    chalk2.bold.cyan("Lead Routing \u2014 Self-Hosted Setup") + (dryRun ? chalk2.yellow("  [dry run]") : "")
+  );
+  const ssh = new SshConnection();
+  try {
+    log8.step("Step 1/9  Checking local prerequisites");
+    await checkPrerequisites();
+    log8.step("Step 2/9  Server connection");
+    const sshCfg = await collectSshConfig();
+    log8.step("Step 3/9  Configuration");
+    const cfg = await collectConfig();
+    log8.step("Step 4/9  Generating config files");
+    const { dir, adminSecret } = generateFiles(cfg, sshCfg);
+    note4(
+      `Local config directory: ${chalk2.cyan(dir)}
+Files created: docker-compose.yml, Caddyfile, .env.web, .env.engine, lead-routing.json`,
+      "Files"
+    );
+    if (dryRun) {
+      outro(
+        chalk2.yellow("Dry run complete \u2014 no connection made, no services started.") + `
+
+  Config files written to: ${chalk2.cyan(dir)}
+
+  When ready, run ${chalk2.cyan("lead-routing init")} (without --dry-run) to deploy.`
+      );
+      return;
+    }
+    log8.step("Step 5/9  Connecting to server");
+    await ssh.connect(sshCfg);
+    const remoteDir = await ssh.resolveHome(sshCfg.remoteDir);
+    await checkRemotePrerequisites(ssh);
+    await uploadFiles(ssh, dir, remoteDir);
+    log8.step("Step 6/9  Starting services");
+    await startServices(ssh, remoteDir);
+    log8.step("Step 7/9  Database migrations");
+    await runMigrations(ssh, dir, cfg.adminEmail, cfg.adminPassword);
+    log8.step("Step 8/9  Verifying health");
+    await verifyHealth(cfg.appUrl, cfg.engineUrl);
+    log8.step("Step 9/9  Deploying Salesforce package");
+    await sfdcDeployInline({
+      appUrl: cfg.appUrl,
+      engineUrl: cfg.engineUrl,
+      orgAlias: cfg.orgAlias,
+      sfdcClientId: cfg.sfdcClientId,
+      sfdcLoginUrl: cfg.sfdcLoginUrl,
+      installDir: dir
+    });
+    await guideAppLauncherSetup(cfg.appUrl);
+    outro(
+      chalk2.green("\u2714  You're live!") + `
+
+  Dashboard:      ${chalk2.cyan(cfg.appUrl)}
+  Routing engine: ${chalk2.cyan(cfg.engineUrl)}
+
+  Admin email:    ${chalk2.white(cfg.adminEmail)}
+  Admin secret:   ${chalk2.yellow(adminSecret)}
+                  ${chalk2.dim("run `lead-routing config show` to retrieve later")}
+
+` + chalk2.bold("  Next steps:\n") + `  ${chalk2.cyan("1.")} Open ${chalk2.cyan(cfg.appUrl)} and log in
+  ${chalk2.cyan("2.")} Create your first routing rule to start routing leads
+
+  Run ${chalk2.cyan("lead-routing doctor")} to check service health at any time.
+  Run ${chalk2.cyan("lead-routing deploy")} to update to a new version.`
+    );
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log8.error(`Setup failed: ${message}`);
+    process.exit(1);
+  } finally {
+    await ssh.disconnect();
+  }
+}
+
+// src/commands/deploy.ts
+import { writeFileSync as writeFileSync4, unlinkSync } from "fs";
+import { join as join6 } from "path";
+import { tmpdir as tmpdir2 } from "os";
+import { intro as intro2, outro as outro2, log as log9, password as promptPassword } from "@clack/prompts";
+import chalk3 from "chalk";
+async function runDeploy() {
+  console.log();
+  intro2(chalk3.bold.cyan("Lead Routing \u2014 Deploy"));
+  const dir = findInstallDir();
+  if (!dir) {
+    log9.error(
+      "No lead-routing.json found. Run `lead-routing init` first, or run this command from your install directory."
