@lead-routing/cli 0.5.0 → 0.6.0

package/dist/index.js

@@ -5,12 +5,12 @@ import { Command } from "commander";
 
 // src/commands/init.ts
 import { promises as dns } from "dns";
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
 import { exec } from "child_process";
 import { platform } from "os";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
 import { intro, outro, note as note3, log as log7, confirm, cancel as cancel3, isCancel as isCancel3, password as promptPassword } from "@clack/prompts";
-import chalk from "chalk";
+import chalk2 from "chalk";
 
 // src/steps/prerequisites.ts
 import { log } from "@clack/prompts";
@@ -77,12 +77,12 @@ async function collectSshConfig(opts = {}) {
     privateKeyPath = resolved;
     log2.info(`Using SSH key: ${opts.sshKey}`);
   } else {
-    const p = await password({
+    const p3 = await password({
       message: `SSH password for ${opts.sshUser ?? "root"}@${host}`,
       validate: (v) => !v ? "Required" : void 0
     });
-    if (isCancel(p)) bail(p);
-    pwd = p;
+    if (isCancel(p3)) bail(p3);
+    pwd = p3;
   }
   return {
     host,
@@ -170,7 +170,6 @@ async function collectConfig(opts = {}) {
   if (isCancel2(adminPassword)) bail2(adminPassword);
   const sessionSecret = generateSecret(32);
   const engineWebhookSecret = generateSecret(32);
-  const adminSecret = generateSecret(16);
   const internalApiKey = generateSecret(32);
   return {
     appUrl: appUrl.trim().replace(/\/+$/, ""),
@@ -187,7 +186,6 @@ async function collectConfig(opts = {}) {
     feedbackToEmail: "",
     sessionSecret,
     engineWebhookSecret,
-    adminSecret,
     internalApiKey
   };
 }
@@ -336,13 +334,17 @@ function renderEnvWeb(c) {
     `SESSION_SECRET=${c.sessionSecret}`,
     ``,
     `# Admin`,
-    `ADMIN_SECRET=${c.adminSecret}`,
     `ADMIN_EMAIL=${c.adminEmail}`,
     `ADMIN_PASSWORD=${c.adminPassword}`,
     ``,
     `# Internal API key (shared with engine for analytics)`,
     `INTERNAL_API_KEY=${c.internalApiKey}`,
     ``,
+    `# License`,
+    `LICENSE_KEY=${c.licenseKey ?? ""}`,
+    `LICENSE_TIER=${c.licenseTier}`,
+    `LICENSE_API_URL=https://lead-routing-license.artyagi2011.workers.dev`,
+    ``,
     `# Email (optional)`,
     `RESEND_API_KEY=${c.resendApiKey ?? ""}`,
     `FEEDBACK_TO_EMAIL=${c.feedbackToEmail ?? ""}`
@@ -370,7 +372,12 @@ function renderEnvEngine(c) {
     `ENGINE_WEBHOOK_SECRET=${c.engineWebhookSecret}`,
     ``,
     `# Internal API key (Bearer token for analytics endpoints)`,
-    `INTERNAL_API_KEY=${c.internalApiKey}`
+    `INTERNAL_API_KEY=${c.internalApiKey}`,
+    ``,
+    `# License`,
+    `LICENSE_KEY=${c.licenseKey ?? ""}`,
+    `LICENSE_TIER=${c.licenseTier}`,
+    `LICENSE_API_URL=https://lead-routing-license.artyagi2011.workers.dev`
   ].join("\n");
 }
 
@@ -411,6 +418,14 @@ function renderCaddyfile(appUrl, engineUrl) {
       `    health_uri /health`,
       `    health_interval 15s`,
       `  }`,
+      `}`,
+      ``,
+      `# Marketing site \u2014 served independently`,
+      `openedgeai.tech {`,
+      `  import security_headers`,
+      `  root * /srv/marketing-site`,
+      `  file_server`,
+      `  try_files {path} /index.html`,
       `}`
     ].join("\n");
   }
@@ -443,6 +458,14 @@ function renderCaddyfile(appUrl, engineUrl) {
     `    health_uri /health`,
     `    health_interval 15s`,
     `  }`,
+    `}`,
+    ``,
+    `# Marketing site \u2014 served independently`,
+    `openedgeai.tech {`,
+    `  import security_headers`,
+    `  root * /srv/marketing-site`,
+    `  file_server`,
+    `  try_files {path} /index.html`,
     `}`
   ].join("\n");
 }
@@ -483,7 +506,7 @@ function getCliVersion() {
     return "0.1.0";
   }
 }
-function generateFiles(cfg, sshCfg) {
+function generateFiles(cfg, sshCfg, license = { licenseTier: "free" }) {
   const dir = join2(process.cwd(), "lead-routing");
   mkdirSync(dir, { recursive: true });
   const dockerEngineUrl = `http://engine:3001`;
@@ -507,12 +530,13 @@ function generateFiles(cfg, sshCfg) {
     redisUrl: cfg.redisUrl,
     sessionSecret: cfg.sessionSecret,
     engineWebhookSecret: cfg.engineWebhookSecret,
-    adminSecret: cfg.adminSecret,
     adminEmail: cfg.adminEmail,
     adminPassword: cfg.adminPassword,
     internalApiKey: cfg.internalApiKey,
     resendApiKey: cfg.resendApiKey || void 0,
-    feedbackToEmail: cfg.feedbackToEmail || void 0
+    feedbackToEmail: cfg.feedbackToEmail || void 0,
+    licenseKey: license.licenseKey,
+    licenseTier: license.licenseTier
   });
   const envWeb = join2(dir, ".env.web");
   writeFileSync2(envWeb, envWebContent, "utf8");
@@ -521,7 +545,9 @@ function generateFiles(cfg, sshCfg) {
     databaseUrl: cfg.databaseUrl,
     redisUrl: cfg.redisUrl,
     engineWebhookSecret: cfg.engineWebhookSecret,
-    internalApiKey: cfg.internalApiKey
+    internalApiKey: cfg.internalApiKey,
+    licenseKey: license.licenseKey,
+    licenseTier: license.licenseTier
   });
   const envEngine = join2(dir, ".env.engine");
   writeFileSync2(envEngine, envEngineContent, "utf8");
@@ -543,11 +569,13 @@ function generateFiles(cfg, sshCfg) {
       redis: cfg.managedRedis
     },
     engineWebhookSecret: cfg.engineWebhookSecret,
+    licenseKey: license.licenseKey,
+    licenseTier: license.licenseTier,
     installedAt: (/* @__PURE__ */ new Date()).toISOString(),
     version: getCliVersion()
   });
   log3.success("Generated lead-routing.json");
-  return { dir, composeFile, envWeb, envEngine, adminSecret: cfg.adminSecret };
+  return { dir, composeFile, envWeb, envEngine };
 }
 
