@wraps.dev/cli 1.0.0 → 1.1.2

package/dist/cli.js

@@ -18,6 +18,356 @@ var init_esm_shims = __esm({
   }
 });
 
+// src/utils/email/route53.ts
+var route53_exports = {};
+__export(route53_exports, {
+  createDNSRecords: () => createDNSRecords,
+  findHostedZone: () => findHostedZone
+});
+import {
+  ChangeResourceRecordSetsCommand,
+  ListHostedZonesByNameCommand,
+  Route53Client
+} from "@aws-sdk/client-route-53";
+async function findHostedZone(domain, region) {
+  const client = new Route53Client({ region });
+  try {
+    const response = await client.send(
+      new ListHostedZonesByNameCommand({
+        DNSName: domain,
+        MaxItems: 1
+      })
+    );
+    const zone = response.HostedZones?.[0];
+    if (zone && zone.Name === `${domain}.` && zone.Id) {
+      return {
+        id: zone.Id.replace("/hostedzone/", ""),
+        name: zone.Name
+      };
+    }
+  } catch (_error) {
+  }
+  const parts = domain.split(".");
+  if (parts.length > 2) {
+    const parentDomain = parts.slice(1).join(".");
+    return findHostedZone(parentDomain, region);
+  }
+  return null;
+}
+async function createDNSRecords(hostedZoneId, domain, dkimTokens, region, customTrackingDomain, mailFromDomain, cloudFrontDomain) {
+  const client = new Route53Client({ region });
+  const changes = [];
+  for (const token of dkimTokens) {
+    changes.push({
+      Action: "UPSERT",
+      ResourceRecordSet: {
+        Name: `${token}._domainkey.${domain}`,
+        Type: "CNAME",
+        TTL: 1800,
+        ResourceRecords: [{ Value: `${token}.dkim.amazonses.com` }]
+      }
+    });
+  }
+  changes.push({
+    Action: "UPSERT",
+    ResourceRecordSet: {
+      Name: domain,
+      Type: "TXT",
+      TTL: 1800,
+      ResourceRecords: [{ Value: '"v=spf1 include:amazonses.com ~all"' }]
+    }
+  });
+  changes.push({
+    Action: "UPSERT",
+    ResourceRecordSet: {
+      Name: `_dmarc.${domain}`,
+      Type: "TXT",
+      TTL: 1800,
+      ResourceRecords: [
+        { Value: `"v=DMARC1; p=quarantine; rua=mailto:postmaster@${domain}"` }
+      ]
+    }
+  });
+  if (customTrackingDomain) {
+    const targetDomain = cloudFrontDomain || `r.${region}.awstrack.me`;
+    changes.push({
+      Action: "UPSERT",
+      ResourceRecordSet: {
+        Name: customTrackingDomain,
+        Type: "CNAME",
+        TTL: 1800,
+        ResourceRecords: [{ Value: targetDomain }]
+      }
+    });
+  }
+  if (mailFromDomain) {
+    changes.push({
+      Action: "UPSERT",
+      ResourceRecordSet: {
+        Name: mailFromDomain,
+        Type: "MX",
+        TTL: 1800,
+        ResourceRecords: [
+          { Value: `10 feedback-smtp.${region}.amazonses.com` }
+        ]
+      }
+    });
+    changes.push({
+      Action: "UPSERT",
+      ResourceRecordSet: {
+        Name: mailFromDomain,
+        Type: "TXT",
+        TTL: 1800,
+        ResourceRecords: [{ Value: '"v=spf1 include:amazonses.com ~all"' }]
+      }
+    });
+  }
+  await client.send(
+    new ChangeResourceRecordSetsCommand({
+      HostedZoneId: hostedZoneId,
+      ChangeBatch: {
+        Changes: changes
+      }
+    })
+  );
+}
+var init_route53 = __esm({
+  "src/utils/email/route53.ts"() {
+    "use strict";
+    init_esm_shims();
+  }
+});
+
+// src/infrastructure/resources/acm.ts
+var acm_exports = {};
+__export(acm_exports, {
+  createACMCertificate: () => createACMCertificate
+});
+import * as aws8 from "@pulumi/aws";
+async function createACMCertificate(config2) {
+  const usEast1Provider = new aws8.Provider("acm-us-east-1", {
+    region: "us-east-1"
+  });
+  const certificate = new aws8.acm.Certificate(
+    "wraps-email-tracking-cert",
+    {
+      domainName: config2.domain,
+      validationMethod: "DNS",
+      tags: {
+        ManagedBy: "wraps-cli",
+        Description: "SSL certificate for Wraps email tracking domain"
+      }
+    },
+    {
+      provider: usEast1Provider
+    }
+  );
+  const validationRecords = certificate.domainValidationOptions.apply(
+    (options) => options.map((option) => ({
+      name: option.resourceRecordName,
+      type: option.resourceRecordType,
+      value: option.resourceRecordValue
+    }))
+  );
+  let certificateValidation;
+  if (config2.hostedZoneId) {
+    const validationRecord = new aws8.route53.Record(
+      "wraps-email-tracking-cert-validation",
+      {
+        zoneId: config2.hostedZoneId,
+        name: certificate.domainValidationOptions[0].resourceRecordName,
+        type: certificate.domainValidationOptions[0].resourceRecordType,
+        records: [certificate.domainValidationOptions[0].resourceRecordValue],
+        ttl: 60
+      }
+    );
+    certificateValidation = new aws8.acm.CertificateValidation(
+      "wraps-email-tracking-cert-validation-waiter",
+      {
+        certificateArn: certificate.arn,
+        validationRecordFqdns: [validationRecord.fqdn]
+      },
+      {
+        provider: usEast1Provider
+      }
+    );
+  }
+  return {
+    certificate,
+    certificateValidation,
+    validationRecords
+  };
+}
+var init_acm = __esm({
+  "src/infrastructure/resources/acm.ts"() {
+    "use strict";
+    init_esm_shims();
+  }
+});
+
+// src/infrastructure/resources/cloudfront.ts
+var cloudfront_exports = {};
+__export(cloudfront_exports, {
+  createCloudFrontTracking: () => createCloudFrontTracking
+});
+import * as aws9 from "@pulumi/aws";
+async function findDistributionByAlias(alias) {
+  try {
+    const { CloudFrontClient, ListDistributionsCommand } = await import("@aws-sdk/client-cloudfront");
+    const cloudfront2 = new CloudFrontClient({ region: "us-east-1" });
+    const response = await cloudfront2.send(new ListDistributionsCommand({}));
+    const distribution = response.DistributionList?.Items?.find(
+      (dist) => dist.Aliases?.Items?.includes(alias)
+    );
+    return distribution?.Id || null;
+  } catch (error) {
+    console.error("Error finding CloudFront distribution:", error);
+    return null;
+  }
+}
+async function createWAFWebACL() {
+  const usEast1Provider = new aws9.Provider("waf-us-east-1", {
+    region: "us-east-1"
+  });
+  const webAcl = new aws9.wafv2.WebAcl(
+    "wraps-email-tracking-waf",
+    {
+      scope: "CLOUDFRONT",
+      // WAF for CloudFront must use CLOUDFRONT scope
+      description: "Rate limiting protection for Wraps email tracking",
+      defaultAction: {
+        allow: {}
+        // Allow by default
+      },
+      rules: [
+        {
+          name: "RateLimitRule",
+          priority: 1,
+          action: {
+            block: {}
+            // Block requests exceeding rate limit
+          },
+          statement: {
+            rateBasedStatement: {
+              limit: 2e3,
+              // 2000 requests per 5 minutes per IP
+              aggregateKeyType: "IP"
+            }
+          },
+          visibilityConfig: {
+            sampledRequestsEnabled: true,
+            cloudwatchMetricsEnabled: true,
+            metricName: "RateLimitRule"
+          }
