@wraps.dev/cli 2.1.0 → 2.2.1

package/dist/cli.js

@@ -147,7 +147,7 @@ var require_package = __commonJS({
   "package.json"(exports, module) {
     module.exports = {
       name: "@wraps.dev/cli",
-      version: "2.1.0",
+      version: "2.2.1",
       description: "CLI for deploying Wraps email infrastructure to your AWS account",
       type: "module",
       main: "./dist/cli.js",
@@ -647,6 +647,19 @@ To remove: wraps destroy --stack ${stackName}`,
         "SMS_SIMULATOR_LIMIT",
         "Upgrade to a toll-free number for production use:\n  wraps sms upgrade --phone-type toll-free",
         "https://wraps.dev/docs/cli-reference"
+      ),
+      // SMTP-specific errors
+      smtpRequiresSending: () => new WrapsError(
+        "SMTP credentials require email sending to be enabled",
+        "SMTP_REQUIRES_SENDING",
+        "Enable sending first:\n  wraps email upgrade\nAnd select 'Custom configuration' to enable sending.",
+        "https://wraps.dev/docs/cli-reference"
+      ),
+      smtpCredentialsNotFound: () => new WrapsError(
+        "SMTP credentials not found",
+        "SMTP_CREDENTIALS_NOT_FOUND",
+        "Enable SMTP credentials:\n  wraps email upgrade\nAnd select 'Enable SMTP credentials'",
+        "https://wraps.dev/docs/cli-reference"
       )
     };
   }
@@ -953,6 +966,15 @@ function calculateEmailArchivingCost(config2, emailsPerMonth) {
     description: `Email archiving (${retention}, ~${storageGB.toFixed(2)} GB at steady-state)`
   };
 }
+function calculateSMTPCredentialsCost(config2) {
+  if (!config2.smtpCredentials?.enabled) {
+    return;
+  }
+  return {
+    monthly: 0,
+    description: "SMTP credentials (no additional cost)"
+  };
+}
 function calculateCosts(config2, emailsPerMonth = 1e4) {
   const tracking = calculateTrackingCost(config2);
   const reputationMetrics = calculateReputationMetricsCost(config2);
@@ -961,8 +983,9 @@ function calculateCosts(config2, emailsPerMonth = 1e4) {
   const emailArchiving = calculateEmailArchivingCost(config2, emailsPerMonth);
   const dedicatedIp = calculateDedicatedIpCost(config2);
   const waf = calculateWafCost(config2, emailsPerMonth);
+  const smtpCredentials = calculateSMTPCredentialsCost(config2);
   const sesEmailCost = Math.max(0, emailsPerMonth - FREE_TIER.SES_EMAILS) * AWS_PRICING.SES_PER_EMAIL;
-  const totalMonthlyCost = sesEmailCost + (tracking?.monthly || 0) + (reputationMetrics?.monthly || 0) + (eventTracking?.monthly || 0) + (dynamoDBHistory?.monthly || 0) + (emailArchiving?.monthly || 0) + (dedicatedIp?.monthly || 0) + (waf?.monthly || 0);
+  const totalMonthlyCost = sesEmailCost + (tracking?.monthly || 0) + (reputationMetrics?.monthly || 0) + (eventTracking?.monthly || 0) + (dynamoDBHistory?.monthly || 0) + (emailArchiving?.monthly || 0) + (dedicatedIp?.monthly || 0) + (waf?.monthly || 0) + (smtpCredentials?.monthly || 0);
   return {
     tracking,
     reputationMetrics,
@@ -971,6 +994,7 @@ function calculateCosts(config2, emailsPerMonth = 1e4) {
     emailArchiving,
     dedicatedIp,
     waf,
+    smtpCredentials,
     total: {
       monthly: totalMonthlyCost,
       perEmail: AWS_PRICING.SES_PER_EMAIL,
@@ -1031,6 +1055,11 @@ function getCostSummary(config2, emailsPerMonth = 1e4) {
       `  - ${costs.waf.description}: ${formatCost(costs.waf.monthly)}`
     );
   }
+  if (costs.smtpCredentials) {
+    lines.push(
+      `  - ${costs.smtpCredentials.description}: ${formatCost(costs.smtpCredentials.monthly)}`
+    );
+  }
   return lines.join("\n");
 }
 var AWS_PRICING, FREE_TIER;
@@ -2317,6 +2346,11 @@ function applyConfigUpdates(existingConfig, updates) {
         ...result.emailArchiving,
         ...value
       };
+    } else if (key === "smtpCredentials" && typeof value === "object") {
+      result.smtpCredentials = {
+        ...result.smtpCredentials,
+        ...value
+      };
     } else {
       result[key] = value;
     }
@@ -2348,8 +2382,8 @@ function addServiceToConnection(accountId, region, provider, service, config2, p
         config: config2,
         deployedAt: timestamp
       };
-    } else if (service === "storage") {
-      existingMetadata.services.storage = {
+    } else if (service === "cdn") {
+      existingMetadata.services.cdn = {
         preset,
         config: config2,
         deployedAt: timestamp
@@ -2378,8 +2412,8 @@ function addServiceToConnection(accountId, region, provider, service, config2, p
       config: config2,
       deployedAt: timestamp
     };
-  } else if (service === "storage") {
-    metadata.services.storage = {
+  } else if (service === "cdn") {
+    metadata.services.cdn = {
       preset,
       config: config2,
       deployedAt: timestamp
@@ -2398,9 +2432,9 @@ function updateServiceConfig(metadata, service, config2) {
       ...metadata.services.sms.config,
       ...config2
     };
-  } else if (service === "storage" && metadata.services.storage) {
-    metadata.services.storage.config = {
-      ...metadata.services.storage.config,
+  } else if (service === "cdn" && metadata.services.cdn) {
+    metadata.services.cdn.config = {
+      ...metadata.services.cdn.config,
       ...config2
     };
   } else {
@@ -2415,8 +2449,8 @@ function removeServiceFromConnection(metadata, service) {
   } else if (service === "sms") {
     const { sms, ...rest } = metadata.services;
     metadata.services = rest;
-  } else if (service === "storage") {
-    const { storage, ...rest } = metadata.services;
+  } else if (service === "cdn") {
+    const { cdn, ...rest } = metadata.services;
     metadata.services = rest;
   }
   metadata.timestamp = (/* @__PURE__ */ new Date()).toISOString();
@@ -2428,8 +2462,8 @@ function hasService(metadata, service) {
   if (service === "sms") {
     return metadata.services.sms !== void 0;
   }
-  if (service === "storage") {
