@lead-routing/cli 0.2.0 → 0.4.0

package/dist/index.js

@@ -5,8 +5,10 @@ import { Command } from "commander";
 
 // src/commands/init.ts
 import { promises as dns } from "dns";
-import { intro, outro, note as note4, log as log9, confirm as confirm2, cancel as cancel3, isCancel as isCancel4, password as promptPassword } from "@clack/prompts";
-import chalk2 from "chalk";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
+import { join as join4 } from "path";
+import { intro, outro, note as note3, log as log7, confirm, cancel as cancel3, isCancel as isCancel3, password as promptPassword } from "@clack/prompts";
+import chalk from "chalk";
 
 // src/steps/prerequisites.ts
 import { log } from "@clack/prompts";
@@ -170,8 +172,9 @@ async function collectConfig(opts = {}) {
   const dbPassword = generateSecret(16);
   const managedDb = !opts.externalDb;
   const databaseUrl = opts.externalDb ?? `postgresql://leadrouting:${dbPassword}@postgres:5432/leadrouting`;
+  const redisPassword = generateSecret(16);
   const managedRedis = !opts.externalRedis;
-  const redisUrl = opts.externalRedis ?? "redis://redis:6379";
+  const redisUrl = opts.externalRedis ?? `redis://:${redisPassword}@redis:6379`;
   note2("This creates the first admin user for the web app.", "Admin Account");
   const adminEmail = await text2({
     message: "Admin email address",
@@ -193,6 +196,7 @@ async function collectConfig(opts = {}) {
   const sessionSecret = generateSecret(32);
   const engineWebhookSecret = generateSecret(32);
   const adminSecret = generateSecret(16);
+  const internalApiKey = generateSecret(32);
   return {
     appUrl: appUrl.trim().replace(/\/+$/, ""),
     engineUrl: engineUrl.trim().replace(/\/+$/, ""),
@@ -204,13 +208,15 @@ async function collectConfig(opts = {}) {
     dbPassword: managedDb ? dbPassword : "",
     managedRedis,
     redisUrl,
+    redisPassword: managedRedis ? redisPassword : "",
     adminEmail,
     adminPassword,
     resendApiKey: "",
     feedbackToEmail: "",
     sessionSecret,
     engineWebhookSecret,
-    adminSecret
+    adminSecret,
+    internalApiKey
   };
 }
 
@@ -243,14 +249,16 @@ function renderDockerCompose(c) {
       timeout: 5s
       retries: 10
 ` : "";
+  const redisPassword = c.redisPassword ?? "";
   const redisService = c.managedRedis ? `
   redis:
     image: redis:7-alpine
-    restart: unless-stopped
+    restart: unless-stopped${redisPassword ? `
+    command: redis-server --requirepass ${redisPassword}` : ""}
     volumes:
       - redis_data:/data
     healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
+      test: ["CMD-SHELL", "redis-cli${redisPassword ? ` -a ${redisPassword}` : ""} ping | grep PONG"]
       interval: 5s
       timeout: 3s
       retries: 10
@@ -366,6 +374,9 @@ function renderEnvWeb(c) {
     `ADMIN_EMAIL=${c.adminEmail}`,
     `ADMIN_PASSWORD=${c.adminPassword}`,
     ``,
+    `# Internal API key (shared with engine for analytics)`,
+    `INTERNAL_API_KEY=${c.internalApiKey}`,
+    ``,
     `# Email (optional)`,
     `RESEND_API_KEY=${c.resendApiKey ?? ""}`,
     `FEEDBACK_TO_EMAIL=${c.feedbackToEmail ?? ""}`
@@ -395,7 +406,10 @@ function renderEnvEngine(c) {
     `SFDC_LOGIN_URL=${c.sfdcLoginUrl}`,
     ``,
     `# Webhook`,
-    `ENGINE_WEBHOOK_SECRET=${c.engineWebhookSecret}`
+    `ENGINE_WEBHOOK_SECRET=${c.engineWebhookSecret}`,
+    ``,
+    `# Internal API key (Bearer token for analytics endpoints)`,
+    `INTERNAL_API_KEY=${c.internalApiKey}`
   ].join("\n");
 }
 
@@ -412,7 +426,18 @@ function renderCaddyfile(appUrl, engineUrl) {
       `# Generated by lead-routing CLI`,
       `# Caddy auto-provisions SSL certificates via Let's Encrypt`,
       ``,
+      `(security_headers) {`,
+      `  header {`,
+      `    X-Content-Type-Options nosniff`,
+      `    X-Frame-Options DENY`,
+      `    Referrer-Policy strict-origin-when-cross-origin`,
+      `    Permissions-Policy interest-cohort=()`,
+      `    Strict-Transport-Security "max-age=31536000; includeSubDomains"`,
+      `  }`,
+      `}`,
+      ``,
       `${appHost} {`,
+      `  import security_headers`,
       `  reverse_proxy web:3000 {`,
       `    health_uri /api/health`,
       `    health_interval 15s`,
@@ -420,6 +445,7 @@ function renderCaddyfile(appUrl, engineUrl) {
       `}`,
       ``,
       `${appHost}:${enginePort} {`,
+      `  import security_headers`,
       `  reverse_proxy engine:3001 {`,
       `    health_uri /health`,
       `    health_interval 15s`,
@@ -432,7 +458,18 @@ function renderCaddyfile(appUrl, engineUrl) {
     `# Generated by lead-routing CLI`,
     `# Caddy auto-provisions SSL certificates via Let's Encrypt`,
     ``,
+    `(security_headers) {`,
+    `  header {`,
+    `    X-Content-Type-Options nosniff`,
+    `    X-Frame-Options DENY`,
+    `    Referrer-Policy strict-origin-when-cross-origin`,
+    `    Permissions-Policy interest-cohort=()`,
+    `    Strict-Transport-Security "max-age=31536000; includeSubDomains"`,
+    `  }`,
+    `}`,
+    ``,
     `${appHost} {`,
+    `  import security_headers`,
     `  reverse_proxy web:3000 {`,
     `    health_uri /api/health`,
     `    health_interval 15s`,
@@ -440,6 +477,7 @@ function renderCaddyfile(appUrl, engineUrl) {
     `}`,
     ``,
     `${engineHost} {`,
+    `  import security_headers`,
     `  reverse_proxy engine:3001 {`,
     `    health_uri /health`,
     `    health_interval 15s`,
@@ -491,7 +529,8 @@ function generateFiles(cfg, sshCfg) {
   const composeContent = renderDockerCompose({
     managedDb: cfg.managedDb,
     managedRedis: cfg.managedRedis,
-    dbPassword: cfg.dbPassword
+    dbPassword: cfg.dbPassword,
+    redisPassword: cfg.redisPassword
   });
   const composeFile = join2(dir, "docker-compose.yml");
   writeFileSync2(composeFile, composeContent, "utf8");
@@ -513,6 +552,7 @@ function generateFiles(cfg, sshCfg) {
     adminSecret: cfg.adminSecret,
     adminEmail: cfg.adminEmail,
     adminPassword: cfg.adminPassword,
+    internalApiKey: cfg.internalApiKey,
     resendApiKey: cfg.resendApiKey || void 0,
     feedbackToEmail: cfg.feedbackToEmail || void 0
   });
@@ -525,7 +565,8 @@ function generateFiles(cfg, sshCfg) {
     sfdcClientId: cfg.sfdcClientId,
     sfdcClientSecret: cfg.sfdcClientSecret,
     sfdcLoginUrl: cfg.sfdcLoginUrl,
-    engineWebhookSecret: cfg.engineWebhookSecret
+    engineWebhookSecret: cfg.engineWebhookSecret,
+    internalApiKey: cfg.internalApiKey
   });
   const envEngine = join2(dir, ".env.engine");
   writeFileSync2(envEngine, envEngineContent, "utf8");
@@ -549,6 +590,7 @@ function generateFiles(cfg, sshCfg) {
     // Stored so `lead-routing sfdc deploy` can re-authenticate without re-prompting
     sfdcClientId: cfg.sfdcClientId,
     sfdcLoginUrl: cfg.sfdcLoginUrl,
+    engineWebhookSecret: cfg.engineWebhookSecret,
     installedAt: (/* @__PURE__ */ new Date()).toISOString(),
     version: getCliVersion()
   });
@@ -893,516 +935,70 @@ function sleep2(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
 