+    );
+    process.exit(1);
+  }
+  const cfg = readConfig(dir);
+  const ssh = new SshConnection();
+  let sshPassword;
+  if (!cfg.ssh.privateKeyPath) {
+    const pw = await promptPassword({
+      message: `SSH password for ${cfg.ssh.username}@${cfg.ssh.host}`
+    });
+    if (typeof pw === "symbol") process.exit(0);
+    sshPassword = pw;
+  }
+  try {
+    await ssh.connect({
+      host: cfg.ssh.host,
+      port: cfg.ssh.port,
+      username: cfg.ssh.username,
+      privateKeyPath: cfg.ssh.privateKeyPath,
+      password: sshPassword,
+      remoteDir: cfg.remoteDir
+    });
+    log9.success(`Connected to ${cfg.ssh.host}`);
+  } catch (err) {
+    log9.error(`SSH connection failed: ${String(err)}`);
+    process.exit(1);
+  }
+  try {
+    const remoteDir = await ssh.resolveHome(cfg.remoteDir);
+    log9.step("Syncing Caddyfile");
+    const caddyContent = renderCaddyfile(cfg.appUrl, cfg.engineUrl);
+    const tmpCaddy = join6(tmpdir2(), "lead-routing-Caddyfile");
+    writeFileSync4(tmpCaddy, caddyContent, "utf8");
+    await ssh.upload([{ local: tmpCaddy, remote: `${remoteDir}/Caddyfile` }]);
+    unlinkSync(tmpCaddy);
+    await ssh.exec("docker compose restart caddy", remoteDir);
+    log9.success("Caddyfile synced \u2014 waiting for TLS cert (~30s)");
+    log9.step("Pulling latest Docker images");
+    await ssh.exec("docker compose pull", remoteDir);
+    log9.success("Images pulled");
+    log9.step("Restarting services");
+    await ssh.exec("docker compose up -d --remove-orphans", remoteDir);
+    log9.success("Services restarted");
+    log9.step("Running database migrations");
+    await runMigrations(ssh, dir, "", "");
+    outro2(
+      chalk3.green("\u2714  Deployment complete!") + `
+
+  ${chalk3.cyan(cfg.appUrl)}`
+    );
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log9.error(`Deploy failed: ${message}`);
+    process.exit(1);
+  } finally {
+    await ssh.disconnect();
+  }
+}
+
+// src/commands/doctor.ts
+import { intro as intro3, outro as outro3, log as log10 } from "@clack/prompts";
+import chalk4 from "chalk";
+import { execa as execa4 } from "execa";
+async function runDoctor() {
+  console.log();
+  intro3(chalk4.bold.cyan("Lead Routing \u2014 Health Check"));
+  const dir = findInstallDir();
+  if (!dir) {
+    log10.error("No lead-routing.json found. Run `lead-routing init` first.");
+    process.exit(1);
+  }
+  const cfg = readConfig(dir);
+  const checks = [];
+  checks.push(await checkDockerDaemon());
+  const containers = ["web", "engine"];
+  if (cfg.dockerManaged.db) containers.push("postgres");
+  if (cfg.dockerManaged.redis) containers.push("redis");
+  for (const name of containers) {
+    checks.push(await checkContainer(name, dir));
+  }
+  checks.push(await checkEndpoint("Web app", `${cfg.appUrl}/api/health`));
+  checks.push(await checkEndpoint("Routing engine", `${cfg.engineUrl}/health`));
+  console.log();
+  for (const c of checks) {
+    const icon = c.pass ? chalk4.green("\u2714") : chalk4.red("\u2717");
+    const label = c.pass ? chalk4.white(c.label) : chalk4.red(c.label);
+    const detail = c.detail ? chalk4.dim(` \u2014 ${c.detail}`) : "";
+    console.log(`  ${icon}  ${label}${detail}`);
+  }
+  console.log();
+  const failed = checks.filter((c) => !c.pass);
+  if (failed.length === 0) {
+    outro3(chalk4.green("All checks passed"));
+  } else {
+    outro3(chalk4.yellow(`${failed.length} check(s) failed`));
+    process.exit(1);
+  }
+}
+async function checkDockerDaemon() {
+  try {
+    await execa4("docker", ["info"], { reject: true });
+    return { label: "Docker daemon", pass: true };
+  } catch {
+    return { label: "Docker daemon", pass: false, detail: "not running" };
+  }
+}
+async function checkContainer(name, dir) {
+  try {
+    const result = await execa4(