-    return metadata.services.storage !== void 0;
+  if (service === "cdn") {
+    return metadata.services.cdn !== void 0;
   }
   return false;
 }
@@ -2441,8 +2475,8 @@ function getConfiguredServices(metadata) {
   if (metadata.services.sms) {
     services.push("sms");
   }
-  if (metadata.services.storage) {
-    services.push("storage");
+  if (metadata.services.cdn) {
+    services.push("cdn");
   }
   return services;
 }
@@ -3230,12 +3264,12 @@ var acm_exports = {};
 __export(acm_exports, {
   createACMCertificate: () => createACMCertificate
 });
-import * as aws8 from "@pulumi/aws";
+import * as aws9 from "@pulumi/aws";
 async function createACMCertificate(config2) {
-  const usEast1Provider = new aws8.Provider("acm-us-east-1", {
+  const usEast1Provider = new aws9.Provider("acm-us-east-1", {
     region: "us-east-1"
   });
-  const certificate = new aws8.acm.Certificate(
+  const certificate = new aws9.acm.Certificate(
     "wraps-email-tracking-cert",
     {
       domainName: config2.domain,
@@ -3258,7 +3292,7 @@ async function createACMCertificate(config2) {
   );
   let certificateValidation;
   if (config2.hostedZoneId) {
-    const validationRecord = new aws8.route53.Record(
+    const validationRecord = new aws9.route53.Record(
       "wraps-email-tracking-cert-validation",
       {
         zoneId: config2.hostedZoneId,
@@ -3268,7 +3302,7 @@ async function createACMCertificate(config2) {
         ttl: 60
       }
     );
-    certificateValidation = new aws8.acm.CertificateValidation(
+    certificateValidation = new aws9.acm.CertificateValidation(
       "wraps-email-tracking-cert-validation-waiter",
       {
         certificateArn: certificate.arn,
@@ -3297,7 +3331,7 @@ var cloudfront_exports = {};
 __export(cloudfront_exports, {
   createCloudFrontTracking: () => createCloudFrontTracking
 });
-import * as aws9 from "@pulumi/aws";
+import * as aws10 from "@pulumi/aws";
 async function findDistributionByAlias(alias) {
   try {
     const { CloudFrontClient, ListDistributionsCommand } = await import("@aws-sdk/client-cloudfront");
@@ -3313,10 +3347,10 @@ async function findDistributionByAlias(alias) {
   }
 }
 async function createWAFWebACL() {
-  const usEast1Provider = new aws9.Provider("waf-us-east-1", {
+  const usEast1Provider = new aws10.Provider("waf-us-east-1", {
     region: "us-east-1"
   });
-  const webAcl = new aws9.wafv2.WebAcl(
+  const webAcl = new aws10.wafv2.WebAcl(
     "wraps-email-tracking-waf",
     {
       scope: "CLOUDFRONT",
@@ -3431,14 +3465,14 @@ async function createCloudFrontTracking(config2) {
       Description: "Wraps email tracking CloudFront distribution"
     }
   };
-  const distribution = existingDistributionId ? new aws9.cloudfront.Distribution(
+  const distribution = existingDistributionId ? new aws10.cloudfront.Distribution(
     "wraps-email-tracking-cdn",
     distributionConfig,
     {
       import: existingDistributionId
       // Import existing distribution
     }
-  ) : new aws9.cloudfront.Distribution(
+  ) : new aws10.cloudfront.Distribution(
     "wraps-email-tracking-cdn",
     distributionConfig
   );
@@ -8143,7 +8177,7 @@ import pc8 from "picocolors";
 
 // src/infrastructure/email-stack.ts
 init_esm_shims();
-import * as aws10 from "@pulumi/aws";
+import * as aws11 from "@pulumi/aws";
 import * as pulumi4 from "@pulumi/pulumi";
 
 // src/infrastructure/resources/dynamodb.ts
@@ -8366,10 +8400,10 @@ import * as pulumi2 from "@pulumi/pulumi";
 async function roleExists(roleName) {
   try {
     const { IAMClient: IAMClient3, GetRoleCommand: GetRoleCommand2 } = await import("@aws-sdk/client-iam");
-    const iam7 = new IAMClient3({
+    const iam8 = new IAMClient3({
       region: process.env.AWS_REGION || "us-east-1"
     });
-    await iam7.send(new GetRoleCommand2({ RoleName: roleName }));
+    await iam8.send(new GetRoleCommand2({ RoleName: roleName }));
     return true;
   } catch (error) {
     if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity") {
@@ -8728,11 +8762,93 @@ async function createSESResources(config2) {
   };
 }
 
-// src/infrastructure/resources/sqs.ts
+// src/infrastructure/resources/smtp-credentials.ts
 init_esm_shims();
 import * as aws6 from "@pulumi/aws";
+import { createHmac } from "crypto";
+function convertToSMTPPassword(secretAccessKey, region) {
+  const DATE = "11111111";
+  const SERVICE = "ses";
+  const MESSAGE = "SendRawEmail";
+  const TERMINAL = "aws4_request";
+  const VERSION2 = 4;
+  const kDate = createHmac("sha256", `AWS4${secretAccessKey}`).update(DATE).digest();
+  const kRegion = createHmac("sha256", kDate).update(region).digest();
+  const kService = createHmac("sha256", kRegion).update(SERVICE).digest();
+  const kTerminal = createHmac("sha256", kService).update(TERMINAL).digest();
+  const kMessage = createHmac("sha256", kTerminal).update(MESSAGE).digest();
+  const signatureWithVersion = Buffer.concat([Buffer.from([VERSION2]), kMessage]);
+  return signatureWithVersion.toString("base64");
+}
+async function userExists(userName) {
+  try {
+    const { IAMClient: IAMClient3, GetUserCommand } = await import("@aws-sdk/client-iam");
+    const iam8 = new IAMClient3({ region: process.env.AWS_REGION || "us-east-1" });
+    await iam8.send(new GetUserCommand({ UserName: userName }));
+    return true;
+  } catch (error) {
+    if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity") {
+      return false;
+    }
+    return false;
+  }
+}
+async function createSMTPCredentials(config2) {
+  const userName = "wraps-email-smtp-user";
+  const userAlreadyExists = await userExists(userName);
+  const iamUser = userAlreadyExists ? new aws6.iam.User(
+    userName,
+    {
+      name: userName,
+      tags: {
+        ManagedBy: "wraps-cli",
+        Purpose: "SES SMTP Authentication"
+      }
+    },
