@lead-routing/cli 0.1.13 → 0.3.0

package/dist/index.js

@@ -5,29 +5,16 @@ import { Command } from "commander";
 
 // src/commands/init.ts
 import { promises as dns } from "dns";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
+import { join as join6 } from "path";
 import { intro, outro, note as note4, log as log9, confirm as confirm2, cancel as cancel3, isCancel as isCancel4, password as promptPassword } from "@clack/prompts";
 import chalk2 from "chalk";
 
 // src/steps/prerequisites.ts
 import { log } from "@clack/prompts";
-
-// src/utils/exec.ts
-import { execa } from "execa";
-import { spinner } from "@clack/prompts";
-async function runSilent(cmd, args, opts = {}) {
-  try {
-    const result = await execa(cmd, args, { cwd: opts.cwd, reject: false });
-    return result.stdout;
-  } catch {
-    return "";
-  }
-}
-
-// src/steps/prerequisites.ts
 async function checkPrerequisites() {
   const results = await Promise.all([
-    checkNodeVersion(),
-    checkSalesforceCLI()
+    checkNodeVersion()
   ]);
   const failed = results.filter((r) => !r.ok);
   for (const r of results) {
@@ -54,17 +41,6 @@ async function checkNodeVersion() {
   }
   return { ok: true, label: `Node.js ${version}` };
 }
-async function checkSalesforceCLI() {
-  const out = await runSilent("sf", ["--version"]);
-  if (!out) {
-    return {
-      ok: false,
-      label: "Salesforce CLI (sf) \u2014 not found",
-      detail: "install from https://developer.salesforce.com/tools/salesforcecli"
-    };
-  }
-  return { ok: true, label: `Salesforce CLI \u2014 ${out.trim()}` };
-}
 
 // src/steps/collect-ssh-config.ts
 import { existsSync } from "fs";
@@ -196,8 +172,9 @@ async function collectConfig(opts = {}) {
   const dbPassword = generateSecret(16);
   const managedDb = !opts.externalDb;
   const databaseUrl = opts.externalDb ?? `postgresql://leadrouting:${dbPassword}@postgres:5432/leadrouting`;
+  const redisPassword = generateSecret(16);
   const managedRedis = !opts.externalRedis;
-  const redisUrl = opts.externalRedis ?? "redis://redis:6379";
+  const redisUrl = opts.externalRedis ?? `redis://:${redisPassword}@redis:6379`;
   note2("This creates the first admin user for the web app.", "Admin Account");
   const adminEmail = await text2({
     message: "Admin email address",
@@ -219,6 +196,7 @@ async function collectConfig(opts = {}) {
   const sessionSecret = generateSecret(32);
   const engineWebhookSecret = generateSecret(32);
   const adminSecret = generateSecret(16);
+  const internalApiKey = generateSecret(32);
   return {
     appUrl: appUrl.trim().replace(/\/+$/, ""),
     engineUrl: engineUrl.trim().replace(/\/+$/, ""),
@@ -230,13 +208,15 @@ async function collectConfig(opts = {}) {
     dbPassword: managedDb ? dbPassword : "",
     managedRedis,
     redisUrl,
+    redisPassword: managedRedis ? redisPassword : "",
     adminEmail,
     adminPassword,
     resendApiKey: "",
     feedbackToEmail: "",
     sessionSecret,
     engineWebhookSecret,
-    adminSecret
+    adminSecret,
+    internalApiKey
   };
 }
 
@@ -269,14 +249,16 @@ function renderDockerCompose(c) {
       timeout: 5s
       retries: 10
 ` : "";
+  const redisPassword = c.redisPassword ?? "";
   const redisService = c.managedRedis ? `
   redis:
     image: redis:7-alpine
-    restart: unless-stopped
+    restart: unless-stopped${redisPassword ? `
+    command: redis-server --requirepass ${redisPassword}` : ""}
     volumes:
       - redis_data:/data
     healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
+      test: ["CMD-SHELL", "redis-cli${redisPassword ? ` -a ${redisPassword}` : ""} ping | grep PONG"]
       interval: 5s
       timeout: 3s
       retries: 10
@@ -389,6 +371,11 @@ function renderEnvWeb(c) {
     ``,
     `# Admin`,
     `ADMIN_SECRET=${c.adminSecret}`,
+    `ADMIN_EMAIL=${c.adminEmail}`,
+    `ADMIN_PASSWORD=${c.adminPassword}`,
+    ``,
+    `# Internal API key (shared with engine for analytics)`,
+    `INTERNAL_API_KEY=${c.internalApiKey}`,
     ``,
     `# Email (optional)`,
     `RESEND_API_KEY=${c.resendApiKey ?? ""}`,
@@ -419,7 +406,10 @@ function renderEnvEngine(c) {
     `SFDC_LOGIN_URL=${c.sfdcLoginUrl}`,
     ``,
     `# Webhook`,
-    `ENGINE_WEBHOOK_SECRET=${c.engineWebhookSecret}`
+    `ENGINE_WEBHOOK_SECRET=${c.engineWebhookSecret}`,
+    ``,
+    `# Internal API key (Bearer token for analytics endpoints)`,
+    `INTERNAL_API_KEY=${c.internalApiKey}`
   ].join("\n");
 }
 