+        }
+      ],
+      visibilityConfig: {
+        sampledRequestsEnabled: true,
+        cloudwatchMetricsEnabled: true,
+        metricName: "wraps-email-tracking-waf"
+      },
+      tags: {
+        ManagedBy: "wraps-cli",
+        Description: "WAF for Wraps email tracking with rate limiting"
+      }
+    },
+    {
+      provider: usEast1Provider
+    }
+  );
+  return webAcl;
+}
+async function createCloudFrontTracking(config2) {
+  const sesTrackingOrigin = `r.${config2.region}.awstrack.me`;
+  const webAcl = await createWAFWebACL();
+  const existingDistributionId = await findDistributionByAlias(
+    config2.customTrackingDomain
+  );
+  const distributionConfig = {
+    enabled: true,
+    comment: "Wraps email tracking with HTTPS support",
+    aliases: [config2.customTrackingDomain],
+    // Attach WAF Web ACL for rate limiting protection
+    webAclId: webAcl.arn,
+    // Origin: SES tracking endpoint
+    origins: [
+      {
+        domainName: sesTrackingOrigin,
+        originId: "ses-tracking",
+        customOriginConfig: {
+          httpPort: 80,
+          httpsPort: 443,
+          originProtocolPolicy: "http-only",
+          // SES tracking endpoint is HTTP
+          originSslProtocols: ["TLSv1.2"]
+        }
+      }
+    ],
+    // Default cache behavior
+    defaultCacheBehavior: {
+      targetOriginId: "ses-tracking",
+      viewerProtocolPolicy: "redirect-to-https",
+      // Force HTTPS
+      allowedMethods: ["GET", "HEAD", "OPTIONS"],
+      cachedMethods: ["GET", "HEAD"],
+      // Forward all query strings and headers (tracking links use query params)
+      forwardedValues: {
+        queryString: true,
+        cookies: {
+          forward: "all"
+        },
+        headers: ["*"]
+        // Forward all headers to preserve tracking functionality
+      },
+      // Minimal caching for tracking redirects
+      minTtl: 0,
+      defaultTtl: 0,
+      maxTtl: 31536e3,
+      compress: true
+    },
+    // Price class (use only North America & Europe for cost optimization)
+    priceClass: "PriceClass_100",
+    // Restrictions (none)
+    restrictions: {
+      geoRestriction: {
+        restrictionType: "none"
+      }
+    },
+    // SSL certificate from ACM
+    viewerCertificate: {
+      acmCertificateArn: config2.certificateArn,
+      sslSupportMethod: "sni-only",
+      minimumProtocolVersion: "TLSv1.2_2021"
+    },
+    tags: {
+      ManagedBy: "wraps-cli",
+      Description: "Wraps email tracking CloudFront distribution"
+    }
+  };
+  const distribution = existingDistributionId ? new aws9.cloudfront.Distribution(
+    "wraps-email-tracking-cdn",
+    distributionConfig,
+    {
+      import: existingDistributionId
+      // Import existing distribution
+    }
+  ) : new aws9.cloudfront.Distribution(
+    "wraps-email-tracking-cdn",
+    distributionConfig
+  );
+  return {
+    distribution,
+    domainName: distribution.domainName,
+    webAcl
+  };
+}
+var init_cloudfront = __esm({
+  "src/infrastructure/resources/cloudfront.ts"() {
+    "use strict";
+    init_esm_shims();
+  }
+});
+
 // src/infrastructure/resources/mail-manager.ts
 var mail_manager_exports = {};
 __export(mail_manager_exports, {
@@ -224,14 +574,14 @@ var init_errors = __esm({
         "AWS credentials not found",
         "NO_AWS_CREDENTIALS",
         "Run: aws configure\nOr set AWS_PROFILE environment variable",
-        "https://docs.wraps.dev/setup/aws-credentials"
+        "https://wraps.dev/docs/setup/aws-credentials"
       ),
       stackExists: (stackName) => new WrapsError(
         `Stack "${stackName}" already exists`,
         "STACK_EXISTS",
         `To update: wraps upgrade
 To remove: wraps destroy --stack ${stackName}`,
-        "https://docs.wraps.dev/cli/upgrade"
+        "https://wraps.dev/docs/cli/upgrade"
       ),
       invalidRegion: (region) => new WrapsError(
         `Invalid AWS region: ${region}`,
@@ -243,13 +593,13 @@ To remove: wraps destroy --stack ${stackName}`,
         `Infrastructure deployment failed: ${message}`,
         "PULUMI_ERROR",
         "Check your AWS permissions and try again",
-        "https://docs.wraps.dev/troubleshooting"
+        "https://wraps.dev/docs/troubleshooting"
       ),
       noStack: () => new WrapsError(
         "No Wraps infrastructure found in this AWS account",
         "NO_STACK",
         "Run: wraps init\nTo deploy new infrastructure",
-        "https://docs.wraps.dev/cli/init"
+        "https://wraps.dev/docs/cli/init"
       ),
       pulumiNotInstalled: () => new WrapsError(
         "Pulumi CLI is not installed",
@@ -265,11 +615,13 @@ To remove: wraps destroy --stack ${stackName}`,
 var aws_exports = {};
 __export(aws_exports, {
   checkRegion: () => checkRegion,
+  getACMCertificateStatus: () => getACMCertificateStatus,
   getAWSRegion: () => getAWSRegion,
   isSESSandbox: () => isSESSandbox,
   listSESDomains: () => listSESDomains,
   validateAWSCredentials: () => validateAWSCredentials
 });
+import { ACMClient, DescribeCertificateCommand } from "@aws-sdk/client-acm";
 import {
   GetIdentityVerificationAttributesCommand,
   ListIdentitiesCommand,
@@ -368,6 +720,33 @@ async function isSESSandbox(region) {
     throw error;
   }
 }
+async function getACMCertificateStatus(certificateArn) {
+  const acm2 = new ACMClient({ region: "us-east-1" });
+  try {
+    const response = await acm2.send(
+      new DescribeCertificateCommand({
+        CertificateArn: certificateArn
+      })
+    );
+    const certificate = response.Certificate;
+    if (!certificate) {
+      return null;
+    }
+    const validationRecords = certificate.DomainValidationOptions?.map((option) => ({
+      name: option.ResourceRecord?.Name || "",
+      type: option.ResourceRecord?.Type || "",
+      value: option.ResourceRecord?.Value || ""
+    })) || [];
+    return {
+      status: certificate.Status || "UNKNOWN",
+      domainName: certificate.DomainName || "",
+      validationRecords
+    };
+  } catch (error) {
+    console.error("Error getting ACM certificate status:", error);
+    return null;
+  }
+}
 var init_aws = __esm({
   "src/utils/shared/aws.ts"() {
     "use strict";
@@ -383,11 +762,23 @@ function estimateStorageSize(emailsPerMonth, retention, numEventTypes = 8) {
     "7days": 0.25,
     "30days": 1,
     "90days": 3,
+    "3months": 3,
     "6months": 6,
+    "9months": 9,
     "1year": 12,
     "18months": 18,
-    indefinite: 120
-    // Assume 10 years for cost estimation
+    "2years": 24,
+    "30months": 30,
+    "3years": 36,
+    "4years": 48,
+    "5years": 60,
+    "6years": 72,
+    "7years": 84,
+    "8years": 96,
+    "9years": 108,
+    "10years": 120,
+    indefinite: 120,
+    permanent: 120
   }[retention];
   const totalKB = emailsPerMonth * numEventTypes * (retentionMonths ?? 12) * avgRecordSizeKB;
   return totalKB / 1024 / 1024;
@@ -398,11 +789,23 @@ function estimateArchiveStorageSize(emailsPerMonth, retention) {
     "7days": 0.25,