+    { import: userName }
+  ) : new aws6.iam.User(userName, {
+    name: userName,
+    tags: {
+      ManagedBy: "wraps-cli",
+      Purpose: "SES SMTP Authentication"
+    }
+  });
+  new aws6.iam.UserPolicy("wraps-email-smtp-policy", {
+    user: iamUser.name,
+    policy: JSON.stringify({
+      Version: "2012-10-17",
+      Statement: [
+        {
+          Effect: "Allow",
+          Action: "ses:SendRawEmail",
+          Resource: "*",
+          Condition: {
+            StringEquals: {
+              "ses:ConfigurationSetName": config2.configSetName
+            }
+          }
+        }
+      ]
+    })
+  });
+  const accessKey = new aws6.iam.AccessKey("wraps-email-smtp-key", {
+    user: iamUser.name
+  });
+  const smtpPassword = accessKey.secret.apply(
+    (secret) => convertToSMTPPassword(secret, config2.region)
+  );
+  return {
+    iamUser,
+    accessKey,
+    smtpPassword
+  };
+}
+
+// src/infrastructure/resources/sqs.ts
+init_esm_shims();
+import * as aws7 from "@pulumi/aws";
 async function createSQSResources() {
-  const dlq = new aws6.sqs.Queue("wraps-email-events-dlq", {
+  const dlq = new aws7.sqs.Queue("wraps-email-events-dlq", {
     name: "wraps-email-events-dlq",
     messageRetentionSeconds: 1209600,
     // 14 days
@@ -8741,7 +8857,7 @@ async function createSQSResources() {
       Description: "Dead letter queue for failed SES event processing"
     }
   });
-  const queue = new aws6.sqs.Queue("wraps-email-events", {
+  const queue = new aws7.sqs.Queue("wraps-email-events", {
     name: "wraps-email-events",
     visibilityTimeoutSeconds: 300,
     // 5 minutes (Lambda timeout)
@@ -8769,14 +8885,14 @@ async function createSQSResources() {
 
 // src/infrastructure/vercel-oidc.ts
 init_esm_shims();
-import * as aws7 from "@pulumi/aws";
+import * as aws8 from "@pulumi/aws";
 async function getExistingOIDCProviderArn(url) {
   try {
     const { IAMClient: IAMClient3, ListOpenIDConnectProvidersCommand } = await import("@aws-sdk/client-iam");
-    const iam7 = new IAMClient3({
+    const iam8 = new IAMClient3({
       region: process.env.AWS_REGION || "us-east-1"
     });
-    const response = await iam7.send(new ListOpenIDConnectProvidersCommand({}));
+    const response = await iam8.send(new ListOpenIDConnectProvidersCommand({}));
     const expectedArnSuffix = url.replace("https://", "");
     const provider = response.OpenIDConnectProviderList?.find(
       (p) => p.Arn?.endsWith(expectedArnSuffix)
@@ -8791,7 +8907,7 @@ async function createVercelOIDC(config2) {
   const url = `https://oidc.vercel.com/${config2.teamSlug}`;
   const existingArn = await getExistingOIDCProviderArn(url);
   if (existingArn) {
-    return new aws7.iam.OpenIdConnectProvider(
+    return new aws8.iam.OpenIdConnectProvider(
       "wraps-vercel-oidc",
       {
         url,
@@ -8812,7 +8928,7 @@ async function createVercelOIDC(config2) {
       }
     );
   }
-  return new aws7.iam.OpenIdConnectProvider("wraps-vercel-oidc", {
+  return new aws8.iam.OpenIdConnectProvider("wraps-vercel-oidc", {
     url,
     clientIdLists: [`https://vercel.com/${config2.teamSlug}`],
     thumbprintLists: [
@@ -8829,7 +8945,7 @@ async function createVercelOIDC(config2) {
 
 // src/infrastructure/email-stack.ts
 async function deployEmailStack(config2) {
-  const identity = await aws10.getCallerIdentity();
+  const identity = await aws11.getCallerIdentity();
   const accountId = identity.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {
@@ -8934,6 +9050,13 @@ async function deployEmailStack(config2) {
       region: config2.region
     });
   }
+  let smtpResources;
+  if (emailConfig.smtpCredentials?.enabled && sesResources) {
+    smtpResources = await createSMTPCredentials({
+      configSetName: "wraps-email-tracking",
+      region: config2.region
+    });
+  }
   return {
     roleArn: role.arn,
     configSetName: sesResources?.configSet.configurationSetName,
@@ -8953,7 +9076,12 @@ async function deployEmailStack(config2) {
     mailFromDomain: sesResources?.mailFromDomain,
     archiveArn: archiveResources?.archiveArn,
     archivingEnabled: emailConfig.emailArchiving?.enabled,
-    archiveRetention: emailConfig.emailArchiving?.enabled ? emailConfig.emailArchiving.retention : void 0
+    archiveRetention: emailConfig.emailArchiving?.enabled ? emailConfig.emailArchiving.retention : void 0,
+    // SMTP credentials (shown once, not stored)
+    smtpUserArn: smtpResources?.iamUser.arn,
+    smtpUsername: smtpResources?.accessKey.id,
+    smtpPassword: smtpResources?.smtpPassword,
+    smtpEndpoint: smtpResources ? `email-smtp.${config2.region}.amazonaws.com` : void 0
   };
 }
 
@@ -10000,13 +10128,13 @@ async function scanLambdaFunctions(region) {
   }
 }
 async function scanIAMRoles(region) {
-  const iam7 = new IAMClient({ region });
+  const iam8 = new IAMClient({ region });
   const roles = [];
   try {
     let marker;
     let hasMore = true;
     while (hasMore) {
-      const listResponse = await iam7.send(
+      const listResponse = await iam8.send(
         new ListRolesCommand({
           Marker: marker,
           MaxItems: 100
@@ -11901,6 +12029,11 @@ ${pc15.bold("Current Configuration:")}
         value: "wraps-dashboard",
         label: metadata.services.email?.webhookSecret ? "Manage Wraps Dashboard connection" : "Connect to Wraps Dashboard",
         hint: metadata.services.email?.webhookSecret ? "Regenerate secret or disconnect" : "Send events to dashboard for analytics"
+      },
+      {
+        value: "smtp-credentials",
+        label: metadata.services.email?.smtpCredentials?.enabled ? "Manage SMTP credentials" : "Enable SMTP credentials",
+        hint: metadata.services.email?.smtpCredentials?.enabled ? "Rotate or disable credentials" : "Generate credentials for PHP, WordPress, etc."
