@wraps.dev/cli 0.3.2 → 0.3.4

package/dist/cli.js

@@ -9,11 +9,11 @@ var __export = (target, all3) => {
     __defProp(target, name, { get: all3[name], enumerable: true });
 };
 
-// ../../node_modules/.pnpm/tsup@8.5.0_jiti@2.6.1_postcss@8.5.6_tsx@4.20.6_typescript@5.8.3/node_modules/tsup/assets/esm_shims.js
+// ../../node_modules/.pnpm/tsup@8.5.0_jiti@2.6.1_postcss@8.5.6_tsx@4.20.6_typescript@5.9.3/node_modules/tsup/assets/esm_shims.js
 import path from "path";
 import { fileURLToPath } from "url";
 var init_esm_shims = __esm({
-  "../../node_modules/.pnpm/tsup@8.5.0_jiti@2.6.1_postcss@8.5.6_tsx@4.20.6_typescript@5.8.3/node_modules/tsup/assets/esm_shims.js"() {
+  "../../node_modules/.pnpm/tsup@8.5.0_jiti@2.6.1_postcss@8.5.6_tsx@4.20.6_typescript@5.9.3/node_modules/tsup/assets/esm_shims.js"() {
     "use strict";
   }
 });
@@ -23,11 +23,152 @@ var mail_manager_exports = {};
 __export(mail_manager_exports, {
   createMailManagerArchive: () => createMailManagerArchive
 });
+import {
+  CreateArchiveCommand,
+  GetArchiveCommand,
+  ListArchivesCommand,
+  MailManagerClient
+} from "@aws-sdk/client-mailmanager";
+import {
+  PutConfigurationSetArchivingOptionsCommand,
+  SESv2Client
+} from "@aws-sdk/client-sesv2";
+function retentionToAWSPeriod(retention) {
+  switch (retention) {
+    case "3months":
+      return "THREE_MONTHS";
+    case "6months":
+      return "SIX_MONTHS";
+    case "9months":
+      return "NINE_MONTHS";
+    case "1year":
+      return "ONE_YEAR";
+    case "18months":
+      return "EIGHTEEN_MONTHS";
+    case "2years":
+      return "TWO_YEARS";
+    case "30months":
+      return "THIRTY_MONTHS";
+    case "3years":
+      return "THREE_YEARS";
+    case "4years":
+      return "FOUR_YEARS";
+    case "5years":
+      return "FIVE_YEARS";
+    case "6years":
+      return "SIX_YEARS";
+    case "7years":
+      return "SEVEN_YEARS";
+    case "8years":
+      return "EIGHT_YEARS";
+    case "9years":
+      return "NINE_YEARS";
+    case "10years":
+      return "TEN_YEARS";
+    case "permanent":
+      return "PERMANENT";
+    default:
+      return "THREE_MONTHS";
+  }
+}
 async function createMailManagerArchive(config) {
-  void config;
-  throw new Error(
-    "Mail Manager Archive is not yet supported in Pulumi AWS provider. Email archiving with Mail Manager is coming soon."
-  );
+  const region = config.region || process.env.AWS_REGION || "us-east-1";
+  const archiveName = `wraps-${config.name}-archive`;
+  const mailManagerClient = new MailManagerClient({ region });
+  const sesClient = new SESv2Client({ region });
+  const kmsKeyArn = config.kmsKeyArn;
+  if (!kmsKeyArn) {
+  }
+  const awsRetention = retentionToAWSPeriod(config.retention);
+  let archiveId;
+  let archiveArn;
+  try {
+    const listCommand = new ListArchivesCommand({});
+    const listResult = await mailManagerClient.send(listCommand);
+    const existingArchive = listResult.Archives?.find(
+      (archive) => archive.ArchiveName === archiveName
+    );
+    if (existingArchive?.ArchiveId) {
+      console.log(`Using existing Mail Manager archive: ${archiveName}`);
+      archiveId = existingArchive.ArchiveId;
+      const getCommand = new GetArchiveCommand({ ArchiveId: archiveId });
+      const getResult = await mailManagerClient.send(getCommand);
+      archiveArn = getResult.ArchiveArn;
+    }
+  } catch (error) {
+    console.log("Error checking for existing archive:", error);
+  }
+  if (!archiveId) {
+    try {
+      const createArchiveCommand = new CreateArchiveCommand({
+        ArchiveName: archiveName,
+        Retention: {
+          RetentionPeriod: awsRetention
+        },
+        ...kmsKeyArn && { KmsKeyArn: kmsKeyArn },
+        Tags: [
+          { Key: "ManagedBy", Value: "wraps-cli" },
+          { Key: "Name", Value: archiveName },
+          { Key: "Retention", Value: config.retention }
+        ]
+      });
+      const archiveResult = await mailManagerClient.send(createArchiveCommand);
+      archiveId = archiveResult.ArchiveId;
+      if (!archiveId) {
+        throw new Error(
+          "Failed to create Mail Manager Archive: No ArchiveId returned"
+        );
+      }
+      console.log(`Created new Mail Manager archive: ${archiveName}`);
+    } catch (error) {
+      if (error instanceof Error && error.name === "ConflictException" && error.message.includes("Archive already exists")) {
+        console.log(
+          "Archive was created concurrently, fetching existing archive..."