     "30days": 1,
     "90days": 3,
+    "3months": 3,
     "6months": 6,
+    "9months": 9,
     "1year": 12,
     "18months": 18,
-    indefinite: 120
-    // Assume 10 years for cost estimation
+    "2years": 24,
+    "30months": 30,
+    "3years": 36,
+    "4years": 48,
+    "5years": 60,
+    "6years": 72,
+    "7years": 84,
+    "8years": 96,
+    "9years": 108,
+    "10years": 120,
+    indefinite: 120,
+    permanent: 120
   }[retention];
   const totalKB = emailsPerMonth * (retentionMonths ?? 12) * avgEmailSizeKB;
   return totalKB / 1024 / 1024;
@@ -1478,116 +1881,34 @@ var init_prompts = __esm({
   }
 });
 
-// src/utils/email/route53.ts
-var route53_exports = {};
-__export(route53_exports, {
-  createDNSRecords: () => createDNSRecords,
-  findHostedZone: () => findHostedZone
+// src/utils/shared/assume-role.ts
+var assume_role_exports = {};
+__export(assume_role_exports, {
+  assumeRole: () => assumeRole
 });
-import {
-  ChangeResourceRecordSetsCommand,
-  ListHostedZonesByNameCommand,
-  Route53Client
-} from "@aws-sdk/client-route-53";
-async function findHostedZone(domain, region) {
-  const client = new Route53Client({ region });
-  try {
-    const response = await client.send(
-      new ListHostedZonesByNameCommand({
-        DNSName: domain,
-        MaxItems: 1
-      })
-    );
-    const zone = response.HostedZones?.[0];
-    if (zone && zone.Name === `${domain}.` && zone.Id) {
-      return {
-        id: zone.Id.replace("/hostedzone/", ""),
-        name: zone.Name
-      };
-    }
-    return null;
-  } catch (_error) {
-    return null;
-  }
-}
-async function createDNSRecords(hostedZoneId, domain, dkimTokens, region, customTrackingDomain, mailFromDomain) {
-  const client = new Route53Client({ region });
-  const changes = [];
-  for (const token of dkimTokens) {
-    changes.push({
-      Action: "UPSERT",
-      ResourceRecordSet: {
-        Name: `${token}._domainkey.${domain}`,
-        Type: "CNAME",
-        TTL: 1800,
-        ResourceRecords: [{ Value: `${token}.dkim.amazonses.com` }]
-      }
-    });
-  }
-  changes.push({
-    Action: "UPSERT",
-    ResourceRecordSet: {
-      Name: domain,
-      Type: "TXT",
-      TTL: 1800,
-      ResourceRecords: [{ Value: '"v=spf1 include:amazonses.com ~all"' }]
-    }
-  });
-  changes.push({
-    Action: "UPSERT",
-    ResourceRecordSet: {
-      Name: `_dmarc.${domain}`,
-      Type: "TXT",
-      TTL: 1800,
-      ResourceRecords: [
-        { Value: `"v=DMARC1; p=quarantine; rua=mailto:postmaster@${domain}"` }
-      ]
-    }
-  });
-  if (customTrackingDomain) {
-    changes.push({
-      Action: "UPSERT",
-      ResourceRecordSet: {
-        Name: customTrackingDomain,
-        Type: "CNAME",
-        TTL: 1800,
-        ResourceRecords: [{ Value: `r.${region}.awstrack.me` }]
-      }
-    });
-  }
-  if (mailFromDomain) {
-    changes.push({
-      Action: "UPSERT",
-      ResourceRecordSet: {
-        Name: mailFromDomain,
-        Type: "MX",
-        TTL: 1800,
-        ResourceRecords: [
-          { Value: `10 feedback-smtp.${region}.amazonses.com` }
-        ]
-      }
-    });
-    changes.push({
-      Action: "UPSERT",
-      ResourceRecordSet: {
-        Name: mailFromDomain,
-        Type: "TXT",
-        TTL: 1800,
-        ResourceRecords: [{ Value: '"v=spf1 include:amazonses.com ~all"' }]
-      }
-    });
-  }
-  await client.send(
-    new ChangeResourceRecordSetsCommand({
-      HostedZoneId: hostedZoneId,
-      ChangeBatch: {
-        Changes: changes
-      }
+import { AssumeRoleCommand, STSClient as STSClient2 } from "@aws-sdk/client-sts";
+async function assumeRole(roleArn, region, sessionName = "wraps-console") {
+  const sts = new STSClient2({ region });
+  const response = await sts.send(
+    new AssumeRoleCommand({
+      RoleArn: roleArn,
+      RoleSessionName: sessionName,
+      DurationSeconds: 3600
+      // 1 hour
     })
   );
+  if (!response.Credentials) {
+    throw new Error("Failed to assume role: No credentials returned");
+  }
+  return {
+    accessKeyId: response.Credentials.AccessKeyId,
+    secretAccessKey: response.Credentials.SecretAccessKey,
+    sessionToken: response.Credentials.SessionToken,
+    expiration: response.Credentials.Expiration
+  };
 }
-var init_route53 = __esm({
-  "src/utils/email/route53.ts"() {
+var init_assume_role = __esm({
+  "src/utils/shared/assume-role.ts"() {
     "use strict";
     init_esm_shims();
   }
@@ -1895,15 +2216,63 @@ import pc3 from "picocolors";
 
 // src/infrastructure/email-stack.ts
 init_esm_shims();
-import * as aws8 from "@pulumi/aws";
+import * as aws10 from "@pulumi/aws";
 import * as pulumi4 from "@pulumi/pulumi";
 
 // src/infrastructure/resources/dynamodb.ts
 init_esm_shims();
 import * as aws from "@pulumi/aws";
+async function tableExists(tableName) {
+  try {
+    const { DynamoDBClient: DynamoDBClient4, DescribeTableCommand: DescribeTableCommand2 } = await import("@aws-sdk/client-dynamodb");
+    const dynamodb2 = new DynamoDBClient4({});
+    await dynamodb2.send(new DescribeTableCommand2({ TableName: tableName }));
+    return true;
+  } catch (error) {
+    if (error.name === "ResourceNotFoundException") {
+      return false;
+    }
+    console.error("Error checking for existing DynamoDB table:", error);
+    return false;
+  }
+}
 async function createDynamoDBTables(_config) {
-  const emailHistory = new aws.dynamodb.Table("wraps-email-history", {
-    name: "wraps-email-history",
+  const tableName = "wraps-email-history";
+  const exists = await tableExists(tableName);
+  const emailHistory = exists ? new aws.dynamodb.Table(
+    tableName,
+    {
+      name: tableName,
+      billingMode: "PAY_PER_REQUEST",
+      hashKey: "messageId",
+      rangeKey: "sentAt",
+      attributes: [
+        { name: "messageId", type: "S" },
+        { name: "sentAt", type: "N" },
+        { name: "accountId", type: "S" }
+      ],
+      globalSecondaryIndexes: [
+        {
+          name: "accountId-sentAt-index",
+          hashKey: "accountId",
+          rangeKey: "sentAt",
+          projectionType: "ALL"
+        }
+      ],
+      ttl: {
+        enabled: true,
+        attributeName: "expiresAt"
+      },
+      tags: {
+        ManagedBy: "wraps-cli"
+      }
+    },
+    {
+      import: tableName
+      // Import existing table
+    }
+  ) : new aws.dynamodb.Table(tableName, {
+    name: tableName,
     billingMode: "PAY_PER_REQUEST",
     hashKey: "messageId",
     rangeKey: "sentAt",
@@ -1990,6 +2359,20 @@ async function createEventBridgeResources(config2) {
 init_esm_shims();
 import * as aws3 from "@pulumi/aws";
 import * as pulumi2 from "@pulumi/pulumi";
+async function roleExists(roleName) {
+  try {
+    const { IAMClient: IAMClient2, GetRoleCommand } = await import("@aws-sdk/client-iam");
+    const iam4 = new IAMClient2({});
+    await iam4.send(new GetRoleCommand({ RoleName: roleName }));
+    return true;
+  } catch (error) {
+    if (error.name === "NoSuchEntityException") {