       }
     ]
   });
@@ -12492,6 +12625,98 @@ ${pc15.bold("Webhook Configuration:")}`);
       newPreset = void 0;
       break;
     }
+    case "smtp-credentials": {
+      if (metadata.services.email?.smtpCredentials?.enabled) {
+        clack14.log.info(
+          `SMTP credentials are currently ${pc15.green("enabled")} (created ${metadata.services.email.smtpCredentials.createdAt})`
+        );
+        const smtpAction = await clack14.select({
+          message: "What would you like to do?",
+          options: [
+            {
+              value: "rotate",
+              label: "Rotate credentials",
+              hint: "Generate new credentials (invalidates old ones)"
+            },
+            {
+              value: "disable",
+              label: "Disable SMTP credentials",
+              hint: "Delete IAM user and credentials"
+            },
+            {
+              value: "cancel",
+              label: "Cancel",
+              hint: "Keep current credentials"
+            }
+          ]
+        });
+        if (clack14.isCancel(smtpAction) || smtpAction === "cancel") {
+          clack14.log.info("No changes made.");
+          process.exit(0);
+        }
+        if (smtpAction === "disable") {
+          const confirmDisable = await clack14.confirm({
+            message: "Are you sure? Any systems using these credentials will stop working immediately.",
+            initialValue: false
+          });
+          if (clack14.isCancel(confirmDisable) || !confirmDisable) {
+            clack14.log.info("SMTP credentials not disabled.");
+            process.exit(0);
+          }
+          updatedConfig = {
+            ...config2,
+            smtpCredentials: { enabled: false }
+          };
+          if (metadata.services.email) {
+            metadata.services.email.smtpCredentials = void 0;
+          }
+          newPreset = void 0;
+          break;
+        }
+        clack14.log.info(
+          "\nRotating credentials will invalidate your current SMTP password."
+        );
+        clack14.log.warn("You will need to update all systems using the old credentials.");
+        const confirmRotate = await clack14.confirm({
+          message: "Generate new SMTP credentials?",
+          initialValue: false
+        });
+        if (clack14.isCancel(confirmRotate) || !confirmRotate) {
+          clack14.log.info("Credential rotation cancelled.");
+          process.exit(0);
+        }
+      }
+      clack14.log.info(`
+${pc15.bold("SMTP Credentials for Legacy Systems")}
+`);
+      clack14.log.info(pc15.dim("Generate SMTP username/password that works with:"));
+      clack14.log.info(pc15.dim("  - PHP mail() and PHPMailer"));
+      clack14.log.info(pc15.dim("  - WordPress (WP Mail SMTP plugin)"));
+      clack14.log.info(pc15.dim("  - Nodemailer and other SMTP libraries"));
+      clack14.log.info(pc15.dim("  - Any SMTP-compatible email client"));
+      console.log("");
+      clack14.log.warn(
+        "Credentials will be shown ONCE after deployment - save them immediately!"
+      );
+      console.log("");
+      const confirmCreate = await clack14.confirm({
+        message: "Create SMTP credentials?",
+        initialValue: true
+      });
+      if (clack14.isCancel(confirmCreate) || !confirmCreate) {
+        clack14.log.info("SMTP credentials not created.");
+        process.exit(0);
+      }
+      updatedConfig = {
+        ...config2,
+        smtpCredentials: {
+          enabled: true,
+          createdAt: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      };
+      newPreset = void 0;
+      break;
+    }
   }
   const newCostData = calculateCosts(updatedConfig, 5e4);
   const costDiff = newCostData.total.monthly - currentCostData.total.monthly;
@@ -12643,7 +12868,12 @@ ${pc15.bold("Cost Impact:")}`);
                 acmCertificateValidationRecords: result.acmCertificateValidationRecords,
                 archiveArn: result.archiveArn,
                 archivingEnabled: result.archivingEnabled,
-                archiveRetention: result.archiveRetention
+                archiveRetention: result.archiveRetention,
+                // SMTP credentials (shown once)
+                smtpUserArn: result.smtpUserArn,
+                smtpUsername: result.smtpUsername,
+                smtpPassword: result.smtpPassword,
+                smtpEndpoint: result.smtpEndpoint
               };
             }
           },
@@ -12679,7 +12909,12 @@ ${pc15.bold("Cost Impact:")}`);
           acmCertificateValidationRecords: pulumiOutputs.acmCertificateValidationRecords?.value,
           archiveArn: pulumiOutputs.archiveArn?.value,
           archivingEnabled: pulumiOutputs.archivingEnabled?.value,
-          archiveRetention: pulumiOutputs.archiveRetention?.value
+          archiveRetention: pulumiOutputs.archiveRetention?.value,
+          // SMTP credentials (shown once)
+          smtpUserArn: pulumiOutputs.smtpUserArn?.value,
+          smtpUsername: pulumiOutputs.smtpUsername?.value,
+          smtpPassword: pulumiOutputs.smtpPassword?.value,
+          smtpEndpoint: pulumiOutputs.smtpEndpoint?.value
         };
       }
     );
@@ -12823,6 +13058,31 @@ ${pc15.green("\u2713")} ${pc15.bold("Upgrade complete!")}
       )
     );
   }
+  if (upgradeAction === "smtp-credentials" && outputs.smtpUsername && outputs.smtpPassword) {
+    console.log(pc15.bold("\n\u{1F4E7} SMTP Connection Details\n"));
+    console.log(`  ${pc15.cyan("Server:")}     ${outputs.smtpEndpoint}`);
+    console.log(`  ${pc15.cyan("Port:")}       587 (STARTTLS) or 465 (TLS)`);
+    console.log(`  ${pc15.cyan("Username:")}   ${outputs.smtpUsername}`);
+    console.log(`  ${pc15.cyan("Password:")}   ${outputs.smtpPassword}`);
+    console.log(`  ${pc15.cyan("Encryption:")} TLS/STARTTLS required
+`);
+    console.log(pc15.yellow("\u26A0\uFE0F  IMPORTANT: Save these credentials NOW!"));
+    console.log(pc15.yellow("   They cannot be retrieved later.\n"));
+    console.log(pc15.bold("  Environment Variables:\n"));
+    console.log(pc15.dim(`  SMTP_HOST=${outputs.smtpEndpoint}`));
+    console.log(pc15.dim(`  SMTP_PORT=587`));
+    console.log(pc15.dim(`  SMTP_USER=${outputs.smtpUsername}`));
+    console.log(pc15.dim(`  SMTP_PASS=${outputs.smtpPassword}
+`));
+    if (metadata.services.email && outputs.smtpUserArn) {
+      metadata.services.email.smtpCredentials = {
+        enabled: true,
+        iamUserArn: outputs.smtpUserArn,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      await saveConnectionMetadata(metadata);
+    }
+  }
   const enabledFeatures = [];
   if (updatedConfig.tracking?.enabled) {
     enabledFeatures.push("tracking");
@@ -12842,6 +13102,9 @@ ${pc15.green("\u2713")} ${pc15.bold("Upgrade complete!")}
   if (updatedConfig.emailArchiving?.enabled) {
     enabledFeatures.push("email_archiving");
   }
+  if (updatedConfig.smtpCredentials?.enabled) {
+    enabledFeatures.push("smtp_credentials");
+  }
   trackServiceUpgrade("email", {
     from_preset: metadata.services.email?.preset,
     to_preset: newPreset,
@@ -12945,10 +13208,10 @@ Run ${pc18.cyan("wraps email init")} to deploy infrastructure first.