@@ -436,7 +426,18 @@ function renderCaddyfile(appUrl, engineUrl) {
       `# Generated by lead-routing CLI`,
       `# Caddy auto-provisions SSL certificates via Let's Encrypt`,
       ``,
+      `(security_headers) {`,
+      `  header {`,
+      `    X-Content-Type-Options nosniff`,
+      `    X-Frame-Options DENY`,
+      `    Referrer-Policy strict-origin-when-cross-origin`,
+      `    Permissions-Policy interest-cohort=()`,
+      `    Strict-Transport-Security "max-age=31536000; includeSubDomains"`,
+      `  }`,
+      `}`,
+      ``,
       `${appHost} {`,
+      `  import security_headers`,
       `  reverse_proxy web:3000 {`,
       `    health_uri /api/health`,
       `    health_interval 15s`,
@@ -444,6 +445,7 @@ function renderCaddyfile(appUrl, engineUrl) {
       `}`,
       ``,
       `${appHost}:${enginePort} {`,
+      `  import security_headers`,
       `  reverse_proxy engine:3001 {`,
       `    health_uri /health`,
       `    health_interval 15s`,
@@ -456,7 +458,18 @@ function renderCaddyfile(appUrl, engineUrl) {
     `# Generated by lead-routing CLI`,
     `# Caddy auto-provisions SSL certificates via Let's Encrypt`,
     ``,
+    `(security_headers) {`,
+    `  header {`,
+    `    X-Content-Type-Options nosniff`,
+    `    X-Frame-Options DENY`,
+    `    Referrer-Policy strict-origin-when-cross-origin`,
+    `    Permissions-Policy interest-cohort=()`,
+    `    Strict-Transport-Security "max-age=31536000; includeSubDomains"`,
+    `  }`,
+    `}`,
+    ``,
     `${appHost} {`,
+    `  import security_headers`,
     `  reverse_proxy web:3000 {`,
     `    health_uri /api/health`,
     `    health_interval 15s`,
@@ -464,6 +477,7 @@ function renderCaddyfile(appUrl, engineUrl) {
     `}`,
     ``,
     `${engineHost} {`,
+    `  import security_headers`,
     `  reverse_proxy engine:3001 {`,
     `    health_uri /health`,
     `    health_interval 15s`,
@@ -479,10 +493,10 @@ function getConfigPath(dir) {
   return join(dir, "lead-routing.json");
 }
 function readConfig(dir) {
-  const path2 = getConfigPath(dir);
-  if (!existsSync2(path2)) return null;
+  const path = getConfigPath(dir);
+  if (!existsSync2(path)) return null;
   try {
-    return JSON.parse(readFileSync(path2, "utf8"));
+    return JSON.parse(readFileSync(path, "utf8"));
   } catch {
     return null;
   }
@@ -515,7 +529,8 @@ function generateFiles(cfg, sshCfg) {
   const composeContent = renderDockerCompose({
     managedDb: cfg.managedDb,
     managedRedis: cfg.managedRedis,
-    dbPassword: cfg.dbPassword
+    dbPassword: cfg.dbPassword,
+    redisPassword: cfg.redisPassword
   });
   const composeFile = join2(dir, "docker-compose.yml");
   writeFileSync2(composeFile, composeContent, "utf8");
@@ -535,6 +550,9 @@ function generateFiles(cfg, sshCfg) {
     sessionSecret: cfg.sessionSecret,
     engineWebhookSecret: cfg.engineWebhookSecret,
     adminSecret: cfg.adminSecret,
+    adminEmail: cfg.adminEmail,
+    adminPassword: cfg.adminPassword,
+    internalApiKey: cfg.internalApiKey,
     resendApiKey: cfg.resendApiKey || void 0,
     feedbackToEmail: cfg.feedbackToEmail || void 0
   });
@@ -547,7 +565,8 @@ function generateFiles(cfg, sshCfg) {
     sfdcClientId: cfg.sfdcClientId,
     sfdcClientSecret: cfg.sfdcClientSecret,
     sfdcLoginUrl: cfg.sfdcLoginUrl,
-    engineWebhookSecret: cfg.engineWebhookSecret
+    engineWebhookSecret: cfg.engineWebhookSecret,
+    internalApiKey: cfg.internalApiKey
   });
   const envEngine = join2(dir, ".env.engine");
   writeFileSync2(envEngine, envEngineContent, "utf8");
@@ -571,6 +590,7 @@ function generateFiles(cfg, sshCfg) {
     // Stored so `lead-routing sfdc deploy` can re-authenticate without re-prompting
     sfdcClientId: cfg.sfdcClientId,
     sfdcLoginUrl: cfg.sfdcLoginUrl,
+    engineWebhookSecret: cfg.engineWebhookSecret,
     installedAt: (/* @__PURE__ */ new Date()).toISOString(),
     version: getCliVersion()
   });
@@ -579,7 +599,7 @@ function generateFiles(cfg, sshCfg) {
 }
 
 // src/steps/check-remote-prerequisites.ts
-import { log as log4, spinner as spinner2 } from "@clack/prompts";
+import { log as log4, spinner } from "@clack/prompts";
 async function checkRemotePrerequisites(ssh) {
   const dockerResult = await checkOrInstallDocker(ssh);
   const composeResult = await checkRemoteDockerCompose(ssh);
@@ -620,7 +640,7 @@ async function checkOrInstallDocker(ssh) {
     }
     return { ok: true, label: `Docker \u2014 ${stdout.trim()}` };
   }
-  const s = spinner2();
+  const s = spinner();
   s.start("Docker not found \u2014 installing via get.docker.com (~2 min)\u2026");
   try {
     const { code: curlCode } = await ssh.execSilent("command -v curl 2>/dev/null");
@@ -719,9 +739,9 @@ async function checkRemotePort(ssh, port) {
 
 // src/steps/upload-files.ts
 import { join as join3 } from "path";
-import { spinner as spinner3 } from "@clack/prompts";
+import { spinner as spinner2 } from "@clack/prompts";
 async function uploadFiles(ssh, localDir, remoteDir) {
-  const s = spinner3();
+  const s = spinner2();
   s.start("Uploading config files to server");
   try {
     await ssh.mkdir(remoteDir);
@@ -746,7 +766,7 @@ async function uploadFiles(ssh, localDir, remoteDir) {
 }
 