+      return false;
+    }
+    console.error("Error checking for existing IAM role:", error);
+    return false;
+  }
+}
 async function createIAMRole(config2) {
   let assumeRolePolicy;
   if (config2.provider === "vercel" && config2.oidcProvider) {
@@ -2025,8 +2408,24 @@ async function createIAMRole(config2) {
   } else {
     throw new Error("Other providers not yet implemented");
   }
-  const role = new aws3.iam.Role("wraps-email-role", {
-    name: "wraps-email-role",
+  const roleName = "wraps-email-role";
+  const exists = await roleExists(roleName);
+  const role = exists ? new aws3.iam.Role(
+    roleName,
+    {
+      name: roleName,
+      assumeRolePolicy,
+      tags: {
+        ManagedBy: "wraps-cli",
+        Provider: config2.provider
+      }
+    },
+    {
+      import: roleName
+      // Import existing role (use role name, not ARN)
+    }
+  ) : new aws3.iam.Role(roleName, {
+    name: roleName,
     assumeRolePolicy,
     tags: {
       ManagedBy: "wraps-cli",
@@ -2143,6 +2542,36 @@ function getPackageRoot() {
   }
   throw new Error("Could not find package.json");
 }
+async function lambdaFunctionExists(functionName) {
+  try {
+    const { LambdaClient: LambdaClient2, GetFunctionCommand } = await import("@aws-sdk/client-lambda");
+    const lambda2 = new LambdaClient2({});
+    await lambda2.send(new GetFunctionCommand({ FunctionName: functionName }));
+    return true;
+  } catch (error) {
+    if (error.name === "ResourceNotFoundException") {
+      return false;
+    }
+    console.error("Error checking for existing Lambda function:", error);
+    return false;
+  }
+}
+async function findEventSourceMapping(functionName, queueArn) {
+  try {
+    const { LambdaClient: LambdaClient2, ListEventSourceMappingsCommand } = await import("@aws-sdk/client-lambda");
+    const lambda2 = new LambdaClient2({});
+    const response = await lambda2.send(
+      new ListEventSourceMappingsCommand({
+        FunctionName: functionName,
+        EventSourceArn: queueArn
+      })
+    );
+    return response.EventSourceMappings?.[0]?.UUID || null;
+  } catch (error) {
+    console.error("Error finding event source mapping:", error);
+    return null;
+  }
+}
 async function getLambdaCode(functionName) {
   const packageRoot = getPackageRoot();
   const distLambdaPath = join(packageRoot, "dist", "lambda", functionName);
@@ -2238,10 +2667,12 @@ async function deployLambdaFunctions(config2) {
       })
     )
   });
-  const eventProcessor = new aws4.lambda.Function(
-    "wraps-email-event-processor",
+  const functionName = "wraps-email-event-processor";
+  const exists = await lambdaFunctionExists(functionName);
+  const eventProcessor = exists ? new aws4.lambda.Function(
+    functionName,
     {
-      name: "wraps-email-event-processor",
+      name: functionName,
       runtime: aws4.lambda.Runtime.NodeJS20dX,
       handler: "index.handler",
       role: lambdaRole.arn,
@@ -2259,20 +2690,56 @@ async function deployLambdaFunctions(config2) {
         ManagedBy: "wraps-cli",
         Description: "Process SES email events from SQS and store in DynamoDB"
       }
+    },
+    {
+      import: functionName
+      // Import existing function
+    }
+  ) : new aws4.lambda.Function(functionName, {
+    name: functionName,
+    runtime: aws4.lambda.Runtime.NodeJS20dX,
+    handler: "index.handler",
+    role: lambdaRole.arn,
+    code: new pulumi3.asset.FileArchive(eventProcessorCode),
+    timeout: 300,
+    // 5 minutes (matches SQS visibility timeout)
+    memorySize: 512,
+    environment: {
+      variables: {
+        TABLE_NAME: config2.tableName,
+        AWS_ACCOUNT_ID: config2.accountId
+      }
+    },
+    tags: {
+      ManagedBy: "wraps-cli",
+      Description: "Process SES email events from SQS and store in DynamoDB"
     }
+  });
+  const queueArnValue = `arn:aws:sqs:${config2.region}:${config2.accountId}:wraps-email-events`;
+  const existingMappingUuid = await findEventSourceMapping(
+    functionName,
+    queueArnValue
   );
-  const eventSourceMapping = new aws4.lambda.EventSourceMapping(
+  const mappingConfig = {
+    eventSourceArn: config2.queueArn,
+    functionName: eventProcessor.name,
+    batchSize: 10,
+    // Process up to 10 messages per invocation
+    maximumBatchingWindowInSeconds: 5,
+    // Wait up to 5 seconds to batch messages
+    functionResponseTypes: ["ReportBatchItemFailures"]
+    // Enable partial batch responses
+  };
+  const eventSourceMapping = existingMappingUuid ? new aws4.lambda.EventSourceMapping(
     "wraps-email-event-source-mapping",
+    mappingConfig,
     {
-      eventSourceArn: config2.queueArn,
-      functionName: eventProcessor.name,
-      batchSize: 10,
-      // Process up to 10 messages per invocation
-      maximumBatchingWindowInSeconds: 5,
-      // Wait up to 5 seconds to batch messages
-      functionResponseTypes: ["ReportBatchItemFailures"]
-      // Enable partial batch responses
+      import: existingMappingUuid
+      // Import with the UUID
     }
+  ) : new aws4.lambda.EventSourceMapping(
+    "wraps-email-event-source-mapping",
+    mappingConfig
   );
   return {
     eventProcessor,
@@ -2283,6 +2750,56 @@ async function deployLambdaFunctions(config2) {
 // src/infrastructure/resources/ses.ts
 init_esm_shims();
 import * as aws5 from "@pulumi/aws";
+async function configurationSetExists(configSetName, region) {
+  try {
+    const { SESv2Client: SESv2Client5, GetConfigurationSetCommand: GetConfigurationSetCommand2 } = await import("@aws-sdk/client-sesv2");
+    const ses = new SESv2Client5({ region });
+    await ses.send(
+      new GetConfigurationSetCommand2({ ConfigurationSetName: configSetName })
+    );
+    return true;
+  } catch (error) {
+    if (error.name === "NotFoundException") {
+      return false;
+    }
+    console.error("Error checking for existing configuration set:", error);
+    return false;
+  }
+}
+async function emailIdentityExists(emailIdentity, region) {
+  try {
+    const { SESv2Client: SESv2Client5, GetEmailIdentityCommand: GetEmailIdentityCommand4 } = await import("@aws-sdk/client-sesv2");
+    const ses = new SESv2Client5({ region });
+    await ses.send(
+      new GetEmailIdentityCommand4({ EmailIdentity: emailIdentity })
+    );
+    return true;
+  } catch (error) {
+    if (error.name === "NotFoundException") {
+      return false;
+    }
+    console.error("Error checking for existing email identity:", error);
+    return false;
+  }
+}
+async function eventDestinationExists(configSetName, eventDestName, region) {
+  try {
+    const { SESv2Client: SESv2Client5, GetConfigurationSetEventDestinationsCommand } = await import("@aws-sdk/client-sesv2");
+    const ses = new SESv2Client5({ region });
+    const response = await ses.send(
+      new GetConfigurationSetEventDestinationsCommand({
+        ConfigurationSetName: configSetName
+      })
+    );
+    return response.EventDestinations?.some((dest) => dest.Name === eventDestName) ?? false;