+        );
+        const listCommand = new ListArchivesCommand({});
+        const listResult = await mailManagerClient.send(listCommand);
+        const existingArchive = listResult.Archives?.find(
+          (archive) => archive.ArchiveName === archiveName
+        );
+        if (!existingArchive?.ArchiveId) {
+          throw new Error(
+            `Archive exists but couldn't find it: ${archiveName}`
+          );
+        }
+        archiveId = existingArchive.ArchiveId;
+        const getCommand = new GetArchiveCommand({ ArchiveId: archiveId });
+        const getResult = await mailManagerClient.send(getCommand);
+        archiveArn = getResult.ArchiveArn;
+      } else {
+        throw error;
+      }
+    }
+  }
+  if (!archiveArn) {
+    const identity = await import("@aws-sdk/client-sts").then(
+      (m) => new m.STSClient({ region }).send(new m.GetCallerIdentityCommand({}))
+    );
+    const accountId = identity.Account;
+    archiveArn = `arn:aws:ses:${region}:${accountId}:mailmanager-archive/${archiveId}`;
+  }
+  const configSetName = await new Promise((resolve) => {
+    config.configSetName.apply((name) => {
+      resolve(name);
+    });
+  });
+  const putArchivingOptionsCommand = new PutConfigurationSetArchivingOptionsCommand({
+    ConfigurationSetName: configSetName,
+    ArchiveArn: archiveArn
+  });
+  await sesClient.send(putArchivingOptionsCommand);
+  if (!(archiveId && archiveArn)) {
+    throw new Error("Failed to get archive ID or ARN");
+  }
+  return {
+    archiveId,
+    archiveArn,
+    kmsKeyArn
+  };
 }
 var init_mail_manager = __esm({
   "src/infrastructure/resources/mail-manager.ts"() {
@@ -239,13 +380,22 @@ var init_aws = __esm({
 function estimateStorageSize(emailsPerMonth, retention, numEventTypes = 8) {
   const avgRecordSizeKB = 2;
   const retentionMonths = {
-    "7days": 0.25,
-    "30days": 1,
-    "90days": 3,
+    "3months": 3,
     "6months": 6,
+    "9months": 9,
     "1year": 12,
     "18months": 18,
-    indefinite: 120
+    "2years": 24,
+    "30months": 30,
+    "3years": 36,
+    "4years": 48,
+    "5years": 60,
+    "6years": 72,
+    "7years": 84,
+    "8years": 96,
+    "9years": 108,
+    "10years": 120,
+    permanent: 120
     // Assume 10 years for cost estimation
   }[retention];
   const totalKB = emailsPerMonth * numEventTypes * (retentionMonths ?? 12) * avgRecordSizeKB;
@@ -254,13 +404,22 @@ function estimateStorageSize(emailsPerMonth, retention, numEventTypes = 8) {
 function estimateArchiveStorageSize(emailsPerMonth, retention) {
   const avgEmailSizeKB = 50;
   const retentionMonths = {
-    "7days": 0.25,
-    "30days": 1,
-    "90days": 3,
+    "3months": 3,
     "6months": 6,
+    "9months": 9,
     "1year": 12,
     "18months": 18,
-    indefinite: 120
+    "2years": 24,
+    "30months": 30,
+    "3years": 36,
+    "4years": 48,
+    "5years": 60,
+    "6years": 72,
+    "7years": 84,
+    "8years": 96,
+    "9years": 108,
+    "10years": 120,
+    permanent: 120
     // Assume 10 years for cost estimation
   }[retention];
   const totalKB = emailsPerMonth * (retentionMonths ?? 12) * avgEmailSizeKB;
@@ -300,7 +459,7 @@ function calculateDynamoDBCost(config, emailsPerMonth) {
   if (!config.eventTracking?.dynamoDBHistory) {
     return;
   }
-  const retention = config.eventTracking.archiveRetention || "90days";
+  const retention = config.eventTracking.archiveRetention || "3months";
   const numEventTypes = config.eventTracking.events?.length || 8;
   const totalEvents = emailsPerMonth * numEventTypes;
   const writeCost = Math.max(0, totalEvents - FREE_TIER.DYNAMODB_WRITES) / 1e6 * AWS_PRICING.DYNAMODB_WRITE_PER_MILLION;
@@ -561,7 +720,7 @@ function getPresetInfo(preset) {
         "Everything in Starter",
         "Reputation metrics dashboard",
         "Real-time event tracking (EventBridge)",
-        "90-day email history storage",
+        "3-month email history storage",
         "Optional: Email archiving with rendered viewer",
         "Complete event visibility"
       ]
@@ -630,9 +789,9 @@ function validateConfig(config) {
       "\u{1F4A1} Event tracking is enabled but history storage is disabled. Events will only be available in real-time."