     process.exit(1);
   }
   const roleName = "wraps-console-access-role";
-  const iam7 = new IAMClient2({ region: "us-east-1" });
+  const iam8 = new IAMClient2({ region: "us-east-1" });
   let roleExists4 = false;
   try {
-    await iam7.send(new GetRoleCommand({ RoleName: roleName }));
+    await iam8.send(new GetRoleCommand({ RoleName: roleName }));
     roleExists4 = true;
   } catch (error) {
     if (error && typeof error === "object" && "name" in error && error.name !== "NoSuchEntity") {
@@ -12989,7 +13252,7 @@ Run ${pc18.cyan("wraps email init")} to deploy infrastructure first.
   const smsEventTracking = smsConfig?.eventTracking;
   await progress.execute("Updating IAM role permissions", async () => {
     const { PutRolePolicyCommand } = await import("@aws-sdk/client-iam");
-    await iam7.send(
+    await iam8.send(
       new PutRolePolicyCommand({
         RoleName: roleName,
         PolicyName: "wraps-console-access-policy",
@@ -15113,11 +15376,11 @@ function createSMSRouter(config2) {
   return router;
 }
 
-// src/console/routes/storage.ts
+// src/console/routes/cdn.ts
 init_esm_shims();
 init_metadata();
 import { Router as createRouter6 } from "express";
-function createStorageRouter(config2) {
+function createCdnRouter(config2) {
   const router = createRouter6();
   router.get("/settings", async (_req, res) => {
     try {
@@ -15125,36 +15388,36 @@ function createStorageRouter(config2) {
         config2.accountId || "",
         config2.region
       );
-      if (!metadata?.services.storage) {
+      if (!metadata?.services.cdn) {
         return res.status(404).json({
-          error: "No storage infrastructure found for this account and region"
+          error: "No CDN infrastructure found for this account and region"
         });
       }
-      const storageService = metadata.services.storage;
-      const storageConfig = storageService.config;
+      const cdnService = metadata.services.cdn;
+      const cdnConfig = cdnService.config;
       const settings = {
-        bucketName: config2.storageBucketName || `wraps-storage-${config2.accountId}`,
-        bucketArn: `arn:aws:s3:::${config2.storageBucketName || `wraps-storage-${config2.accountId}`}`,
+        bucketName: config2.cdnBucketName || `wraps-cdn-${config2.accountId}`,
+        bucketArn: `arn:aws:s3:::${config2.cdnBucketName || `wraps-cdn-${config2.accountId}`}`,
         region: config2.region,
-        roleArn: config2.storageRoleArn || config2.roleArn,
+        roleArn: config2.cdnRoleArn || config2.roleArn,
         cdn: {
-          enabled: storageConfig.cdn?.enabled ?? false,
-          distributionId: config2.storageDistributionId,
-          distributionDomain: config2.storageDistributionDomain,
-          customDomain: storageConfig.cdn?.customDomain,
-          status: config2.storageDistributionId ? "Deployed" : void 0
+          enabled: cdnConfig.cdn?.enabled ?? false,
+          distributionId: config2.cdnDistributionId,
+          distributionDomain: config2.cdnDistributionDomain,
+          customDomain: cdnConfig.cdn?.customDomain,
+          status: config2.cdnDistributionId ? "Deployed" : void 0
         },
-        certificate: storageConfig.cdn?.customDomain ? {
-          arn: config2.storageCertificateArn,
-          status: config2.storageCertificateArn ? "ISSUED" : "PENDING_VALIDATION"
+        certificate: cdnConfig.cdn?.customDomain ? {
+          arn: config2.cdnCertificateArn,
+          status: config2.cdnCertificateArn ? "ISSUED" : "PENDING_VALIDATION"
         } : void 0,
-        versioning: storageConfig.versioning ?? false,
-        retention: storageConfig.retention
+        versioning: cdnConfig.versioning ?? false,
+        retention: cdnConfig.retention
       };
       res.json(settings);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : "Unknown error";
-      console.error("[Storage] Error fetching settings:", error);
+      console.error("[CDN] Error fetching settings:", error);
       res.status(500).json({ error: errorMessage });
     }
   });
@@ -15164,16 +15427,16 @@ function createStorageRouter(config2) {
         config2.accountId || "",
         config2.region
       );
-      if (!metadata?.services.storage) {
+      if (!metadata?.services.cdn) {
         return res.status(404).json({
-          error: "No storage infrastructure found for this account and region"
+          error: "No CDN infrastructure found for this account and region"
         });
       }
-      const bucketName = config2.storageBucketName || `wraps-storage-${config2.accountId}`;
+      const bucketName = config2.cdnBucketName || `wraps-cdn-${config2.accountId}`;
       const { S3Client, ListObjectsV2Command, GetObjectTaggingCommand } = await import("@aws-sdk/client-s3");
       const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
-      const credentials = config2.storageRoleArn || config2.roleArn ? await assumeRole2(
-        config2.storageRoleArn || config2.roleArn,
+      const credentials = config2.cdnRoleArn || config2.roleArn ? await assumeRole2(
+        config2.cdnRoleArn || config2.roleArn,
         config2.region
       ) : void 0;
       const s3Client = new S3Client({ region: config2.region, credentials });
@@ -15183,7 +15446,7 @@ function createStorageRouter(config2) {
           MaxKeys: 100
         })
       );
-      const cdnUrl = config2.storageDistributionDomain ? `https://${metadata.services.storage.config.cdn?.customDomain || config2.storageDistributionDomain}` : null;
+      const cdnUrl = config2.cdnDistributionDomain ? `https://${metadata.services.cdn.config.cdn?.customDomain || config2.cdnDistributionDomain}` : null;
       const getContentType = (key) => {
         const ext = key.split(".").pop()?.toLowerCase();
         const mimeTypes = {
@@ -15246,15 +15509,15 @@ function createStorageRouter(config2) {
       res.json({
         bucketName,
         region: config2.region,
-        cdnDomain: config2.storageDistributionDomain,
-        customDomain: metadata.services.storage.config.cdn?.customDomain,
+        cdnDomain: config2.cdnDistributionDomain,
+        customDomain: metadata.services.cdn.config.cdn?.customDomain,
         files,
         totalSize,