-// src/steps/sfdc-deploy-inline.ts
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync3, cpSync, rmSync } from "fs";
-import { join as join5, dirname as dirname2 } from "path";
-import { tmpdir } from "os";
-import { fileURLToPath as fileURLToPath2 } from "url";
-import { execSync } from "child_process";
-import { spinner as spinner5, log as log7 } from "@clack/prompts";
-
-// src/utils/sfdc-api.ts
-var API_VERSION = "v59.0";
-var SalesforceApi = class {
-  constructor(instanceUrl, accessToken) {
-    this.instanceUrl = instanceUrl;
-    this.accessToken = accessToken;
-    this.baseUrl = `${instanceUrl.replace(/\/+$/, "")}/services/data/${API_VERSION}`;
-  }
-  baseUrl;
-  headers(extra) {
-    return {
-      Authorization: `Bearer ${this.accessToken}`,
-      "Content-Type": "application/json",
-      ...extra
+// src/utils/ssh.ts
+import net from "net";
+import { NodeSSH } from "node-ssh";
+var SshConnection = class {
+  ssh = new NodeSSH();
+  _connected = false;
+  async connect(config2) {
+    const opts = {
+      host: config2.host,
+      port: config2.port,
+      username: config2.username,
+      // Reduce connection timeout to fail fast on bad creds
+      readyTimeout: 15e3
     };
-  }
-  /** Execute a SOQL query and return records */
-  async query(soql) {
-    const url = `${this.baseUrl}/query?q=${encodeURIComponent(soql)}`;
-    const res = await fetch(url, { headers: this.headers() });
-    if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`SOQL query failed (${res.status}): ${body}`);
-    }
-    const data = await res.json();
-    return data.records;
-  }
-  /** Create an sObject record, returns the new record ID */
-  async create(sobject, data) {
-    const url = `${this.baseUrl}/sobjects/${sobject}`;
-    const res = await fetch(url, {
-      method: "POST",
-      headers: this.headers(),
-      body: JSON.stringify(data)
-    });
-    if (!res.ok) {
-      const body = await res.text();
-      if (res.status === 400 && body.includes("Duplicate")) {
-        throw new DuplicateError(body);
-      }
-      throw new Error(`Create ${sobject} failed (${res.status}): ${body}`);
-    }
-    const result = await res.json();
-    return result.id;
-  }
-  /** Update an sObject record */
-  async update(sobject, id, data) {
-    const url = `${this.baseUrl}/sobjects/${sobject}/${id}`;
-    const res = await fetch(url, {
-      method: "PATCH",
-      headers: this.headers(),
-      body: JSON.stringify(data)
-    });
-    if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`Update ${sobject}/${id} failed (${res.status}): ${body}`);
+    if (config2.privateKeyPath) {
+      opts.privateKeyPath = config2.privateKeyPath;
+    } else if (config2.password) {
+      opts.password = config2.password;
     }
+    await this.ssh.connect(opts);
+    this._connected = true;
   }
-  /** Get current user info (for permission set assignment) */
-  async getCurrentUserId() {
-    const url = `${this.instanceUrl.replace(/\/+$/, "")}/services/oauth2/userinfo`;
-    const res = await fetch(url, {
-      headers: { Authorization: `Bearer ${this.accessToken}` }
-    });
-    if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`Get current user failed (${res.status}): ${body}`);
-    }
-    const data = await res.json();
-    return data.user_id;
+  get isConnected() {
+    return this._connected;
   }
   /**
-   * Deploy metadata using the Source Deploy API (same API that `sf project deploy start` uses).
-   * Accepts a ZIP buffer containing the source-format package.
-   * Returns the deploy request ID for polling.
+   * Run a command remotely. Throws if exit code is non-zero.
    */
-  async deployMetadata(zipBuffer) {
-    const url = `${this.baseUrl}/metadata/deployRequest`;
-    const boundary = `----FormBoundary${Date.now()}`;
-    const deployOptions = JSON.stringify({
-      deployOptions: {
-        rollbackOnError: true,
-        singlePackage: true,
-        rest: true
-      }
-    });
-    const parts = [];
-    parts.push(
-      Buffer.from(
-        `--${boundary}\r
-Content-Disposition: form-data; name="json"\r
-Content-Type: application/json\r
-\r
-${deployOptions}\r
-`
-      )
-    );
-    parts.push(
-      Buffer.from(
-        `--${boundary}\r
-Content-Disposition: form-data; name="file"; filename="deploy.zip"\r
-Content-Type: application/zip\r
-\r
-`
-      )
-    );
-    parts.push(zipBuffer);
-    parts.push(Buffer.from(`\r
---${boundary}--\r
-`));
-    const body = Buffer.concat(parts);
-    const res = await fetch(url, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${this.accessToken}`,
-        "Content-Type": `multipart/form-data; boundary=${boundary}`
-      },
-      body
-    });
-    if (!res.ok) {
-      const text5 = await res.text();
+  async exec(cmd, cwd) {
+    const result = await this.ssh.execCommand(cmd, cwd ? { cwd } : {});
+    if (result.code !== 0) {
       throw new Error(
-        `Metadata deploy request failed (${res.status}): ${text5}`
+        `Remote command failed (exit ${result.code}): ${cmd}
+${result.stderr || result.stdout}`
       );
     }
-    const result = await res.json();
-    return result.id;
+    return { stdout: result.stdout, stderr: result.stderr };
   }
   /**
-   * Poll deploy status until complete.
-   * Returns deploy result with success/failure info.
+   * Run a command remotely without throwing — returns code + output.
    */
-  async waitForDeploy(deployId, timeoutMs = 3e5) {
-    const startTime = Date.now();
-    const pollInterval = 3e3;
-    while (Date.now() - startTime < timeoutMs) {
-      const url = `${this.baseUrl}/metadata/deployRequest/${deployId}?includeDetails=true`;
-      const res = await fetch(url, { headers: this.headers() });
-      if (!res.ok) {
-        const text5 = await res.text();
-        throw new Error(
-          `Deploy status check failed (${res.status}): ${text5}`
-        );
-      }
-      const data = await res.json();
-      const result = data.deployResult;
-      if (result.done) {
-        return result;
-      }
-      await new Promise((resolve) => setTimeout(resolve, pollInterval));
-    }
-    throw new Error(`Deploy timed out after ${timeoutMs / 1e3}s`);
+  async execSilent(cmd, cwd) {
+    const result = await this.ssh.execCommand(cmd, cwd ? { cwd } : {});
+    return { stdout: result.stdout, stderr: result.stderr, code: result.code ?? 1 };
   }
-};
-var DuplicateError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "DuplicateError";
+  /**
+   * Create a remote directory (including parents).
+   */
+  async mkdir(remotePath) {
+    await this.exec(`mkdir -p ${remotePath}`);
   }
-};
-
-// src/utils/zip-source.ts
-import { join as join4 } from "path";
-import archiver from "archiver";
-async function zipSourcePackage(packageDir) {
-  return new Promise((resolve, reject) => {
-    const chunks = [];
-    const archive = archiver("zip", { zlib: { level: 9 } });
-    archive.on("data", (chunk) => chunks.push(chunk));
-    archive.on("end", () => resolve(Buffer.concat(chunks)));
-    archive.on("error", reject);
-    archive.directory(join4(packageDir, "force-app"), "force-app");
-    archive.file(join4(packageDir, "sfdx-project.json"), {
-      name: "sfdx-project.json"
-    });
-    archive.finalize();
-  });
-}
-
-// src/steps/sfdc-deploy-inline.ts
-var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
-function patchXml(content, tag, value) {
-  const re = new RegExp(`(<${tag}>)[^<]*(</\\s*${tag}>)`, "g");
-  return content.replace(re, `$1${value}$2`);
-}
-async function sfdcDeployInline(params) {
-  const { appUrl, engineUrl, installDir } = params;
-  const s = spinner5();
-  const { accessToken, instanceUrl } = await loginViaAppBridge(appUrl);
-  const sf = new SalesforceApi(instanceUrl, accessToken);
-  s.start("Copying Salesforce package\u2026");
-  const inDist = join5(__dirname2, "sfdc-package");
-  const nextToDist = join5(__dirname2, "..", "sfdc-package");
-  const bundledPkg = existsSync3(inDist) ? inDist : nextToDist;
-  const destPkg = join5(installDir ?? tmpdir(), "lead-routing-sfdc-package");
-  if (!existsSync3(bundledPkg)) {
-    s.stop("sfdc-package not found in CLI bundle");
-    throw new Error(
-      `Expected bundle at: ${inDist}
-The CLI may need to be reinstalled: npm i -g @lead-routing/cli`
-    );
+  /**
+   * Upload local files to the remote server via SFTP.
+   */
+  async upload(files) {
+    await this.ssh.putFiles(files);
   }
-  if (existsSync3(destPkg)) rmSync(destPkg, { recursive: true, force: true });
-  cpSync(bundledPkg, destPkg, { recursive: true });
-  s.stop("Package copied");
-  const ncPath = join5(
-    destPkg,
-    "force-app",
-    "main",
-    "default",
-    "namedCredentials",
-    "RoutingEngine.namedCredential-meta.xml"
-  );
-  if (existsSync3(ncPath)) {
-    const nc = patchXml(readFileSync3(ncPath, "utf8"), "endpoint", engineUrl);
-    writeFileSync3(ncPath, nc, "utf8");
-  }
-  const rssEnginePath = join5(
-    destPkg,
-    "force-app",
-    "main",
-    "default",
-    "remoteSiteSettings",
-    "LeadRouterEngine.remoteSite-meta.xml"
-  );
-  if (existsSync3(rssEnginePath)) {
-    let rss = patchXml(readFileSync3(rssEnginePath, "utf8"), "url", engineUrl);
-    rss = patchXml(rss, "description", "Lead Router Engine endpoint");
-    writeFileSync3(rssEnginePath, rss, "utf8");
-  }
-  const rssAppPath = join5(
-    destPkg,
-    "force-app",
-    "main",
-    "default",
-    "remoteSiteSettings",
-    "LeadRouterApp.remoteSite-meta.xml"
-  );
-  if (existsSync3(rssAppPath)) {
-    let rss = patchXml(readFileSync3(rssAppPath, "utf8"), "url", appUrl);
-    rss = patchXml(rss, "description", "Lead Router App URL");
-    writeFileSync3(rssAppPath, rss, "utf8");
-  }
-  log7.success("Remote Site Settings patched");
-  s.start("Deploying Salesforce package (this may take ~2 min)\u2026");
-  try {
-    const zipBuffer = await zipSourcePackage(destPkg);
-    const deployId = await sf.deployMetadata(zipBuffer);
-    const result = await sf.waitForDeploy(deployId);
-    if (!result.success) {
-      const failures = result.details?.componentFailures ?? [];
-      const failureMsg = failures.map((f) => `  ${f.componentType}/${f.fullName}: ${f.problem}`).join("\n");
-      s.stop("Deployment failed");
-      throw new Error(
-        `Metadata deploy failed (${result.numberComponentErrors} error(s)):
-${failureMsg || result.errorMessage || "Unknown error"}`
-      );
-    }
-    s.stop(`Package deployed (${result.numberComponentsDeployed} components)`);
-  } catch (err) {
-    if (err instanceof Error && err.message.startsWith("Metadata deploy failed")) {
-      throw err;
-    }
-    s.stop("Deployment failed");
-    throw new Error(
-      `Metadata deploy failed: ${String(err)}
-
-  The patched package is at: ${destPkg}
-  You can retry with: sf project deploy start --source-dir force-app`
-    );
-  }
-  s.start("Assigning LeadRouterAdmin permission set\u2026");
-  try {
-    const permSets = await sf.query(
-      "SELECT Id FROM PermissionSet WHERE Name = 'LeadRouterAdmin' LIMIT 1"
-    );
-    if (permSets.length === 0) {
-      s.stop("LeadRouterAdmin permission set not found (non-fatal)");
-      log7.warn("The permission set may not have been included in the deploy.");