+  } catch (error) {
+    if (error.name === "NotFoundException") {
+      return false;
+    }
+    console.error("Error checking for existing event destination:", error);
+    return false;
+  }
+}
 async function createSESResources(config2) {
   const configSetOptions = {
     configurationSetName: "wraps-email-tracking",
@@ -2294,46 +2811,78 @@ async function createSESResources(config2) {
   if (config2.trackingConfig?.customRedirectDomain) {
     configSetOptions.trackingOptions = {
       customRedirectDomain: config2.trackingConfig.customRedirectDomain,
-      // Use OPTIONAL because custom domains don't have SSL certificates by default
-      // AWS's tracking domain (r.{region}.awstrack.me) doesn't have certs for custom domains
-      httpsPolicy: "OPTIONAL"
+      // HTTPS policy depends on whether HTTPS tracking is enabled
+      // - REQUIRE: When using CloudFront with SSL certificate
+      // - OPTIONAL: When using direct SES tracking endpoint (no SSL)
+      httpsPolicy: config2.trackingConfig.httpsEnabled ? "REQUIRE" : "OPTIONAL"
     };
   }
-  const configSet = new aws5.sesv2.ConfigurationSet(
-    "wraps-email-tracking",
-    configSetOptions
-  );
+  const configSetName = "wraps-email-tracking";
+  const exists = await configurationSetExists(configSetName, config2.region);
+  const configSet = exists ? new aws5.sesv2.ConfigurationSet(configSetName, configSetOptions, {
+    import: configSetName
+    // Import existing configuration set
+  }) : new aws5.sesv2.ConfigurationSet(configSetName, configSetOptions);
   const defaultEventBus = aws5.cloudwatch.getEventBusOutput({
     name: "default"
   });
-  new aws5.sesv2.ConfigurationSetEventDestination("wraps-email-all-events", {
-    configurationSetName: configSet.configurationSetName,
-    eventDestinationName: "wraps-email-eventbridge",
-    eventDestination: {
-      enabled: true,
-      matchingEventTypes: [
-        "SEND",
-        "DELIVERY",
-        "OPEN",
-        "CLICK",
-        "BOUNCE",
-        "COMPLAINT",
-        "REJECT",
-        "RENDERING_FAILURE",
-        "DELIVERY_DELAY",
-        "SUBSCRIPTION"
-      ],
-      eventBridgeDestination: {
-        // SES requires default bus - cannot use custom bus
-        eventBusArn: defaultEventBus.arn
+  const eventDestName = "wraps-email-eventbridge";
+  const eventDestExists = await eventDestinationExists(
+    configSetName,
+    eventDestName,
+    config2.region
+  );
+  if (!eventDestExists) {
+    new aws5.sesv2.ConfigurationSetEventDestination("wraps-email-all-events", {
+      configurationSetName: configSet.configurationSetName,
+      eventDestinationName: eventDestName,
+      eventDestination: {
+        enabled: true,
+        matchingEventTypes: [
+          "SEND",
+          "DELIVERY",
+          "OPEN",
+          "CLICK",
+          "BOUNCE",
+          "COMPLAINT",
+          "REJECT",
+          "RENDERING_FAILURE",
+          "DELIVERY_DELAY",
+          "SUBSCRIPTION"
+        ],
+        eventBridgeDestination: {
+          // SES requires default bus - cannot use custom bus
+          eventBusArn: defaultEventBus.arn
+        }
       }
-    }
-  });
+    });
+  }
   let domainIdentity;
   let dkimTokens;
   let mailFromDomain;
   if (config2.domain) {
-    domainIdentity = new aws5.sesv2.EmailIdentity("wraps-email-domain", {
+    const identityExists = await emailIdentityExists(
+      config2.domain,
+      config2.region
+    );
+    domainIdentity = identityExists ? new aws5.sesv2.EmailIdentity(
+      "wraps-email-domain",
+      {
+        emailIdentity: config2.domain,
+        configurationSetName: configSet.configurationSetName,
+        // Link configuration set to domain
+        dkimSigningAttributes: {
+          nextSigningKeyLength: "RSA_2048_BIT"
+        },
+        tags: {
+          ManagedBy: "wraps-cli"
+        }
+      },
+      {
+        import: config2.domain
+        // Import existing identity
+      }
+    ) : new aws5.sesv2.EmailIdentity("wraps-email-domain", {
       emailIdentity: config2.domain,
       configurationSetName: configSet.configurationSetName,
       // Link configuration set to domain
@@ -2417,9 +2966,48 @@ async function createSQSResources() {
 // src/infrastructure/vercel-oidc.ts
 init_esm_shims();
 import * as aws7 from "@pulumi/aws";
+async function getExistingOIDCProviderArn(url) {
+  try {
+    const { IAMClient: IAMClient2, ListOpenIDConnectProvidersCommand } = await import("@aws-sdk/client-iam");
+    const iam4 = new IAMClient2({});
+    const response = await iam4.send(new ListOpenIDConnectProvidersCommand({}));
+    const expectedArnSuffix = url.replace("https://", "");
+    const provider = response.OpenIDConnectProviderList?.find(
+      (p) => p.Arn?.endsWith(expectedArnSuffix)
+    );
+    return provider?.Arn || null;
+  } catch (error) {
+    console.error("Error checking for existing OIDC provider:", error);
+    return null;
+  }
+}
 async function createVercelOIDC(config2) {
+  const url = `https://oidc.vercel.com/${config2.teamSlug}`;
+  const existingArn = await getExistingOIDCProviderArn(url);
+  if (existingArn) {
+    return new aws7.iam.OpenIdConnectProvider(
+      "wraps-vercel-oidc",
+      {
+        url,
+        clientIdLists: [`https://vercel.com/${config2.teamSlug}`],
+        thumbprintLists: [
+          // Vercel OIDC thumbprints
+          "20032e77eca0785eece16b56b42c9b330b906320",
+          "696db3af0dffc17e65c6a20d925c5a7bd24dec7e"
+        ],
+        tags: {
+          ManagedBy: "wraps-cli",
+          Provider: "vercel"
+        }
+      },
+      {
+        import: existingArn
+        // Import existing resource
+      }
+    );
+  }
   return new aws7.iam.OpenIdConnectProvider("wraps-vercel-oidc", {
-    url: `https://oidc.vercel.com/${config2.teamSlug}`,
+    url,
     clientIdLists: [`https://vercel.com/${config2.teamSlug}`],
     thumbprintLists: [
       // Vercel OIDC thumbprints
@@ -2435,7 +3023,7 @@ async function createVercelOIDC(config2) {
 
 // src/infrastructure/email-stack.ts
 async function deployEmailStack(config2) {
-  const identity = await aws8.getCallerIdentity();
+  const identity = await aws10.getCallerIdentity();
   const accountId = identity.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {
@@ -2452,6 +3040,27 @@ async function deployEmailStack(config2) {
     vercelProjectName: config2.vercel?.projectName,
     emailConfig
   });
+  let cloudFrontResources;
+  let acmResources;
+  if (emailConfig.tracking?.enabled && emailConfig.tracking.customRedirectDomain && emailConfig.tracking.httpsEnabled) {
+    const { findHostedZone: findHostedZone2 } = await Promise.resolve().then(() => (init_route53(), route53_exports));
+    const hostedZone = await findHostedZone2(
+      emailConfig.tracking.customRedirectDomain,
+      config2.region
+    );
+    const { createACMCertificate: createACMCertificate2 } = await Promise.resolve().then(() => (init_acm(), acm_exports));