     );
   }
-  if (config.eventTracking?.archiveRetention === "indefinite") {
+  if (config.eventTracking?.archiveRetention === "permanent") {
     warnings.push(
-      "\u26A0\uFE0F  Indefinite retention can become expensive. Consider 90-day or 1-year retention."
+      "\u26A0\uFE0F  Permanent retention can become expensive. Consider 3-month or 1-year retention."
     );
   }
   return warnings;
@@ -661,7 +820,7 @@ var init_presets = __esm({
       // Email archiving disabled by default
       emailArchiving: {
         enabled: false,
-        retention: "30days"
+        retention: "3months"
       },
       sendingEnabled: true
     };
@@ -691,13 +850,13 @@ var init_presets = __esm({
           "RENDERING_FAILURE"
         ],
         dynamoDBHistory: true,
-        archiveRetention: "90days"
+        archiveRetention: "3months"
       },
-      // Email archiving with 90-day retention
+      // Email archiving with 3-month retention
       emailArchiving: {
         enabled: false,
         // User can opt-in
-        retention: "90days"
+        retention: "3months"
       },
       sendingEnabled: true
     };
@@ -1125,7 +1284,7 @@ async function promptEmailArchiving() {
     process.exit(0);
   }
   if (!enabled) {
-    return { enabled: false, retention: "90days" };
+    return { enabled: false, retention: "3months" };
   }
   const retention = await clack3.select({
     message: "Email archive retention period:",
@@ -1133,7 +1292,7 @@ async function promptEmailArchiving() {
       { value: "7days", label: "7 days", hint: "~$1-2/mo for 10k emails" },
       { value: "30days", label: "30 days", hint: "~$2-4/mo for 10k emails" },
       {
-        value: "90days",
+        value: "3months",
         label: "90 days (recommended)",
         hint: "~$5-10/mo for 10k emails"
       },
@@ -1149,7 +1308,7 @@ async function promptEmailArchiving() {
         hint: "~$35-60/mo for 10k emails"
       }
     ],
-    initialValue: "90days"
+    initialValue: "3months"
   });
   if (clack3.isCancel(retention)) {
     clack3.cancel("Operation cancelled.");
@@ -1188,7 +1347,7 @@ async function promptCustomConfig() {
     process.exit(0);
   }
   let dynamoDBHistory = false;
-  let archiveRetention = "90days";
+  let archiveRetention = "3months";
   if (eventTrackingEnabled) {
     dynamoDBHistory = await clack3.confirm({
       message: "Store email history in DynamoDB?",
@@ -1205,7 +1364,7 @@ async function promptCustomConfig() {
           { value: "7days", label: "7 days", hint: "Minimal storage cost" },
           { value: "30days", label: "30 days", hint: "Development/testing" },
           {
-            value: "90days",
+            value: "3months",
             label: "90 days (recommended)",
             hint: "Standard retention"
           },
@@ -1255,7 +1414,7 @@ async function promptCustomConfig() {
     clack3.cancel("Operation cancelled.");
     process.exit(0);
   }
-  let emailArchiveRetention = "90days";
+  let emailArchiveRetention = "3months";
   if (emailArchivingEnabled) {
     emailArchiveRetention = await clack3.select({
       message: "Email archive retention period:",
@@ -1263,7 +1422,7 @@ async function promptCustomConfig() {
         { value: "7days", label: "7 days", hint: "~$1-2/mo for 10k emails" },
         { value: "30days", label: "30 days", hint: "~$2-4/mo for 10k emails" },
         {
-          value: "90days",
+          value: "3months",
           label: "90 days (recommended)",
           hint: "~$5-10/mo for 10k emails"
         },
@@ -1279,7 +1438,7 @@ async function promptCustomConfig() {
           hint: "~$35-60/mo for 10k emails"
         }
       ],
-      initialValue: "90days"
+      initialValue: "3months"
     });
     if (clack3.isCancel(emailArchiveRetention)) {
       clack3.cancel("Operation cancelled.");
@@ -1320,12 +1479,12 @@ async function promptCustomConfig() {
         "RENDERING_FAILURE"
       ],
       dynamoDBHistory: Boolean(dynamoDBHistory),
-      archiveRetention: typeof archiveRetention === "string" ? archiveRetention : "90days"