-    } else {
-      const userId = await sf.getCurrentUserId();
-      try {
-        await sf.create("PermissionSetAssignment", {
-          AssigneeId: userId,
-          PermissionSetId: permSets[0].Id
-        });
-        s.stop("Permission set assigned \u2014 Lead Router Setup will appear in the App Launcher");
-      } catch (err) {
-        if (err instanceof DuplicateError) {
-          s.stop("Permission set already assigned");
-        } else {
-          throw err;
-        }
-      }
-    }
-  } catch (err) {
-    if (!(err instanceof DuplicateError)) {
-      s.stop("Permission set assignment failed (non-fatal)");
-      log7.warn(String(err));
-      log7.info(
-        "Grant access manually:\n  Salesforce Setup \u2192 Users \u2192 Permission Sets \u2192 Lead Router Admin \u2192 Manage Assignments"
-      );
-    }
-  }
-  s.start("Writing org settings to Routing_Settings__c\u2026");
-  try {
-    const existing = await sf.query(
-      "SELECT Id FROM Routing_Settings__c LIMIT 1"
-    );
-    if (existing.length > 0) {
-      await sf.update("Routing_Settings__c", existing[0].Id, {
-        App_Url__c: appUrl,
-        Engine_Endpoint__c: engineUrl
-      });
-    } else {
-      await sf.create("Routing_Settings__c", {
-        App_Url__c: appUrl,
-        Engine_Endpoint__c: engineUrl
-      });
-    }
-    s.stop("Org settings written");
-  } catch (err) {
-    s.stop("Org settings write failed (non-fatal)");
-    log7.warn(String(err));
-    log7.info("Set manually: Salesforce \u2192 Custom Settings \u2192 Routing Settings \u2192 Manage");
-  }
-}
-async function loginViaAppBridge(rawAppUrl) {
-  const appUrl = rawAppUrl.replace(/\/+$/, "");
-  const s = spinner5();
-  s.start("Starting Salesforce authentication via your Lead Router app\u2026");
-  let sessionId;
-  let authUrl;
-  try {
-    const res = await fetch(`${appUrl}/api/cli-auth/request`, { method: "POST" });
-    if (!res.ok) {
-      s.stop("Failed to start auth session");
-      throw new Error(
-        `Could not reach ${appUrl}/api/cli-auth/request (HTTP ${res.status}).
-Make sure the web app is running and accessible.`
-      );
-    }
-    const data = await res.json();
-    sessionId = data.sessionId;
-    authUrl = data.authUrl;
-  } catch (err) {
-    s.stop("Could not reach Lead Router app");
-    throw new Error(
-      `Failed to connect to ${appUrl}: ${String(err)}
-Ensure the app is running and the URL is correct.`
-    );
-  }
-  s.stop("Auth session started");
-  log7.info(`Open this URL in your browser to authenticate with Salesforce:
-
-  ${authUrl}
-`);
-  log7.info('If Chrome shows a "Dangerous site" warning with no proceed option, paste the URL into Safari or Firefox.');
-  const opener = process.platform === "win32" ? "start" : process.platform === "darwin" ? "open" : "xdg-open";
-  try {
-    execSync(`${opener} "${authUrl}"`, { stdio: "ignore" });
-  } catch {
-  }
-  s.start("Waiting for Salesforce authentication in browser\u2026");
-  const maxPolls = 150;
-  let accessToken;
-  let instanceUrl;
-  for (let i = 0; i < maxPolls; i++) {
-    await new Promise((r) => setTimeout(r, 2e3));
-    try {
-      const pollRes = await fetch(`${appUrl}/api/cli-auth/poll/${sessionId}`);
-      if (pollRes.status === 410) {
-        s.stop("Auth session expired");
-        throw new Error("CLI auth session expired. Please re-run the command.");
-      }
-      const data = await pollRes.json();
-      if (data.status === "ok") {
-        accessToken = data.accessToken;
-        instanceUrl = data.instanceUrl;
-        break;
-      }
-    } catch (err) {
-      if (String(err).includes("session expired")) throw err;
-    }
-  }
-  if (!accessToken || !instanceUrl) {
-    s.stop("Timed out");
-    throw new Error(
-      "Timed out waiting for Salesforce authentication (5 minutes).\nPlease re-run the command and complete login within 5 minutes."
-    );
-  }
-  s.stop("Authenticated with Salesforce");
-  return { accessToken, instanceUrl };
-}
-
-// src/steps/app-launcher-guide.ts
-import { note as note3, confirm, isCancel as isCancel3, log as log8 } from "@clack/prompts";
-import chalk from "chalk";
-async function guideAppLauncherSetup(appUrl) {
-  note3(
-    `Complete the following steps in Salesforce now:
-
-  ${chalk.cyan("1.")} Open ${chalk.bold("App Launcher")} (grid icon, top-left in Salesforce)
-  ${chalk.cyan("2.")} Search for ${chalk.white('"Lead Router Setup"')} and click it
-  ${chalk.cyan("3.")} Click ${chalk.white('"Connect to Lead Router"')}
-     \u2192 You will be redirected to ${chalk.dim(appUrl)} and back
-     \u2192 Authorize the OAuth connection when prompted
-
-  ${chalk.cyan("4.")} ${chalk.bold("Step 1")} \u2014 wait for the ${chalk.green('"Connected"')} checkmark (~5 sec)
-  ${chalk.cyan("5.")} ${chalk.bold("Step 2")} \u2014 click ${chalk.white("Activate")} to enable Lead triggers
-  ${chalk.cyan("6.")} ${chalk.bold("Step 3")} \u2014 click ${chalk.white("Sync Fields")} to index your Lead field schema
-  ${chalk.cyan("7.")} ${chalk.bold("Step 4")} \u2014 click ${chalk.white("Send Test")} to fire a test routing event
-     \u2192 ${chalk.dim('"Test successful"')} or ${chalk.dim('"No matching rule"')} are both valid
-
-` + chalk.dim("Keep this terminal open while you complete the wizard."),
-    "Complete Salesforce setup"
-  );
-  const done = await confirm({
-    message: "Have you completed the App Launcher wizard?",
-    initialValue: false
-  });
-  if (isCancel3(done)) {
-    log8.warn(
-      "Wizard skipped. Run `lead-routing sfdc deploy` to retry the Salesforce setup."
-    );
-    return;
-  }
-  if (!done) {
-    log8.warn(
-      `No problem \u2014 complete it at your own pace.
-  Open App Launcher \u2192 Lead Router Setup \u2192 Connect to Lead Router
-  Dashboard: ${appUrl}`
-    );
-  } else {
-    log8.success("Salesforce setup complete");
-  }
-}
-
-// src/utils/ssh.ts
-import net from "net";
-import { NodeSSH } from "node-ssh";
-var SshConnection = class {
-  ssh = new NodeSSH();
-  _connected = false;
-  async connect(config2) {
-    const opts = {
-      host: config2.host,
-      port: config2.port,
-      username: config2.username,
-      // Reduce connection timeout to fail fast on bad creds
-      readyTimeout: 15e3
-    };
-    if (config2.privateKeyPath) {
-      opts.privateKeyPath = config2.privateKeyPath;
-    } else if (config2.password) {
-      opts.password = config2.password;
-    }
-    await this.ssh.connect(opts);
-    this._connected = true;
-  }
-  get isConnected() {
-    return this._connected;
-  }
-  /**
-   * Run a command remotely. Throws if exit code is non-zero.
-   */
-  async exec(cmd, cwd) {
-    const result = await this.ssh.execCommand(cmd, cwd ? { cwd } : {});
-    if (result.code !== 0) {
-      throw new Error(
-        `Remote command failed (exit ${result.code}): ${cmd}
-${result.stderr || result.stdout}`
-      );
-    }
-    return { stdout: result.stdout, stderr: result.stderr };
-  }
-  /**
-   * Run a command remotely without throwing — returns code + output.
-   */
-  async execSilent(cmd, cwd) {
-    const result = await this.ssh.execCommand(cmd, cwd ? { cwd } : {});
-    return { stdout: result.stdout, stderr: result.stderr, code: result.code ?? 1 };
-  }
-  /**
-   * Create a remote directory (including parents).
-   */
-  async mkdir(remotePath) {
-    await this.exec(`mkdir -p ${remotePath}`);
-  }
-  /**
-   * Upload local files to the remote server via SFTP.
-   */
-  async upload(files) {
-    await this.ssh.putFiles(files);
-  }
-  /**
-   * Resolve ~ in a remote path by querying $HOME on the server.
-   */
-  async resolveHome(remotePath) {
-    if (!remotePath.startsWith("~")) return remotePath;
-    const { stdout } = await this.exec("echo $HOME");
-    return stdout.trim() + remotePath.slice(1);
+  /**
+   * Resolve ~ in a remote path by querying $HOME on the server.
+   */
+  async resolveHome(remotePath) {
+    if (!remotePath.startsWith("~")) return remotePath;
+    const { stdout } = await this.exec("echo $HOME");
+    return stdout.trim() + remotePath.slice(1);
   }
   /**
    * Open an SSH port-forward tunnel.
@@ -1465,12 +1061,12 @@ async function checkDnsResolvable(appUrl, engineUrl) {
     try {
       await dns.lookup(host);
     } catch {
-      log9.warn(
-        `${chalk2.yellow(host)} does not resolve in DNS yet.
-  Check for typos \u2014 a bad domain will cause a 2-minute timeout at step 8.`
+      log7.warn(
+        `${chalk.yellow(host)} does not resolve in DNS yet.
+  Check for typos \u2014 a bad domain will cause a 2-minute timeout at step 7.`
       );
-      const go = await confirm2({ message: "Continue anyway?", initialValue: true });
-      if (isCancel4(go) || !go) {
+      const go = await confirm({ message: "Continue anyway?", initialValue: true });
+      if (isCancel3(go) || !go) {
         cancel3("Setup cancelled.");
         process.exit(0);
       }
@@ -1482,14 +1078,14 @@ async function runInit(options = {}) {
   const resume = options.resume ?? false;
   console.log();
   intro(
-    chalk2.bold.cyan("Lead Routing \u2014 Self-Hosted Setup") + (dryRun ? chalk2.yellow("  [dry run]") : "") + (resume ? chalk2.yellow("  [resume]") : "")
+    chalk.bold.cyan("Lead Routing \u2014 Self-Hosted Setup") + (dryRun ? chalk.yellow("  [dry run]") : "") + (resume ? chalk.yellow("  [resume]") : "")
   );
   const ssh = new SshConnection();
   if (resume) {
     try {
       const dir = findInstallDir();
       if (!dir) {
-        log9.error("No lead-routing.json found \u2014 run `lead-routing init` first.");
+        log7.error("No lead-routing.json found \u2014 run `lead-routing init` first.");
         process.exit(1);
       }
       const saved = readConfig(dir);
@@ -1501,7 +1097,7 @@ async function runInit(options = {}) {
         if (typeof pw === "symbol") process.exit(0);
         sshPassword = pw;
       }
-      log9.step("Connecting to server");
+      log7.step("Connecting to server");
       await ssh.connect({
         host: saved.ssh.host,
         port: saved.ssh.port,
@@ -1510,35 +1106,31 @@ async function runInit(options = {}) {
         password: sshPassword,
         remoteDir: saved.remoteDir
       });
-      log9.success(`Connected to ${saved.ssh.host}`);
+      log7.success(`Connected to ${saved.ssh.host}`);
       const remoteDir = await ssh.resolveHome(saved.remoteDir);
-      log9.step("Step 7/8  Verifying health");
+      log7.step("Step 7/7  Verifying health");
       await verifyHealth(saved.appUrl, saved.engineUrl, ssh, remoteDir);
-      log9.step("Step 8/8  Deploying Salesforce package");
-      await sfdcDeployInline({
-        appUrl: saved.appUrl,
-        engineUrl: saved.engineUrl,
-        orgAlias: "lead-routing",
-        sfdcClientId: saved.sfdcClientId ?? "",
-        sfdcLoginUrl: saved.sfdcLoginUrl ?? "https://login.salesforce.com",
-        installDir: dir
-      });
-      await guideAppLauncherSetup(saved.appUrl);
+      note3(
+        `Open ${saved.appUrl} \u2192 Integrations \u2192 Salesforce to connect your CRM and deploy the package.`,
+        "Next: Connect Salesforce"
+      );
       outro(
-        chalk2.green("\u2714  You're live!") + `
+        chalk.green("\u2714  You're live!") + `
 