 // src/steps/start-services.ts
-import { spinner as spinner4, log as log5 } from "@clack/prompts";
+import { spinner as spinner3, log as log5 } from "@clack/prompts";
 async function startServices(ssh, remoteDir) {
   await wipeStalePostgresVolume(ssh, remoteDir);
   await pullImages(ssh, remoteDir);
@@ -760,7 +780,7 @@ async function wipeStalePostgresVolume(ssh, remoteDir) {
   if (code !== 0) {
     return;
   }
-  const s = spinner4();
+  const s = spinner3();
   s.start("Removing existing database volume for clean install");
   try {
     await ssh.exec("docker compose down -v --remove-orphans", remoteDir);
@@ -774,7 +794,7 @@ async function wipeStalePostgresVolume(ssh, remoteDir) {
   }
 }
 async function pullImages(ssh, remoteDir) {
-  const s = spinner4();
+  const s = spinner3();
   s.start("Pulling Docker images on server (this may take a few minutes)");
   try {
     await ssh.exec("docker compose pull", remoteDir);
@@ -787,7 +807,7 @@ async function pullImages(ssh, remoteDir) {
   }
 }
 async function startContainers(ssh, remoteDir) {
-  const s = spinner4();
+  const s = spinner3();
   s.start("Starting services");
   try {
     await ssh.exec("docker compose up -d --remove-orphans", remoteDir);
@@ -798,7 +818,7 @@ async function startContainers(ssh, remoteDir) {
   }
 }
 async function waitForPostgres(ssh, remoteDir) {
-  const s = spinner4();
+  const s = spinner3();
   s.start("Waiting for PostgreSQL to be ready");
   const maxAttempts = 24;
   let containerReady = false;
@@ -834,119 +854,11 @@ async function waitForPostgres(ssh, remoteDir) {
   log5.warn("Host TCP port check timed out \u2014 tunnel may have issues. Proceeding anyway.");
 }
 function sleep(ms) {
-  return new Promise((resolve2) => setTimeout(resolve2, ms));
-}
-
-// src/steps/run-migrations.ts
-import * as fs from "fs";
-import * as path from "path";
-import * as crypto from "crypto";
-import { fileURLToPath as fileURLToPath2 } from "url";
-import { execa as execa2 } from "execa";
-import { spinner as spinner5 } from "@clack/prompts";
-var __filename = fileURLToPath2(import.meta.url);
-var __dirname2 = path.dirname(__filename);
-function readEnvVar(envFile, key) {
-  const content = fs.readFileSync(envFile, "utf8");
-  const match = content.match(new RegExp(`^${key}=(.+)$`, "m"));
-  if (!match) throw new Error(`${key} not found in ${envFile}`);
-  return match[1].trim().replace(/^["']|["']$/g, "");
-}
-function getTunneledDbUrl(localDir, localPort) {
-  const rawUrl = readEnvVar(path.join(localDir, ".env.web"), "DATABASE_URL");
-  const parsed = new URL(rawUrl);
-  parsed.hostname = "localhost";
-  parsed.port = String(localPort);
-  return parsed.toString();
-}
-function findPrismaBin() {
-  const candidates = [
-    // npx / npm global install: @lead-routing/cli is nested under the scope dir,
-    // so prisma lands 3 levels above dist/ in node_modules/.bin/
-    // e.g. ~/.npm/_npx/HASH/node_modules/.bin/prisma
-    path.join(__dirname2, "../../../.bin/prisma"),
-    path.join(__dirname2, "../../../prisma/bin/prisma.js"),
-    // Fallback: prisma nested inside the package's own node_modules (hoisted install)
-    path.join(__dirname2, "../node_modules/.bin/prisma"),
-    path.join(__dirname2, "../node_modules/prisma/bin/prisma.js"),
-    // Monorepo dev paths
-    path.resolve("packages/db/node_modules/.bin/prisma"),
-    path.resolve("node_modules/.bin/prisma"),
-    path.resolve("node_modules/.pnpm/node_modules/.bin/prisma")
-  ];
-  const found = candidates.find(fs.existsSync);
-  if (!found) throw new Error("Prisma binary not found \u2014 CLI may need to be reinstalled.");
-  return found;
-}
-async function runMigrations(ssh, localDir, adminEmail, adminPassword) {
-  const s = spinner5();
-  s.start("Opening secure tunnel to database");
-  let tunnelClose;
-  try {
-    const { localPort, close } = await ssh.tunnel(5432);
-    tunnelClose = close;
-    s.stop(`Database tunnel open (local port ${localPort})`);
-    await applyMigrations(localDir, localPort);
-    if (adminEmail && adminPassword) {
-      await seedAdminUser(localDir, localPort, adminEmail, adminPassword);
-    }
-  } finally {
-    tunnelClose?.();
-  }
-}
-async function applyMigrations(localDir, localPort) {
-  const s = spinner5();
-  s.start("Running database migrations");
-  try {
-    const DATABASE_URL = getTunneledDbUrl(localDir, localPort);
-    const prismaBin = findPrismaBin();
-    const bundledSchema = path.join(__dirname2, "prisma/schema.prisma");
-    const monoSchema = path.resolve("packages/db/prisma/schema.prisma");
-    const schemaPath = fs.existsSync(bundledSchema) ? bundledSchema : monoSchema;
-    await execa2(prismaBin, ["migrate", "deploy", "--schema", schemaPath], {
-      env: { ...process.env, DATABASE_URL }
-    });
-    s.stop("Database migrations applied");
-  } catch (err) {
-    s.stop("Migrations failed");
-    throw err;
-  }
-}
-async function seedAdminUser(localDir, localPort, adminEmail, adminPassword) {
-  const s = spinner5();
-  s.start("Creating admin user");
-  try {
-    const DATABASE_URL = getTunneledDbUrl(localDir, localPort);
-    const webhookSecret = readEnvVar(path.join(localDir, ".env.engine"), "ENGINE_WEBHOOK_SECRET");
-    const salt = crypto.randomBytes(16).toString("hex");
-    const pbkdf2Hash = crypto.pbkdf2Sync(adminPassword, salt, 31e4, 32, "sha256").toString("hex");
-    const passwordHash = `${salt}:${pbkdf2Hash}`;
-    const safeEmail = adminEmail.replace(/'/g, "''");
-    const safeWebhookSecret = webhookSecret.replace(/'/g, "''");
-    const sql = `
--- Create initial organisation if none exists (self-hosted defaults: PAID plan, unlimited seats)
-INSERT INTO organizations (id, "webhookSecret", plan, "seatsPurchased", "isActive", "createdAt", "updatedAt")
-SELECT gen_random_uuid(), '${safeWebhookSecret}', 'PAID', 9999, true, NOW(), NOW()
-WHERE NOT EXISTS (SELECT 1 FROM organizations);
-
--- Create admin AppUser under the first org (idempotent)
-INSERT INTO app_users (id, "orgId", email, name, "passwordHash", role, "isActive", "createdAt", "updatedAt")
-SELECT gen_random_uuid(), o.id, '${safeEmail}', 'Admin', '${passwordHash}', 'ADMIN', true, NOW(), NOW()
-FROM organizations o
-LIMIT 1
-ON CONFLICT ("orgId", email) DO NOTHING;
-`;
-    const prismaBin = findPrismaBin();
-    await execa2(prismaBin, ["db", "execute", "--stdin", "--url", DATABASE_URL], { input: sql });
-    s.stop("Admin user ready");
-  } catch (err) {
-    s.stop("Seed failed");
-    throw err;
-  }
+  return new Promise((resolve) => setTimeout(resolve, ms));
 }
 
 // src/steps/verify-health.ts
-import { spinner as spinner6, log as log6 } from "@clack/prompts";
+import { spinner as spinner4, log as log6 } from "@clack/prompts";
 async function verifyHealth(appUrl, engineUrl, ssh, remoteDir) {
   const checks = [
     { service: "Web app", url: `${appUrl}/api/health` },
@@ -995,7 +907,7 @@ To resume once fixed:
   );
 }
 async function pollHealth(service, url, maxAttempts = 24, intervalMs = 5e3) {
-  const s = spinner6();
+  const s = spinner4();
   s.start(`Waiting for ${service}`);
   for (let i = 0; i < maxAttempts; i++) {
     try {
@@ -1020,44 +932,304 @@ async function pollHealth(service, url, maxAttempts = 24, intervalMs = 5e3) {
   };
 }
 function sleep2(ms) {
-  return new Promise((resolve2) => setTimeout(resolve2, ms));
+  return new Promise((resolve) => setTimeout(resolve, ms));
 }
 
