@wraps.dev/cli 2.1.0 → 2.2.0

package/dist/cli.js

@@ -147,7 +147,7 @@ var require_package = __commonJS({
   "package.json"(exports, module) {
     module.exports = {
       name: "@wraps.dev/cli",
-      version: "2.1.0",
+      version: "2.2.0",
       description: "CLI for deploying Wraps email infrastructure to your AWS account",
       type: "module",
       main: "./dist/cli.js",
@@ -647,6 +647,19 @@ To remove: wraps destroy --stack ${stackName}`,
         "SMS_SIMULATOR_LIMIT",
         "Upgrade to a toll-free number for production use:\n  wraps sms upgrade --phone-type toll-free",
         "https://wraps.dev/docs/cli-reference"
+      ),
+      // SMTP-specific errors
+      smtpRequiresSending: () => new WrapsError(
+        "SMTP credentials require email sending to be enabled",
+        "SMTP_REQUIRES_SENDING",
+        "Enable sending first:\n  wraps email upgrade\nAnd select 'Custom configuration' to enable sending.",
+        "https://wraps.dev/docs/cli-reference"
+      ),
+      smtpCredentialsNotFound: () => new WrapsError(
+        "SMTP credentials not found",
+        "SMTP_CREDENTIALS_NOT_FOUND",
+        "Enable SMTP credentials:\n  wraps email upgrade\nAnd select 'Enable SMTP credentials'",
+        "https://wraps.dev/docs/cli-reference"
       )
     };
   }
@@ -953,6 +966,15 @@ function calculateEmailArchivingCost(config2, emailsPerMonth) {
     description: `Email archiving (${retention}, ~${storageGB.toFixed(2)} GB at steady-state)`
   };
 }
+function calculateSMTPCredentialsCost(config2) {
+  if (!config2.smtpCredentials?.enabled) {
+    return;
+  }
+  return {
+    monthly: 0,
+    description: "SMTP credentials (no additional cost)"
+  };
+}
 function calculateCosts(config2, emailsPerMonth = 1e4) {
   const tracking = calculateTrackingCost(config2);
   const reputationMetrics = calculateReputationMetricsCost(config2);
@@ -961,8 +983,9 @@ function calculateCosts(config2, emailsPerMonth = 1e4) {
   const emailArchiving = calculateEmailArchivingCost(config2, emailsPerMonth);
   const dedicatedIp = calculateDedicatedIpCost(config2);
   const waf = calculateWafCost(config2, emailsPerMonth);
+  const smtpCredentials = calculateSMTPCredentialsCost(config2);
   const sesEmailCost = Math.max(0, emailsPerMonth - FREE_TIER.SES_EMAILS) * AWS_PRICING.SES_PER_EMAIL;
-  const totalMonthlyCost = sesEmailCost + (tracking?.monthly || 0) + (reputationMetrics?.monthly || 0) + (eventTracking?.monthly || 0) + (dynamoDBHistory?.monthly || 0) + (emailArchiving?.monthly || 0) + (dedicatedIp?.monthly || 0) + (waf?.monthly || 0);
+  const totalMonthlyCost = sesEmailCost + (tracking?.monthly || 0) + (reputationMetrics?.monthly || 0) + (eventTracking?.monthly || 0) + (dynamoDBHistory?.monthly || 0) + (emailArchiving?.monthly || 0) + (dedicatedIp?.monthly || 0) + (waf?.monthly || 0) + (smtpCredentials?.monthly || 0);
   return {
     tracking,
     reputationMetrics,
@@ -971,6 +994,7 @@ function calculateCosts(config2, emailsPerMonth = 1e4) {
     emailArchiving,
     dedicatedIp,
     waf,
+    smtpCredentials,
     total: {
       monthly: totalMonthlyCost,
       perEmail: AWS_PRICING.SES_PER_EMAIL,
@@ -1031,6 +1055,11 @@ function getCostSummary(config2, emailsPerMonth = 1e4) {
       `  - ${costs.waf.description}: ${formatCost(costs.waf.monthly)}`
     );
   }
+  if (costs.smtpCredentials) {
+    lines.push(
+      `  - ${costs.smtpCredentials.description}: ${formatCost(costs.smtpCredentials.monthly)}`
+    );
+  }
   return lines.join("\n");
 }
 var AWS_PRICING, FREE_TIER;
@@ -2317,6 +2346,11 @@ function applyConfigUpdates(existingConfig, updates) {
         ...result.emailArchiving,
         ...value
       };
+    } else if (key === "smtpCredentials" && typeof value === "object") {
+      result.smtpCredentials = {
+        ...result.smtpCredentials,
+        ...value
+      };
     } else {
       result[key] = value;
     }
@@ -3230,12 +3264,12 @@ var acm_exports = {};
 __export(acm_exports, {
   createACMCertificate: () => createACMCertificate
 });
-import * as aws8 from "@pulumi/aws";
+import * as aws9 from "@pulumi/aws";
 async function createACMCertificate(config2) {
-  const usEast1Provider = new aws8.Provider("acm-us-east-1", {
+  const usEast1Provider = new aws9.Provider("acm-us-east-1", {
     region: "us-east-1"
   });
-  const certificate = new aws8.acm.Certificate(
+  const certificate = new aws9.acm.Certificate(
     "wraps-email-tracking-cert",
     {
       domainName: config2.domain,
@@ -3258,7 +3292,7 @@ async function createACMCertificate(config2) {
   );
   let certificateValidation;
   if (config2.hostedZoneId) {
-    const validationRecord = new aws8.route53.Record(
+    const validationRecord = new aws9.route53.Record(
       "wraps-email-tracking-cert-validation",
       {
         zoneId: config2.hostedZoneId,
@@ -3268,7 +3302,7 @@ async function createACMCertificate(config2) {
         ttl: 60
       }
     );
-    certificateValidation = new aws8.acm.CertificateValidation(
+    certificateValidation = new aws9.acm.CertificateValidation(