+      "docker",
+      ["compose", "ps", "--format", "json", name],
+      { cwd: dir, reject: false }
+    );
+    const output = result.stdout.trim();
+    if (!output) {
+      return { label: `Container: ${name}`, pass: false, detail: "not found" };
+    }
+    const rows = output.split("\n").map((l) => {
+      try {
+        return JSON.parse(l);
+      } catch {
+        return null;
+      }
+    }).filter(Boolean);
+    const running = rows.some(
+      (r) => r.State === "running" || r.Status && r.Status.toLowerCase().includes("up")
+    );
+    return {
+      label: `Container: ${name}`,
+      pass: running,
+      detail: running ? "running" : "not running"
+    };
+  } catch {
+    return { label: `Container: ${name}`, pass: false, detail: "error checking status" };
+  }
+}
+async function checkEndpoint(label, url) {
+  try {
+    const res = await fetch(url, { signal: AbortSignal.timeout(5e3) });
+    return {
+      label: `Health: ${label}`,
+      pass: res.ok,
+      detail: `HTTP ${res.status}`
+    };
+  } catch (err) {
+    const detail = err instanceof Error ? err.message : String(err);
+    return { label: `Health: ${label}`, pass: false, detail };
+  }
+}
+
+// src/commands/logs.ts
+import { log as log11 } from "@clack/prompts";
+import { execa as execa5 } from "execa";
+var VALID_SERVICES = ["web", "engine", "postgres", "redis"];
+async function runLogs(service = "engine") {
+  if (!VALID_SERVICES.includes(service)) {
+    log11.error(`Unknown service "${service}". Valid options: ${VALID_SERVICES.join(", ")}`);
+    process.exit(1);
+  }
+  const dir = findInstallDir();
+  if (!dir) {
+    log11.error("No lead-routing.json found. Run `lead-routing init` first.");
+    process.exit(1);
+  }
+  console.log(`
+Streaming logs for ${service} (Ctrl+C to stop)...
+`);
+  const child = execa5("docker", ["compose", "logs", "-f", "--tail=100", service], {
+    cwd: dir,
+    stdio: "inherit",
+    reject: false
+  });
+  await child;
+}
+
+// src/commands/status.ts
+import { log as log12 } from "@clack/prompts";
+import { execa as execa6 } from "execa";
+async function runStatus() {
+  const dir = findInstallDir();
+  if (!dir) {
+    log12.error("No lead-routing.json found. Run `lead-routing init` first.");
+    process.exit(1);
+  }
+  const result = await execa6("docker", ["compose", "ps"], {
+    cwd: dir,
+    stdio: "inherit",
+    reject: false
+  });
+  if (result.exitCode !== 0) {
+    log12.error("Failed to get container status. Is Docker running?");
+    process.exit(1);
+  }
+}
+
+// src/commands/config.ts
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync5, existsSync as existsSync5 } from "fs";
+import { join as join7 } from "path";
+import { intro as intro4, outro as outro4, text as text3, password as password3, spinner as spinner7, log as log13 } from "@clack/prompts";
+import chalk5 from "chalk";
+import { execa as execa7 } from "execa";
+function parseEnv(filePath) {
+  const map = /* @__PURE__ */ new Map();
+  if (!existsSync5(filePath)) return map;
+  for (const line of readFileSync4(filePath, "utf8").split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eq = trimmed.indexOf("=");
+    if (eq === -1) continue;
+    map.set(trimmed.slice(0, eq), trimmed.slice(eq + 1));
+  }
+  return map;
+}
+function writeEnv(filePath, updates) {
+  const lines = existsSync5(filePath) ? readFileSync4(filePath, "utf8").split("\n") : [];
+  const updated = /* @__PURE__ */ new Set();
+  const result = lines.map((line) => {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) return line;
+    const eq = trimmed.indexOf("=");
+    if (eq === -1) return line;
+    const key = trimmed.slice(0, eq);
+    if (key in updates) {
+      updated.add(key);
+      return `${key}=${updates[key]}`;
+    }