-  Dashboard:      ${chalk2.cyan(saved.appUrl)}
-  Routing engine: ${chalk2.cyan(saved.engineUrl)}
+  Dashboard:      ${chalk.cyan(saved.appUrl)}
+  Routing engine: ${chalk.cyan(saved.engineUrl)}
 
-` + chalk2.bold("  Next steps:\n") + `  ${chalk2.cyan("1.")} Open ${chalk2.cyan(saved.appUrl)} and log in
-  ${chalk2.cyan("2.")} Create your first routing rule to start routing leads
+` + chalk.bold("  Next steps:\n") + `  ${chalk.cyan("1.")} Open ${chalk.cyan(saved.appUrl)} and log in
+  ${chalk.cyan("2.")} Go to Integrations \u2192 Salesforce to connect your org
+  ${chalk.cyan("3.")} Deploy the package and configure routing objects
+  ${chalk.cyan("4.")} Create your first routing rule
 
-  Run ${chalk2.cyan("lead-routing doctor")} to check service health at any time.
-  Run ${chalk2.cyan("lead-routing deploy")} to update to a new version.`
+  Run ${chalk.cyan("lead-routing doctor")} to check service health at any time.
+  Run ${chalk.cyan("lead-routing deploy")} to update to a new version.`
       );
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
-      log9.error(`Resume failed: ${message}`);
+      log7.error(`Resume failed: ${message}`);
       process.exit(1);
     } finally {
       await ssh.disconnect();
@@ -1546,9 +1138,9 @@ async function runInit(options = {}) {
     return;
   }
   try {
-    log9.step("Step 1/8  Checking local prerequisites");
+    log7.step("Step 1/7  Checking local prerequisites");
     await checkPrerequisites();
-    log9.step("Step 2/8  SSH connection");
+    log7.step("Step 2/7  SSH connection");
     const sshCfg = await collectSshConfig({
       sshPort: options.sshPort,
       sshUser: options.sshUser,
@@ -1558,74 +1150,78 @@ async function runInit(options = {}) {
     if (!dryRun) {
       try {
         await ssh.connect(sshCfg);
-        log9.success(`Connected to ${sshCfg.host}`);
+        log7.success(`Connected to ${sshCfg.host}`);
       } catch (err) {
-        log9.error(`SSH connection failed: ${String(err)}`);
-        log9.info("Check your password and re-run `lead-routing init`.");
+        log7.error(`SSH connection failed: ${String(err)}`);
+        log7.info("Check your password and re-run `lead-routing init`.");
         process.exit(1);
       }
     }
-    log9.step("Step 3/8  Configuration");
+    log7.step("Step 3/7  Configuration");
     const cfg = await collectConfig({
       sandbox: options.sandbox,
       externalDb: options.externalDb,
       externalRedis: options.externalRedis
     });
     await checkDnsResolvable(cfg.appUrl, cfg.engineUrl);
-    log9.step("Step 4/8  Generating config files");
+    log7.step("Step 4/7  Generating config files");
     const { dir, adminSecret } = generateFiles(cfg, sshCfg);
-    note4(
-      `Local config directory: ${chalk2.cyan(dir)}
+    note3(
+      `Local config directory: ${chalk.cyan(dir)}
 Files created: docker-compose.yml, Caddyfile, .env.web, .env.engine, lead-routing.json`,
       "Files"
     );
     if (dryRun) {
       outro(
-        chalk2.yellow("Dry run complete \u2014 no connection made, no services started.") + `
+        chalk.yellow("Dry run complete \u2014 no connection made, no services started.") + `
 
-  Config files written to: ${chalk2.cyan(dir)}
+  Config files written to: ${chalk.cyan(dir)}
 
-  When ready, run ${chalk2.cyan("lead-routing init")} (without --dry-run) to deploy.`
+  When ready, run ${chalk.cyan("lead-routing init")} (without --dry-run) to deploy.`
       );
       return;
     }
-    log9.step("Step 5/8  Remote setup");
+    log7.step("Step 5/7  Remote setup");
     const remoteDir = await ssh.resolveHome(sshCfg.remoteDir);
     await checkRemotePrerequisites(ssh);
     await uploadFiles(ssh, dir, remoteDir);
-    log9.step("Step 6/8  Starting services");
+    log7.step("Step 6/7  Starting services");
     await startServices(ssh, remoteDir);
-    log9.step("Step 7/8  Verifying health");
+    log7.step("Step 7/7  Verifying health");
     await verifyHealth(cfg.appUrl, cfg.engineUrl, ssh, remoteDir);
-    log9.step("Step 8/8  Deploying Salesforce package");
-    await sfdcDeployInline({
-      appUrl: cfg.appUrl,
-      engineUrl: cfg.engineUrl,
-      orgAlias: "lead-routing",
-      sfdcClientId: cfg.sfdcClientId,
-      sfdcLoginUrl: cfg.sfdcLoginUrl,
-      installDir: dir
-    });
-    await guideAppLauncherSetup(cfg.appUrl);
+    try {
+      const envWebPath = join4(dir, ".env.web");
+      const envContent = readFileSync3(envWebPath, "utf-8");
+      const cleaned = envContent.split("\n").filter((line) => !line.startsWith("ADMIN_PASSWORD=")).join("\n");
+      writeFileSync3(envWebPath, cleaned, "utf-8");
+      log7.success("Removed ADMIN_PASSWORD from .env.web (no longer needed after seed)");
+    } catch {
+    }
+    note3(
+      `Open ${cfg.appUrl} \u2192 Integrations \u2192 Salesforce to connect your CRM and deploy the package.`,
+      "Next: Connect Salesforce"
+    );
     outro(
-      chalk2.green("\u2714  You're live!") + `
+      chalk.green("\u2714  You're live!") + `
 