 // src/steps/check-remote-prerequisites.ts
@@ -1001,6 +1029,104 @@ ${result.stderr || result.stdout}`
   }
 };
 
+// src/utils/auth.ts
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync2 } from "fs";
+import { homedir as homedir2 } from "os";
+import { join as join4 } from "path";
+
+// src/utils/license.ts
+import chalk from "chalk";
+var LICENSE_API_URL = process.env.LICENSE_API_URL || "https://lead-routing-license.artyagi2011.workers.dev";
+function formatTierBadge(tier) {
+  if (tier === "pro") return chalk.bgGreen.black(" PRO ");
+  return chalk.bgGray.white(" FREE ");
+}
+
+// src/utils/auth.ts
+var CRED_DIR = join4(homedir2(), ".lead-routing");
+var CRED_FILE = join4(CRED_DIR, "credentials.json");
+function loadCredentials() {
+  try {
+    const data = readFileSync3(CRED_FILE, "utf-8");
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
+function saveCredentials(creds) {
+  mkdirSync2(CRED_DIR, { recursive: true });
+  writeFileSync3(CRED_FILE, JSON.stringify(creds, null, 2));
+}
+function clearCredentials() {
+  try {
+    writeFileSync3(CRED_FILE, "");
+  } catch {
+  }
+}
+async function requireAuth() {
+  const creds = loadCredentials();
+  if (!creds?.token) {
+    throw new Error("Not logged in. Run `lead-routing login` first.");
+  }
+  const res = await fetch(`${LICENSE_API_URL}/v1/auth/me`, {
+    headers: { "Authorization": `Bearer ${creds.token}` },
+    signal: AbortSignal.timeout(1e4)
+  });
+  if (!res.ok) {
+    clearCredentials();
+    throw new Error("Session expired. Run `lead-routing login` to sign in again.");
+  }
+  const data = await res.json();
+  if (!data.customer.emailVerified) {
+    throw new Error("Email not verified. Check your inbox for the verification link.");
+  }
+  const updated = {
+    token: creds.token,
+    customer: data.customer,
+    storedAt: creds.storedAt
+  };
+  saveCredentials(updated);
+  return updated;
+}
+async function apiLogin(email, password5) {
+  const res = await fetch(`${LICENSE_API_URL}/v1/auth/login`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ email, password: password5 }),
+    signal: AbortSignal.timeout(1e4)
+  });
+  if (!res.ok) {
+    const body = await res.json().catch(() => ({ error: `HTTP ${res.status}` }));
+    throw new Error(body.error || "Login failed");
+  }
+  return await res.json();
+}
+async function apiSignup(data) {
+  const res = await fetch(`${LICENSE_API_URL}/v1/auth/signup`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(data),
+    signal: AbortSignal.timeout(1e4)
+  });
+  if (!res.ok) {
+    const body = await res.json().catch(() => ({ error: `HTTP ${res.status}` }));
+    throw new Error(body.error || "Signup failed");
+  }
+  const result = await res.json();
+  return result.message;
+}
+async function apiResendVerification(token) {
+  const res = await fetch(`${LICENSE_API_URL}/v1/auth/resend-verification`, {
+    method: "POST",
+    headers: { "Authorization": `Bearer ${token}` },
+    signal: AbortSignal.timeout(1e4)
+  });
+  if (!res.ok) {
+    const body = await res.json().catch(() => ({ error: "Failed" }));
+    throw new Error(body.error || "Failed to resend");
+  }
+}
+
 // src/commands/init.ts
 var MANAGED_PACKAGE_INSTALL_URL = "https://login.salesforce.com/packaging/installPackage.apexp?p0=04tgL000000CTnp";
 function openBrowser(url) {
@@ -1019,7 +1145,7 @@ async function checkDnsResolvable(appUrl, engineUrl) {
       await dns.lookup(host);
     } catch {
       log7.warn(
-        `${chalk.yellow(host)} does not resolve in DNS yet.
+        `${chalk2.yellow(host)} does not resolve in DNS yet.
   Check for typos \u2014 a bad domain will cause a 2-minute timeout at step 7.`
       );
       const go = await confirm({ message: "Continue anyway?", initialValue: true });
@@ -1035,7 +1161,7 @@ async function runInit(options = {}) {
   const resume = options.resume ?? false;
   console.log();
   intro(
-    chalk.bold.cyan("Lead Routing \u2014 Self-Hosted Setup") + (dryRun ? chalk.yellow("  [dry run]") : "") + (resume ? chalk.yellow("  [resume]") : "")
+    chalk2.bold.cyan("Lead Routing \u2014 Self-Hosted Setup") + (dryRun ? chalk2.yellow("  [dry run]") : "") + (resume ? chalk2.yellow("  [resume]") : "")
   );
   const ssh = new SshConnection();
   if (resume) {
@@ -1067,7 +1193,7 @@ async function runInit(options = {}) {
       const remoteDir = await ssh.resolveHome(saved.remoteDir);
       log7.step("Verifying health");
       await verifyHealth(saved.appUrl, saved.engineUrl, ssh, remoteDir);
-      outro(chalk.green("\u2714  Services are healthy!"));
+      outro(chalk2.green("\u2714  Services are healthy!"));
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
       log7.error(`Resume failed: ${message}`);
@@ -1077,18 +1203,35 @@ async function runInit(options = {}) {
     }
     return;
   }
+  let auth;
+  try {
+    auth = await requireAuth();
+  } catch (err) {
+    log7.error(err instanceof Error ? err.message : "Authentication required");
+    note3(
+      `Run one of the following:
+
+  ${chalk2.cyan("lead-routing signup")}   Create a new account
+  ${chalk2.cyan("lead-routing login")}    Log in to existing account`,
+      "Account Required"
+    );
+    process.exit(1);
+  }
+  log7.success(`Logged in as ${auth.customer.firstName} ${auth.customer.lastName} \u2014 ${formatTierBadge(auth.customer.tier)}`);
   try {
-    log7.step("Step 1/8  Install Salesforce Package");
+    log7.step("Step 1/9  License validation");
+    const licenseResult = { tier: auth.customer.tier, key: void 0 };
+    log7.step("Step 2/9  Install Salesforce Package");
     note3(
       `The Lead Router managed package installs the required Connected App,
 triggers, and custom objects in your Salesforce org.
 