       "wraps-email-tracking-cert-validation-waiter",
       {
         certificateArn: certificate.arn,
@@ -3297,7 +3331,7 @@ var cloudfront_exports = {};
 __export(cloudfront_exports, {
   createCloudFrontTracking: () => createCloudFrontTracking
 });
-import * as aws9 from "@pulumi/aws";
+import * as aws10 from "@pulumi/aws";
 async function findDistributionByAlias(alias) {
   try {
     const { CloudFrontClient, ListDistributionsCommand } = await import("@aws-sdk/client-cloudfront");
@@ -3313,10 +3347,10 @@ async function findDistributionByAlias(alias) {
   }
 }
 async function createWAFWebACL() {
-  const usEast1Provider = new aws9.Provider("waf-us-east-1", {
+  const usEast1Provider = new aws10.Provider("waf-us-east-1", {
     region: "us-east-1"
   });
-  const webAcl = new aws9.wafv2.WebAcl(
+  const webAcl = new aws10.wafv2.WebAcl(
     "wraps-email-tracking-waf",
     {
       scope: "CLOUDFRONT",
@@ -3431,14 +3465,14 @@ async function createCloudFrontTracking(config2) {
       Description: "Wraps email tracking CloudFront distribution"
     }
   };
-  const distribution = existingDistributionId ? new aws9.cloudfront.Distribution(
+  const distribution = existingDistributionId ? new aws10.cloudfront.Distribution(
     "wraps-email-tracking-cdn",
     distributionConfig,
     {
       import: existingDistributionId
       // Import existing distribution
     }
-  ) : new aws9.cloudfront.Distribution(
+  ) : new aws10.cloudfront.Distribution(
     "wraps-email-tracking-cdn",
     distributionConfig
   );
@@ -8143,7 +8177,7 @@ import pc8 from "picocolors";
 
 // src/infrastructure/email-stack.ts
 init_esm_shims();
-import * as aws10 from "@pulumi/aws";
+import * as aws11 from "@pulumi/aws";
 import * as pulumi4 from "@pulumi/pulumi";
 
 // src/infrastructure/resources/dynamodb.ts
@@ -8366,10 +8400,10 @@ import * as pulumi2 from "@pulumi/pulumi";
 async function roleExists(roleName) {
   try {
     const { IAMClient: IAMClient3, GetRoleCommand: GetRoleCommand2 } = await import("@aws-sdk/client-iam");
-    const iam7 = new IAMClient3({
+    const iam8 = new IAMClient3({
       region: process.env.AWS_REGION || "us-east-1"
     });
-    await iam7.send(new GetRoleCommand2({ RoleName: roleName }));
+    await iam8.send(new GetRoleCommand2({ RoleName: roleName }));
     return true;
   } catch (error) {
     if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity") {
@@ -8728,11 +8762,93 @@ async function createSESResources(config2) {
   };
 }
 
-// src/infrastructure/resources/sqs.ts
+// src/infrastructure/resources/smtp-credentials.ts
 init_esm_shims();
 import * as aws6 from "@pulumi/aws";
+import { createHmac } from "crypto";
+function convertToSMTPPassword(secretAccessKey, region) {
+  const DATE = "11111111";
+  const SERVICE = "ses";
+  const MESSAGE = "SendRawEmail";
+  const TERMINAL = "aws4_request";
+  const VERSION2 = 4;
+  const kDate = createHmac("sha256", `AWS4${secretAccessKey}`).update(DATE).digest();
+  const kRegion = createHmac("sha256", kDate).update(region).digest();
+  const kService = createHmac("sha256", kRegion).update(SERVICE).digest();
+  const kTerminal = createHmac("sha256", kService).update(TERMINAL).digest();
+  const kMessage = createHmac("sha256", kTerminal).update(MESSAGE).digest();
+  const signatureWithVersion = Buffer.concat([Buffer.from([VERSION2]), kMessage]);
+  return signatureWithVersion.toString("base64");
+}
+async function userExists(userName) {
+  try {
+    const { IAMClient: IAMClient3, GetUserCommand } = await import("@aws-sdk/client-iam");
+    const iam8 = new IAMClient3({ region: process.env.AWS_REGION || "us-east-1" });
+    await iam8.send(new GetUserCommand({ UserName: userName }));
+    return true;
+  } catch (error) {
+    if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity") {
+      return false;
+    }
+    return false;
+  }
+}
+async function createSMTPCredentials(config2) {
+  const userName = "wraps-email-smtp-user";
+  const userAlreadyExists = await userExists(userName);
+  const iamUser = userAlreadyExists ? new aws6.iam.User(
+    userName,
+    {
+      name: userName,
+      tags: {
+        ManagedBy: "wraps-cli",
+        Purpose: "SES SMTP Authentication"
+      }
+    },
+    { import: userName }
+  ) : new aws6.iam.User(userName, {
+    name: userName,
+    tags: {
+      ManagedBy: "wraps-cli",
+      Purpose: "SES SMTP Authentication"
+    }
+  });
+  new aws6.iam.UserPolicy("wraps-email-smtp-policy", {
+    user: iamUser.name,
+    policy: JSON.stringify({
+      Version: "2012-10-17",
+      Statement: [
+        {
+          Effect: "Allow",
+          Action: "ses:SendRawEmail",
+          Resource: "*",
+          Condition: {
+            StringEquals: {
+              "ses:ConfigurationSetName": config2.configSetName
+            }
+          }
+        }
+      ]
+    })
+  });
+  const accessKey = new aws6.iam.AccessKey("wraps-email-smtp-key", {
+    user: iamUser.name
+  });
+  const smtpPassword = accessKey.secret.apply(