 // src/steps/sfdc-deploy-inline.ts
 import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, existsSync as existsSync4, cpSync, rmSync } from "fs";
-import { join as join5, dirname as dirname3 } from "path";
+import { join as join5, dirname as dirname2 } from "path";
 import { tmpdir } from "os";
-import { fileURLToPath as fileURLToPath3 } from "url";
-import { spinner as spinner7, log as log7 } from "@clack/prompts";
-import { execa as execa3 } from "execa";
-var __dirname3 = dirname3(fileURLToPath3(import.meta.url));
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { execSync } from "child_process";
+import { spinner as spinner5, log as log7 } from "@clack/prompts";
+
+// src/utils/sfdc-api.ts
+var API_VERSION = "v59.0";
+var SalesforceApi = class {
+  constructor(instanceUrl, accessToken) {
+    this.instanceUrl = instanceUrl;
+    this.accessToken = accessToken;
+    this.baseUrl = `${instanceUrl.replace(/\/+$/, "")}/services/data/${API_VERSION}`;
+  }
+  baseUrl;
+  headers(extra) {
+    return {
+      Authorization: `Bearer ${this.accessToken}`,
+      "Content-Type": "application/json",
+      ...extra
+    };
+  }
+  /** Execute a SOQL query and return records */
+  async query(soql) {
+    const url = `${this.baseUrl}/query?q=${encodeURIComponent(soql)}`;
+    const res = await fetch(url, { headers: this.headers() });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`SOQL query failed (${res.status}): ${body}`);
+    }
+    const data = await res.json();
+    return data.records;
+  }
+  /** Create an sObject record, returns the new record ID */
+  async create(sobject, data) {
+    const url = `${this.baseUrl}/sobjects/${sobject}`;
+    const res = await fetch(url, {
+      method: "POST",
+      headers: this.headers(),
+      body: JSON.stringify(data)
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      if (res.status === 400 && body.includes("Duplicate")) {
+        throw new DuplicateError(body);
+      }
+      throw new Error(`Create ${sobject} failed (${res.status}): ${body}`);
+    }
+    const result = await res.json();
+    return result.id;
+  }
+  /** Update an sObject record */
+  async update(sobject, id, data) {
+    const url = `${this.baseUrl}/sobjects/${sobject}/${id}`;
+    const res = await fetch(url, {
+      method: "PATCH",
+      headers: this.headers(),
+      body: JSON.stringify(data)
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Update ${sobject}/${id} failed (${res.status}): ${body}`);
+    }
+  }
+  /** Get current user info (for permission set assignment) */
+  async getCurrentUserId() {
+    const url = `${this.instanceUrl.replace(/\/+$/, "")}/services/oauth2/userinfo`;
+    const res = await fetch(url, {
+      headers: { Authorization: `Bearer ${this.accessToken}` }
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Get current user failed (${res.status}): ${body}`);
+    }
+    const data = await res.json();
+    return data.user_id;
+  }
+  /**
+   * Deploy metadata using the Source Deploy API (same API that `sf project deploy start` uses).
+   * Accepts a ZIP buffer containing the source-format package.
+   * Returns the deploy request ID for polling.
+   */
+  async deployMetadata(zipBuffer) {
+    const url = `${this.baseUrl}/metadata/deployRequest`;
+    const boundary = `----FormBoundary${Date.now()}`;
+    const deployOptions = JSON.stringify({
+      deployOptions: {
+        rollbackOnError: true,
+        singlePackage: true
+      }
+    });
+    const parts = [];
+    parts.push(
+      Buffer.from(
+        `--${boundary}\r
+Content-Disposition: form-data; name="json"\r
+Content-Type: application/json\r
+\r
+${deployOptions}\r
+`
+      )
+    );
+    parts.push(
+      Buffer.from(
+        `--${boundary}\r
+Content-Disposition: form-data; name="file"; filename="deploy.zip"\r
+Content-Type: application/zip\r
+\r
+`
+      )
+    );
+    parts.push(zipBuffer);
+    parts.push(Buffer.from(`\r
+--${boundary}--\r
+`));
+    const body = Buffer.concat(parts);
+    const res = await fetch(url, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${this.accessToken}`,
+        "Content-Type": `multipart/form-data; boundary=${boundary}`
+      },
+      body
+    });
+    if (!res.ok) {
+      const text5 = await res.text();
+      throw new Error(
+        `Metadata deploy request failed (${res.status}): ${text5}`
+      );
+    }
+    const result = await res.json();
+    return result.id;
+  }
+  /**
+   * Poll deploy status until complete.
+   * Returns deploy result with success/failure info.
+   */
+  async waitForDeploy(deployId, timeoutMs = 3e5) {
+    const startTime = Date.now();
+    const pollInterval = 3e3;
+    while (Date.now() - startTime < timeoutMs) {
+      const url = `${this.baseUrl}/metadata/deployRequest/${deployId}?includeDetails=true`;
+      const res = await fetch(url, { headers: this.headers() });
+      if (!res.ok) {
+        const text5 = await res.text();
+        throw new Error(
+          `Deploy status check failed (${res.status}): ${text5}`
+        );
+      }
+      const data = await res.json();
+      const result = data.deployResult;
+      if (result.done) {
+        return result;
+      }
+      await new Promise((resolve) => setTimeout(resolve, pollInterval));
+    }
+    throw new Error(`Deploy timed out after ${timeoutMs / 1e3}s`);
+  }
+};
+var DuplicateError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "DuplicateError";
+  }
+};
+
+// src/utils/zip-source.ts
+import { join as join4 } from "path";
+import { readdirSync, readFileSync as readFileSync3, existsSync as existsSync3 } from "fs";
+import archiver from "archiver";
+var META_TYPE_MAP = {
+  applications: "CustomApplication",
+  classes: "ApexClass",
+  triggers: "ApexTrigger",
+  lwc: "LightningComponentBundle",
+  permissionsets: "PermissionSet",
+  namedCredentials: "NamedCredential",
+  remoteSiteSettings: "RemoteSiteSetting",
+  tabs: "CustomTab"
+};
+async function zipSourcePackage(packageDir) {
+  const forceAppDefault = join4(packageDir, "force-app", "main", "default");
+  let apiVersion = "59.0";
+  try {
+    const proj = JSON.parse(readFileSync3(join4(packageDir, "sfdx-project.json"), "utf8"));
+    if (proj.sourceApiVersion) apiVersion = proj.sourceApiVersion;
+  } catch {
+  }
+  const members = /* @__PURE__ */ new Map();
+  const addMember = (type, name) => {
+    if (!members.has(type)) members.set(type, /* @__PURE__ */ new Set());
+    members.get(type).add(name);
+  };
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    const archive = archiver("zip", { zlib: { level: 9 } });
+    archive.on("data", (chunk) => chunks.push(chunk));
+    archive.on("end", () => resolve(Buffer.concat(chunks)));
+    archive.on("error", reject);
+    for (const [dirName, metaType] of Object.entries(META_TYPE_MAP)) {
+      const srcDir = join4(forceAppDefault, dirName);
+      if (!existsSync3(srcDir)) continue;
+      const entries = readdirSync(srcDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (dirName === "lwc" && entry.isDirectory()) {
+          addMember(metaType, entry.name);
+          archive.directory(join4(srcDir, entry.name), `${dirName}/${entry.name}`);
+        } else if (entry.isFile()) {
+          archive.file(join4(srcDir, entry.name), { name: `${dirName}/${entry.name}` });
+          if (!entry.name.endsWith("-meta.xml")) {
+            const memberName = entry.name.replace(/\.[^.]+$/, "");
+            addMember(metaType, memberName);
+          }
+        }
+      }
+    }
+    const objectsDir = join4(forceAppDefault, "objects");
+    if (existsSync3(objectsDir)) {
+      for (const objEntry of readdirSync(objectsDir, { withFileTypes: true })) {
+        if (!objEntry.isDirectory()) continue;
+        const objName = objEntry.name;
+        addMember("CustomObject", objName);
+        const objDir = join4(objectsDir, objName);
+        const objectXml = mergeObjectXml(objDir, objName, apiVersion);
+        archive.append(Buffer.from(objectXml, "utf8"), {
+          name: `objects/${objName}.object`
+        });
+      }
+    }
+    const packageXml = generatePackageXml(members, apiVersion);
+    archive.append(Buffer.from(packageXml, "utf8"), { name: "package.xml" });
+    archive.finalize();
+  });
+}
+function mergeObjectXml(objDir, objName, apiVersion) {
+  const lines = [
+    '<?xml version="1.0" encoding="UTF-8"?>',
+    '<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">'
+  ];
+  const objMetaPath = join4(objDir, `${objName}.object-meta.xml`);
+  if (existsSync3(objMetaPath)) {
+    const content = readFileSync3(objMetaPath, "utf8");
+    const inner = content.replace(/<\?xml[^?]*\?>\s*/g, "").replace(/<CustomObject[^>]*>/g, "").replace(/<\/CustomObject>/g, "").trim();
+    if (inner) lines.push(inner);
+  }
+  const fieldsDir = join4(objDir, "fields");
+  if (existsSync3(fieldsDir)) {
+    for (const fieldFile of readdirSync(fieldsDir).sort()) {
+      if (!fieldFile.endsWith(".field-meta.xml")) continue;
+      const content = readFileSync3(join4(fieldsDir, fieldFile), "utf8");
+      const inner = content.replace(/<\?xml[^?]*\?>\s*/g, "").replace(/<CustomField[^>]*>/g, "").replace(/<\/CustomField>/g, "").trim();
+      if (inner) {
+        lines.push("    <fields>");
+        lines.push(`        ${inner}`);
+        lines.push("    </fields>");
+      }
+    }
+  }
+  lines.push("</CustomObject>");
+  return lines.join("\n");
+}
+function generatePackageXml(members, apiVersion) {
+  const lines = [
+    '<?xml version="1.0" encoding="UTF-8"?>',
+    '<Package xmlns="http://soap.sforce.com/2006/04/metadata">'
+  ];
+  for (const [metaType, names] of [...members.entries()].sort((a, b) => a[0].localeCompare(b[0]))) {
+    lines.push("    <types>");
+    for (const name of [...names].sort()) {
+      lines.push(`        <members>${name}</members>`);
+    }
+    lines.push(`        <name>${metaType}</name>`);
+    lines.push("    </types>");
+  }
+  lines.push(`    <version>${apiVersion}</version>`);
+  lines.push("</Package>");
+  return lines.join("\n");
+}
+
+// src/steps/sfdc-deploy-inline.ts
+var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
 function patchXml(content, tag, value) {
   const re = new RegExp(`(<${tag}>)[^<]*(</\\s*${tag}>)`, "g");
   return content.replace(re, `$1${value}$2`);
 }
 async function sfdcDeployInline(params) {
-  const { appUrl, engineUrl, orgAlias, installDir } = params;
-  const s = spinner7();
-  const { exitCode: authCheck } = await execa3(
-    "sf",
-    ["org", "display", "--target-org", orgAlias, "--json"],
-    { reject: false }
-  );
-  const alreadyAuthed = authCheck === 0;
-  let sfCredEnv = {};
-  let targetOrgArgs = ["--target-org", orgAlias];
-  if (alreadyAuthed) {
-    log7.success("Using existing Salesforce authentication");
-  } else {
-    const { accessToken, instanceUrl, aliasStored } = await loginViaAppBridge(appUrl, orgAlias);
-    sfCredEnv = { SF_ACCESS_TOKEN: accessToken, SF_ORG_INSTANCE_URL: instanceUrl };
-    if (!aliasStored) {
-      targetOrgArgs = [];
-    }
-  }
+  const { appUrl, engineUrl, installDir } = params;
+  const s = spinner5();
+  const { accessToken, instanceUrl } = await loginViaAppBridge(appUrl);
+  const sf = new SalesforceApi(instanceUrl, accessToken);
   s.start("Copying Salesforce package\u2026");
-  const inDist = join5(__dirname3, "sfdc-package");
-  const nextToDist = join5(__dirname3, "..", "sfdc-package");
+  const inDist = join5(__dirname2, "sfdc-package");
+  const nextToDist = join5(__dirname2, "..", "sfdc-package");
   const bundledPkg = existsSync4(inDist) ? inDist : nextToDist;
   const destPkg = join5(installDir ?? tmpdir(), "lead-routing-sfdc-package");
   if (!existsSync4(bundledPkg)) {
@@ -1111,37 +1283,59 @@ The CLI may need to be reinstalled: npm i -g @lead-routing/cli`
   log7.success("Remote Site Settings patched");
   s.start("Deploying Salesforce package (this may take ~2 min)\u2026");
   try {
-    await execa3(
-      "sf",
-      ["project", "deploy", "start", ...targetOrgArgs, "--source-dir", "force-app"],
-      { cwd: destPkg, stdio: "inherit", env: { ...process.env, ...sfCredEnv } }
-    );
-    s.stop("Package deployed");
+    const zipBuffer = await zipSourcePackage(destPkg);
+    const deployId = await sf.deployMetadata(zipBuffer);
+    const result = await sf.waitForDeploy(deployId);
+    if (!result.success) {
+      const failures = result.details?.componentFailures ?? [];
+      const failureMsg = failures.map((f) => `  ${f.componentType}/${f.fullName}: ${f.problem}`).join("\n");
+      s.stop("Deployment failed");
+      throw new Error(
+        `Metadata deploy failed (${result.numberComponentErrors} error(s)):
+${failureMsg || result.errorMessage || "Unknown error"}`
+      );
+    }
+    s.stop(`Package deployed (${result.numberComponentsDeployed} components)`);
   } catch (err) {
+    if (err instanceof Error && err.message.startsWith("Metadata deploy failed")) {
+      throw err;
+    }
     s.stop("Deployment failed");
     throw new Error(
-      `sf project deploy failed: ${String(err)}
+      `Metadata deploy failed: ${String(err)}
 