-Install URL: ${chalk.cyan(MANAGED_PACKAGE_INSTALL_URL)}`,
+Install URL: ${chalk2.cyan(MANAGED_PACKAGE_INSTALL_URL)}`,
       "Salesforce Package"
     );
     log7.info("Opening install URL in your browser...");
     openBrowser(MANAGED_PACKAGE_INSTALL_URL);
-    log7.info(`${chalk.dim("If the browser didn't open, visit the URL above manually.")}`);
+    log7.info(`${chalk2.dim("If the browser didn't open, visit the URL above manually.")}`);
     const installed = await confirm({
       message: 'Have you installed the package? (Click "Install for All Users" in Salesforce)',
       initialValue: false
@@ -1102,9 +1245,9 @@ Install URL: ${chalk.cyan(MANAGED_PACKAGE_INSTALL_URL)}`,
     } else {
       log7.success("Salesforce package installed");
     }
-    log7.step("Step 2/8  Checking local prerequisites");
+    log7.step("Step 3/9  Checking local prerequisites");
     await checkPrerequisites();
-    log7.step("Step 3/8  SSH connection");
+    log7.step("Step 4/9  SSH connection");
     const sshCfg = await collectSshConfig({
       sshPort: options.sshPort,
       sshUser: options.sshUser,
@@ -1121,42 +1264,45 @@ Install URL: ${chalk.cyan(MANAGED_PACKAGE_INSTALL_URL)}`,
         process.exit(1);
       }
     }
-    log7.step("Step 4/8  Configuration");
+    log7.step("Step 5/9  Configuration");
     const cfg = await collectConfig({
       externalDb: options.externalDb,
       externalRedis: options.externalRedis
     });
     await checkDnsResolvable(cfg.appUrl, cfg.engineUrl);
-    log7.step("Step 5/8  Generating config files");
-    const { dir, adminSecret } = generateFiles(cfg, sshCfg);
+    log7.step("Step 6/9  Generating config files");
+    const { dir } = generateFiles(cfg, sshCfg, {
+      licenseKey: licenseResult.key,
+      licenseTier: licenseResult.tier
+    });
     note3(
-      `Local config directory: ${chalk.cyan(dir)}
+      `Local config directory: ${chalk2.cyan(dir)}
 Files created: docker-compose.yml, Caddyfile, .env.web, .env.engine, lead-routing.json`,
       "Files"
     );
     if (dryRun) {
       outro(
-        chalk.yellow("Dry run complete \u2014 no connection made, no services started.") + `
+        chalk2.yellow("Dry run complete \u2014 no connection made, no services started.") + `
 
-  Config files written to: ${chalk.cyan(dir)}
+  Config files written to: ${chalk2.cyan(dir)}
 
-  When ready, run ${chalk.cyan("lead-routing init")} (without --dry-run) to deploy.`
+  When ready, run ${chalk2.cyan("lead-routing init")} (without --dry-run) to deploy.`
       );
       return;
     }
-    log7.step("Step 6/8  Remote setup");
+    log7.step("Step 7/9  Remote setup");
     const remoteDir = await ssh.resolveHome(sshCfg.remoteDir);
     await checkRemotePrerequisites(ssh);
     await uploadFiles(ssh, dir, remoteDir);
-    log7.step("Step 7/8  Starting services");
+    log7.step("Step 8/9  Starting services");
     await startServices(ssh, remoteDir);
-    log7.step("Step 8/8  Verifying health");
+    log7.step("Step 9/9  Verifying health");
     await verifyHealth(cfg.appUrl, cfg.engineUrl, ssh, remoteDir);
     try {
-      const envWebPath = join4(dir, ".env.web");
-      const envContent = readFileSync3(envWebPath, "utf-8");
+      const envWebPath = join5(dir, ".env.web");
+      const envContent = readFileSync4(envWebPath, "utf-8");
       const cleaned = envContent.split("\n").filter((line) => !line.startsWith("ADMIN_PASSWORD=")).join("\n");
-      writeFileSync3(envWebPath, cleaned, "utf-8");
+      writeFileSync4(envWebPath, cleaned, "utf-8");
       log7.success("Removed ADMIN_PASSWORD from .env.web (no longer needed after seed)");
     } catch {
     }
@@ -1166,22 +1312,20 @@ The managed package is already installed \u2014 just click "Connect Salesforce"
       "Next: Connect Salesforce"
     );
     outro(
-      chalk.green("\u2714  You're live!") + `
+      chalk2.green("\u2714  You're live!") + `
 
-  Dashboard:      ${chalk.cyan(cfg.appUrl)}
-  Routing engine: ${chalk.cyan(cfg.engineUrl)}
+  Dashboard:      ${chalk2.cyan(cfg.appUrl)}
+  Routing engine: ${chalk2.cyan(cfg.engineUrl)}
 
-  Admin email:    ${chalk.white(cfg.adminEmail)}
-  Admin secret:   ${chalk.yellow(adminSecret)}
-                  ${chalk.dim("run `lead-routing config show` to retrieve later")}
+  Admin email:    ${chalk2.white(cfg.adminEmail)}
 