+      archiveRetention: typeof archiveRetention === "string" ? archiveRetention : "3months"
     } : { enabled: false },
     emailArchiving: emailArchivingEnabled ? {
       enabled: true,
-      retention: typeof emailArchiveRetention === "string" ? emailArchiveRetention : "90days"
-    } : { enabled: false, retention: "90days" },
+      retention: typeof emailArchiveRetention === "string" ? emailArchiveRetention : "3months"
+    } : { enabled: false, retention: "3months" },
     dedicatedIp,
     sendingEnabled: true
   };
@@ -1373,13 +1532,114 @@ var init_assume_role = __esm({
 // src/utils/archive.ts
 import {
   GetArchiveMessageCommand,
-  MailManagerClient
+  GetArchiveSearchResultsCommand,
+  MailManagerClient as MailManagerClient2,
+  StartArchiveSearchCommand
 } from "@aws-sdk/client-mailmanager";
+import DOMPurify from "isomorphic-dompurify";
 import { simpleParser } from "mailparser";
-async function getArchivedEmail(_archiveId, messageId, region) {
-  const client = new MailManagerClient({ region });
+function extractArchiveId(archiveArnOrId) {
+  if (archiveArnOrId.startsWith("arn:")) {
+    const parts = archiveArnOrId.split("/");
+    return parts.at(-1);
+  }
+  return archiveArnOrId;
+}
+async function getArchivedEmail(archiveArnOrId, searchCriteria, region) {
+  const client = new MailManagerClient2({ region });
+  const archiveId = extractArchiveId(archiveArnOrId);
+  const searchTime = searchCriteria.timestamp || /* @__PURE__ */ new Date();
+  const dayBefore = new Date(searchTime.getTime() - 24 * 60 * 60 * 1e3);
+  const dayAfter = new Date(searchTime.getTime() + 24 * 60 * 60 * 1e3);
+  const filters = [];
+  if (searchCriteria.from) {
+    filters.push({
+      StringExpression: {
+        Evaluate: {
+          Attribute: "FROM"
+        },
+        Operator: "CONTAINS",
+        Values: [searchCriteria.from]
+      }
+    });
+  }
+  if (searchCriteria.to) {
+    filters.push({
+      StringExpression: {
+        Evaluate: {
+          Attribute: "TO"
+        },
+        Operator: "CONTAINS",
+        Values: [searchCriteria.to]
+      }
+    });
+  }
+  if (searchCriteria.subject) {
+    filters.push({
+      StringExpression: {
+        Evaluate: {
+          Attribute: "SUBJECT"
+        },
+        Operator: "CONTAINS",
+        Values: [searchCriteria.subject]
+      }
+    });
+  }
+  if (filters.length === 0) {
+    throw new Error(
+      "At least one search criterion (from, to, or subject) is required"
+    );
+  }
+  const searchCommand = new StartArchiveSearchCommand({
+    ArchiveId: archiveId,
+    FromTimestamp: dayBefore,
+    ToTimestamp: dayAfter,
+    Filters: {
+      Include: filters
+    },
+    MaxResults: 10
+    // Get a few results in case there are multiple matches
+  });
+  const searchResponse = await client.send(searchCommand);
+  const searchId = searchResponse.SearchId;
+  if (!searchId) {
+    throw new Error("Failed to start archive search");
+  }
+  let archivedMessageId;
+  let attempts = 0;
+  const maxAttempts = 20;
+  const pollInterval = 1e3;
+  await new Promise((resolve) => setTimeout(resolve, 1e3));
+  while (attempts < maxAttempts) {
+    try {
+      const resultsCommand = new GetArchiveSearchResultsCommand({
+        SearchId: searchId
+      });
+      const resultsResponse = await client.send(resultsCommand);
+      if (resultsResponse.Rows && resultsResponse.Rows.length > 0) {
+        archivedMessageId = resultsResponse.Rows[0].ArchivedMessageId;
+        break;
+      }
+      if (resultsResponse.Rows && resultsResponse.Rows.length === 0) {
+        break;
+      }
+    } catch (error) {
+      if (error instanceof Error && error.name === "ConflictException" && error.message.includes("still in progress")) {
+        console.log(`Search still in progress, attempt ${attempts + 1}...`);
+      } else {
+        throw error;
+      }
+    }
+    await new Promise((resolve) => setTimeout(resolve, pollInterval));
+    attempts++;
+  }
+  if (!archivedMessageId) {
+    throw new Error(
+      "Email not found in archive with the provided search criteria. It may have been sent before archiving was enabled."