+    (secret) => convertToSMTPPassword(secret, config2.region)
+  );
+  return {
+    iamUser,
+    accessKey,
+    smtpPassword
+  };
+}
+
+// src/infrastructure/resources/sqs.ts
+init_esm_shims();
+import * as aws7 from "@pulumi/aws";
 async function createSQSResources() {
-  const dlq = new aws6.sqs.Queue("wraps-email-events-dlq", {
+  const dlq = new aws7.sqs.Queue("wraps-email-events-dlq", {
     name: "wraps-email-events-dlq",
     messageRetentionSeconds: 1209600,
     // 14 days
@@ -8741,7 +8857,7 @@ async function createSQSResources() {
       Description: "Dead letter queue for failed SES event processing"
     }
   });
-  const queue = new aws6.sqs.Queue("wraps-email-events", {
+  const queue = new aws7.sqs.Queue("wraps-email-events", {
     name: "wraps-email-events",
     visibilityTimeoutSeconds: 300,
     // 5 minutes (Lambda timeout)
@@ -8769,14 +8885,14 @@ async function createSQSResources() {
 
 // src/infrastructure/vercel-oidc.ts
 init_esm_shims();
-import * as aws7 from "@pulumi/aws";
+import * as aws8 from "@pulumi/aws";
 async function getExistingOIDCProviderArn(url) {
   try {
     const { IAMClient: IAMClient3, ListOpenIDConnectProvidersCommand } = await import("@aws-sdk/client-iam");
-    const iam7 = new IAMClient3({
+    const iam8 = new IAMClient3({
       region: process.env.AWS_REGION || "us-east-1"
     });
-    const response = await iam7.send(new ListOpenIDConnectProvidersCommand({}));
+    const response = await iam8.send(new ListOpenIDConnectProvidersCommand({}));
     const expectedArnSuffix = url.replace("https://", "");
     const provider = response.OpenIDConnectProviderList?.find(
       (p) => p.Arn?.endsWith(expectedArnSuffix)
@@ -8791,7 +8907,7 @@ async function createVercelOIDC(config2) {
   const url = `https://oidc.vercel.com/${config2.teamSlug}`;
   const existingArn = await getExistingOIDCProviderArn(url);
   if (existingArn) {
-    return new aws7.iam.OpenIdConnectProvider(
+    return new aws8.iam.OpenIdConnectProvider(
       "wraps-vercel-oidc",
       {
         url,
@@ -8812,7 +8928,7 @@ async function createVercelOIDC(config2) {
       }
     );
   }
-  return new aws7.iam.OpenIdConnectProvider("wraps-vercel-oidc", {
+  return new aws8.iam.OpenIdConnectProvider("wraps-vercel-oidc", {
     url,
     clientIdLists: [`https://vercel.com/${config2.teamSlug}`],
     thumbprintLists: [
@@ -8829,7 +8945,7 @@ async function createVercelOIDC(config2) {
 
 // src/infrastructure/email-stack.ts
 async function deployEmailStack(config2) {
-  const identity = await aws10.getCallerIdentity();
+  const identity = await aws11.getCallerIdentity();
   const accountId = identity.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {
@@ -8934,6 +9050,13 @@ async function deployEmailStack(config2) {
       region: config2.region
     });
   }
+  let smtpResources;
+  if (emailConfig.smtpCredentials?.enabled && sesResources) {
+    smtpResources = await createSMTPCredentials({
+      configSetName: "wraps-email-tracking",
+      region: config2.region
+    });
+  }
   return {
     roleArn: role.arn,
     configSetName: sesResources?.configSet.configurationSetName,
@@ -8953,7 +9076,12 @@ async function deployEmailStack(config2) {
     mailFromDomain: sesResources?.mailFromDomain,
     archiveArn: archiveResources?.archiveArn,
     archivingEnabled: emailConfig.emailArchiving?.enabled,
-    archiveRetention: emailConfig.emailArchiving?.enabled ? emailConfig.emailArchiving.retention : void 0
+    archiveRetention: emailConfig.emailArchiving?.enabled ? emailConfig.emailArchiving.retention : void 0,
+    // SMTP credentials (shown once, not stored)
+    smtpUserArn: smtpResources?.iamUser.arn,
+    smtpUsername: smtpResources?.accessKey.id,
+    smtpPassword: smtpResources?.smtpPassword,
+    smtpEndpoint: smtpResources ? `email-smtp.${config2.region}.amazonaws.com` : void 0
   };
 }
 
@@ -10000,13 +10128,13 @@ async function scanLambdaFunctions(region) {
   }
 }
 async function scanIAMRoles(region) {
-  const iam7 = new IAMClient({ region });
+  const iam8 = new IAMClient({ region });
   const roles = [];
   try {
     let marker;
     let hasMore = true;
     while (hasMore) {
-      const listResponse = await iam7.send(
+      const listResponse = await iam8.send(
         new ListRolesCommand({
           Marker: marker,
           MaxItems: 100
@@ -11901,6 +12029,11 @@ ${pc15.bold("Current Configuration:")}
         value: "wraps-dashboard",
         label: metadata.services.email?.webhookSecret ? "Manage Wraps Dashboard connection" : "Connect to Wraps Dashboard",
         hint: metadata.services.email?.webhookSecret ? "Regenerate secret or disconnect" : "Send events to dashboard for analytics"
+      },
+      {
+        value: "smtp-credentials",
+        label: metadata.services.email?.smtpCredentials?.enabled ? "Manage SMTP credentials" : "Enable SMTP credentials",
+        hint: metadata.services.email?.smtpCredentials?.enabled ? "Rotate or disable credentials" : "Generate credentials for PHP, WordPress, etc."