         fileCount: files.length
       });
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : "Unknown error";
-      console.error("[Storage] Error fetching files:", error);
+      console.error("[CDN] Error fetching files:", error);
       res.status(500).json({ error: errorMessage });
     }
   });
@@ -15266,16 +15529,16 @@ function createStorageRouter(config2) {
         config2.accountId || "",
         config2.region
       );
-      if (!metadata?.services.storage) {
+      if (!metadata?.services.cdn) {
         return res.status(404).json({
-          error: "No storage infrastructure found for this account and region"
+          error: "No CDN infrastructure found for this account and region"
         });
       }
-      const bucketName = config2.storageBucketName || `wraps-storage-${config2.accountId}`;
+      const bucketName = config2.cdnBucketName || `wraps-cdn-${config2.accountId}`;
       const { CloudWatchClient: CloudWatchClient3, GetMetricStatisticsCommand } = await import("@aws-sdk/client-cloudwatch");
       const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
-      const credentials = config2.storageRoleArn || config2.roleArn ? await assumeRole2(
-        config2.storageRoleArn || config2.roleArn,
+      const credentials = config2.cdnRoleArn || config2.roleArn ? await assumeRole2(
+        config2.cdnRoleArn || config2.roleArn,
         config2.region
       ) : void 0;
       const cloudWatchClient = new CloudWatchClient3({
@@ -15317,7 +15580,7 @@ function createStorageRouter(config2) {
         );
         numberOfObjects = objectsResponse.Datapoints?.[0]?.Average || 0;
       } catch (err) {
-        console.log("[Storage] CloudWatch metrics not available yet");
+        console.log("[CDN] CloudWatch metrics not available yet");
       }
       const usage = [];
       const bandwidth = [];
@@ -15353,7 +15616,7 @@ function createStorageRouter(config2) {
       });
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : "Unknown error";
-      console.error("[Storage] Error fetching metrics:", error);
+      console.error("[CDN] Error fetching metrics:", error);
       res.status(500).json({ error: errorMessage });
     }
   });
@@ -15367,17 +15630,17 @@ function createStorageRouter(config2) {
         config2.accountId || "",
         config2.region
       );
-      if (!metadata?.services.storage) {
+      if (!metadata?.services.cdn) {
         return res.status(404).json({
-          error: "No storage infrastructure found for this account and region"
+          error: "No CDN infrastructure found for this account and region"
         });
       }
-      const bucketName = config2.storageBucketName || `wraps-storage-${config2.accountId}`;
+      const bucketName = config2.cdnBucketName || `wraps-cdn-${config2.accountId}`;
       const { S3Client, PutObjectCommand } = await import("@aws-sdk/client-s3");
       const { getSignedUrl } = await import("@aws-sdk/s3-request-presigner");
       const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
-      const credentials = config2.storageRoleArn || config2.roleArn ? await assumeRole2(
-        config2.storageRoleArn || config2.roleArn,
+      const credentials = config2.cdnRoleArn || config2.roleArn ? await assumeRole2(
+        config2.cdnRoleArn || config2.roleArn,
         config2.region
       ) : void 0;
       const s3Client = new S3Client({ region: config2.region, credentials });
@@ -15390,7 +15653,7 @@ function createStorageRouter(config2) {
         expiresIn: 3600
         // 1 hour
       });
-      const cdnUrl = metadata.services.storage.config.cdn?.customDomain ? `https://${metadata.services.storage.config.cdn.customDomain}/${filename}` : config2.storageDistributionDomain ? `https://${config2.storageDistributionDomain}/${filename}` : `s3://${bucketName}/${filename}`;
+      const cdnUrl = metadata.services.cdn.config.cdn?.customDomain ? `https://${metadata.services.cdn.config.cdn.customDomain}/${filename}` : config2.cdnDistributionDomain ? `https://${config2.cdnDistributionDomain}/${filename}` : `s3://${bucketName}/${filename}`;
       res.json({
         uploadUrl,
         cdnUrl,
@@ -15399,7 +15662,7 @@ function createStorageRouter(config2) {
       });
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : "Unknown error";
-      console.error("[Storage] Error generating upload URL:", error);
+      console.error("[CDN] Error generating upload URL:", error);
       res.status(500).json({ error: errorMessage });
     }
   });
@@ -15417,16 +15680,16 @@ function createStorageRouter(config2) {
         config2.accountId || "",
         config2.region
       );
-      if (!metadata?.services.storage) {
+      if (!metadata?.services.cdn) {
         return res.status(404).json({
-          error: "No storage infrastructure found for this account and region"
+          error: "No CDN infrastructure found for this account and region"
         });
       }
-      const bucketName = config2.storageBucketName || `wraps-storage-${config2.accountId}`;
+      const bucketName = config2.cdnBucketName || `wraps-cdn-${config2.accountId}`;
       const { S3Client, GetObjectTaggingCommand, PutObjectTaggingCommand } = await import("@aws-sdk/client-s3");
       const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
-      const credentials = config2.storageRoleArn || config2.roleArn ? await assumeRole2(
-        config2.storageRoleArn || config2.roleArn,
+      const credentials = config2.cdnRoleArn || config2.roleArn ? await assumeRole2(
+        config2.cdnRoleArn || config2.roleArn,
         config2.region
       ) : void 0;
       const s3Client = new S3Client({ region: config2.region, credentials });
@@ -15458,7 +15721,7 @@ function createStorageRouter(config2) {
       res.json({ success: true, key, starred });
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : "Unknown error";
-      console.error("[Storage] Error toggling star:", error);
+      console.error("[CDN] Error toggling star:", error);
       res.status(500).json({ error: errorMessage });
     }
   });
@@ -15472,16 +15735,16 @@ function createStorageRouter(config2) {
         config2.accountId || "",
         config2.region
       );
-      if (!metadata?.services.storage) {