-  Retry manually:
-  cd ${destPkg}
-  sf project deploy start --target-org ${orgAlias} --source-dir force-app`
+  The patched package is at: ${destPkg}
+  You can retry with: sf project deploy start --source-dir force-app`
     );
   }
   s.start("Assigning LeadRouterAdmin permission set\u2026");
   try {
-    await execa3(
-      "sf",
-      ["org", "assign", "permset", "--name", "LeadRouterAdmin", ...targetOrgArgs],
-      { stdio: "inherit", env: { ...process.env, ...sfCredEnv } }
+    const permSets = await sf.query(
+      "SELECT Id FROM PermissionSet WHERE Name = 'LeadRouterAdmin' LIMIT 1"
     );
-    s.stop("Permission set assigned \u2014 Lead Router Setup will appear in the App Launcher");
-  } catch (err) {
-    const msg = String(err);
-    if (msg.includes("Duplicate PermissionSetAssignment")) {
-      s.stop("Permission set already assigned");
+    if (permSets.length === 0) {
+      s.stop("LeadRouterAdmin permission set not found (non-fatal)");
+      log7.warn("The permission set may not have been included in the deploy.");
     } else {
+      const userId = await sf.getCurrentUserId();
+      try {
+        await sf.create("PermissionSetAssignment", {
+          AssigneeId: userId,
+          PermissionSetId: permSets[0].Id
+        });
+        s.stop("Permission set assigned \u2014 Lead Router Setup will appear in the App Launcher");
+      } catch (err) {
+        if (err instanceof DuplicateError) {
+          s.stop("Permission set already assigned");
+        } else {
+          throw err;
+        }
+      }
+    }
+  } catch (err) {
+    if (!(err instanceof DuplicateError)) {
       s.stop("Permission set assignment failed (non-fatal)");
-      log7.warn(msg);
+      log7.warn(String(err));
       log7.info(
         "Grant access manually:\n  Salesforce Setup \u2192 Users \u2192 Permission Sets \u2192 Lead Router Admin \u2192 Manage Assignments"
       );
@@ -1149,44 +1343,20 @@ The CLI may need to be reinstalled: npm i -g @lead-routing/cli`
   }
   s.start("Writing org settings to Routing_Settings__c\u2026");
   try {
-    let existingId;
-    try {
-      const qr = await execa3("sf", [
-        "data",
-        "query",
-        ...targetOrgArgs,
-        "--query",
-        "SELECT Id FROM Routing_Settings__c LIMIT 1",
-        "--json"
-      ], { env: { ...process.env, ...sfCredEnv } });
-      const parsed = JSON.parse(qr.stdout);
-      existingId = parsed?.result?.records?.[0]?.Id;
-    } catch {
+    const existing = await sf.query(
+      "SELECT Id FROM Routing_Settings__c LIMIT 1"
+    );
+    const settingsData = {
+      App_Url__c: appUrl,
+      Engine_Endpoint__c: engineUrl
+    };
+    if (params.webhookSecret) {
+      settingsData.Webhook_Secret__c = params.webhookSecret;
     }
-    if (existingId) {
-      await execa3("sf", [
-        "data",
-        "update",
-        "record",
-        ...targetOrgArgs,
-        "--sobject",
-        "Routing_Settings__c",
-        "--record-id",
-        existingId,
-        "--values",
-        `App_Url__c='${appUrl}' Engine_Endpoint__c='${engineUrl}'`
-      ], { stdio: "inherit", env: { ...process.env, ...sfCredEnv } });
+    if (existing.length > 0) {
+      await sf.update("Routing_Settings__c", existing[0].Id, settingsData);
     } else {
-      await execa3("sf", [
-        "data",
-        "create",
-        "record",
-        ...targetOrgArgs,
-        "--sobject",
-        "Routing_Settings__c",
-        "--values",
-        `App_Url__c='${appUrl}' Engine_Endpoint__c='${engineUrl}'`
-      ], { stdio: "inherit", env: { ...process.env, ...sfCredEnv } });
+      await sf.create("Routing_Settings__c", settingsData);
     }
     s.stop("Org settings written");
   } catch (err) {
@@ -1195,9 +1365,9 @@ The CLI may need to be reinstalled: npm i -g @lead-routing/cli`
     log7.info("Set manually: Salesforce \u2192 Custom Settings \u2192 Routing Settings \u2192 Manage");
   }
 }
-async function loginViaAppBridge(rawAppUrl, orgAlias) {
+async function loginViaAppBridge(rawAppUrl) {
   const appUrl = rawAppUrl.replace(/\/+$/, "");
-  const s = spinner7();
+  const s = spinner5();
   s.start("Starting Salesforce authentication via your Lead Router app\u2026");
   let sessionId;
   let authUrl;
@@ -1227,8 +1397,10 @@ Ensure the app is running and the URL is correct.`
 `);
   log7.info('If Chrome shows a "Dangerous site" warning with no proceed option, paste the URL into Safari or Firefox.');
   const opener = process.platform === "win32" ? "start" : process.platform === "darwin" ? "open" : "xdg-open";
-  await execa3(opener, [authUrl], { reject: false }).catch(() => {
-  });
+  try {
+    execSync(`${opener} "${authUrl}"`, { stdio: "ignore" });
+  } catch {
+  }
   s.start("Waiting for Salesforce authentication in browser\u2026");
   const maxPolls = 150;
   let accessToken;
@@ -1258,20 +1430,7 @@ Ensure the app is running and the URL is correct.`
     );
   }
   s.stop("Authenticated with Salesforce");
-  let aliasStored = false;
-  try {
-    await execa3(
-      "sf",
-      ["org", "login", "access-token", "--instance-url", instanceUrl, "--alias", orgAlias, "--no-prompt"],
-      { env: { ...process.env, SFDX_ACCESS_TOKEN: accessToken } }
-    );
-    log7.success(`Salesforce org saved as "${orgAlias}"`);
-    aliasStored = true;
-  } catch (err) {
-    log7.warn(`Could not persist sf CLI credentials: ${String(err)}`);
-    log7.info("Continuing with direct token auth for this session.");
-  }
-  return { accessToken, instanceUrl, aliasStored };
+  return { accessToken, instanceUrl };
 }
 