       }
     ]
   });
@@ -12492,6 +12625,98 @@ ${pc15.bold("Webhook Configuration:")}`);
       newPreset = void 0;
       break;
     }
+    case "smtp-credentials": {
+      if (metadata.services.email?.smtpCredentials?.enabled) {
+        clack14.log.info(
+          `SMTP credentials are currently ${pc15.green("enabled")} (created ${metadata.services.email.smtpCredentials.createdAt})`
+        );
+        const smtpAction = await clack14.select({
+          message: "What would you like to do?",
+          options: [
+            {
+              value: "rotate",
+              label: "Rotate credentials",
+              hint: "Generate new credentials (invalidates old ones)"
+            },
+            {
+              value: "disable",
+              label: "Disable SMTP credentials",
+              hint: "Delete IAM user and credentials"
+            },
+            {
+              value: "cancel",
+              label: "Cancel",
+              hint: "Keep current credentials"
+            }
+          ]
+        });
+        if (clack14.isCancel(smtpAction) || smtpAction === "cancel") {
+          clack14.log.info("No changes made.");
+          process.exit(0);
+        }
+        if (smtpAction === "disable") {
+          const confirmDisable = await clack14.confirm({
+            message: "Are you sure? Any systems using these credentials will stop working immediately.",
+            initialValue: false
+          });
+          if (clack14.isCancel(confirmDisable) || !confirmDisable) {
+            clack14.log.info("SMTP credentials not disabled.");
+            process.exit(0);
+          }
+          updatedConfig = {
+            ...config2,
+            smtpCredentials: { enabled: false }
+          };
+          if (metadata.services.email) {
+            metadata.services.email.smtpCredentials = void 0;
+          }
+          newPreset = void 0;
+          break;
+        }
+        clack14.log.info(
+          "\nRotating credentials will invalidate your current SMTP password."
+        );
+        clack14.log.warn("You will need to update all systems using the old credentials.");
+        const confirmRotate = await clack14.confirm({
+          message: "Generate new SMTP credentials?",
+          initialValue: false
+        });
+        if (clack14.isCancel(confirmRotate) || !confirmRotate) {
+          clack14.log.info("Credential rotation cancelled.");
+          process.exit(0);
+        }
+      }
+      clack14.log.info(`
+${pc15.bold("SMTP Credentials for Legacy Systems")}
+`);
+      clack14.log.info(pc15.dim("Generate SMTP username/password that works with:"));
+      clack14.log.info(pc15.dim("  - PHP mail() and PHPMailer"));
+      clack14.log.info(pc15.dim("  - WordPress (WP Mail SMTP plugin)"));
+      clack14.log.info(pc15.dim("  - Nodemailer and other SMTP libraries"));
+      clack14.log.info(pc15.dim("  - Any SMTP-compatible email client"));
+      console.log("");
+      clack14.log.warn(
+        "Credentials will be shown ONCE after deployment - save them immediately!"