-` + chalk.bold("  Next steps:\n") + `  ${chalk.cyan("1.")} Open ${chalk.cyan(cfg.appUrl)} and log in
-  ${chalk.cyan("2.")} Go to Integrations \u2192 Salesforce \u2192 Connect
-  ${chalk.cyan("3.")} Complete the onboarding wizard in Salesforce
-  ${chalk.cyan("4.")} Create your first routing rule
+` + chalk2.bold("  Next steps:\n") + `  ${chalk2.cyan("1.")} Open ${chalk2.cyan(cfg.appUrl)} and log in
+  ${chalk2.cyan("2.")} Go to Integrations \u2192 Salesforce \u2192 Connect
+  ${chalk2.cyan("3.")} Complete the onboarding wizard in Salesforce
+  ${chalk2.cyan("4.")} Create your first routing rule
 
-  Run ${chalk.cyan("lead-routing doctor")} to check service health at any time.
-  Run ${chalk.cyan("lead-routing deploy")} to update to a new version.`
+  Run ${chalk2.cyan("lead-routing doctor")} to check service health at any time.
+  Run ${chalk2.cyan("lead-routing deploy")} to update to a new version.`
     );
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
@@ -1193,14 +1337,14 @@ The managed package is already installed \u2014 just click "Connect Salesforce"
 }
 
 // src/commands/deploy.ts
-import { writeFileSync as writeFileSync4, unlinkSync } from "fs";
-import { join as join5 } from "path";
+import { writeFileSync as writeFileSync5, unlinkSync } from "fs";
+import { join as join6 } from "path";
 import { tmpdir } from "os";
 import { intro as intro2, outro as outro2, log as log8, password as promptPassword2 } from "@clack/prompts";
-import chalk2 from "chalk";
+import chalk3 from "chalk";
 async function runDeploy() {
   console.log();
-  intro2(chalk2.bold.cyan("Lead Routing \u2014 Deploy"));
+  intro2(chalk3.bold.cyan("Lead Routing \u2014 Deploy"));
   const dir = findInstallDir();
   if (!dir) {
     log8.error(
@@ -1236,8 +1380,8 @@ async function runDeploy() {
     const remoteDir = await ssh.resolveHome(cfg.remoteDir);
     log8.step("Syncing Caddyfile");
     const caddyContent = renderCaddyfile(cfg.appUrl, cfg.engineUrl);
-    const tmpCaddy = join5(tmpdir(), "lead-routing-Caddyfile");
-    writeFileSync4(tmpCaddy, caddyContent, "utf8");
+    const tmpCaddy = join6(tmpdir(), "lead-routing-Caddyfile");
+    writeFileSync5(tmpCaddy, caddyContent, "utf8");
     await ssh.upload([{ local: tmpCaddy, remote: `${remoteDir}/Caddyfile` }]);
     unlinkSync(tmpCaddy);
     await ssh.exec("docker compose restart caddy", remoteDir);
@@ -1249,9 +1393,9 @@ async function runDeploy() {
     await ssh.exec("docker compose up -d --remove-orphans", remoteDir);
     log8.success("Services restarted");
     outro2(
-      chalk2.green("\u2714  Deployment complete!") + `
+      chalk3.green("\u2714  Deployment complete!") + `
 
-  ${chalk2.cyan(cfg.appUrl)}`
+  ${chalk3.cyan(cfg.appUrl)}`
     );
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
@@ -1264,11 +1408,11 @@ async function runDeploy() {
 
 // src/commands/doctor.ts
 import { intro as intro3, outro as outro3, log as log9 } from "@clack/prompts";
-import chalk3 from "chalk";
+import chalk4 from "chalk";
 import { execa } from "execa";
 async function runDoctor() {
   console.log();
-  intro3(chalk3.bold.cyan("Lead Routing \u2014 Health Check"));
+  intro3(chalk4.bold.cyan("Lead Routing \u2014 Health Check"));
   const dir = findInstallDir();
   if (!dir) {
     log9.error("No lead-routing.json found. Run `lead-routing init` first.");
@@ -1287,17 +1431,17 @@ async function runDoctor() {
   checks.push(await checkEndpoint("Routing engine", `${cfg.engineUrl}/health`));
   console.log();
   for (const c of checks) {
-    const icon = c.pass ? chalk3.green("\u2714") : chalk3.red("\u2717");
-    const label = c.pass ? chalk3.white(c.label) : chalk3.red(c.label);
-    const detail = c.detail ? chalk3.dim(` \u2014 ${c.detail}`) : "";
+    const icon = c.pass ? chalk4.green("\u2714") : chalk4.red("\u2717");
+    const label = c.pass ? chalk4.white(c.label) : chalk4.red(c.label);
+    const detail = c.detail ? chalk4.dim(` \u2014 ${c.detail}`) : "";
     console.log(`  ${icon}  ${label}${detail}`);
   }
   console.log();
   const failed = checks.filter((c) => !c.pass);
   if (failed.length === 0) {
-    outro3(chalk3.green("All checks passed"));
+    outro3(chalk4.green("All checks passed"));
   } else {
-    outro3(chalk3.yellow(`${failed.length} check(s) failed`));
+    outro3(chalk4.yellow(`${failed.length} check(s) failed`));
     process.exit(1);
   }
 }
@@ -1399,14 +1543,14 @@ async function runStatus() {
 }
 
 // src/commands/config.ts
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync5, existsSync as existsSync3 } from "fs";
-import { join as join6 } from "path";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync6, existsSync as existsSync3 } from "fs";
+import { join as join7 } from "path";
 import { intro as intro4, outro as outro4, log as log12 } from "@clack/prompts";
-import chalk4 from "chalk";
+import chalk5 from "chalk";
 function parseEnv(filePath) {
   const map = /* @__PURE__ */ new Map();
   if (!existsSync3(filePath)) return map;
-  for (const line of readFileSync4(filePath, "utf8").split("\n")) {
+  for (const line of readFileSync5(filePath, "utf8").split("\n")) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
     const eq = trimmed.indexOf("=");
@@ -1434,25 +1578,23 @@ function runConfigShow() {
     console.error("No lead-routing installation found in the current directory.");
     process.exit(1);
   }
-  const envWeb = join6(dir, ".env.web");
+  const envWeb = join7(dir, ".env.web");
   const cfg = parseEnv(envWeb);
-  const adminSecret = cfg.get("ADMIN_SECRET") ?? "(not found)";
   const appUrl = cfg.get("APP_URL") ?? "(not found)";
   console.log();
-  console.log(chalk4.bold("Lead Routing \u2014 Installation Config"));
+  console.log(chalk5.bold("Lead Routing \u2014 Installation Config"));
   console.log();
-  console.log(`  Admin panel:   ${chalk4.cyan(appUrl + "/admin")}`);
-  console.log(`  Admin secret:  ${chalk4.yellow(adminSecret)}`);
+  console.log(`  Dashboard:  ${chalk5.cyan(appUrl)}`);
   console.log();
 }
 