 // src/steps/app-launcher-guide.ts
@@ -1412,10 +1571,10 @@ ${result.stderr || result.stdout}`
         }
       );
     });
-    return new Promise((resolve2, reject) => {
+    return new Promise((resolve, reject) => {
       server.listen(0, "127.0.0.1", () => {
         const { port } = server.address();
-        resolve2({
+        resolve({
           localPort: port,
           close: () => server.close()
         });
@@ -1490,16 +1649,17 @@ async function runInit(options = {}) {
       });
       log9.success(`Connected to ${saved.ssh.host}`);
       const remoteDir = await ssh.resolveHome(saved.remoteDir);
-      log9.step("Step 8/9  Verifying health");
+      log9.step("Step 7/8  Verifying health");
       await verifyHealth(saved.appUrl, saved.engineUrl, ssh, remoteDir);
-      log9.step("Step 9/9  Deploying Salesforce package");
+      log9.step("Step 8/8  Deploying Salesforce package");
       await sfdcDeployInline({
         appUrl: saved.appUrl,
         engineUrl: saved.engineUrl,
         orgAlias: "lead-routing",
         sfdcClientId: saved.sfdcClientId ?? "",
         sfdcLoginUrl: saved.sfdcLoginUrl ?? "https://login.salesforce.com",
-        installDir: dir
+        installDir: dir,
+        webhookSecret: saved.engineWebhookSecret
       });
       await guideAppLauncherSetup(saved.appUrl);
       outro(
@@ -1524,9 +1684,9 @@ async function runInit(options = {}) {
     return;
   }
   try {
-    log9.step("Step 1/9  Checking local prerequisites");
+    log9.step("Step 1/8  Checking local prerequisites");
     await checkPrerequisites();
-    log9.step("Step 2/9  SSH connection");
+    log9.step("Step 2/8  SSH connection");
     const sshCfg = await collectSshConfig({
       sshPort: options.sshPort,
       sshUser: options.sshUser,
@@ -1543,14 +1703,14 @@ async function runInit(options = {}) {
         process.exit(1);
       }
     }
-    log9.step("Step 3/9  Configuration");
+    log9.step("Step 3/8  Configuration");
     const cfg = await collectConfig({
       sandbox: options.sandbox,
       externalDb: options.externalDb,
       externalRedis: options.externalRedis
     });
     await checkDnsResolvable(cfg.appUrl, cfg.engineUrl);
-    log9.step("Step 4/9  Generating config files");
+    log9.step("Step 4/8  Generating config files");
     const { dir, adminSecret } = generateFiles(cfg, sshCfg);
     note4(
       `Local config directory: ${chalk2.cyan(dir)}
@@ -1567,24 +1727,31 @@ Files created: docker-compose.yml, Caddyfile, .env.web, .env.engine, lead-routin
       );
       return;
     }
-    log9.step("Step 5/9  Remote setup");
+    log9.step("Step 5/8  Remote setup");
     const remoteDir = await ssh.resolveHome(sshCfg.remoteDir);
     await checkRemotePrerequisites(ssh);
     await uploadFiles(ssh, dir, remoteDir);
-    log9.step("Step 6/9  Starting services");
+    log9.step("Step 6/8  Starting services");
     await startServices(ssh, remoteDir);
-    log9.step("Step 7/9  Database migrations");
-    await runMigrations(ssh, dir, cfg.adminEmail, cfg.adminPassword);
-    log9.step("Step 8/9  Verifying health");
+    log9.step("Step 7/8  Verifying health");
     await verifyHealth(cfg.appUrl, cfg.engineUrl, ssh, remoteDir);
-    log9.step("Step 9/9  Deploying Salesforce package");
+    try {
+      const envWebPath = join6(dir, ".env.web");
+      const envContent = readFileSync5(envWebPath, "utf-8");
+      const cleaned = envContent.split("\n").filter((line) => !line.startsWith("ADMIN_PASSWORD=")).join("\n");
+      writeFileSync4(envWebPath, cleaned, "utf-8");
+      log9.success("Removed ADMIN_PASSWORD from .env.web (no longer needed after seed)");
+    } catch {
+    }
+    log9.step("Step 8/8  Deploying Salesforce package");
     await sfdcDeployInline({
       appUrl: cfg.appUrl,
       engineUrl: cfg.engineUrl,
       orgAlias: "lead-routing",
       sfdcClientId: cfg.sfdcClientId,
       sfdcLoginUrl: cfg.sfdcLoginUrl,
-      installDir: dir
+      installDir: dir,
+      webhookSecret: cfg.engineWebhookSecret
     });
     await guideAppLauncherSetup(cfg.appUrl);
     outro(
@@ -1613,8 +1780,8 @@ Files created: docker-compose.yml, Caddyfile, .env.web, .env.engine, lead-routin
 }
 