+      );
+      console.log("");
+      const confirmCreate = await clack14.confirm({
+        message: "Create SMTP credentials?",
+        initialValue: true
+      });
+      if (clack14.isCancel(confirmCreate) || !confirmCreate) {
+        clack14.log.info("SMTP credentials not created.");
+        process.exit(0);
+      }
+      updatedConfig = {
+        ...config2,
+        smtpCredentials: {
+          enabled: true,
+          createdAt: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      };
+      newPreset = void 0;
+      break;
+    }
   }
   const newCostData = calculateCosts(updatedConfig, 5e4);
   const costDiff = newCostData.total.monthly - currentCostData.total.monthly;
@@ -12643,7 +12868,12 @@ ${pc15.bold("Cost Impact:")}`);
                 acmCertificateValidationRecords: result.acmCertificateValidationRecords,
                 archiveArn: result.archiveArn,
                 archivingEnabled: result.archivingEnabled,
-                archiveRetention: result.archiveRetention
+                archiveRetention: result.archiveRetention,
+                // SMTP credentials (shown once)
+                smtpUserArn: result.smtpUserArn,
+                smtpUsername: result.smtpUsername,
+                smtpPassword: result.smtpPassword,
+                smtpEndpoint: result.smtpEndpoint
               };
             }
           },
@@ -12679,7 +12909,12 @@ ${pc15.bold("Cost Impact:")}`);
           acmCertificateValidationRecords: pulumiOutputs.acmCertificateValidationRecords?.value,
           archiveArn: pulumiOutputs.archiveArn?.value,
           archivingEnabled: pulumiOutputs.archivingEnabled?.value,
-          archiveRetention: pulumiOutputs.archiveRetention?.value
+          archiveRetention: pulumiOutputs.archiveRetention?.value,
+          // SMTP credentials (shown once)
+          smtpUserArn: pulumiOutputs.smtpUserArn?.value,
+          smtpUsername: pulumiOutputs.smtpUsername?.value,
+          smtpPassword: pulumiOutputs.smtpPassword?.value,
+          smtpEndpoint: pulumiOutputs.smtpEndpoint?.value
         };
       }
     );
@@ -12823,6 +13058,31 @@ ${pc15.green("\u2713")} ${pc15.bold("Upgrade complete!")}
       )
     );
   }
+  if (upgradeAction === "smtp-credentials" && outputs.smtpUsername && outputs.smtpPassword) {
+    console.log(pc15.bold("\n\u{1F4E7} SMTP Connection Details\n"));
+    console.log(`  ${pc15.cyan("Server:")}     ${outputs.smtpEndpoint}`);
+    console.log(`  ${pc15.cyan("Port:")}       587 (STARTTLS) or 465 (TLS)`);
+    console.log(`  ${pc15.cyan("Username:")}   ${outputs.smtpUsername}`);
+    console.log(`  ${pc15.cyan("Password:")}   ${outputs.smtpPassword}`);
+    console.log(`  ${pc15.cyan("Encryption:")} TLS/STARTTLS required
+`);
+    console.log(pc15.yellow("\u26A0\uFE0F  IMPORTANT: Save these credentials NOW!"));
+    console.log(pc15.yellow("   They cannot be retrieved later.\n"));
+    console.log(pc15.bold("  Environment Variables:\n"));
+    console.log(pc15.dim(`  SMTP_HOST=${outputs.smtpEndpoint}`));
+    console.log(pc15.dim(`  SMTP_PORT=587`));
+    console.log(pc15.dim(`  SMTP_USER=${outputs.smtpUsername}`));
+    console.log(pc15.dim(`  SMTP_PASS=${outputs.smtpPassword}
+`));
+    if (metadata.services.email && outputs.smtpUserArn) {
+      metadata.services.email.smtpCredentials = {
+        enabled: true,
+        iamUserArn: outputs.smtpUserArn,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      await saveConnectionMetadata(metadata);
+    }
+  }
   const enabledFeatures = [];
   if (updatedConfig.tracking?.enabled) {
     enabledFeatures.push("tracking");
@@ -12842,6 +13102,9 @@ ${pc15.green("\u2713")} ${pc15.bold("Upgrade complete!")}
   if (updatedConfig.emailArchiving?.enabled) {
     enabledFeatures.push("email_archiving");
   }
+  if (updatedConfig.smtpCredentials?.enabled) {
+    enabledFeatures.push("smtp_credentials");
+  }
   trackServiceUpgrade("email", {
     from_preset: metadata.services.email?.preset,
     to_preset: newPreset,
@@ -12945,10 +13208,10 @@ Run ${pc18.cyan("wraps email init")} to deploy infrastructure first.
     process.exit(1);
   }
   const roleName = "wraps-console-access-role";
-  const iam7 = new IAMClient2({ region: "us-east-1" });
+  const iam8 = new IAMClient2({ region: "us-east-1" });
   let roleExists4 = false;
   try {
-    await iam7.send(new GetRoleCommand({ RoleName: roleName }));
+    await iam8.send(new GetRoleCommand({ RoleName: roleName }));
     roleExists4 = true;
   } catch (error) {
     if (error && typeof error === "object" && "name" in error && error.name !== "NoSuchEntity") {
@@ -12989,7 +13252,7 @@ Run ${pc18.cyan("wraps email init")} to deploy infrastructure first.