-  Dashboard:      ${chalk2.cyan(cfg.appUrl)}
-  Routing engine: ${chalk2.cyan(cfg.engineUrl)}
+  Dashboard:      ${chalk.cyan(cfg.appUrl)}
+  Routing engine: ${chalk.cyan(cfg.engineUrl)}
 
-  Admin email:    ${chalk2.white(cfg.adminEmail)}
-  Admin secret:   ${chalk2.yellow(adminSecret)}
-                  ${chalk2.dim("run `lead-routing config show` to retrieve later")}
+  Admin email:    ${chalk.white(cfg.adminEmail)}
+  Admin secret:   ${chalk.yellow(adminSecret)}
+                  ${chalk.dim("run `lead-routing config show` to retrieve later")}
 
-` + chalk2.bold("  Next steps:\n") + `  ${chalk2.cyan("1.")} Open ${chalk2.cyan(cfg.appUrl)} and log in
-  ${chalk2.cyan("2.")} Create your first routing rule to start routing leads
+` + chalk.bold("  Next steps:\n") + `  ${chalk.cyan("1.")} Open ${chalk.cyan(cfg.appUrl)} and log in
+  ${chalk.cyan("2.")} Go to Integrations \u2192 Salesforce to connect your org
+  ${chalk.cyan("3.")} Deploy the package and configure routing objects
+  ${chalk.cyan("4.")} Create your first routing rule
 
-  Run ${chalk2.cyan("lead-routing doctor")} to check service health at any time.
-  Run ${chalk2.cyan("lead-routing deploy")} to update to a new version.`
+  Run ${chalk.cyan("lead-routing doctor")} to check service health at any time.
+  Run ${chalk.cyan("lead-routing deploy")} to update to a new version.`
     );
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    log9.error(`Setup failed: ${message}`);
+    log7.error(`Setup failed: ${message}`);
     process.exit(1);
   } finally {
     await ssh.disconnect();
@@ -1634,16 +1230,16 @@ Files created: docker-compose.yml, Caddyfile, .env.web, .env.engine, lead-routin
 
 // src/commands/deploy.ts
 import { writeFileSync as writeFileSync4, unlinkSync } from "fs";
-import { join as join6 } from "path";
-import { tmpdir as tmpdir2 } from "os";
-import { intro as intro2, outro as outro2, log as log10, password as promptPassword2 } from "@clack/prompts";
-import chalk3 from "chalk";
+import { join as join5 } from "path";
+import { tmpdir } from "os";
+import { intro as intro2, outro as outro2, log as log8, password as promptPassword2 } from "@clack/prompts";
+import chalk2 from "chalk";
 async function runDeploy() {
   console.log();
-  intro2(chalk3.bold.cyan("Lead Routing \u2014 Deploy"));
+  intro2(chalk2.bold.cyan("Lead Routing \u2014 Deploy"));
   const dir = findInstallDir();
   if (!dir) {
-    log10.error(
+    log8.error(
       "No lead-routing.json found. Run `lead-routing init` first, or run this command from your install directory."
     );
     process.exit(1);
@@ -1667,35 +1263,35 @@ async function runDeploy() {
       password: sshPassword,
       remoteDir: cfg.remoteDir
     });
-    log10.success(`Connected to ${cfg.ssh.host}`);
+    log8.success(`Connected to ${cfg.ssh.host}`);
   } catch (err) {
-    log10.error(`SSH connection failed: ${String(err)}`);
+    log8.error(`SSH connection failed: ${String(err)}`);
     process.exit(1);
   }
   try {
     const remoteDir = await ssh.resolveHome(cfg.remoteDir);
-    log10.step("Syncing Caddyfile");
+    log8.step("Syncing Caddyfile");
     const caddyContent = renderCaddyfile(cfg.appUrl, cfg.engineUrl);
-    const tmpCaddy = join6(tmpdir2(), "lead-routing-Caddyfile");
+    const tmpCaddy = join5(tmpdir(), "lead-routing-Caddyfile");
     writeFileSync4(tmpCaddy, caddyContent, "utf8");
     await ssh.upload([{ local: tmpCaddy, remote: `${remoteDir}/Caddyfile` }]);
     unlinkSync(tmpCaddy);
     await ssh.exec("docker compose restart caddy", remoteDir);
-    log10.success("Caddyfile synced \u2014 waiting for TLS cert (~30s)");
-    log10.step("Pulling latest Docker images");
+    log8.success("Caddyfile synced \u2014 waiting for TLS cert (~30s)");
+    log8.step("Pulling latest Docker images");
     await ssh.exec("docker compose pull", remoteDir);
-    log10.success("Images pulled");
-    log10.step("Restarting services");
+    log8.success("Images pulled");
+    log8.step("Restarting services");
     await ssh.exec("docker compose up -d --remove-orphans", remoteDir);
-    log10.success("Services restarted");
+    log8.success("Services restarted");
     outro2(
-      chalk3.green("\u2714  Deployment complete!") + `
+      chalk2.green("\u2714  Deployment complete!") + `
 
-  ${chalk3.cyan(cfg.appUrl)}`
+  ${chalk2.cyan(cfg.appUrl)}`
     );
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    log10.error(`Deploy failed: ${message}`);
+    log8.error(`Deploy failed: ${message}`);
     process.exit(1);
   } finally {
     await ssh.disconnect();
@@ -1703,15 +1299,15 @@ async function runDeploy() {
 }
 
 // src/commands/doctor.ts
-import { intro as intro3, outro as outro3, log as log11 } from "@clack/prompts";
-import chalk4 from "chalk";
+import { intro as intro3, outro as outro3, log as log9 } from "@clack/prompts";
+import chalk3 from "chalk";
 import { execa } from "execa";
 async function runDoctor() {
   console.log();
-  intro3(chalk4.bold.cyan("Lead Routing \u2014 Health Check"));
+  intro3(chalk3.bold.cyan("Lead Routing \u2014 Health Check"));
   const dir = findInstallDir();
   if (!dir) {
-    log11.error("No lead-routing.json found. Run `lead-routing init` first.");
+    log9.error("No lead-routing.json found. Run `lead-routing init` first.");
     process.exit(1);
   }
   const cfg = readConfig(dir);
@@ -1727,17 +1323,17 @@ async function runDoctor() {
   checks.push(await checkEndpoint("Routing engine", `${cfg.engineUrl}/health`));
   console.log();
   for (const c of checks) {
-    const icon = c.pass ? chalk4.green("\u2714") : chalk4.red("\u2717");
-    const label = c.pass ? chalk4.white(c.label) : chalk4.red(c.label);
-    const detail = c.detail ? chalk4.dim(` \u2014 ${c.detail}`) : "";
+    const icon = c.pass ? chalk3.green("\u2714") : chalk3.red("\u2717");
+    const label = c.pass ? chalk3.white(c.label) : chalk3.red(c.label);
+    const detail = c.detail ? chalk3.dim(` \u2014 ${c.detail}`) : "";
     console.log(`  ${icon}  ${label}${detail}`);
   }
   console.log();
   const failed = checks.filter((c) => !c.pass);
   if (failed.length === 0) {
-    outro3(chalk4.green("All checks passed"));
+    outro3(chalk3.green("All checks passed"));
   } else {
-    outro3(chalk4.yellow(`${failed.length} check(s) failed`));
+    outro3(chalk3.yellow(`${failed.length} check(s) failed`));
     process.exit(1);
   }
 }
@@ -1794,17 +1390,17 @@ async function checkEndpoint(label, url) {
 }
 
 // src/commands/logs.ts
-import { log as log12 } from "@clack/prompts";
+import { log as log10 } from "@clack/prompts";
 import { execa as execa2 } from "execa";
 var VALID_SERVICES = ["web", "engine", "postgres", "redis"];
 async function runLogs(service = "engine") {
   if (!VALID_SERVICES.includes(service)) {
-    log12.error(`Unknown service "${service}". Valid options: ${VALID_SERVICES.join(", ")}`);
+    log10.error(`Unknown service "${service}". Valid options: ${VALID_SERVICES.join(", ")}`);
     process.exit(1);
   }
   const dir = findInstallDir();
   if (!dir) {
-    log12.error("No lead-routing.json found. Run `lead-routing init` first.");
+    log10.error("No lead-routing.json found. Run `lead-routing init` first.");
     process.exit(1);
   }
   console.log(`
@@ -1819,12 +1415,12 @@ Streaming logs for ${service} (Ctrl+C to stop)...
 }
 
 // src/commands/status.ts
-import { log as log13 } from "@clack/prompts";
+import { log as log11 } from "@clack/prompts";
 import { execa as execa3 } from "execa";
 async function runStatus() {
   const dir = findInstallDir();
   if (!dir) {
-    log13.error("No lead-routing.json found. Run `lead-routing init` first.");
+    log11.error("No lead-routing.json found. Run `lead-routing init` first.");
     process.exit(1);
   }
   const result = await execa3("docker", ["compose", "ps"], {
@@ -1833,20 +1429,20 @@ async function runStatus() {
     reject: false
   });
   if (result.exitCode !== 0) {
-    log13.error("Failed to get container status. Is Docker running?");
+    log11.error("Failed to get container status. Is Docker running?");
     process.exit(1);
   }
 }
 