+      if (!metadata?.services.cdn) {
         return res.status(404).json({
-          error: "No storage infrastructure found for this account and region"
+          error: "No CDN infrastructure found for this account and region"
         });
       }
-      const bucketName = config2.storageBucketName || `wraps-storage-${config2.accountId}`;
+      const bucketName = config2.cdnBucketName || `wraps-cdn-${config2.accountId}`;
       const { S3Client, DeleteObjectCommand } = await import("@aws-sdk/client-s3");
       const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
-      const credentials = config2.storageRoleArn || config2.roleArn ? await assumeRole2(
-        config2.storageRoleArn || config2.roleArn,
+      const credentials = config2.cdnRoleArn || config2.roleArn ? await assumeRole2(
+        config2.cdnRoleArn || config2.roleArn,
         config2.region
       ) : void 0;
       const s3Client = new S3Client({ region: config2.region, credentials });
@@ -15494,7 +15757,7 @@ function createStorageRouter(config2) {
       res.json({ success: true, key });
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : "Unknown error";
-      console.error("[Storage] Error deleting file:", error);
+      console.error("[CDN] Error deleting file:", error);
       res.status(500).json({ error: errorMessage });
     }
   });
@@ -15511,16 +15774,16 @@ function createStorageRouter(config2) {
         config2.accountId || "",
         config2.region
       );
-      if (!metadata?.services.storage) {
+      if (!metadata?.services.cdn) {
         return res.status(404).json({
-          error: "No storage infrastructure found for this account and region"
+          error: "No CDN infrastructure found for this account and region"
         });
       }
-      const bucketName = config2.storageBucketName || `wraps-storage-${config2.accountId}`;
+      const bucketName = config2.cdnBucketName || `wraps-cdn-${config2.accountId}`;
       const { S3Client, CopyObjectCommand, DeleteObjectCommand } = await import("@aws-sdk/client-s3");
       const { assumeRole: assumeRole2 } = await Promise.resolve().then(() => (init_assume_role(), assume_role_exports));
-      const credentials = config2.storageRoleArn || config2.roleArn ? await assumeRole2(
-        config2.storageRoleArn || config2.roleArn,
+      const credentials = config2.cdnRoleArn || config2.roleArn ? await assumeRole2(
+        config2.cdnRoleArn || config2.roleArn,
         config2.region
       ) : void 0;
       const s3Client = new S3Client({ region: config2.region, credentials });
@@ -15537,11 +15800,11 @@ function createStorageRouter(config2) {
           Key: oldKey
         })
       );
-      const cdnUrl = metadata.services.storage.config.cdn?.customDomain ? `https://${metadata.services.storage.config.cdn.customDomain}/${newKey}` : config2.storageDistributionDomain ? `https://${config2.storageDistributionDomain}/${newKey}` : `s3://${bucketName}/${newKey}`;
+      const cdnUrl = metadata.services.cdn.config.cdn?.customDomain ? `https://${metadata.services.cdn.config.cdn.customDomain}/${newKey}` : config2.cdnDistributionDomain ? `https://${config2.cdnDistributionDomain}/${newKey}` : `s3://${bucketName}/${newKey}`;
       res.json({ success: true, oldKey, newKey, cdnUrl });
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : "Unknown error";
-      console.error("[Storage] Error renaming file:", error);
+      console.error("[CDN] Error renaming file:", error);
       res.status(500).json({ error: errorMessage });
     }
   });
@@ -15641,7 +15904,7 @@ async function startConsoleServer(config2) {
   app.use((_req, res, next) => {
     res.setHeader("X-Frame-Options", "DENY");
     res.setHeader("X-Content-Type-Options", "nosniff");
-    const customDomainSrc = config2.storageCustomDomain ? ` https://${config2.storageCustomDomain}` : "";
+    const customDomainSrc = config2.cdnCustomDomain ? ` https://${config2.cdnCustomDomain}` : "";
     res.setHeader(
       "Content-Security-Policy",
       `default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https://*.amazonaws.com https://*.cloudfront.net${customDomainSrc}; connect-src 'self' https://*.amazonaws.com https://*.cloudfront.net${customDomainSrc}`
@@ -15675,9 +15938,9 @@ async function startConsoleServer(config2) {
   app.use("/api/user", authenticateToken(authToken), createUserRouter(config2));
   app.use("/api/sms", authenticateToken(authToken), createSMSRouter(config2));
   app.use(
-    "/api/storage",
+    "/api/cdn",
     authenticateToken(authToken),
-    createStorageRouter(config2)
+    createCdnRouter(config2)
   );
   const staticDir = path2.join(__dirname2, "console");
   app.use(express.static(staticDir));
@@ -15763,15 +16026,15 @@ async function dashboard(options) {
   const smsPhoneNumberArn = smsStackOutputs.phoneNumberArn?.value;
   const smsPhoneNumberType = smsStackOutputs.phoneNumberType?.value;
   const smsConfigSetName = smsStackOutputs.configSetName?.value;
-  const storageBucketName = storageStackOutputs.bucketName?.value;
-  const storageDistributionId = storageStackOutputs.distributionId?.value;
-  const storageDistributionDomain = storageStackOutputs.distributionDomain?.value;
-  const storageCertificateArn = storageStackOutputs.acmCertificateArn?.value;
+  const cdnBucketName = storageStackOutputs.bucketName?.value;
+  const cdnDistributionId = storageStackOutputs.distributionId?.value;
+  const cdnDistributionDomain = storageStackOutputs.distributionDomain?.value;
+  const cdnCertificateArn = storageStackOutputs.acmCertificateArn?.value;
   let smsProtectEnabled = false;
   let smsAllowedCountries;
   let smsAitFiltering;
   let smsArchiveRetention;
-  let storageCustomDomain;
+  let cdnCustomDomain;
   try {
     const metadata = await loadConnectionMetadata(identity.accountId, region);
     if (metadata?.services?.sms?.config) {
@@ -15785,8 +16048,8 @@ async function dashboard(options) {
         smsArchiveRetention = smsConfig.eventTracking.archiveRetention;
       }
     }
-    if (metadata?.services?.storage?.config?.cdn?.customDomain) {
-      storageCustomDomain = metadata.services.storage.config.cdn.customDomain;
+    if (metadata?.services?.cdn?.config?.cdn?.customDomain) {