 // src/commands/deploy.ts
-import { writeFileSync as writeFileSync4, unlinkSync } from "fs";
-import { join as join6 } from "path";
+import { writeFileSync as writeFileSync5, unlinkSync } from "fs";
+import { join as join7 } from "path";
 import { tmpdir as tmpdir2 } from "os";
 import { intro as intro2, outro as outro2, log as log10, password as promptPassword2 } from "@clack/prompts";
 import chalk3 from "chalk";
@@ -1656,8 +1823,8 @@ async function runDeploy() {
     const remoteDir = await ssh.resolveHome(cfg.remoteDir);
     log10.step("Syncing Caddyfile");
     const caddyContent = renderCaddyfile(cfg.appUrl, cfg.engineUrl);
-    const tmpCaddy = join6(tmpdir2(), "lead-routing-Caddyfile");
-    writeFileSync4(tmpCaddy, caddyContent, "utf8");
+    const tmpCaddy = join7(tmpdir2(), "lead-routing-Caddyfile");
+    writeFileSync5(tmpCaddy, caddyContent, "utf8");
     await ssh.upload([{ local: tmpCaddy, remote: `${remoteDir}/Caddyfile` }]);
     unlinkSync(tmpCaddy);
     await ssh.exec("docker compose restart caddy", remoteDir);
@@ -1668,8 +1835,6 @@ async function runDeploy() {
     log10.step("Restarting services");
     await ssh.exec("docker compose up -d --remove-orphans", remoteDir);
     log10.success("Services restarted");
-    log10.step("Running database migrations");
-    await runMigrations(ssh, dir);
     outro2(
       chalk3.green("\u2714  Deployment complete!") + `
 
@@ -1687,7 +1852,7 @@ async function runDeploy() {
 // src/commands/doctor.ts
 import { intro as intro3, outro as outro3, log as log11 } from "@clack/prompts";
 import chalk4 from "chalk";
-import { execa as execa4 } from "execa";
+import { execa } from "execa";
 async function runDoctor() {
   console.log();
   intro3(chalk4.bold.cyan("Lead Routing \u2014 Health Check"));
@@ -1725,7 +1890,7 @@ async function runDoctor() {
 }
 async function checkDockerDaemon() {
   try {
-    await execa4("docker", ["info"], { reject: true });
+    await execa("docker", ["info"], { reject: true });
     return { label: "Docker daemon", pass: true };
   } catch {
     return { label: "Docker daemon", pass: false, detail: "not running" };
@@ -1733,7 +1898,7 @@ async function checkDockerDaemon() {
 }
 async function checkContainer(name, dir) {
   try {
-    const result = await execa4(
+    const result = await execa(
       "docker",
       ["compose", "ps", "--format", "json", name],
       { cwd: dir, reject: false }
@@ -1777,7 +1942,7 @@ async function checkEndpoint(label, url) {
 
 // src/commands/logs.ts
 import { log as log12 } from "@clack/prompts";
-import { execa as execa5 } from "execa";
+import { execa as execa2 } from "execa";
 var VALID_SERVICES = ["web", "engine", "postgres", "redis"];
 async function runLogs(service = "engine") {
   if (!VALID_SERVICES.includes(service)) {
@@ -1792,7 +1957,7 @@ async function runLogs(service = "engine") {
   console.log(`
 Streaming logs for ${service} (Ctrl+C to stop)...
 `);
-  const child = execa5("docker", ["compose", "logs", "-f", "--tail=100", service], {
+  const child = execa2("docker", ["compose", "logs", "-f", "--tail=100", service], {
     cwd: dir,
     stdio: "inherit",
     reject: false
@@ -1802,14 +1967,14 @@ Streaming logs for ${service} (Ctrl+C to stop)...
 