+    acmResources = await createACMCertificate2({
+      domain: emailConfig.tracking.customRedirectDomain,
+      hostedZoneId: hostedZone?.id
+    });
+    const { createCloudFrontTracking: createCloudFrontTracking2 } = await Promise.resolve().then(() => (init_cloudfront(), cloudfront_exports));
+    const certificateArn = acmResources.certificateValidation ? acmResources.certificateValidation.certificateArn : acmResources.certificate.arn;
+    cloudFrontResources = await createCloudFrontTracking2({
+      customTrackingDomain: emailConfig.tracking.customRedirectDomain,
+      region: config2.region,
+      certificateArn
+    });
+  }
   let sesResources;
   if (emailConfig.tracking?.enabled || emailConfig.eventTracking?.enabled) {
     sesResources = await createSESResources({
@@ -2485,7 +3094,8 @@ async function deployEmailStack(config2) {
       roleArn: role.arn,
       tableName: dynamoTables.emailHistory.name,
       queueArn: sqsResources.queue.arn,
-      accountId
+      accountId,
+      region: config2.region
     });
   }
   let archiveResources;
@@ -2511,8 +3121,10 @@ async function deployEmailStack(config2) {
     queueUrl: sqsResources?.queue.url,
     dlqUrl: sqsResources?.dlq.url,
     customTrackingDomain: sesResources?.customTrackingDomain,
+    httpsTrackingEnabled: emailConfig.tracking?.httpsEnabled,
+    cloudFrontDomain: cloudFrontResources?.domainName,
+    acmCertificateValidationRecords: acmResources?.validationRecords,
     mailFromDomain: sesResources?.mailFromDomain,
-    archiveId: archiveResources?.archiveId,
     archiveArn: archiveResources?.archiveArn,
     archivingEnabled: emailConfig.emailArchiving?.enabled,
     archiveRetention: emailConfig.emailArchiving?.enabled ? emailConfig.emailArchiving.retention : void 0
@@ -2742,7 +3354,7 @@ function displaySuccess(outputs) {
     "",
     pc2.bold("Next steps:"),
     `  1. Install SDK: ${pc2.yellow("npm install @wraps/sdk")}`,
-    `  2. View dashboard: ${pc2.blue("https://dashboard.wraps.dev")}`,
+    `  2. View dashboard: ${pc2.blue("https://app.wraps.dev")}`,
     ""
   );
   clack2.outro(pc2.green("Email infrastructure deployed successfully!"));
@@ -2785,9 +3397,29 @@ Verification should complete within a few minutes.`,
     }
     clack2.note(dnsLines.join("\n"), "DNS Records to add:");
   }
+  if (outputs.acmValidationRecords && outputs.acmValidationRecords.length > 0) {
+    const acmDnsLines = [
+      pc2.bold("SSL Certificate Validation (ACM):"),
+      ...outputs.acmValidationRecords.map(
+        (record) => `  ${pc2.cyan(record.name)} ${pc2.dim(record.type)} "${record.value}"`
+      ),
+      "",
+      pc2.dim(
+        "Note: These records are required to validate your SSL certificate."
+      ),
+      pc2.dim(
+        "CloudFront will be enabled automatically after certificate validation."
+      )
+    ];
+    clack2.note(
+      acmDnsLines.join("\n"),
+      "SSL Certificate Validation DNS Records:"
+    );
+  }
   if (outputs.trackingDomainDnsRecords && outputs.trackingDomainDnsRecords.length > 0) {
+    const trackingProtocol = outputs.httpsTrackingEnabled ? "HTTPS" : "HTTP";
     const trackingDnsLines = [
-      pc2.bold("Custom Tracking Domain - Redirect CNAME:"),
+      pc2.bold(`Custom Tracking Domain - ${trackingProtocol} Redirect CNAME:`),
       ...outputs.trackingDomainDnsRecords.map(
         (record) => `  ${pc2.cyan(record.name)} ${pc2.dim(record.type)} "${record.value}"`
       ),
@@ -2797,6 +3429,12 @@ Verification should complete within a few minutes.`,
       ),
       pc2.dim("your custom domain for open and click tracking.")
     ];
+    if (outputs.httpsTrackingEnabled) {
+      trackingDnsLines.push(
+        "",
+        pc2.dim("HTTPS tracking is enabled via CloudFront with SSL certificate.")
+      );
+    }
     clack2.note(
       trackingDnsLines.join("\n"),
       "Custom Tracking Domain DNS Records:"
@@ -2811,7 +3449,8 @@ ${pc2.dim("Run:")} ${pc2.yellow(`wraps verify --domain ${outputs.customTrackingD
       );
     }
   }
-  if (outputs.customTrackingDomain && !outputs.dnsAutoCreated && (!outputs.dnsRecords || outputs.dnsRecords.length === 0) && (!outputs.trackingDomainDnsRecords || outputs.trackingDomainDnsRecords.length === 0)) {
+  if (outputs.customTrackingDomain && !outputs.httpsTrackingEnabled && // Only show for HTTP tracking
+  !outputs.dnsAutoCreated && (!outputs.dnsRecords || outputs.dnsRecords.length === 0) && (!outputs.trackingDomainDnsRecords || outputs.trackingDomainDnsRecords.length === 0)) {
     const trackingLines = [
       pc2.bold("Tracking Domain (CNAME):"),
       `  ${pc2.cyan(outputs.customTrackingDomain)} ${pc2.dim("CNAME")} "r.${outputs.region}.awstrack.me"`,
@@ -2884,6 +3523,19 @@ ${domainStrings.join("\n")}`);
       `  ${pc2.dim("\u25CB")} Email Archiving ${pc2.dim("(run 'wraps upgrade' to enable)")}`
     );
   }
+  if (status2.tracking?.customTrackingDomain) {
+    const protocol = status2.tracking.httpsEnabled ? "HTTPS" : "HTTP";
+    const cloudFrontStatus = status2.tracking.httpsEnabled ? status2.tracking.cloudFrontDomain ? pc2.green("\u2713 Active") : pc2.yellow("\u23F1 Pending") : "";
+    const trackingLabel = status2.tracking.httpsEnabled ? `${protocol} tracking ${cloudFrontStatus}` : `${protocol} tracking`;
+    featureLines.push(
+      `  ${pc2.green("\u2713")} Custom Tracking Domain ${pc2.dim(`(${trackingLabel})`)}`
+    );
+    featureLines.push(`      ${pc2.cyan(status2.tracking.customTrackingDomain)}`);
+  } else {
+    featureLines.push(
+      `  ${pc2.dim("\u25CB")} Custom Tracking Domain ${pc2.dim("(run 'wraps upgrade' to enable)")}`
+    );
+  }
   featureLines.push(
     `  ${pc2.green("\u2713")} Console Dashboard ${pc2.dim("(run 'wraps console')")}`
   );
@@ -2965,11 +3617,9 @@ ${pc2.dim("Run:")} ${pc2.yellow(`wraps verify --domain ${exampleDomain}`)} ${pc2
 `
     );
   }
-  console.log(
-    `
-${pc2.bold("Dashboard:")} ${pc2.blue("https://dashboard.wraps.dev")}`
-  );
-  console.log(`${pc2.bold("Docs:")} ${pc2.blue("https://docs.wraps.dev")}
+  console.log(`
+${pc2.bold("Dashboard:")} ${pc2.blue("https://app.wraps.dev")}`);
+  console.log(`${pc2.bold("Docs:")} ${pc2.blue("https://wraps.dev/docs")}
 `);
 }
 
@@ -4324,9 +4974,12 @@ ${pc8.bold("The following Wraps resources will be removed:")}
   if (metadata.services.email?.pulumiStackName) {
     await progress.execute("Removing Wraps infrastructure", async () => {
       try {
+        if (!metadata.services.email?.pulumiStackName) {
+          throw new Error("No Pulumi stack name found in metadata");
+        }
         const stack = await pulumi8.automation.LocalWorkspace.selectStack(
           {
-            stackName: metadata.services.email?.pulumiStackName,
+            stackName: metadata.services.email.pulumiStackName,
             projectName: "wraps-email",
             program: async () => {
             }
@@ -4343,7 +4996,7 @@ ${pc8.bold("The following Wraps resources will be removed:")}