   const smsEventTracking = smsConfig?.eventTracking;
   await progress.execute("Updating IAM role permissions", async () => {
     const { PutRolePolicyCommand } = await import("@aws-sdk/client-iam");
-    await iam7.send(
+    await iam8.send(
       new PutRolePolicyCommand({
         RoleName: roleName,
         PolicyName: "wraps-console-access-policy",
@@ -16014,15 +16277,15 @@ import pc22 from "picocolors";
 
 // src/infrastructure/sms-stack.ts
 init_esm_shims();
-import * as aws11 from "@pulumi/aws";
+import * as aws12 from "@pulumi/aws";
 import * as pulumi14 from "@pulumi/pulumi";
 async function roleExists2(roleName) {
   try {
     const { IAMClient: IAMClient3, GetRoleCommand: GetRoleCommand2 } = await import("@aws-sdk/client-iam");
-    const iam7 = new IAMClient3({
+    const iam8 = new IAMClient3({
       region: process.env.AWS_REGION || "us-east-1"
     });
-    await iam7.send(new GetRoleCommand2({ RoleName: roleName }));
+    await iam8.send(new GetRoleCommand2({ RoleName: roleName }));
     return true;
   } catch (error) {
     if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity") {
@@ -16092,7 +16355,7 @@ async function createSMSIAMRole(config2) {
   }
   const roleName = "wraps-sms-role";
   const exists = await roleExists2(roleName);
-  const role = exists ? new aws11.iam.Role(
+  const role = exists ? new aws12.iam.Role(
     roleName,
     {
       name: roleName,
@@ -16107,7 +16370,7 @@ async function createSMSIAMRole(config2) {
       import: roleName,
       customTimeouts: { create: "2m", update: "2m", delete: "2m" }
     }
-  ) : new aws11.iam.Role(
+  ) : new aws12.iam.Role(
     roleName,
     {
       name: roleName,
@@ -16202,7 +16465,7 @@ async function createSMSIAMRole(config2) {
       Resource: "arn:aws:logs:*:*:log-group:/aws/lambda/wraps-sms-*"
     });
   }
-  new aws11.iam.RolePolicy("wraps-sms-policy", {
+  new aws12.iam.RolePolicy("wraps-sms-policy", {
     role: role.name,
     policy: JSON.stringify({
       Version: "2012-10-17",
@@ -16212,7 +16475,7 @@ async function createSMSIAMRole(config2) {
   return role;
 }
 function createSMSConfigurationSet() {
-  return new aws11.pinpoint.Smsvoicev2ConfigurationSet("wraps-sms-config", {
+  return new aws12.pinpoint.Smsvoicev2ConfigurationSet("wraps-sms-config", {
     name: "wraps-sms-config",
     defaultMessageType: "TRANSACTIONAL",
     tags: {
@@ -16222,7 +16485,7 @@ function createSMSConfigurationSet() {
   });
 }
 function createSMSOptOutList() {
-  return new aws11.pinpoint.Smsvoicev2OptOutList("wraps-sms-optouts", {
+  return new aws12.pinpoint.Smsvoicev2OptOutList("wraps-sms-optouts", {
     name: "wraps-sms-optouts",
     tags: {
       ManagedBy: "wraps-cli",
@@ -16286,7 +16549,7 @@ async function createSMSPhoneNumber(phoneNumberType, optOutList) {
     }
   };
   if (existingArn) {
-    return new aws11.pinpoint.Smsvoicev2PhoneNumber(
+    return new aws12.pinpoint.Smsvoicev2PhoneNumber(
       "wraps-sms-number",
       phoneConfig,
       {
@@ -16295,7 +16558,7 @@ async function createSMSPhoneNumber(phoneNumberType, optOutList) {
       }
     );
   }
-  return new aws11.pinpoint.Smsvoicev2PhoneNumber(
+  return new aws12.pinpoint.Smsvoicev2PhoneNumber(
     "wraps-sms-number",
     phoneConfig,
     {
@@ -16338,10 +16601,10 @@ async function createSMSSQSResources() {
       Description: "Dead letter queue for failed SMS event processing"
     }
   };
-  const dlq = dlqUrl ? new aws11.sqs.Queue(dlqName, dlqConfig, {
+  const dlq = dlqUrl ? new aws12.sqs.Queue(dlqName, dlqConfig, {
     import: dlqUrl,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws11.sqs.Queue(dlqName, dlqConfig, {
+  }) : new aws12.sqs.Queue(dlqName, dlqConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
   const queueConfig = {
@@ -16364,10 +16627,10 @@ async function createSMSSQSResources() {
       Description: "Queue for SMS events from SNS"
     }
   };
-  const queue = queueUrl ? new aws11.sqs.Queue(queueName, queueConfig, {
+  const queue = queueUrl ? new aws12.sqs.Queue(queueName, queueConfig, {
     import: queueUrl,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws11.sqs.Queue(queueName, queueConfig, {
+  }) : new aws12.sqs.Queue(queueName, queueConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
   return { queue, dlq };
@@ -16407,13 +16670,13 @@ async function createSMSSNSResources(config2) {
       Description: "SNS topic for SMS delivery events"
     }
   };
-  const topic = topicArn ? new aws11.sns.Topic("wraps-sms-events-topic", topicConfig, {
+  const topic = topicArn ? new aws12.sns.Topic("wraps-sms-events-topic", topicConfig, {
     import: topicArn,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws11.sns.Topic("wraps-sms-events-topic", topicConfig, {
+  }) : new aws12.sns.Topic("wraps-sms-events-topic", topicConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
-  new aws11.sns.TopicPolicy("wraps-sms-events-topic-policy", {
+  new aws12.sns.TopicPolicy("wraps-sms-events-topic-policy", {
     arn: topic.arn,