 // src/commands/config.ts
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync5, existsSync as existsSync4 } from "fs";
-import { join as join7 } from "path";
-import { intro as intro4, outro as outro4, text as text3, password as password3, spinner as spinner6, log as log14 } from "@clack/prompts";
-import chalk5 from "chalk";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync5, existsSync as existsSync3 } from "fs";
+import { join as join6 } from "path";
+import { intro as intro4, outro as outro4, text as text3, password as password3, spinner as spinner5, log as log12 } from "@clack/prompts";
+import chalk4 from "chalk";
 import { execa as execa4 } from "execa";
 function parseEnv(filePath) {
   const map = /* @__PURE__ */ new Map();
-  if (!existsSync4(filePath)) return map;
+  if (!existsSync3(filePath)) return map;
   for (const line of readFileSync4(filePath, "utf8").split("\n")) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
@@ -1857,7 +1453,7 @@ function parseEnv(filePath) {
   return map;
 }
 function writeEnv(filePath, updates) {
-  const lines = existsSync4(filePath) ? readFileSync4(filePath, "utf8").split("\n") : [];
+  const lines = existsSync3(filePath) ? readFileSync4(filePath, "utf8").split("\n") : [];
   const updated = /* @__PURE__ */ new Set();
   const result = lines.map((line) => {
     const trimmed = line.trim();
@@ -1880,18 +1476,18 @@ async function runConfigSfdc() {
   intro4("Lead Routing \u2014 Update Salesforce Credentials");
   const dir = findInstallDir();
   if (!dir) {
-    log14.error("No lead-routing installation found in the current directory.");
-    log14.info("Run `lead-routing init` first, or cd into your installation directory.");
+    log12.error("No lead-routing installation found in the current directory.");
+    log12.info("Run `lead-routing init` first, or cd into your installation directory.");
     process.exit(1);
   }
-  const envWeb = join7(dir, ".env.web");
-  const envEngine = join7(dir, ".env.engine");
+  const envWeb = join6(dir, ".env.web");
+  const envEngine = join6(dir, ".env.engine");
   const currentWeb = parseEnv(envWeb);
   const currentClientId = currentWeb.get("SFDC_CLIENT_ID") ?? "";
   const currentLoginUrl = currentWeb.get("SFDC_LOGIN_URL") ?? "https://login.salesforce.com";
   const currentAppUrl = currentWeb.get("APP_URL") ?? "";
   const callbackUrl = `${currentAppUrl}/api/auth/callback`;
-  log14.info(
+  log12.info(
     `Paste the credentials from your Salesforce Connected App.
 Callback URL for your Connected App: ${callbackUrl}`
   );
@@ -1916,8 +1512,8 @@ Callback URL for your Connected App: ${callbackUrl}`
   };
   writeEnv(envWeb, updates);
   writeEnv(envEngine, updates);
-  log14.success("Updated .env.web and .env.engine");
-  const s = spinner6();
+  log12.success("Updated .env.web and .env.engine");
+  const s = spinner5();
   s.start("Restarting web and engine containers\u2026");
   try {
     await execa4("docker", ["compose", "up", "-d", "--force-recreate", "web", "engine"], {
@@ -1926,7 +1522,7 @@ Callback URL for your Connected App: ${callbackUrl}`
     s.stop("Containers restarted");
   } catch (err) {
     s.stop("Restart failed \u2014 run `docker compose up -d --force-recreate web engine` manually");
-    log14.warn(String(err));
+    log12.warn(String(err));
   }
   outro4(
     "Salesforce credentials updated!\n\nNext: go to the web app \u2192 Settings \u2192 Connect Salesforce to refresh your OAuth tokens."
@@ -1938,24 +1534,567 @@ function runConfigShow() {
     console.error("No lead-routing installation found in the current directory.");
     process.exit(1);
   }
-  const envWeb = join7(dir, ".env.web");
+  const envWeb = join6(dir, ".env.web");
   const cfg = parseEnv(envWeb);
   const adminSecret = cfg.get("ADMIN_SECRET") ?? "(not found)";
   const appUrl = cfg.get("APP_URL") ?? "(not found)";
   const sfdcClientId = cfg.get("SFDC_CLIENT_ID") ?? "(not found)";
   console.log();
-  console.log(chalk5.bold("Lead Routing \u2014 Installation Config"));
+  console.log(chalk4.bold("Lead Routing \u2014 Installation Config"));
   console.log();
-  console.log(`  Admin panel:   ${chalk5.cyan(appUrl + "/admin")}`);
-  console.log(`  Admin secret:  ${chalk5.yellow(adminSecret)}`);
+  console.log(`  Admin panel:   ${chalk4.cyan(appUrl + "/admin")}`);
+  console.log(`  Admin secret:  ${chalk4.yellow(adminSecret)}`);
   console.log();
-  console.log(`  SFDC Client ID: ${chalk5.white(sfdcClientId)}`);
+  console.log(`  SFDC Client ID: ${chalk4.white(sfdcClientId)}`);
   console.log();
 }
 