         await stack.destroy({ onOutput: () => {
         } });
         await stack.workspace.removeStack(
-          metadata.services.email?.pulumiStackName
+          metadata.services.email.pulumiStackName
         );
       } catch (error) {
         throw new Error(`Failed to destroy Pulumi stack: ${error.message}`);
@@ -4443,10 +5096,23 @@ ${pc9.bold("Current Configuration:")}
       "7days": "7 days",
       "30days": "30 days",
       "90days": "90 days",
+      "3months": "3 months",
       "6months": "6 months",
+      "9months": "9 months",
       "1year": "1 year",
       "18months": "18 months",
-      indefinite: "indefinite"
+      "2years": "2 years",
+      "30months": "30 months",
+      "3years": "3 years",
+      "4years": "4 years",
+      "5years": "5 years",
+      "6years": "6 years",
+      "7years": "7 years",
+      "8years": "8 years",
+      "9years": "9 years",
+      "10years": "10 years",
+      indefinite: "indefinite",
+      permanent: "permanent"
     }[config2.emailArchiving.retention] || "90 days";
     console.log(`  ${pc9.green("\u2713")} Email Archiving (${retentionLabel})`);
   }
@@ -4740,14 +5406,94 @@ ${pc9.bold("Current Configuration:")}
         clack9.cancel("Upgrade cancelled.");
         process.exit(0);
       }
-      updatedConfig = {
-        ...config2,
-        tracking: {
-          ...config2.tracking,
-          enabled: true,
-          customRedirectDomain: trackingDomain || void 0
+      const enableHttps = await clack9.confirm({
+        message: "Enable HTTPS tracking with CloudFront + SSL certificate?",
+        initialValue: true
+      });
+      if (clack9.isCancel(enableHttps)) {
+        clack9.cancel("Upgrade cancelled.");
+        process.exit(0);
+      }
+      if (enableHttps) {
+        clack9.log.info(
+          pc9.dim(
+            "HTTPS tracking creates a CloudFront distribution with an SSL certificate."
+          )
+        );
+        clack9.log.info(
+          pc9.dim(
+            "This ensures all tracking links use secure HTTPS connections."
+          )
+        );
+        const { findHostedZone: findHostedZone2 } = await Promise.resolve().then(() => (init_route53(), route53_exports));
+        const hostedZone = await progress.execute(
+          "Checking for Route53 hosted zone",
+          async () => await findHostedZone2(trackingDomain || config2.domain, region)
+        );
+        if (hostedZone) {
+          progress.info(
+            `Found Route53 hosted zone: ${pc9.cyan(hostedZone.name)} ${pc9.green("\u2713")}`
+          );
+          clack9.log.info(
+            pc9.dim(
+              "DNS records (SSL certificate validation + CloudFront) will be created automatically."
+            )
+          );
+        } else {
+          clack9.log.warn(
+            `No Route53 hosted zone found for ${pc9.cyan(trackingDomain || config2.domain)}`
+          );
+          clack9.log.info(
+            pc9.dim(
+              "You'll need to manually create DNS records for SSL certificate validation and CloudFront."
+            )
+          );
+          clack9.log.info(
+            pc9.dim("DNS record details will be shown after deployment.")
+          );
         }
-      };
+        const confirmHttps = await clack9.confirm({
+          message: hostedZone ? "Proceed with automatic HTTPS setup?" : "Proceed with manual HTTPS setup (requires DNS configuration)?",
+          initialValue: true
+        });
+        if (clack9.isCancel(confirmHttps) || !confirmHttps) {
+          clack9.log.info("HTTPS tracking not enabled. Using HTTP tracking.");
+          updatedConfig = {
+            ...config2,
+            tracking: {
+              ...config2.tracking,
+              enabled: true,
+              customRedirectDomain: trackingDomain || void 0,
+              httpsEnabled: false
+            }
+          };
+        } else {
+          updatedConfig = {
+            ...config2,
+            tracking: {
+              ...config2.tracking,
+              enabled: true,
+              customRedirectDomain: trackingDomain || void 0,
+              httpsEnabled: true
+            }
+          };
+        }
+      } else {
+        clack9.log.info(
+          pc9.dim(
+            "Using HTTP tracking (standard). Links will use http:// protocol."
+          )
+        );
+        updatedConfig = {
+          ...config2,
+          tracking: {
+            ...config2.tracking,
+            enabled: true,
+            customRedirectDomain: trackingDomain || void 0,
+            httpsEnabled: false
+          }
+        };
+      }
       newPreset = void 0;
       break;
     }
@@ -4954,6 +5700,9 @@ ${pc9.bold("Cost Impact:")}`);
                 domain: result.domain,
                 dkimTokens: result.dkimTokens,
                 customTrackingDomain: result.customTrackingDomain,
+                httpsTrackingEnabled: result.httpsTrackingEnabled,
+                cloudFrontDomain: result.cloudFrontDomain,
+                acmCertificateValidationRecords: result.acmCertificateValidationRecords,
                 archiveArn: result.archiveArn,
                 archivingEnabled: result.archivingEnabled,
                 archiveRetention: result.archiveRetention
@@ -4972,6 +5721,8 @@ ${pc9.bold("Cost Impact:")}`);
           metadata.services.email?.pulumiStackName || `wraps-${identity.accountId}-${region}`
         );
         await stack.setConfig("aws:region", { value: region });
+        await stack.refresh({ onOutput: () => {
+        } });
         const upResult = await stack.up({ onOutput: () => {
         } });
         const pulumiOutputs = upResult.outputs;
@@ -4984,6 +5735,9 @@ ${pc9.bold("Cost Impact:")}`);
           domain: pulumiOutputs.domain?.value,
           dkimTokens: pulumiOutputs.dkimTokens?.value,
           customTrackingDomain: pulumiOutputs.customTrackingDomain?.value,
+          httpsTrackingEnabled: pulumiOutputs.httpsTrackingEnabled?.value,
+          cloudFrontDomain: pulumiOutputs.cloudFrontDomain?.value,
+          acmCertificateValidationRecords: pulumiOutputs.acmCertificateValidationRecords?.value,
           archiveArn: pulumiOutputs.archiveArn?.value,
           archivingEnabled: pulumiOutputs.archivingEnabled?.value,
           archiveRetention: pulumiOutputs.archiveRetention?.value
@@ -5007,20 +5761,37 @@ ${pc9.bold("Cost Impact:")}`);
   await saveConnectionMetadata(metadata);
   progress.info("Connection metadata updated");
   const trackingDomainDnsRecords = [];
+  const acmValidationRecords = [];
   if (outputs.customTrackingDomain) {
-    trackingDomainDnsRecords.push({
-      name: outputs.customTrackingDomain,
-      type: "CNAME",
-      value: `r.${outputs.region}.awstrack.me`
-    });
+    if (outputs.httpsTrackingEnabled) {
+      if (outputs.cloudFrontDomain) {
+        trackingDomainDnsRecords.push({
+          name: outputs.customTrackingDomain,
+          type: "CNAME",
+          value: outputs.cloudFrontDomain