     policy: topic.arn.apply(
       (topicArn2) => JSON.stringify({
@@ -16430,7 +16693,7 @@ async function createSMSSNSResources(config2) {
       })
     )
   });
-  new aws11.sqs.QueuePolicy("wraps-sms-events-queue-policy", {
+  new aws12.sqs.QueuePolicy("wraps-sms-events-queue-policy", {
     queueUrl: config2.queueUrl,
     policy: pulumi14.all([config2.queueArn, topic.arn]).apply(
       ([queueArn, topicArn2]) => JSON.stringify({
@@ -16449,7 +16712,7 @@ async function createSMSSNSResources(config2) {
       })
     )
   });
-  const subscription = new aws11.sns.TopicSubscription(
+  const subscription = new aws12.sns.TopicSubscription(
     "wraps-sms-events-subscription",
     {
       topic: topic.arn,
@@ -16498,17 +16761,17 @@ async function createSMSDynamoDBTable() {
       Service: "sms"
     }
   };
-  return exists ? new aws11.dynamodb.Table(tableName, tableConfig, {
+  return exists ? new aws12.dynamodb.Table(tableName, tableConfig, {
     import: tableName,
     customTimeouts: { create: "5m", update: "5m", delete: "5m" }
-  }) : new aws11.dynamodb.Table(tableName, tableConfig, {
+  }) : new aws12.dynamodb.Table(tableName, tableConfig, {
     customTimeouts: { create: "5m", update: "5m", delete: "5m" }
   });
 }
 async function deploySMSLambdaFunction(config2) {
   const { getLambdaCode: getLambdaCode2 } = await Promise.resolve().then(() => (init_lambda(), lambda_exports));
   const codeDir = await getLambdaCode2("sms-event-processor");
-  const lambdaRole = new aws11.iam.Role("wraps-sms-lambda-role", {
+  const lambdaRole = new aws12.iam.Role("wraps-sms-lambda-role", {
     name: "wraps-sms-lambda-role",
     assumeRolePolicy: JSON.stringify({
       Version: "2012-10-17",
@@ -16525,11 +16788,11 @@ async function deploySMSLambdaFunction(config2) {
       Service: "sms"
     }
   });
-  new aws11.iam.RolePolicyAttachment("wraps-sms-lambda-basic-execution", {
+  new aws12.iam.RolePolicyAttachment("wraps-sms-lambda-basic-execution", {
     role: lambdaRole.name,
     policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
   });
-  new aws11.iam.RolePolicy("wraps-sms-lambda-policy", {
+  new aws12.iam.RolePolicy("wraps-sms-lambda-policy", {
     role: lambdaRole.name,
     policy: pulumi14.all([config2.tableName, config2.queueArn]).apply(
       ([tableName, queueArn]) => JSON.stringify({
@@ -16561,7 +16824,7 @@ async function deploySMSLambdaFunction(config2) {
       })
     )
   });
-  const eventProcessor = new aws11.lambda.Function(
+  const eventProcessor = new aws12.lambda.Function(
     "wraps-sms-event-processor",
     {
       name: "wraps-sms-event-processor",
@@ -16588,7 +16851,7 @@ async function deploySMSLambdaFunction(config2) {
       customTimeouts: { create: "5m", update: "5m", delete: "2m" }
     }
   );
-  new aws11.lambda.EventSourceMapping(
+  new aws12.lambda.EventSourceMapping(
     "wraps-sms-event-source-mapping",
     {
       eventSourceArn: config2.queueArn,
@@ -16604,7 +16867,7 @@ async function deploySMSLambdaFunction(config2) {
   return eventProcessor;
 }
 async function deploySMSStack(config2) {
-  const identity = await aws11.getCallerIdentity();
+  const identity = await aws12.getCallerIdentity();
   const accountId = identity.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {
@@ -20152,12 +20415,12 @@ import pc31 from "picocolors";
 
 // src/infrastructure/storage-stack.ts
 init_esm_shims();
-import * as aws13 from "@pulumi/aws";
+import * as aws14 from "@pulumi/aws";
 import * as pulumi22 from "@pulumi/pulumi";
 
 // src/infrastructure/resources/s3-storage.ts
 init_esm_shims();
-import * as aws12 from "@pulumi/aws";
+import * as aws13 from "@pulumi/aws";
 import * as pulumi21 from "@pulumi/pulumi";
 function retentionToDays(retention) {
   switch (retention) {
@@ -20179,7 +20442,7 @@ function retentionToDays(retention) {
 }
 async function createStorageBucket(config2) {
   const bucketName = config2.storageConfig.bucketName || `wraps-storage-${config2.accountId}`;
-  const bucket = new aws12.s3.BucketV2("wraps-storage-bucket", {
+  const bucket = new aws13.s3.BucketV2("wraps-storage-bucket", {
     bucket: bucketName,
     tags: {
       ManagedBy: "wraps-cli",
@@ -20187,14 +20450,14 @@ async function createStorageBucket(config2) {
     }
   });
   if (config2.storageConfig.versioning) {
-    new aws12.s3.BucketVersioningV2("wraps-storage-versioning", {
+    new aws13.s3.BucketVersioningV2("wraps-storage-versioning", {
       bucket: bucket.id,
       versioningConfiguration: {
         status: "Enabled"
       }
     });
   }
-  new aws12.s3.BucketServerSideEncryptionConfigurationV2(
+  new aws13.s3.BucketServerSideEncryptionConfigurationV2(
     "wraps-storage-encryption",
     {
       bucket: bucket.id,
@@ -20220,7 +20483,7 @@ async function createStorageBucket(config2) {
     "http://localhost:8080",
     ...config2.storageConfig.additionalOrigins || []
   ];
-  new aws12.s3.BucketCorsConfigurationV2("wraps-storage-cors", {
+  new aws13.s3.BucketCorsConfigurationV2("wraps-storage-cors", {