 // src/commands/status.ts
 import { log as log13 } from "@clack/prompts";
-import { execa as execa6 } from "execa";
+import { execa as execa3 } from "execa";
 async function runStatus() {
   const dir = findInstallDir();
   if (!dir) {
     log13.error("No lead-routing.json found. Run `lead-routing init` first.");
     process.exit(1);
   }
-  const result = await execa6("docker", ["compose", "ps"], {
+  const result = await execa3("docker", ["compose", "ps"], {
     cwd: dir,
     stdio: "inherit",
     reject: false
@@ -1821,15 +1986,15 @@ async function runStatus() {
 }
 
 // src/commands/config.ts
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, existsSync as existsSync5 } from "fs";
-import { join as join7 } from "path";
-import { intro as intro4, outro as outro4, text as text3, password as password3, spinner as spinner8, log as log14 } from "@clack/prompts";
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync6, existsSync as existsSync5 } from "fs";
+import { join as join8 } from "path";
+import { intro as intro4, outro as outro4, text as text3, password as password3, spinner as spinner6, log as log14 } from "@clack/prompts";
 import chalk5 from "chalk";
-import { execa as execa7 } from "execa";
+import { execa as execa4 } from "execa";
 function parseEnv(filePath) {
   const map = /* @__PURE__ */ new Map();
   if (!existsSync5(filePath)) return map;
-  for (const line of readFileSync5(filePath, "utf8").split("\n")) {
+  for (const line of readFileSync6(filePath, "utf8").split("\n")) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
     const eq = trimmed.indexOf("=");
@@ -1839,7 +2004,7 @@ function parseEnv(filePath) {
   return map;
 }
 function writeEnv(filePath, updates) {
-  const lines = existsSync5(filePath) ? readFileSync5(filePath, "utf8").split("\n") : [];
+  const lines = existsSync5(filePath) ? readFileSync6(filePath, "utf8").split("\n") : [];
   const updated = /* @__PURE__ */ new Set();
   const result = lines.map((line) => {
     const trimmed = line.trim();
@@ -1856,7 +2021,7 @@ function writeEnv(filePath, updates) {
   for (const [key, val] of Object.entries(updates)) {
     if (!updated.has(key)) result.push(`${key}=${val}`);
   }
-  writeFileSync5(filePath, result.join("\n"), "utf8");
+  writeFileSync6(filePath, result.join("\n"), "utf8");
 }
 async function runConfigSfdc() {
   intro4("Lead Routing \u2014 Update Salesforce Credentials");
@@ -1866,8 +2031,8 @@ async function runConfigSfdc() {
     log14.info("Run `lead-routing init` first, or cd into your installation directory.");
     process.exit(1);
   }
-  const envWeb = join7(dir, ".env.web");
-  const envEngine = join7(dir, ".env.engine");
+  const envWeb = join8(dir, ".env.web");
+  const envEngine = join8(dir, ".env.engine");
   const currentWeb = parseEnv(envWeb);
   const currentClientId = currentWeb.get("SFDC_CLIENT_ID") ?? "";
   const currentLoginUrl = currentWeb.get("SFDC_LOGIN_URL") ?? "https://login.salesforce.com";
@@ -1899,10 +2064,10 @@ Callback URL for your Connected App: ${callbackUrl}`
   writeEnv(envWeb, updates);
   writeEnv(envEngine, updates);
   log14.success("Updated .env.web and .env.engine");
-  const s = spinner8();
+  const s = spinner6();
   s.start("Restarting web and engine containers\u2026");
   try {
-    await execa7("docker", ["compose", "up", "-d", "--force-recreate", "web", "engine"], {
+    await execa4("docker", ["compose", "up", "-d", "--force-recreate", "web", "engine"], {
       cwd: dir
     });
     s.stop("Containers restarted");
@@ -1920,7 +2085,7 @@ function runConfigShow() {
     console.error("No lead-routing installation found in the current directory.");
     process.exit(1);
   }
-  const envWeb = join7(dir, ".env.web");
+  const envWeb = join8(dir, ".env.web");
   const cfg = parseEnv(envWeb);
   const adminSecret = cfg.get("ADMIN_SECRET") ?? "(not found)";
   const appUrl = cfg.get("APP_URL") ?? "(not found)";
@@ -1936,9 +2101,8 @@ function runConfigShow() {
 }
 
 // src/commands/sfdc.ts
-import { intro as intro5, outro as outro5, text as text4, spinner as spinner9, log as log15 } from "@clack/prompts";
+import { intro as intro5, outro as outro5, text as text4, log as log15 } from "@clack/prompts";
 import chalk6 from "chalk";
-import { execa as execa8 } from "execa";
 async function runSfdcDeploy() {
   intro5("Lead Routing \u2014 Deploy Salesforce Package");
   let appUrl;
@@ -1964,18 +2128,6 @@ async function runSfdcDeploy() {
     if (typeof rawEngine === "symbol") process.exit(0);
     engineUrl = rawEngine.trim();
   }
-  const s = spinner9();
-  s.start("Checking Salesforce CLI\u2026");
-  try {
-    await execa8("sf", ["--version"], { all: true });
-    s.stop("Salesforce CLI found");
-  } catch {
-    s.stop("Salesforce CLI (sf) not found");
-    log15.error(
-      "Install the Salesforce CLI and re-run this command:\n  https://developer.salesforce.com/tools/salesforcecli"
-    );
-    process.exit(1);
-  }
   const alias = await text4({
     message: "Salesforce org alias (used to log in)",
     placeholder: "lead-routing",
@@ -1988,10 +2140,11 @@ async function runSfdcDeploy() {
       appUrl,
       engineUrl,
       orgAlias: alias,
-      // Read from config if available; alreadyAuthed check will skip login if already logged in
+      // Read from config if available
       sfdcClientId: config2?.sfdcClientId ?? "",
       sfdcLoginUrl: config2?.sfdcLoginUrl ?? "https://login.salesforce.com",
-      installDir: dir ?? void 0
+      installDir: dir ?? void 0,
+      webhookSecret: config2?.engineWebhookSecret
     });
   } catch (err) {
     log15.error(err instanceof Error ? err.message : String(err));