+        });
+      }
+    } else {
+      trackingDomainDnsRecords.push({
+        name: outputs.customTrackingDomain,
+        type: "CNAME",
+        value: `r.${outputs.region}.awstrack.me`
+      });
+    }
   }
+  if (outputs.httpsTrackingEnabled && outputs.acmCertificateValidationRecords) {
+    acmValidationRecords.push(...outputs.acmCertificateValidationRecords);
+  }
+  const needsCertificateValidation = outputs.httpsTrackingEnabled && acmValidationRecords.length > 0 && !outputs.cloudFrontDomain;
   displaySuccess({
     roleArn: outputs.roleArn,
     configSetName: outputs.configSetName,
     region: outputs.region,
     tableName: outputs.tableName,
     trackingDomainDnsRecords: trackingDomainDnsRecords.length > 0 ? trackingDomainDnsRecords : void 0,
-    customTrackingDomain: outputs.customTrackingDomain
+    acmValidationRecords: acmValidationRecords.length > 0 ? acmValidationRecords : void 0,
+    customTrackingDomain: outputs.customTrackingDomain,
+    httpsTrackingEnabled: outputs.httpsTrackingEnabled
   });
   console.log(`
 ${pc9.green("\u2713")} ${pc9.bold("Upgrade complete!")}
@@ -5036,6 +5807,28 @@ ${pc9.green("\u2713")} ${pc9.bold("Upgrade complete!")}
 `
     );
   }
+  if (needsCertificateValidation) {
+    console.log(pc9.bold("\u26A0\uFE0F  HTTPS Tracking - Next Steps:\n"));
+    console.log(
+      "  1. Add the SSL certificate validation DNS record shown above to your DNS provider"
+    );
+    console.log(
+      "  2. Wait for DNS propagation and certificate validation (5-30 minutes)"
+    );
+    console.log(
+      `  3. Run ${pc9.cyan("wraps email upgrade")} again to complete CloudFront setup
+`
+    );
+    console.log(
+      pc9.dim(
+        "  Note: CloudFront distribution will be created once the certificate is validated.\n"
+      )
+    );
+  } else if (outputs.httpsTrackingEnabled && outputs.cloudFrontDomain) {
+    console.log(
+      pc9.green("\u2713") + " " + pc9.bold("HTTPS tracking is fully configured and ready to use!\n")
+    );
+  }
 }
 
 // src/commands/shared/dashboard.ts
@@ -5082,34 +5875,9 @@ import { Router as createRouter } from "express";
 
 // src/console/services/ses-service.ts
 init_esm_shims();
+init_assume_role();
 import { GetSendQuotaCommand, SESClient as SESClient3 } from "@aws-sdk/client-ses";
 import { GetEmailIdentityCommand as GetEmailIdentityCommand2, SESv2Client as SESv2Client3 } from "@aws-sdk/client-sesv2";
-
-// src/utils/shared/assume-role.ts
-init_esm_shims();
-import { AssumeRoleCommand, STSClient as STSClient2 } from "@aws-sdk/client-sts";
-async function assumeRole(roleArn, region, sessionName = "wraps-console") {
-  const sts = new STSClient2({ region });
-  const response = await sts.send(
-    new AssumeRoleCommand({
-      RoleArn: roleArn,
-      RoleSessionName: sessionName,
-      DurationSeconds: 3600
-      // 1 hour
-    })
-  );
-  if (!response.Credentials) {
-    throw new Error("Failed to assume role: No credentials returned");
-  }
-  return {
-    accessKeyId: response.Credentials.AccessKeyId,
-    secretAccessKey: response.Credentials.SecretAccessKey,
-    sessionToken: response.Credentials.SessionToken,
-    expiration: response.Credentials.Expiration
-  };
-}
-
-// src/console/services/ses-service.ts
 async function fetchSendQuota(roleArn, region) {
   const credentials = roleArn ? await assumeRole(roleArn, region) : void 0;
   const ses = new SESClient3({ region, credentials });
@@ -5596,6 +6364,7 @@ import { Router as createRouter3 } from "express";
 
 // src/console/services/aws-metrics.ts
 init_esm_shims();
+init_assume_role();
 import {
   CloudWatchClient,
   GetMetricDataCommand
@@ -5809,6 +6578,7 @@ import { Router as createRouter4 } from "express";
 
 // src/console/services/settings-service.ts
 init_esm_shims();
+init_assume_role();
 import {
   GetConfigurationSetCommand,
   GetEmailIdentityCommand as GetEmailIdentityCommand3,
@@ -6039,7 +6809,7 @@ function createSettingsRouter(config2) {
         `[Settings] Updating sending options for ${configSetName}: ${enabled}`
       );
       const { SESv2Client: SESv2Client5, PutConfigurationSetSendingOptionsCommand } = await import("@aws-sdk/client-sesv2");
-      const { assumeRole: assumeRole2 } = await import("../../utils/assume-role.js");
+      const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
       const credentials = config2.roleArn ? await assumeRole2(config2.roleArn, config2.region) : void 0;
       const sesClient = new SESv2Client5({ region: config2.region, credentials });
       await sesClient.send(
@@ -6076,7 +6846,7 @@ function createSettingsRouter(config2) {
         `[Settings] Updating reputation options for ${configSetName}: ${enabled}`
       );
       const { SESv2Client: SESv2Client5, PutConfigurationSetReputationOptionsCommand } = await import("@aws-sdk/client-sesv2");
-      const { assumeRole: assumeRole2 } = await import("../../utils/assume-role.js");
+      const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
       const credentials = config2.roleArn ? await assumeRole2(config2.roleArn, config2.region) : void 0;
       const sesClient = new SESv2Client5({ region: config2.region, credentials });
       await sesClient.send(
@@ -6119,7 +6889,7 @@ function createSettingsRouter(config2) {
           `[Settings] Updating tracking domain for ${configSetName}: ${domain}`
         );
         const { SESv2Client: SESv2Client5, PutConfigurationSetTrackingOptionsCommand } = await import("@aws-sdk/client-sesv2");
-        const { assumeRole: assumeRole2 } = await import("../../utils/assume-role.js");
+        const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
         const credentials = config2.roleArn ? await assumeRole2(config2.roleArn, config2.region) : void 0;
         const sesClient = new SESv2Client5({
           region: config2.region,
@@ -6167,7 +6937,7 @@ function createUserRouter(config2) {
       try {
         if (config2.roleArn) {
           console.log("[User API] Attempting to fetch account alias via IAM");
-          const { assumeRole: assumeRole2 } = await import("../../utils/assume-role.js");
+          const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
           const { IAMClient: IAMClient2, ListAccountAliasesCommand } = await import("@aws-sdk/client-iam");
           const credentials = await assumeRole2(config2.roleArn, region);
           const iamClient = new IAMClient2({ region, credentials });
@@ -6480,7 +7250,12 @@ Run ${pc12.cyan("wraps init")} to deploy infrastructure.
       archiveArn: stackOutputs.archiveArn?.value,
       archivingEnabled: stackOutputs.archivingEnabled?.value,
       archiveRetention: stackOutputs.archiveRetention?.value
-    }
+    },
+    tracking: stackOutputs.customTrackingDomain?.value ? {
+      customTrackingDomain: stackOutputs.customTrackingDomain?.value,
+      httpsEnabled: stackOutputs.httpsTrackingEnabled?.value,
+      cloudFrontDomain: stackOutputs.cloudFrontDomain?.value
+    } : void 0
   });
 }