 // src/commands/sfdc.ts
 import { intro as intro5, outro as outro5, text as text3, log as log15 } from "@clack/prompts";
-import chalk6 from "chalk";
+import chalk7 from "chalk";
 
 // src/steps/sfdc-deploy-inline.ts
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync6, existsSync as existsSync5, cpSync, rmSync } from "fs";
-import { join as join8, dirname as dirname2 } from "path";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync7, existsSync as existsSync5, cpSync, rmSync } from "fs";
+import { join as join9, dirname as dirname2 } from "path";
 import { tmpdir as tmpdir2 } from "os";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import { execSync } from "child_process";
@@ -1577,9 +1719,9 @@ Content-Type: application/zip\r
       body
     });
     if (!res.ok) {
-      const text4 = await res.text();
+      const text6 = await res.text();
       throw new Error(
-        `Metadata deploy request failed (${res.status}): ${text4}`
+        `Metadata deploy request failed (${res.status}): ${text6}`
       );
     }
     const result = await res.json();
@@ -1596,9 +1738,9 @@ Content-Type: application/zip\r
       const url = `${this.baseUrl}/metadata/deployRequest/${deployId}?includeDetails=true`;
       const res = await fetch(url, { headers: this.headers() });
       if (!res.ok) {
-        const text4 = await res.text();
+        const text6 = await res.text();
         throw new Error(
-          `Deploy status check failed (${res.status}): ${text4}`
+          `Deploy status check failed (${res.status}): ${text6}`
         );
       }
       const data = await res.json();
@@ -1619,8 +1761,8 @@ var DuplicateError = class extends Error {
 };
 