+    );
+  }
   const command2 = new GetArchiveMessageCommand({
-    ArchivedMessageId: messageId
+    ArchivedMessageId: archivedMessageId
   });
   const response = await client.send(command2);
   if (!response.MessageDownloadLink) {
@@ -1418,8 +1678,7 @@ async function getArchivedEmail(_archiveId, messageId, region) {
     return addr.text || "";
   };
   return {
-    messageId,
-    // Use the input messageId since response may not have MessageMetadata
+    messageId: parsed.messageId || headers["message-id"]?.toString() || "",
     from: getAddressText(parsed.from),
     to: getAddressText(parsed.to),
     subject: parsed.subject || "",
@@ -1446,14 +1705,20 @@ __export(email_archive_exports, {
   fetchArchivedEmail: () => fetchArchivedEmail
 });
 async function fetchArchivedEmail(messageId, options) {
-  const { region, archiveArn } = options;
+  const { region, archiveArn, from, to, subject, timestamp } = options;
   try {
     console.log("Fetching archived email:", {
       messageId,
       archiveArn,
       region
     });
-    const email = await getArchivedEmail(archiveArn, messageId, region);
+    const searchCriteria = {
+      from,
+      to,
+      subject,
+      timestamp
+    };
+    const email = await getArchivedEmail(archiveArn, searchCriteria, region);
     console.log("Archived email fetched successfully:", {
       messageId: email.messageId,
       hasHtml: !!email.html,
@@ -1880,11 +2145,18 @@ async function createIAMRole(config) {
     statements.push({
       Effect: "Allow",
       Action: [
-        "ses:GetArchive",
+        // Archive search operations
+        "ses:StartArchiveSearch",
+        "ses:GetArchiveSearchResults",
+        // Archive message retrieval
         "ses:GetArchiveMessage",
         "ses:GetArchiveMessageContent",
-        "ses:SearchArchive",
-        "ses:StartArchiveExport"
+        // Archive metadata
+        "ses:GetArchive",
+        "ses:ListArchives",
+        // Archive export (for future use)
+        "ses:StartArchiveExport",
+        "ses:GetArchiveExport"
       ],
       Resource: "arn:aws:ses:*:*:mailmanager-archive/*"
     });
@@ -2271,7 +2543,8 @@ async function deployEmailStack(config) {
     archiveResources = await createMailManagerArchive2({
       name: "email",
       retention: emailConfig.emailArchiving.retention,
-      configSetName: sesResources.configSet.configurationSetName
+      configSetName: sesResources.configSet.configurationSetName,
+      region: config.region
     });
   }
   return {
@@ -2288,7 +2561,8 @@ async function deployEmailStack(config) {
     dlqUrl: sqsResources?.dlq.url,
     customTrackingDomain: sesResources?.customTrackingDomain,
     mailFromDomain: sesResources?.mailFromDomain,
-    archiveArn: archiveResources?.archive.arn,
+    archiveId: archiveResources?.archiveId,
+    archiveArn: archiveResources?.archiveArn,
     archivingEnabled: emailConfig.emailArchiving?.enabled,
     archiveRetention: emailConfig.emailArchiving?.enabled ? emailConfig.emailArchiving.retention : void 0
   };
@@ -2606,11 +2880,11 @@ ${domainStrings.join("\n")}`);
     const retentionLabel = {
       "7days": "7 days",
       "30days": "30 days",
-      "90days": "90 days",
+      "3months": "90 days",
       "6months": "6 months",
       "1year": "1 year",
       "18months": "18 months"
-    }[status2.resources.archiveRetention || "90days"] || "90 days";
+    }[status2.resources.archiveRetention || "3months"] || "90 days";
     featureLines.push(
       `  ${pc2.green("\u2713")} Email Archiving ${pc2.dim(`(${retentionLabel} retention)`)}`
     );
@@ -3199,7 +3473,7 @@ import { Router as createRouter } from "express";
 init_esm_shims();
 init_assume_role();
 import { GetSendQuotaCommand, SESClient as SESClient3 } from "@aws-sdk/client-ses";
-import { GetEmailIdentityCommand, SESv2Client } from "@aws-sdk/client-sesv2";
+import { GetEmailIdentityCommand, SESv2Client as SESv2Client2 } from "@aws-sdk/client-sesv2";
 async function fetchSendQuota(roleArn, region) {
   const credentials = roleArn ? await assumeRole(roleArn, region) : void 0;
   const ses = new SESClient3({ region, credentials });
@@ -3212,7 +3486,7 @@ async function fetchSendQuota(roleArn, region) {
 }
 async function fetchDomainInfo(roleArn, region, domain) {
   const credentials = roleArn ? await assumeRole(roleArn, region) : void 0;
-  const sesv22 = new SESv2Client({ region, credentials });
+  const sesv22 = new SESv2Client2({ region, credentials });
   const response = await sesv22.send(
     new GetEmailIdentityCommand({
       EmailIdentity: domain
@@ -3631,11 +3905,33 @@ function createEmailsRouter(config) {
           error: "Archive ARN not configured."
         });
       }
+      if (!config.tableName) {
+        console.log("No table name configured");
+        return res.status(400).json({
+          error: "Email tracking not enabled. Need email metadata to search archive."
+        });
+      }
+      console.log("Fetching email metadata from DynamoDB...");
+      const emailDetails = await fetchEmailById(id, {
+        region: config.region,
+        tableName: config.tableName
+      });
+      if (!emailDetails) {
+        console.log("Email metadata not found in DynamoDB for ID:", id);
+        return res.status(404).json({
+          error: "Email metadata not found. Cannot search archive."