 // src/commands/sfdc.ts
 import { intro as intro5, outro as outro5, text as text4, log as log15 } from "@clack/prompts";
 import chalk6 from "chalk";
+
+// src/steps/sfdc-deploy-inline.ts
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync6, existsSync as existsSync5, cpSync, rmSync } from "fs";
+import { join as join8, dirname as dirname2 } from "path";
+import { tmpdir as tmpdir2 } from "os";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { execSync } from "child_process";
+import { spinner as spinner6, log as log13 } from "@clack/prompts";
+
+// src/utils/sfdc-api.ts
+var API_VERSION = "v59.0";
+var SalesforceApi = class {
+  constructor(instanceUrl, accessToken) {
+    this.instanceUrl = instanceUrl;
+    this.accessToken = accessToken;
+    this.baseUrl = `${instanceUrl.replace(/\/+$/, "")}/services/data/${API_VERSION}`;
+  }
+  baseUrl;
+  headers(extra) {
+    return {
+      Authorization: `Bearer ${this.accessToken}`,
+      "Content-Type": "application/json",
+      ...extra
+    };
+  }
+  /** Execute a SOQL query and return records */
+  async query(soql) {
+    const url = `${this.baseUrl}/query?q=${encodeURIComponent(soql)}`;
+    const res = await fetch(url, { headers: this.headers() });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`SOQL query failed (${res.status}): ${body}`);
+    }
+    const data = await res.json();
+    return data.records;
+  }
+  /** Create an sObject record, returns the new record ID */
+  async create(sobject, data) {
+    const url = `${this.baseUrl}/sobjects/${sobject}`;
+    const res = await fetch(url, {
+      method: "POST",
+      headers: this.headers(),
+      body: JSON.stringify(data)
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      if (res.status === 400 && body.includes("Duplicate")) {
+        throw new DuplicateError(body);
+      }
+      throw new Error(`Create ${sobject} failed (${res.status}): ${body}`);
+    }
+    const result = await res.json();
+    return result.id;
+  }
+  /** Update an sObject record */
+  async update(sobject, id, data) {
+    const url = `${this.baseUrl}/sobjects/${sobject}/${id}`;
+    const res = await fetch(url, {
+      method: "PATCH",
+      headers: this.headers(),
+      body: JSON.stringify(data)
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Update ${sobject}/${id} failed (${res.status}): ${body}`);
+    }
+  }
+  /** Get current user info (for permission set assignment) */
+  async getCurrentUserId() {
+    const url = `${this.instanceUrl.replace(/\/+$/, "")}/services/oauth2/userinfo`;
+    const res = await fetch(url, {
+      headers: { Authorization: `Bearer ${this.accessToken}` }
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Get current user failed (${res.status}): ${body}`);
+    }
+    const data = await res.json();
+    return data.user_id;
+  }
+  /**
+   * Deploy metadata using the Source Deploy API (same API that `sf project deploy start` uses).
+   * Accepts a ZIP buffer containing the source-format package.
+   * Returns the deploy request ID for polling.
+   */
+  async deployMetadata(zipBuffer) {
+    const url = `${this.baseUrl}/metadata/deployRequest`;
+    const boundary = `----FormBoundary${Date.now()}`;
+    const deployOptions = JSON.stringify({
+      deployOptions: {
+        rollbackOnError: true,
+        singlePackage: true
+      }
+    });
+    const parts = [];
+    parts.push(
+      Buffer.from(
+        `--${boundary}\r
+Content-Disposition: form-data; name="json"\r
+Content-Type: application/json\r
+\r
+${deployOptions}\r
+`
+      )
+    );
+    parts.push(
+      Buffer.from(
+        `--${boundary}\r
+Content-Disposition: form-data; name="file"; filename="deploy.zip"\r
+Content-Type: application/zip\r
+\r
+`
+      )
+    );
+    parts.push(zipBuffer);
+    parts.push(Buffer.from(`\r
+--${boundary}--\r
+`));
+    const body = Buffer.concat(parts);
+    const res = await fetch(url, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${this.accessToken}`,
+        "Content-Type": `multipart/form-data; boundary=${boundary}`
+      },
+      body
+    });
+    if (!res.ok) {
+      const text5 = await res.text();
+      throw new Error(
+        `Metadata deploy request failed (${res.status}): ${text5}`
+      );
+    }
+    const result = await res.json();
+    return result.id;
+  }
+  /**
+   * Poll deploy status until complete.
+   * Returns deploy result with success/failure info.
+   */
+  async waitForDeploy(deployId, timeoutMs = 3e5) {
+    const startTime = Date.now();
+    const pollInterval = 3e3;
+    while (Date.now() - startTime < timeoutMs) {
+      const url = `${this.baseUrl}/metadata/deployRequest/${deployId}?includeDetails=true`;
+      const res = await fetch(url, { headers: this.headers() });
+      if (!res.ok) {
+        const text5 = await res.text();
+        throw new Error(
+          `Deploy status check failed (${res.status}): ${text5}`
+        );
+      }
+      const data = await res.json();
+      const result = data.deployResult;
+      if (result.done) {
+        return result;
+      }
+      await new Promise((resolve) => setTimeout(resolve, pollInterval));
+    }
+    throw new Error(`Deploy timed out after ${timeoutMs / 1e3}s`);
+  }
+};
+var DuplicateError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "DuplicateError";
+  }
+};
+
+// src/utils/zip-source.ts
+import { join as join7 } from "path";
+import { readdirSync, readFileSync as readFileSync5, existsSync as existsSync4 } from "fs";
+import archiver from "archiver";
+var META_TYPE_MAP = {
+  applications: "CustomApplication",
+  classes: "ApexClass",
+  triggers: "ApexTrigger",
+  lwc: "LightningComponentBundle",
+  permissionsets: "PermissionSet",
+  namedCredentials: "NamedCredential",
+  remoteSiteSettings: "RemoteSiteSetting",
+  tabs: "CustomTab"
+};
+async function zipSourcePackage(packageDir) {
+  const forceAppDefault = join7(packageDir, "force-app", "main", "default");
+  let apiVersion = "59.0";
+  try {
+    const proj = JSON.parse(readFileSync5(join7(packageDir, "sfdx-project.json"), "utf8"));
+    if (proj.sourceApiVersion) apiVersion = proj.sourceApiVersion;
+  } catch {
+  }
+  const members = /* @__PURE__ */ new Map();
+  const addMember = (type, name) => {
+    if (!members.has(type)) members.set(type, /* @__PURE__ */ new Set());
+    members.get(type).add(name);
+  };
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    const archive = archiver("zip", { zlib: { level: 9 } });
+    archive.on("data", (chunk) => chunks.push(chunk));
+    archive.on("end", () => resolve(Buffer.concat(chunks)));
+    archive.on("error", reject);
+    for (const [dirName, metaType] of Object.entries(META_TYPE_MAP)) {
+      const srcDir = join7(forceAppDefault, dirName);
+      if (!existsSync4(srcDir)) continue;
+      const entries = readdirSync(srcDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (dirName === "lwc" && entry.isDirectory()) {
+          addMember(metaType, entry.name);
+          archive.directory(join7(srcDir, entry.name), `${dirName}/${entry.name}`);
+        } else if (entry.isFile()) {
+          archive.file(join7(srcDir, entry.name), { name: `${dirName}/${entry.name}` });
+          if (!entry.name.endsWith("-meta.xml")) {
+            const memberName = entry.name.replace(/\.[^.]+$/, "");
+            addMember(metaType, memberName);
+          }
+        }
+      }
+    }
+    const objectsDir = join7(forceAppDefault, "objects");
+    if (existsSync4(objectsDir)) {
+      for (const objEntry of readdirSync(objectsDir, { withFileTypes: true })) {
+        if (!objEntry.isDirectory()) continue;
+        const objName = objEntry.name;
+        addMember("CustomObject", objName);
+        const objDir = join7(objectsDir, objName);
+        const objectXml = mergeObjectXml(objDir, objName, apiVersion);
+        archive.append(Buffer.from(objectXml, "utf8"), {
+          name: `objects/${objName}.object`
+        });
+      }
+    }
+    const packageXml = generatePackageXml(members, apiVersion);
+    archive.append(Buffer.from(packageXml, "utf8"), { name: "package.xml" });
+    archive.finalize();
+  });
+}
+function mergeObjectXml(objDir, objName, apiVersion) {
+  const lines = [
+    '<?xml version="1.0" encoding="UTF-8"?>',
+    '<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">'
+  ];
+  const objMetaPath = join7(objDir, `${objName}.object-meta.xml`);
+  if (existsSync4(objMetaPath)) {
+    const content = readFileSync5(objMetaPath, "utf8");
+    const inner = content.replace(/<\?xml[^?]*\?>\s*/g, "").replace(/<CustomObject[^>]*>/g, "").replace(/<\/CustomObject>/g, "").trim();
+    if (inner) lines.push(inner);
+  }
+  const fieldsDir = join7(objDir, "fields");
+  if (existsSync4(fieldsDir)) {
+    for (const fieldFile of readdirSync(fieldsDir).sort()) {
+      if (!fieldFile.endsWith(".field-meta.xml")) continue;
+      const content = readFileSync5(join7(fieldsDir, fieldFile), "utf8");
+      const inner = content.replace(/<\?xml[^?]*\?>\s*/g, "").replace(/<CustomField[^>]*>/g, "").replace(/<\/CustomField>/g, "").trim();
+      if (inner) {
+        lines.push("    <fields>");
+        lines.push(`        ${inner}`);
+        lines.push("    </fields>");
+      }
+    }
+  }
+  lines.push("</CustomObject>");
+  return lines.join("\n");
+}
+function generatePackageXml(members, apiVersion) {
+  const lines = [
+    '<?xml version="1.0" encoding="UTF-8"?>',
+    '<Package xmlns="http://soap.sforce.com/2006/04/metadata">'
+  ];
+  for (const [metaType, names] of [...members.entries()].sort((a, b) => a[0].localeCompare(b[0]))) {
+    lines.push("    <types>");
+    for (const name of [...names].sort()) {
+      lines.push(`        <members>${name}</members>`);
+    }
+    lines.push(`        <name>${metaType}</name>`);
+    lines.push("    </types>");
+  }
+  lines.push(`    <version>${apiVersion}</version>`);
+  lines.push("</Package>");
+  return lines.join("\n");
+}
+
+// src/steps/sfdc-deploy-inline.ts
+var __dirname2 = dirname2(fileURLToPath2(import.meta.url));
+function patchXml(content, tag, value) {
+  const re = new RegExp(`(<${tag}>)[^<]*(</\\s*${tag}>)`, "g");
+  return content.replace(re, `$1${value}$2`);
+}
+async function sfdcDeployInline(params) {
+  const { appUrl, engineUrl, installDir } = params;
+  const s = spinner6();
+  const { accessToken, instanceUrl } = await loginViaAppBridge(appUrl);
+  const sf = new SalesforceApi(instanceUrl, accessToken);
+  s.start("Copying Salesforce package\u2026");
+  const inDist = join8(__dirname2, "sfdc-package");