     bucket: bucket.id,
     corsRules: [
       {
@@ -20234,7 +20497,7 @@ async function createStorageBucket(config2) {
   });
   const retentionDays = config2.storageConfig.retention ? retentionToDays(config2.storageConfig.retention) : null;
   if (retentionDays) {
-    new aws12.s3.BucketLifecycleConfigurationV2("wraps-storage-lifecycle", {
+    new aws13.s3.BucketLifecycleConfigurationV2("wraps-storage-lifecycle", {
       bucket: bucket.id,
       rules: [
         {
@@ -20247,7 +20510,7 @@ async function createStorageBucket(config2) {
       ]
     });
   }
-  new aws12.s3.BucketPublicAccessBlock("wraps-storage-public-access", {
+  new aws13.s3.BucketPublicAccessBlock("wraps-storage-public-access", {
     bucket: bucket.id,
     blockPublicAcls: true,
     blockPublicPolicy: true,
@@ -20261,10 +20524,10 @@ async function createStorageBucket(config2) {
   };
 }
 async function createStorageWAF() {
-  const usEast1Provider = new aws12.Provider("storage-waf-us-east-1", {
+  const usEast1Provider = new aws13.Provider("storage-waf-us-east-1", {
     region: "us-east-1"
   });
-  const webAcl = new aws12.wafv2.WebAcl(
+  const webAcl = new aws13.wafv2.WebAcl(
     "wraps-storage-waf",
     {
       scope: "CLOUDFRONT",
@@ -20316,7 +20579,7 @@ async function createStorageWAF() {
 }
 async function createStorageCDN(config2) {
   const webAcl = config2.wafEnabled ? await createStorageWAF() : void 0;
-  const oac = new aws12.cloudfront.OriginAccessControl("wraps-storage-oac", {
+  const oac = new aws13.cloudfront.OriginAccessControl("wraps-storage-oac", {
     name: "wraps-storage-oac",
     description: "OAC for Wraps storage S3 bucket",
     originAccessControlOriginType: "s3",
@@ -20351,7 +20614,7 @@ async function createStorageCDN(config2) {
   } : {
     restrictionType: "none"
   };
-  const distribution = new aws12.cloudfront.Distribution("wraps-storage-cdn", {
+  const distribution = new aws13.cloudfront.Distribution("wraps-storage-cdn", {
     enabled: true,
     comment: "Wraps storage CDN",
     aliases,
@@ -20394,7 +20657,7 @@ async function createStorageCDN(config2) {
       Service: "storage"
     }
   });
-  new aws12.s3.BucketPolicy("wraps-storage-bucket-policy", {
+  new aws13.s3.BucketPolicy("wraps-storage-bucket-policy", {
     bucket: config2.bucket.id,
     policy: pulumi21.interpolate`{
       "Version": "2012-10-17",
@@ -20423,10 +20686,10 @@ async function createStorageCDN(config2) {
   };
 }
 async function createStorageACMCertificate(config2) {
-  const usEast1Provider = new aws12.Provider("storage-acm-us-east-1", {
+  const usEast1Provider = new aws13.Provider("storage-acm-us-east-1", {
     region: "us-east-1"
   });
-  const certificate = new aws12.acm.Certificate(
+  const certificate = new aws13.acm.Certificate(
     "wraps-storage-cert",
     {
       domainName: config2.domain,
@@ -20450,7 +20713,7 @@ async function createStorageACMCertificate(config2) {
   );
   let certificateValidation;
   if (config2.hostedZoneId) {
-    const validationRecord = new aws12.route53.Record(
+    const validationRecord = new aws13.route53.Record(
       "wraps-storage-cert-validation",
       {
         zoneId: config2.hostedZoneId,
@@ -20460,7 +20723,7 @@ async function createStorageACMCertificate(config2) {
         ttl: 60
       }
     );
-    certificateValidation = new aws12.acm.CertificateValidation(
+    certificateValidation = new aws13.acm.CertificateValidation(
       "wraps-storage-cert-validation-waiter",
       {
         certificateArn: certificate.arn,
@@ -20482,10 +20745,10 @@ async function createStorageACMCertificate(config2) {
 async function roleExists3(roleName) {
   try {
     const { IAMClient: IAMClient3, GetRoleCommand: GetRoleCommand2 } = await import("@aws-sdk/client-iam");
-    const iam7 = new IAMClient3({
+    const iam8 = new IAMClient3({
       region: process.env.AWS_REGION || "us-east-1"
     });
-    await iam7.send(new GetRoleCommand2({ RoleName: roleName }));
+    await iam8.send(new GetRoleCommand2({ RoleName: roleName }));
     return true;
   } catch (error) {
     if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity") {
@@ -20532,7 +20795,7 @@ async function createStorageIAMRole(config2) {
   }
   const roleName = "wraps-storage-role";
   const exists = await roleExists3(roleName);
-  const role = exists ? new aws13.iam.Role(
+  const role = exists ? new aws14.iam.Role(
     roleName,
     {
       name: roleName,
@@ -20546,7 +20809,7 @@ async function createStorageIAMRole(config2) {
     {
       import: roleName
     }
-  ) : new aws13.iam.Role(roleName, {
+  ) : new aws14.iam.Role(roleName, {
     name: roleName,
     assumeRolePolicy,
     tags: {
@@ -20584,7 +20847,7 @@ async function createStorageIAMRole(config2) {
       Resource: config2.distributionArn
     });
   }
-  new aws13.iam.RolePolicy("wraps-storage-policy", {
+  new aws14.iam.RolePolicy("wraps-storage-policy", {
     role: role.name,
     policy: pulumi22.all([statements]).apply(
       ([stmts]) => JSON.stringify({