+        });
+      }
       console.log("Fetching archived email from Mail Manager...");
       const { fetchArchivedEmail: fetchArchivedEmail2 } = await Promise.resolve().then(() => (init_email_archive(), email_archive_exports));
       const archivedEmail = await fetchArchivedEmail2(id, {
         region: config.region,
-        archiveArn: config.archiveArn
+        archiveArn: config.archiveArn,
+        from: emailDetails.from,
+        to: emailDetails.to[0],
+        // Use first recipient for search
+        subject: emailDetails.subject,
+        timestamp: new Date(emailDetails.sentAt)
       });
       if (!archivedEmail) {
         console.log("Archived email not found for message ID:", id);
@@ -3882,11 +4178,11 @@ init_assume_role();
 import {
   GetConfigurationSetCommand,
   GetEmailIdentityCommand as GetEmailIdentityCommand2,
-  SESv2Client as SESv2Client2
+  SESv2Client as SESv2Client3
 } from "@aws-sdk/client-sesv2";
 async function fetchConfigurationSet(roleArn, region, configSetName) {
   const credentials = roleArn ? await assumeRole(roleArn, region) : void 0;
-  const sesv22 = new SESv2Client2({ region, credentials });
+  const sesv22 = new SESv2Client3({ region, credentials });
   const response = await sesv22.send(
     new GetConfigurationSetCommand({
       ConfigurationSetName: configSetName
@@ -3916,7 +4212,7 @@ async function fetchConfigurationSet(roleArn, region, configSetName) {
 }
 async function fetchEmailIdentity(roleArn, region, identityName) {
   const credentials = roleArn ? await assumeRole(roleArn, region) : void 0;
-  const sesv22 = new SESv2Client2({ region, credentials });
+  const sesv22 = new SESv2Client3({ region, credentials });
   const response = await sesv22.send(
     new GetEmailIdentityCommand2({
       EmailIdentity: identityName
@@ -4108,10 +4404,10 @@ function createSettingsRouter(config) {
       console.log(
         `[Settings] Updating sending options for ${configSetName}: ${enabled}`
       );
-      const { SESv2Client: SESv2Client4, PutConfigurationSetSendingOptionsCommand } = await import("@aws-sdk/client-sesv2");
+      const { SESv2Client: SESv2Client5, PutConfigurationSetSendingOptionsCommand } = await import("@aws-sdk/client-sesv2");
       const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
       const credentials = config.roleArn ? await assumeRole2(config.roleArn, config.region) : void 0;
-      const sesClient = new SESv2Client4({ region: config.region, credentials });
+      const sesClient = new SESv2Client5({ region: config.region, credentials });
       await sesClient.send(
         new PutConfigurationSetSendingOptionsCommand({
           ConfigurationSetName: configSetName,
@@ -4145,10 +4441,10 @@ function createSettingsRouter(config) {
       console.log(
         `[Settings] Updating reputation options for ${configSetName}: ${enabled}`
       );
-      const { SESv2Client: SESv2Client4, PutConfigurationSetReputationOptionsCommand } = await import("@aws-sdk/client-sesv2");
+      const { SESv2Client: SESv2Client5, PutConfigurationSetReputationOptionsCommand } = await import("@aws-sdk/client-sesv2");
       const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
       const credentials = config.roleArn ? await assumeRole2(config.roleArn, config.region) : void 0;
-      const sesClient = new SESv2Client4({ region: config.region, credentials });
+      const sesClient = new SESv2Client5({ region: config.region, credentials });
       await sesClient.send(
         new PutConfigurationSetReputationOptionsCommand({
           ConfigurationSetName: configSetName,
@@ -4188,10 +4484,10 @@ function createSettingsRouter(config) {
         console.log(
           `[Settings] Updating tracking domain for ${configSetName}: ${domain}`
         );
-        const { SESv2Client: SESv2Client4, PutConfigurationSetTrackingOptionsCommand } = await import("@aws-sdk/client-sesv2");
+        const { SESv2Client: SESv2Client5, PutConfigurationSetTrackingOptionsCommand } = await import("@aws-sdk/client-sesv2");
         const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
         const credentials = config.roleArn ? await assumeRole2(config.roleArn, config.region) : void 0;
-        const sesClient = new SESv2Client4({
+        const sesClient = new SESv2Client5({
           region: config.region,
           credentials
         });
@@ -4282,6 +4578,26 @@ async function startConsoleServer(config) {
   const app = express();
   const authToken = crypto.randomBytes(32).toString("hex");
   app.use(express.json());
+  const requestCounts = /* @__PURE__ */ new Map();
+  const RATE_LIMIT_WINDOW = 60 * 1e3;
+  const RATE_LIMIT_MAX_REQUESTS = 1e3;
+  app.use((req, res, next) => {
+    const ip = req.ip || req.socket.remoteAddress || "unknown";
+    const now = Date.now();
+    const record = requestCounts.get(ip);
+    if (!record || now > record.resetTime) {
+      requestCounts.set(ip, { count: 1, resetTime: now + RATE_LIMIT_WINDOW });
+      next();
+    } else if (record.count < RATE_LIMIT_MAX_REQUESTS) {
+      record.count++;
+      next();
+    } else {
+      res.status(429).json({
+        error: "Too many requests, please slow down",
+        retryAfter: Math.ceil((record.resetTime - now) / 1e3)
+      });
+    }
+  });
   app.use((_req, res, next) => {
     res.setHeader("X-Frame-Options", "DENY");
     res.setHeader("X-Content-Type-Options", "nosniff");
@@ -4819,8 +5135,8 @@ Run ${pc9.cyan("wraps init")} to deploy infrastructure.