 // src/utils/zip-source.ts
-import { join as join7 } from "path";
-import { readdirSync, readFileSync as readFileSync5, existsSync as existsSync4 } from "fs";
+import { join as join8 } from "path";
+import { readdirSync, readFileSync as readFileSync6, existsSync as existsSync4 } from "fs";
 import archiver from "archiver";
 var META_TYPE_MAP = {
   applications: "CustomApplication",
@@ -1633,10 +1775,10 @@ var META_TYPE_MAP = {
   tabs: "CustomTab"
 };
 async function zipSourcePackage(packageDir) {
-  const forceAppDefault = join7(packageDir, "force-app", "main", "default");
+  const forceAppDefault = join8(packageDir, "force-app", "main", "default");
   let apiVersion = "59.0";
   try {
-    const proj = JSON.parse(readFileSync5(join7(packageDir, "sfdx-project.json"), "utf8"));
+    const proj = JSON.parse(readFileSync6(join8(packageDir, "sfdx-project.json"), "utf8"));
     if (proj.sourceApiVersion) apiVersion = proj.sourceApiVersion;
   } catch {
   }
@@ -1652,15 +1794,15 @@ async function zipSourcePackage(packageDir) {
     archive.on("end", () => resolve(Buffer.concat(chunks)));
     archive.on("error", reject);
     for (const [dirName, metaType] of Object.entries(META_TYPE_MAP)) {
-      const srcDir = join7(forceAppDefault, dirName);
+      const srcDir = join8(forceAppDefault, dirName);
       if (!existsSync4(srcDir)) continue;
       const entries = readdirSync(srcDir, { withFileTypes: true });
       for (const entry of entries) {
         if (dirName === "lwc" && entry.isDirectory()) {
           addMember(metaType, entry.name);
-          archive.directory(join7(srcDir, entry.name), `${dirName}/${entry.name}`);
+          archive.directory(join8(srcDir, entry.name), `${dirName}/${entry.name}`);
         } else if (entry.isFile()) {
-          archive.file(join7(srcDir, entry.name), { name: `${dirName}/${entry.name}` });
+          archive.file(join8(srcDir, entry.name), { name: `${dirName}/${entry.name}` });
           if (!entry.name.endsWith("-meta.xml")) {
             const memberName = entry.name.replace(/\.[^.]+$/, "");
             addMember(metaType, memberName);
@@ -1668,13 +1810,13 @@ async function zipSourcePackage(packageDir) {
         }
       }
     }
-    const objectsDir = join7(forceAppDefault, "objects");
+    const objectsDir = join8(forceAppDefault, "objects");
     if (existsSync4(objectsDir)) {
       for (const objEntry of readdirSync(objectsDir, { withFileTypes: true })) {
         if (!objEntry.isDirectory()) continue;
         const objName = objEntry.name;
         addMember("CustomObject", objName);
-        const objDir = join7(objectsDir, objName);
+        const objDir = join8(objectsDir, objName);
         const objectXml = mergeObjectXml(objDir, objName, apiVersion);
         archive.append(Buffer.from(objectXml, "utf8"), {
           name: `objects/${objName}.object`
@@ -1691,17 +1833,17 @@ function mergeObjectXml(objDir, objName, apiVersion) {
     '<?xml version="1.0" encoding="UTF-8"?>',
     '<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">'
   ];
-  const objMetaPath = join7(objDir, `${objName}.object-meta.xml`);
+  const objMetaPath = join8(objDir, `${objName}.object-meta.xml`);
   if (existsSync4(objMetaPath)) {
-    const content = readFileSync5(objMetaPath, "utf8");
+    const content = readFileSync6(objMetaPath, "utf8");
     const inner = content.replace(/<\?xml[^?]*\?>\s*/g, "").replace(/<CustomObject[^>]*>/g, "").replace(/<\/CustomObject>/g, "").trim();
     if (inner) lines.push(inner);
   }
-  const fieldsDir = join7(objDir, "fields");
+  const fieldsDir = join8(objDir, "fields");
   if (existsSync4(fieldsDir)) {
     for (const fieldFile of readdirSync(fieldsDir).sort()) {
       if (!fieldFile.endsWith(".field-meta.xml")) continue;
-      const content = readFileSync5(join7(fieldsDir, fieldFile), "utf8");
+      const content = readFileSync6(join8(fieldsDir, fieldFile), "utf8");
       const inner = content.replace(/<\?xml[^?]*\?>\s*/g, "").replace(/<CustomField[^>]*>/g, "").replace(/<\/CustomField>/g, "").trim();
       if (inner) {
         lines.push("    <fields>");
@@ -1743,10 +1885,10 @@ async function sfdcDeployInline(params) {
   const { accessToken, instanceUrl } = await loginViaAppBridge(appUrl);
   const sf = new SalesforceApi(instanceUrl, accessToken);
   s.start("Copying Salesforce package\u2026");
-  const inDist = join8(__dirname2, "sfdc-package");
-  const nextToDist = join8(__dirname2, "..", "sfdc-package");
+  const inDist = join9(__dirname2, "sfdc-package");
+  const nextToDist = join9(__dirname2, "..", "sfdc-package");
   const bundledPkg = existsSync5(inDist) ? inDist : nextToDist;
-  const destPkg = join8(installDir ?? tmpdir2(), "lead-routing-sfdc-package");
+  const destPkg = join9(installDir ?? tmpdir2(), "lead-routing-sfdc-package");
   if (!existsSync5(bundledPkg)) {
     s.stop("sfdc-package not found in CLI bundle");
     throw new Error(
@@ -1757,7 +1899,7 @@ The CLI may need to be reinstalled: npm i -g @lead-routing/cli`
   if (existsSync5(destPkg)) rmSync(destPkg, { recursive: true, force: true });
   cpSync(bundledPkg, destPkg, { recursive: true });
   s.stop("Package copied");
-  const ncPath = join8(
+  const ncPath = join9(
     destPkg,
     "force-app",
     "main",
@@ -1766,10 +1908,10 @@ The CLI may need to be reinstalled: npm i -g @lead-routing/cli`
     "RoutingEngine.namedCredential-meta.xml"
   );
   if (existsSync5(ncPath)) {
-    const nc = patchXml(readFileSync6(ncPath, "utf8"), "endpoint", engineUrl);
-    writeFileSync6(ncPath, nc, "utf8");
+    const nc = patchXml(readFileSync7(ncPath, "utf8"), "endpoint", engineUrl);
+    writeFileSync7(ncPath, nc, "utf8");
   }
-  const rssEnginePath = join8(
+  const rssEnginePath = join9(
     destPkg,
     "force-app",
     "main",
@@ -1778,11 +1920,11 @@ The CLI may need to be reinstalled: npm i -g @lead-routing/cli`
     "LeadRouterEngine.remoteSite-meta.xml"
   );
   if (existsSync5(rssEnginePath)) {
-    let rss = patchXml(readFileSync6(rssEnginePath, "utf8"), "url", engineUrl);
+    let rss = patchXml(readFileSync7(rssEnginePath, "utf8"), "url", engineUrl);
     rss = patchXml(rss, "description", "Lead Router Engine endpoint");
-    writeFileSync6(rssEnginePath, rss, "utf8");
+    writeFileSync7(rssEnginePath, rss, "utf8");
   }
-  const rssAppPath = join8(
+  const rssAppPath = join9(
     destPkg,
     "force-app",
     "main",
@@ -1791,9 +1933,9 @@ The CLI may need to be reinstalled: npm i -g @lead-routing/cli`
     "LeadRouterApp.remoteSite-meta.xml"
   );
   if (existsSync5(rssAppPath)) {
-    let rss = patchXml(readFileSync6(rssAppPath, "utf8"), "url", appUrl);
+    let rss = patchXml(readFileSync7(rssAppPath, "utf8"), "url", appUrl);
     rss = patchXml(rss, "description", "Lead Router App URL");
-    writeFileSync6(rssAppPath, rss, "utf8");
+    writeFileSync7(rssAppPath, rss, "utf8");
   }
   log13.success("Remote Site Settings patched");
   s.start("Deploying Salesforce package (this may take ~2 min)\u2026");
@@ -1950,24 +2092,24 @@ Ensure the app is running and the URL is correct.`
 
 // src/steps/app-launcher-guide.ts
 import { note as note4, confirm as confirm2, isCancel as isCancel4, log as log14 } from "@clack/prompts";
-import chalk5 from "chalk";
+import chalk6 from "chalk";
 async function guideAppLauncherSetup(appUrl) {
   note4(
     `Complete the following steps in Salesforce now:
 
-  ${chalk5.cyan("1.")} Open ${chalk5.bold("App Launcher")} (grid icon, top-left in Salesforce)
-  ${chalk5.cyan("2.")} Search for ${chalk5.white('"Lead Router Setup"')} and click it
-  ${chalk5.cyan("3.")} Click ${chalk5.white('"Connect to Lead Router"')}
-     \u2192 You will be redirected to ${chalk5.dim(appUrl)} and back
+  ${chalk6.cyan("1.")} Open ${chalk6.bold("App Launcher")} (grid icon, top-left in Salesforce)
+  ${chalk6.cyan("2.")} Search for ${chalk6.white('"Lead Router Setup"')} and click it
+  ${chalk6.cyan("3.")} Click ${chalk6.white('"Connect to Lead Router"')}
+     \u2192 You will be redirected to ${chalk6.dim(appUrl)} and back
      \u2192 Authorize the OAuth connection when prompted
 