+  const nextToDist = join8(__dirname2, "..", "sfdc-package");
+  const bundledPkg = existsSync5(inDist) ? inDist : nextToDist;
+  const destPkg = join8(installDir ?? tmpdir2(), "lead-routing-sfdc-package");
+  if (!existsSync5(bundledPkg)) {
+    s.stop("sfdc-package not found in CLI bundle");
+    throw new Error(
+      `Expected bundle at: ${inDist}
+The CLI may need to be reinstalled: npm i -g @lead-routing/cli`
+    );
+  }
+  if (existsSync5(destPkg)) rmSync(destPkg, { recursive: true, force: true });
+  cpSync(bundledPkg, destPkg, { recursive: true });
+  s.stop("Package copied");
+  const ncPath = join8(
+    destPkg,
+    "force-app",
+    "main",
+    "default",
+    "namedCredentials",
+    "RoutingEngine.namedCredential-meta.xml"
+  );
+  if (existsSync5(ncPath)) {
+    const nc = patchXml(readFileSync6(ncPath, "utf8"), "endpoint", engineUrl);
+    writeFileSync6(ncPath, nc, "utf8");
+  }
+  const rssEnginePath = join8(
+    destPkg,
+    "force-app",
+    "main",
+    "default",
+    "remoteSiteSettings",
+    "LeadRouterEngine.remoteSite-meta.xml"
+  );
+  if (existsSync5(rssEnginePath)) {
+    let rss = patchXml(readFileSync6(rssEnginePath, "utf8"), "url", engineUrl);
+    rss = patchXml(rss, "description", "Lead Router Engine endpoint");
+    writeFileSync6(rssEnginePath, rss, "utf8");
+  }
+  const rssAppPath = join8(
+    destPkg,
+    "force-app",
+    "main",
+    "default",
+    "remoteSiteSettings",
+    "LeadRouterApp.remoteSite-meta.xml"
+  );
+  if (existsSync5(rssAppPath)) {
+    let rss = patchXml(readFileSync6(rssAppPath, "utf8"), "url", appUrl);
+    rss = patchXml(rss, "description", "Lead Router App URL");
+    writeFileSync6(rssAppPath, rss, "utf8");
+  }
+  log13.success("Remote Site Settings patched");
+  s.start("Deploying Salesforce package (this may take ~2 min)\u2026");
+  try {
+    const zipBuffer = await zipSourcePackage(destPkg);
+    const deployId = await sf.deployMetadata(zipBuffer);
+    const result = await sf.waitForDeploy(deployId);
+    if (!result.success) {
+      const failures = result.details?.componentFailures ?? [];
+      const failureMsg = failures.map((f) => `  ${f.componentType}/${f.fullName}: ${f.problem}`).join("\n");
+      s.stop("Deployment failed");
+      throw new Error(
+        `Metadata deploy failed (${result.numberComponentErrors} error(s)):
+${failureMsg || result.errorMessage || "Unknown error"}`
+      );
+    }
+    s.stop(`Package deployed (${result.numberComponentsDeployed} components)`);
+  } catch (err) {
+    if (err instanceof Error && err.message.startsWith("Metadata deploy failed")) {
+      throw err;
+    }
+    s.stop("Deployment failed");
+    throw new Error(
+      `Metadata deploy failed: ${String(err)}
+
+  The patched package is at: ${destPkg}
+  You can retry with: sf project deploy start --source-dir force-app`
+    );
+  }
+  s.start("Assigning LeadRouterAdmin permission set\u2026");
+  try {
+    const permSets = await sf.query(
+      "SELECT Id FROM PermissionSet WHERE Name = 'LeadRouterAdmin' LIMIT 1"
+    );
+    if (permSets.length === 0) {
+      s.stop("LeadRouterAdmin permission set not found (non-fatal)");
+      log13.warn("The permission set may not have been included in the deploy.");
+    } else {
+      const userId = await sf.getCurrentUserId();
+      try {
+        await sf.create("PermissionSetAssignment", {
+          AssigneeId: userId,
+          PermissionSetId: permSets[0].Id
+        });
+        s.stop("Permission set assigned \u2014 Lead Router Setup will appear in the App Launcher");
+      } catch (err) {
+        if (err instanceof DuplicateError) {
+          s.stop("Permission set already assigned");
+        } else {
+          throw err;
+        }
+      }
+    }
+  } catch (err) {
+    if (!(err instanceof DuplicateError)) {
+      s.stop("Permission set assignment failed (non-fatal)");
+      log13.warn(String(err));
+      log13.info(
+        "Grant access manually:\n  Salesforce Setup \u2192 Users \u2192 Permission Sets \u2192 Lead Router Admin \u2192 Manage Assignments"
+      );
+    }
+  }
+  s.start("Writing org settings to Routing_Settings__c\u2026");
+  try {
+    const existing = await sf.query(
+      "SELECT Id FROM Routing_Settings__c LIMIT 1"
+    );
+    const settingsData = {
+      App_Url__c: appUrl,
+      Engine_Endpoint__c: engineUrl
+    };
+    if (params.webhookSecret) {
+      settingsData.Webhook_Secret__c = params.webhookSecret;
+    }
+    if (existing.length > 0) {
+      await sf.update("Routing_Settings__c", existing[0].Id, settingsData);
+    } else {
+      await sf.create("Routing_Settings__c", settingsData);
+    }
+    s.stop("Org settings written");
+  } catch (err) {
+    s.stop("Org settings write failed (non-fatal)");
+    log13.warn(String(err));
+    log13.info("Set manually: Salesforce \u2192 Custom Settings \u2192 Routing Settings \u2192 Manage");
+  }
+}
+async function loginViaAppBridge(rawAppUrl) {
+  const appUrl = rawAppUrl.replace(/\/+$/, "");
+  const s = spinner6();
+  s.start("Starting Salesforce authentication via your Lead Router app\u2026");
+  let sessionId;
+  let authUrl;
+  try {
+    const res = await fetch(`${appUrl}/api/cli-auth/request`, { method: "POST" });
+    if (!res.ok) {
+      s.stop("Failed to start auth session");
+      throw new Error(
+        `Could not reach ${appUrl}/api/cli-auth/request (HTTP ${res.status}).
+Make sure the web app is running and accessible.`
+      );
+    }
+    const data = await res.json();
+    sessionId = data.sessionId;
+    authUrl = data.authUrl;
+  } catch (err) {
+    s.stop("Could not reach Lead Router app");
+    throw new Error(
+      `Failed to connect to ${appUrl}: ${String(err)}
+Ensure the app is running and the URL is correct.`
+    );
+  }
+  s.stop("Auth session started");
+  log13.info(`Open this URL in your browser to authenticate with Salesforce:
+
+  ${authUrl}
+`);
+  log13.info('If Chrome shows a "Dangerous site" warning with no proceed option, paste the URL into Safari or Firefox.');
+  const opener = process.platform === "win32" ? "start" : process.platform === "darwin" ? "open" : "xdg-open";
+  try {
+    execSync(`${opener} "${authUrl}"`, { stdio: "ignore" });
+  } catch {
+  }
+  s.start("Waiting for Salesforce authentication in browser\u2026");
+  const maxPolls = 150;
+  let accessToken;
+  let instanceUrl;
+  for (let i = 0; i < maxPolls; i++) {
+    await new Promise((r) => setTimeout(r, 2e3));
+    try {
+      const pollRes = await fetch(`${appUrl}/api/cli-auth/poll/${sessionId}`);
+      if (pollRes.status === 410) {
+        s.stop("Auth session expired");
+        throw new Error("CLI auth session expired. Please re-run the command.");
+      }
+      const data = await pollRes.json();
+      if (data.status === "ok") {
+        accessToken = data.accessToken;
+        instanceUrl = data.instanceUrl;
+        break;
+      }
+    } catch (err) {
+      if (String(err).includes("session expired")) throw err;
+    }
+  }
+  if (!accessToken || !instanceUrl) {
+    s.stop("Timed out");
+    throw new Error(
+      "Timed out waiting for Salesforce authentication (5 minutes).\nPlease re-run the command and complete login within 5 minutes."
+    );
+  }
+  s.stop("Authenticated with Salesforce");
+  return { accessToken, instanceUrl };
+}
+
+// src/steps/app-launcher-guide.ts
+import { note as note4, confirm as confirm2, isCancel as isCancel4, log as log14 } from "@clack/prompts";
+import chalk5 from "chalk";
+async function guideAppLauncherSetup(appUrl) {
+  note4(
+    `Complete the following steps in Salesforce now:
+
+  ${chalk5.cyan("1.")} Open ${chalk5.bold("App Launcher")} (grid icon, top-left in Salesforce)
+  ${chalk5.cyan("2.")} Search for ${chalk5.white('"Lead Router Setup"')} and click it
+  ${chalk5.cyan("3.")} Click ${chalk5.white('"Connect to Lead Router"')}
+     \u2192 You will be redirected to ${chalk5.dim(appUrl)} and back
+     \u2192 Authorize the OAuth connection when prompted
+
+  ${chalk5.cyan("4.")} ${chalk5.bold("Step 1")} \u2014 wait for the ${chalk5.green('"Connected"')} checkmark (~5 sec)
+  ${chalk5.cyan("5.")} ${chalk5.bold("Step 2")} \u2014 click ${chalk5.white("Activate")} to enable Lead triggers
+  ${chalk5.cyan("6.")} ${chalk5.bold("Step 3")} \u2014 click ${chalk5.white("Sync Fields")} to index your Lead field schema
+  ${chalk5.cyan("7.")} ${chalk5.bold("Step 4")} \u2014 click ${chalk5.white("Send Test")} to fire a test routing event
+     \u2192 ${chalk5.dim('"Test successful"')} or ${chalk5.dim('"No matching rule"')} are both valid
+
+` + chalk5.dim("Keep this terminal open while you complete the wizard."),
+    "Complete Salesforce setup"
+  );
+  const done = await confirm2({
+    message: "Have you completed the App Launcher wizard?",
+    initialValue: false
+  });
+  if (isCancel4(done)) {
+    log14.warn(
+      "Wizard skipped. Run `lead-routing sfdc deploy` to retry the Salesforce setup."
+    );
+    return;
+  }
+  if (!done) {
+    log14.warn(
+      `No problem \u2014 complete it at your own pace.
+  Open App Launcher \u2192 Lead Router Setup \u2192 Connect to Lead Router
+  Dashboard: ${appUrl}`
+    );
+  } else {
+    log14.success("Salesforce setup complete");
+  }
+}
+
+// src/commands/sfdc.ts
 async function runSfdcDeploy() {
   intro5("Lead Routing \u2014 Deploy Salesforce Package");
   let appUrl;
@@ -1996,7 +2135,8 @@ async function runSfdcDeploy() {
       // Read from config if available
       sfdcClientId: config2?.sfdcClientId ?? "",
       sfdcLoginUrl: config2?.sfdcLoginUrl ?? "https://login.salesforce.com",
-      installDir: dir ?? void 0
+      installDir: dir ?? void 0,
+      webhookSecret: config2?.engineWebhookSecret
     });
   } catch (err) {
     log15.error(err instanceof Error ? err.message : String(err));
@@ -2011,7 +2151,7 @@ async function runSfdcDeploy() {
 }
 
 // src/commands/uninstall.ts
-import { rmSync as rmSync2, existsSync as existsSync5 } from "fs";
+import { rmSync as rmSync2, existsSync as existsSync6 } from "fs";
 import { intro as intro6, outro as outro6, log as log16, confirm as confirm3, password as promptPassword3, isCancel as isCancel5 } from "@clack/prompts";
 import chalk7 from "chalk";
 async function runUninstall() {
@@ -2087,7 +2227,7 @@ async function runUninstall() {
     await ssh.disconnect();
   }
   log16.step("Removing local config directory");
-  if (existsSync5(dir)) {
+  if (existsSync6(dir)) {
     rmSync2(dir, { recursive: true, force: true });
     log16.success(`Removed ${dir}`);
   }