     process.exit(1);
   }
   const domains = await listSESDomains(region);
-  const { SESv2Client: SESv2Client4, GetEmailIdentityCommand: GetEmailIdentityCommand4 } = await import("@aws-sdk/client-sesv2");
-  const sesv2Client = new SESv2Client4({ region });
+  const { SESv2Client: SESv2Client5, GetEmailIdentityCommand: GetEmailIdentityCommand4 } = await import("@aws-sdk/client-sesv2");
+  const sesv2Client = new SESv2Client5({ region });
   const domainsWithTokens = await Promise.all(
     domains.map(async (d) => {
       try {
@@ -4981,7 +5297,11 @@ ${pc10.bold("Current Configuration:")}
                 lambdaFunctions: result.lambdaFunctions,
                 domain: result.domain,
                 dkimTokens: result.dkimTokens,
-                customTrackingDomain: result.customTrackingDomain
+                customTrackingDomain: result.customTrackingDomain,
+                mailFromDomain: result.mailFromDomain,
+                archiveArn: result.archiveArn,
+                archivingEnabled: result.archivingEnabled,
+                archiveRetention: result.archiveRetention
               };
             }
           },
@@ -5008,7 +5328,11 @@ ${pc10.bold("Current Configuration:")}
           lambdaFunctions: pulumiOutputs.lambdaFunctions?.value,
           domain: pulumiOutputs.domain?.value,
           dkimTokens: pulumiOutputs.dkimTokens?.value,
-          customTrackingDomain: pulumiOutputs.customTrackingDomain?.value
+          customTrackingDomain: pulumiOutputs.customTrackingDomain?.value,
+          mailFromDomain: pulumiOutputs.mailFromDomain?.value,
+          archiveArn: pulumiOutputs.archiveArn?.value,
+          archivingEnabled: pulumiOutputs.archivingEnabled?.value,
+          archiveRetention: pulumiOutputs.archiveRetention?.value
         };
       }
     );
@@ -5119,7 +5443,7 @@ ${pc11.bold("Current Configuration:")}
     console.log(`  ${pc11.green("\u2713")} Event Tracking (EventBridge)`);
     if (config.eventTracking.dynamoDBHistory) {
       console.log(
-        `    ${pc11.dim("\u2514\u2500")} Email History: ${pc11.cyan(config.eventTracking.archiveRetention || "90days")}`
+        `    ${pc11.dim("\u2514\u2500")} Email History: ${pc11.cyan(config.eventTracking.archiveRetention || "3months")}`
       );
     }
   }
@@ -5128,14 +5452,23 @@ ${pc11.bold("Current Configuration:")}
   }
   if (config.emailArchiving?.enabled) {
     const retentionLabel = {
-      "7days": "7 days",
-      "30days": "30 days",
-      "90days": "90 days",
+      "3months": "3 months",
       "6months": "6 months",
+      "9months": "9 months",
       "1year": "1 year",
       "18months": "18 months",
-      indefinite: "indefinite"
-    }[config.emailArchiving.retention] || "90 days";
+      "2years": "2 years",
+      "30months": "30 months",
+      "3years": "3 years",
+      "4years": "4 years",
+      "5years": "5 years",
+      "6years": "6 years",
+      "7years": "7 years",
+      "8years": "8 years",
+      "9years": "9 years",
+      "10years": "10 years",
+      permanent: "permanent"
+    }[config.emailArchiving.retention] || "3 months";
     console.log(`  ${pc11.green("\u2713")} Email Archiving (${retentionLabel})`);
   }
   const currentCostData = calculateCosts(config, 5e4);
@@ -5265,18 +5598,8 @@ ${pc11.bold("Current Configuration:")}
             message: "Email archive retention period:",
             options: [
               {
-                value: "7days",
-                label: "7 days",
-                hint: "~$1-2/mo for 10k emails"
-              },
-              {
-                value: "30days",
-                label: "30 days",
-                hint: "~$2-4/mo for 10k emails"
-              },
-              {
-                value: "90days",
-                label: "90 days (recommended)",
+                value: "3months",
+                label: "3 months (minimum)",
                 hint: "~$5-10/mo for 10k emails"
               },
               {
@@ -5286,13 +5609,38 @@ ${pc11.bold("Current Configuration:")}
               },
               {
                 value: "1year",
-                label: "1 year",
+                label: "1 year (recommended)",
                 hint: "~$25-40/mo for 10k emails"
               },
               {
-                value: "18months",
-                label: "18 months",
-                hint: "~$35-60/mo for 10k emails"
+                value: "2years",
+                label: "2 years",
+                hint: "~$50-80/mo for 10k emails"
+              },
+              {
+                value: "3years",
+                label: "3 years",
+                hint: "~$75-120/mo for 10k emails"
+              },
+              {
+                value: "5years",
+                label: "5 years",
+                hint: "~$125-200/mo for 10k emails"