-  ${chalk5.cyan("4.")} ${chalk5.bold("Step 1")} \u2014 wait for the ${chalk5.green('"Connected"')} checkmark (~5 sec)
-  ${chalk5.cyan("5.")} ${chalk5.bold("Step 2")} \u2014 click ${chalk5.white("Activate")} to enable Lead triggers
-  ${chalk5.cyan("6.")} ${chalk5.bold("Step 3")} \u2014 click ${chalk5.white("Sync Fields")} to index your Lead field schema
-  ${chalk5.cyan("7.")} ${chalk5.bold("Step 4")} \u2014 click ${chalk5.white("Send Test")} to fire a test routing event
-     \u2192 ${chalk5.dim('"Test successful"')} or ${chalk5.dim('"No matching rule"')} are both valid
+  ${chalk6.cyan("4.")} ${chalk6.bold("Step 1")} \u2014 wait for the ${chalk6.green('"Connected"')} checkmark (~5 sec)
+  ${chalk6.cyan("5.")} ${chalk6.bold("Step 2")} \u2014 click ${chalk6.white("Activate")} to enable Lead triggers
+  ${chalk6.cyan("6.")} ${chalk6.bold("Step 3")} \u2014 click ${chalk6.white("Sync Fields")} to index your Lead field schema
+  ${chalk6.cyan("7.")} ${chalk6.bold("Step 4")} \u2014 click ${chalk6.white("Send Test")} to fire a test routing event
+     \u2192 ${chalk6.dim('"Test successful"')} or ${chalk6.dim('"No matching rule"')} are both valid
 
-` + chalk5.dim("Keep this terminal open while you complete the wizard."),
+` + chalk6.dim("Keep this terminal open while you complete the wizard."),
     "Complete Salesforce setup"
   );
   const done = await confirm2({
@@ -2038,19 +2180,19 @@ async function runSfdcDeploy() {
   }
   await guideAppLauncherSetup(appUrl);
   outro5(
-    chalk6.green("\u2714  Salesforce package deployed!") + `
+    chalk7.green("\u2714  Salesforce package deployed!") + `
 
-  Your Lead Router dashboard: ${chalk6.cyan(appUrl)}`
+  Your Lead Router dashboard: ${chalk7.cyan(appUrl)}`
   );
 }
 
 // src/commands/uninstall.ts
 import { rmSync as rmSync2, existsSync as existsSync6 } from "fs";
 import { intro as intro6, outro as outro6, log as log16, confirm as confirm3, password as promptPassword3, isCancel as isCancel5 } from "@clack/prompts";
-import chalk7 from "chalk";
+import chalk8 from "chalk";
 async function runUninstall() {
   console.log();
-  intro6(chalk7.bold.red("Lead Routing \u2014 Uninstall"));
+  intro6(chalk8.bold.red("Lead Routing \u2014 Uninstall"));
   const dir = findInstallDir();
   if (!dir) {
     log16.error(
@@ -2065,13 +2207,13 @@ async function runUninstall() {
     );
     process.exit(1);
   }
-  log16.warn(chalk7.red("This will permanently destroy:"));
+  log16.warn(chalk8.red("This will permanently destroy:"));
   log16.warn(`  \u2022 Remote: ${cfg.ssh.username}@${cfg.ssh.host}:${cfg.remoteDir}`);
   log16.warn("    \u2514\u2500 All containers, Postgres data, Redis data, config files");
   log16.warn(`  \u2022 Local: ${dir}/`);
   log16.warn("    \u2514\u2500 docker-compose.yml, .env.web, .env.engine, Caddyfile, lead-routing.json");
   const confirmed = await confirm3({
-    message: chalk7.bold("Are you sure you want to uninstall? This cannot be undone."),
+    message: chalk8.bold("Are you sure you want to uninstall? This cannot be undone."),
     initialValue: false
   });
   if (isCancel5(confirmed) || !confirmed) {
@@ -2126,12 +2268,96 @@ async function runUninstall() {
     log16.success(`Removed ${dir}`);
   }
   outro6(
-    chalk7.green("\u2714  Uninstall complete.") + `
+    chalk8.green("\u2714  Uninstall complete.") + `
 
-  Run ${chalk7.cyan("npx @lead-routing/cli init")} to start fresh.`
+  Run ${chalk8.cyan("npx @lead-routing/cli init")} to start fresh.`
   );
 }
 