+    return line;
+  });
+  for (const [key, val] of Object.entries(updates)) {
+    if (!updated.has(key)) result.push(`${key}=${val}`);
+  }
+  writeFileSync5(filePath, result.join("\n"), "utf8");
+}
+async function runConfigSfdc() {
+  intro4("Lead Routing \u2014 Update Salesforce Credentials");
+  const dir = findInstallDir();
+  if (!dir) {
+    log13.error("No lead-routing installation found in the current directory.");
+    log13.info("Run `lead-routing init` first, or cd into your installation directory.");
+    process.exit(1);
+  }
+  const envWeb = join7(dir, ".env.web");
+  const envEngine = join7(dir, ".env.engine");
+  const currentWeb = parseEnv(envWeb);
+  const currentClientId = currentWeb.get("SFDC_CLIENT_ID") ?? "";
+  const currentLoginUrl = currentWeb.get("SFDC_LOGIN_URL") ?? "https://login.salesforce.com";
+  const currentAppUrl = currentWeb.get("APP_URL") ?? "";
+  const callbackUrl = `${currentAppUrl}/api/auth/callback`;
+  log13.info(
+    `Paste the credentials from your Salesforce Connected App.
+Callback URL for your Connected App: ${callbackUrl}`
+  );
+  const clientId = await text3({
+    message: "Consumer Key (Client ID)",
+    initialValue: currentClientId,
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (clientId === null || typeof clientId === "symbol") {
+    process.exit(0);
+  }
+  const clientSecret = await password3({
+    message: "Consumer Secret (Client Secret)",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (clientSecret === null || typeof clientSecret === "symbol") {
+    process.exit(0);
+  }
+  const updates = {
+    SFDC_CLIENT_ID: clientId,
+    SFDC_CLIENT_SECRET: clientSecret
+  };
+  writeEnv(envWeb, updates);
+  writeEnv(envEngine, updates);
+  log13.success("Updated .env.web and .env.engine");
+  const s = spinner7();
+  s.start("Restarting web and engine containers\u2026");
+  try {
+    await execa7("docker", ["compose", "up", "-d", "--force-recreate", "web", "engine"], {
+      cwd: dir
+    });
+    s.stop("Containers restarted");
+  } catch (err) {
+    s.stop("Restart failed \u2014 run `docker compose up -d --force-recreate web engine` manually");
+    log13.warn(String(err));
+  }
+  outro4(
+    "Salesforce credentials updated!\n\nNext: go to the web app \u2192 Settings \u2192 Connect Salesforce to refresh your OAuth tokens."
+  );
+}
+function runConfigShow() {
+  const dir = findInstallDir();
+  if (!dir) {
+    console.error("No lead-routing installation found in the current directory.");
+    process.exit(1);
+  }
+  const envWeb = join7(dir, ".env.web");
+  const cfg = parseEnv(envWeb);
+  const adminSecret = cfg.get("ADMIN_SECRET") ?? "(not found)";
+  const appUrl = cfg.get("APP_URL") ?? "(not found)";
+  const sfdcClientId = cfg.get("SFDC_CLIENT_ID") ?? "(not found)";
+  console.log();
+  console.log(chalk5.bold("Lead Routing \u2014 Installation Config"));
+  console.log();
+  console.log(`  Admin panel:   ${chalk5.cyan(appUrl + "/admin")}`);
+  console.log(`  Admin secret:  ${chalk5.yellow(adminSecret)}`);
+  console.log();
+  console.log(`  SFDC Client ID: ${chalk5.white(sfdcClientId)}`);
+  console.log();
+}
+
+// src/commands/sfdc.ts
+import { intro as intro5, outro as outro5, text as text4, spinner as spinner8, log as log14 } from "@clack/prompts";
+import chalk6 from "chalk";
+import { execa as execa8 } from "execa";
+async function runSfdcDeploy() {
+  intro5("Lead Routing \u2014 Deploy Salesforce Package");
+  let appUrl;
+  let engineUrl;
+  const dir = findInstallDir();
+  const config2 = dir ? readConfig(dir) : null;
+  if (config2?.appUrl && config2?.engineUrl) {
+    appUrl = config2.appUrl;
+    engineUrl = config2.engineUrl;
+    log14.info(`Using config from ${dir}/lead-routing.json`);
+  } else {