+              },
+              {
+                value: "7years",
+                label: "7 years",
+                hint: "~$175-280/mo for 10k emails"
+              },
+              {
+                value: "10years",
+                label: "10 years",
+                hint: "~$250-400/mo for 10k emails"
+              },
+              {
+                value: "permanent",
+                label: "Permanent",
+                hint: "Expensive, not recommended"
               }
             ],
             initialValue: config.emailArchiving.retention
@@ -5326,18 +5674,8 @@ ${pc11.bold("Current Configuration:")}
           message: "Email archive retention period:",
           options: [
             {
-              value: "7days",
-              label: "7 days",
-              hint: "~$1-2/mo for 10k emails"
-            },
-            {
-              value: "30days",
-              label: "30 days",
-              hint: "~$2-4/mo for 10k emails"
-            },
-            {
-              value: "90days",
-              label: "90 days (recommended)",
+              value: "3months",
+              label: "3 months (minimum)",
               hint: "~$5-10/mo for 10k emails"
             },
             {
@@ -5347,16 +5685,41 @@ ${pc11.bold("Current Configuration:")}
             },
             {
               value: "1year",
-              label: "1 year",
+              label: "1 year (recommended)",
               hint: "~$25-40/mo for 10k emails"
             },
             {
-              value: "18months",
-              label: "18 months",
-              hint: "~$35-60/mo for 10k emails"
+              value: "2years",
+              label: "2 years",
+              hint: "~$50-80/mo for 10k emails"
+            },
+            {
+              value: "3years",
+              label: "3 years",
+              hint: "~$75-120/mo for 10k emails"
+            },
+            {
+              value: "5years",
+              label: "5 years",
+              hint: "~$125-200/mo for 10k emails"
+            },
+            {
+              value: "7years",
+              label: "7 years",
+              hint: "~$175-280/mo for 10k emails"
+            },
+            {
+              value: "10years",
+              label: "10 years",
+              hint: "~$250-400/mo for 10k emails"
+            },
+            {
+              value: "permanent",
+              label: "Permanent",
+              hint: "Expensive, not recommended"
             }
           ],
-          initialValue: "90days"
+          initialValue: "3months"
         });
         if (clack11.isCancel(retention)) {
           clack11.cancel("Upgrade cancelled.");
@@ -5443,11 +5806,9 @@ ${pc11.bold("Current Configuration:")}
       const retention = await clack11.select({
         message: "Email history retention period (event data in DynamoDB):",
         options: [
-          { value: "7days", label: "7 days", hint: "Minimal storage cost" },
-          { value: "30days", label: "30 days", hint: "Development/testing" },
           {
-            value: "90days",
-            label: "90 days (recommended)",
+            value: "3months",
+            label: "3 months (recommended)",
             hint: "Standard retention"
           },
           {
@@ -5460,9 +5821,19 @@ ${pc11.bold("Current Configuration:")}
             value: "18months",
             label: "18 months",
             hint: "Long-term retention"
+          },
+          {
+            value: "2years",
+            label: "2 years",
+            hint: "Extended compliance"
+          },
+          {
+            value: "permanent",
+            label: "Permanent",
+            hint: "Not recommended (expensive)"
           }
         ],
-        initialValue: config.eventTracking?.archiveRetention || "90days"
+        initialValue: config.eventTracking?.archiveRetention || "3months"
       });
       if (clack11.isCancel(retention)) {
         clack11.cancel("Upgrade cancelled.");
@@ -5728,14 +6099,14 @@ ${pc11.green("\u2713")} ${pc11.bold("Upgrade complete!")}
 init_esm_shims();
 init_aws();
 import { Resolver } from "dns/promises";
-import { GetEmailIdentityCommand as GetEmailIdentityCommand3, SESv2Client as SESv2Client3 } from "@aws-sdk/client-sesv2";
+import { GetEmailIdentityCommand as GetEmailIdentityCommand3, SESv2Client as SESv2Client4 } from "@aws-sdk/client-sesv2";
 import * as clack12 from "@clack/prompts";
 import pc12 from "picocolors";
 async function verify(options) {
   clack12.intro(pc12.bold(`Verifying ${options.domain}`));
   const progress = new DeploymentProgress();
   const region = await getAWSRegion();
-  const sesClient = new SESv2Client3({ region });
+  const sesClient = new SESv2Client4({ region });
   let identity;
   let dkimTokens = [];
   let mailFromDomain;