+// src/commands/signup.ts
+import * as p from "@clack/prompts";
+import chalk9 from "chalk";
+async function runSignup() {
+  p.intro(chalk9.bgBlue.white(" lead-routing signup "));
+  const firstName = await p.text({ message: "First name", placeholder: "John", validate: (v) => v.trim() ? void 0 : "Required" });
+  if (p.isCancel(firstName)) process.exit(0);
+  const lastName = await p.text({ message: "Last name", placeholder: "Smith", validate: (v) => v.trim() ? void 0 : "Required" });
+  if (p.isCancel(lastName)) process.exit(0);
+  const email = await p.text({ message: "Email", placeholder: "john@acme.com", validate: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v.trim()) ? void 0 : "Invalid email" });
+  if (p.isCancel(email)) process.exit(0);
+  const password5 = await p.password({ message: "Password (min 8 characters)", validate: (v) => v.length >= 8 ? void 0 : "Must be at least 8 characters" });
+  if (p.isCancel(password5)) process.exit(0);
+  const confirm5 = await p.password({ message: "Confirm password", validate: (v) => v === password5 ? void 0 : "Passwords do not match" });
+  if (p.isCancel(confirm5)) process.exit(0);
+  const spinner8 = p.spinner();
+  spinner8.start("Creating account...");
+  try {
+    const message = await apiSignup({
+      firstName: firstName.trim(),
+      lastName: lastName.trim(),
+      email: email.trim(),
+      password: password5
+    });
+    spinner8.stop("Account created!");
+    p.note(
+      `Check your email (${email.trim()}) for a verification link.
+
+After verifying, run:
+
+  ${chalk9.cyan("lead-routing login")}`,
+      "Next Steps"
+    );
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : "Signup failed";
+    spinner8.stop(msg);
+    if (msg.includes("already")) {
+      p.log.info(`Try ${chalk9.cyan("lead-routing login")} instead.`);
+    }
+    process.exit(1);
+  }
+  p.outro("Done!");
+}
+
+// src/commands/login.ts
+import * as p2 from "@clack/prompts";
+import chalk10 from "chalk";
+async function runLogin() {
+  p2.intro(chalk10.bgBlue.white(" lead-routing login "));
+  const email = await p2.text({ message: "Email", placeholder: "john@acme.com" });
+  if (p2.isCancel(email)) process.exit(0);
+  const password5 = await p2.password({ message: "Password" });
+  if (p2.isCancel(password5)) process.exit(0);
+  const spinner8 = p2.spinner();
+  spinner8.start("Authenticating...");
+  try {
+    const { token, customer } = await apiLogin(email.trim(), password5);
+    if (!customer.emailVerified) {
+      spinner8.stop("Email not verified");
+      p2.log.warn(`Your email (${customer.email}) hasn't been verified yet.`);
+      const resend = await p2.confirm({ message: "Resend verification email?" });
+      if (resend && !p2.isCancel(resend)) {
+        try {
+          await apiResendVerification(token);
+          p2.log.success("Verification email sent! Check your inbox.");
+        } catch {
+          p2.log.error("Failed to resend. Try again later.");
+        }
+      }
+      p2.note(`Verify your email, then run:
+
+  ${chalk10.cyan("lead-routing login")}`, "Next Steps");
+      process.exit(1);
+    }
+    saveCredentials({ token, customer, storedAt: (/* @__PURE__ */ new Date()).toISOString() });
+    spinner8.stop(`Logged in as ${customer.firstName} ${customer.lastName} \u2014 ${formatTierBadge(customer.tier)}`);
+    p2.note(`Credentials saved to ~/.lead-routing/credentials.json`, "Saved");
+  } catch (err) {
+    spinner8.stop(err instanceof Error ? err.message : "Login failed");
+    process.exit(1);
+  }
+  p2.outro("Done!");
+}
+
 // src/index.ts
 var program = new Command();
 program.name("lead-routing").description("Self-hosted Lead Routing \u2014 scaffold, deploy, and manage your installation").version("0.1.13");
@@ -2150,11 +2376,13 @@ program.command("doctor").description("Check the health of all services in your
 program.command("logs [service]").description("Stream logs from a service (web, engine, postgres, redis). Defaults to engine.").action((service) => runLogs(service));
 program.command("status").description("Show the running state of all Docker containers").action(runStatus);
 var config = program.command("config").description("Update configuration values in a live installation");
-config.command("show").description("Print key config values for this installation (admin secret, app URL, SFDC client ID)").action(runConfigShow);
+config.command("show").description("Print key config values for this installation (app URL)").action(runConfigShow);
 config.command("sfdc").description("Update Salesforce Connected App credentials (Consumer Key + Secret)").action(runConfigSfdc);
 var sfdc = program.command("sfdc").description("Manage the Salesforce package for this installation");
 sfdc.command("deploy").description("Deploy (or redeploy) the Lead Router Salesforce package to your Salesforce org").action(runSfdcDeploy);
 program.command("uninstall").description("Stop all containers, remove all data, and delete the remote installation").action(runUninstall);
+program.command("signup").description("Create a new Lead Routing account").action(runSignup);
+program.command("login").description("Log in to your Lead Routing account").action(runLogin);
 program.parseAsync(process.argv).catch((err) => {
   console.error(err instanceof Error ? err.message : String(err));
   process.exit(1);

package/dist/prisma/migrations/20260315000000_fix_aggregate_upsert_race/migration.sql

@@ -0,0 +1,36 @@
+-- Fix: the existing @@unique constraint does not prevent duplicate rows
+-- because PostgreSQL treats NULLs as distinct in unique indexes.
+
+-- Step 1: Clean up any existing duplicate rows (keep the one with highest totalCount)
+DELETE FROM "routing_daily_aggregates" a
+USING "routing_daily_aggregates" b
+WHERE a."orgId" = b."orgId"
+  AND a."date" = b."date"
+  AND a."objectType" IS NOT DISTINCT FROM b."objectType"
+  AND a."ruleId" IS NOT DISTINCT FROM b."ruleId"
+  AND a."pathLabel" IS NOT DISTINCT FROM b."pathLabel"
+  AND a."branchId" IS NOT DISTINCT FROM b."branchId"
+  AND a."teamId" IS NOT DISTINCT FROM b."teamId"
+  AND a."assigneeId" IS NOT DISTINCT FROM b."assigneeId"
+  AND a."id" < b."id";
+
+-- Step 2: Create an immutable cast helper for the enum column.
+-- PostgreSQL's built-in enum::text cast is only STABLE, not IMMUTABLE,
+-- so it cannot be used directly in an index expression.
+CREATE OR REPLACE FUNCTION immutable_object_type_text(val "SfdcObjectType")
+RETURNS text LANGUAGE sql IMMUTABLE PARALLEL SAFE AS $$
+  SELECT val::text;
+$$;
+
+-- Step 3: Create a functional unique index using COALESCE to handle NULLs
+CREATE UNIQUE INDEX "routing_daily_aggregates_dimension_key"
+ON "routing_daily_aggregates" (
+  "orgId",
+  "date",
+  COALESCE("ruleId", ''),
+  COALESCE("pathLabel", ''),
+  COALESCE("branchId", ''),
+  COALESCE("teamId", ''),
+  COALESCE("assigneeId", ''),
+  COALESCE(immutable_object_type_text("objectType"), '')
+);

package/dist/prisma/migrations/20260316000000_add_license_activation_columns/migration.sql

@@ -0,0 +1,5 @@
+-- AlterTable
+ALTER TABLE "organizations" ADD COLUMN IF NOT EXISTS "licenseKey" TEXT;
+ALTER TABLE "organizations" ADD COLUMN IF NOT EXISTS "licenseTier" TEXT;
+ALTER TABLE "organizations" ADD COLUMN IF NOT EXISTS "licenseValidUntil" TIMESTAMP(3);
+ALTER TABLE "organizations" ADD COLUMN IF NOT EXISTS "licenseActivatedAt" TIMESTAMP(3);

package/dist/prisma/schema.prisma

@@ -107,6 +107,11 @@ model Organization {
   aiBaseUrl        String?   // custom endpoint URL (null = default)
   aiCustomHeaders  Json?     // custom headers for self-hosted proxies
   aiChatCount      Int       @default(0)
+  // License activation (from web UI)
+  licenseKey         String?
+  licenseTier        String?   // "free" | "pro"
+  licenseValidUntil  DateTime?
+  licenseActivatedAt DateTime?
   createdAt                DateTime @default(now())
   updatedAt                DateTime @updatedAt
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lead-routing/cli",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "Self-hosted deployment CLI for Lead Routing",
   "homepage": "https://github.com/lead-routing/lead-routing",
   "keywords": [