+    log14.warn("No lead-routing.json found \u2014 enter the URLs from your installation.");
+    const rawApp = await text4({
+      message: "App URL (e.g. https://leads.acme.com)",
+      validate: (v) => !v ? "Required" : void 0
+    });
+    if (typeof rawApp === "symbol") process.exit(0);
+    appUrl = rawApp.trim();
+    const rawEngine = await text4({
+      message: "Engine URL (e.g. https://engine.acme.com or https://acme.com:3001)",
+      validate: (v) => !v ? "Required" : void 0
+    });
+    if (typeof rawEngine === "symbol") process.exit(0);
+    engineUrl = rawEngine.trim();
+  }
+  const s = spinner8();
+  s.start("Checking Salesforce CLI\u2026");
+  try {
+    await execa8("sf", ["--version"], { all: true });
+    s.stop("Salesforce CLI found");
+  } catch {
+    s.stop("Salesforce CLI (sf) not found");
+    log14.error(
+      "Install the Salesforce CLI and re-run this command:\n  https://developer.salesforce.com/tools/salesforcecli"
+    );
+    process.exit(1);
+  }
+  const alias = await text4({
+    message: "Salesforce org alias (used to log in)",
+    placeholder: "lead-routing",
+    initialValue: "lead-routing",
+    validate: (v) => !v ? "Required" : void 0
+  });
+  if (typeof alias === "symbol") process.exit(0);
+  try {
+    await sfdcDeployInline({
+      appUrl,
+      engineUrl,
+      orgAlias: alias,
+      // Read from config if available; alreadyAuthed check will skip login if already logged in
+      sfdcClientId: config2?.sfdcClientId ?? "",
+      sfdcLoginUrl: config2?.sfdcLoginUrl ?? "https://login.salesforce.com",
+      installDir: dir ?? void 0
+    });
+  } catch (err) {
+    log14.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
+  outro5(
+    chalk6.green("\u2714  Salesforce package deployed!") + `
+
+  Next steps:
+  1. In Salesforce, open App Launcher \u2192 search "Lead Router Setup"
+  2. Click "Connect to Lead Router" to authorise the OAuth connection
+  3. Follow the 4-step wizard to activate triggers and sync field schema
+
+  Your Lead Router dashboard: ${chalk6.cyan(appUrl)}`
+  );
+}
+
+// src/index.ts
+var program = new Command();
+program.name("lead-routing").description("Self-hosted Lead Routing \u2014 scaffold, deploy, and manage your installation").version("0.1.0");
+program.command("init").description("Interactive setup wizard \u2014 configure and deploy the full Lead Routing stack").option("--dry-run", "Run the wizard and generate config files without starting Docker services").action((opts) => runInit({ dryRun: opts.dryRun }));
+program.command("deploy").description("Pull latest images, restart services, and run any pending migrations").action(runDeploy);
+program.command("doctor").description("Check the health of all services in your installation").action(runDoctor);
+program.command("logs [service]").description("Stream logs from a service (web, engine, postgres, redis). Defaults to engine.").action((service) => runLogs(service));
+program.command("status").description("Show the running state of all Docker containers").action(runStatus);
+var config = program.command("config").description("Update configuration values in a live installation");
+config.command("show").description("Print key config values for this installation (admin secret, app URL, SFDC client ID)").action(runConfigShow);
+config.command("sfdc").description("Update Salesforce Connected App credentials (Consumer Key + Secret)").action(runConfigSfdc);
+var sfdc = program.command("sfdc").description("Manage the Salesforce package for this installation");
+sfdc.command("deploy").description("Deploy (or redeploy) the Lead Router Salesforce package to your Salesforce org").action(runSfdcDeploy);
+program.parseAsync(process.argv).catch((err) => {
+  console.error(err instanceof Error ? err.message : String(err));
+  process.exit(1);
+});