+      cdnCustomDomain = metadata.services.cdn.config.cdn.customDomain;
     }
   } catch {
   }
@@ -15817,13 +16080,13 @@ async function dashboard(options) {
     smsAitFiltering,
     smsArchiveRetention,
     // Storage config (don't pass roleArn - use current credentials like email)
-    storageBucketName,
-    storageRoleArn: void 0,
+    cdnBucketName,
+    cdnRoleArn: void 0,
     // Use current credentials instead of assuming role
-    storageDistributionId,
-    storageDistributionDomain,
-    storageCustomDomain,
-    storageCertificateArn
+    cdnDistributionId,
+    cdnDistributionDomain,
+    cdnCustomDomain,
+    cdnCertificateArn
   });
   console.log(`\\n${pc19.bold("Dashboard:")} ${pc19.cyan(url)}`);
   console.log(`${pc19.dim("Press Ctrl+C to stop")}\\n`);
@@ -16014,15 +16277,15 @@ import pc22 from "picocolors";
 
 // src/infrastructure/sms-stack.ts
 init_esm_shims();
-import * as aws11 from "@pulumi/aws";
+import * as aws12 from "@pulumi/aws";
 import * as pulumi14 from "@pulumi/pulumi";
 async function roleExists2(roleName) {
   try {
     const { IAMClient: IAMClient3, GetRoleCommand: GetRoleCommand2 } = await import("@aws-sdk/client-iam");
-    const iam7 = new IAMClient3({
+    const iam8 = new IAMClient3({
       region: process.env.AWS_REGION || "us-east-1"
     });
-    await iam7.send(new GetRoleCommand2({ RoleName: roleName }));
+    await iam8.send(new GetRoleCommand2({ RoleName: roleName }));
     return true;
   } catch (error) {
     if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity") {
@@ -16092,7 +16355,7 @@ async function createSMSIAMRole(config2) {
   }
   const roleName = "wraps-sms-role";
   const exists = await roleExists2(roleName);
-  const role = exists ? new aws11.iam.Role(
+  const role = exists ? new aws12.iam.Role(
     roleName,
     {
       name: roleName,
@@ -16107,7 +16370,7 @@ async function createSMSIAMRole(config2) {
       import: roleName,
       customTimeouts: { create: "2m", update: "2m", delete: "2m" }
     }
-  ) : new aws11.iam.Role(
+  ) : new aws12.iam.Role(
     roleName,
     {
       name: roleName,
@@ -16202,7 +16465,7 @@ async function createSMSIAMRole(config2) {
       Resource: "arn:aws:logs:*:*:log-group:/aws/lambda/wraps-sms-*"
     });
   }
-  new aws11.iam.RolePolicy("wraps-sms-policy", {
+  new aws12.iam.RolePolicy("wraps-sms-policy", {
     role: role.name,
     policy: JSON.stringify({
       Version: "2012-10-17",
@@ -16212,7 +16475,7 @@ async function createSMSIAMRole(config2) {
   return role;
 }
 function createSMSConfigurationSet() {
-  return new aws11.pinpoint.Smsvoicev2ConfigurationSet("wraps-sms-config", {
+  return new aws12.pinpoint.Smsvoicev2ConfigurationSet("wraps-sms-config", {
     name: "wraps-sms-config",
     defaultMessageType: "TRANSACTIONAL",
     tags: {
@@ -16222,7 +16485,7 @@ function createSMSConfigurationSet() {
   });
 }
 function createSMSOptOutList() {
-  return new aws11.pinpoint.Smsvoicev2OptOutList("wraps-sms-optouts", {
+  return new aws12.pinpoint.Smsvoicev2OptOutList("wraps-sms-optouts", {
     name: "wraps-sms-optouts",
     tags: {
       ManagedBy: "wraps-cli",
@@ -16286,7 +16549,7 @@ async function createSMSPhoneNumber(phoneNumberType, optOutList) {
     }
   };
   if (existingArn) {
-    return new aws11.pinpoint.Smsvoicev2PhoneNumber(
+    return new aws12.pinpoint.Smsvoicev2PhoneNumber(
       "wraps-sms-number",
       phoneConfig,
       {
@@ -16295,7 +16558,7 @@ async function createSMSPhoneNumber(phoneNumberType, optOutList) {
       }
     );
   }
-  return new aws11.pinpoint.Smsvoicev2PhoneNumber(
+  return new aws12.pinpoint.Smsvoicev2PhoneNumber(
     "wraps-sms-number",
     phoneConfig,
     {
@@ -16338,10 +16601,10 @@ async function createSMSSQSResources() {
       Description: "Dead letter queue for failed SMS event processing"
     }
   };
-  const dlq = dlqUrl ? new aws11.sqs.Queue(dlqName, dlqConfig, {
+  const dlq = dlqUrl ? new aws12.sqs.Queue(dlqName, dlqConfig, {
     import: dlqUrl,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws11.sqs.Queue(dlqName, dlqConfig, {
+  }) : new aws12.sqs.Queue(dlqName, dlqConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
   const queueConfig = {
@@ -16364,10 +16627,10 @@ async function createSMSSQSResources() {
       Description: "Queue for SMS events from SNS"
     }
   };
-  const queue = queueUrl ? new aws11.sqs.Queue(queueName, queueConfig, {
+  const queue = queueUrl ? new aws12.sqs.Queue(queueName, queueConfig, {
     import: queueUrl,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws11.sqs.Queue(queueName, queueConfig, {
+  }) : new aws12.sqs.Queue(queueName, queueConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
   return { queue, dlq };
@@ -16407,13 +16670,13 @@ async function createSMSSNSResources(config2) {
       Description: "SNS topic for SMS delivery events"
     }
   };
-  const topic = topicArn ? new aws11.sns.Topic("wraps-sms-events-topic", topicConfig, {
+  const topic = topicArn ? new aws12.sns.Topic("wraps-sms-events-topic", topicConfig, {
     import: topicArn,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws11.sns.Topic("wraps-sms-events-topic", topicConfig, {
+  }) : new aws12.sns.Topic("wraps-sms-events-topic", topicConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
-  new aws11.sns.TopicPolicy("wraps-sms-events-topic-policy", {
+  new aws12.sns.TopicPolicy("wraps-sms-events-topic-policy", {
     arn: topic.arn,
     policy: topic.arn.apply(
       (topicArn2) => JSON.stringify({
@@ -16430,7 +16693,7 @@ async function createSMSSNSResources(config2) {
       })
     )
   });
-  new aws11.sqs.QueuePolicy("wraps-sms-events-queue-policy", {
+  new aws12.sqs.QueuePolicy("wraps-sms-events-queue-policy", {
     queueUrl: config2.queueUrl,
     policy: pulumi14.all([config2.queueArn, topic.arn]).apply(
       ([queueArn, topicArn2]) => JSON.stringify({
@@ -16449,7 +16712,7 @@ async function createSMSSNSResources(config2) {
       })
     )
   });
-  const subscription = new aws11.sns.TopicSubscription(
+  const subscription = new aws12.sns.TopicSubscription(
     "wraps-sms-events-subscription",
     {
       topic: topic.arn,
@@ -16498,17 +16761,17 @@ async function createSMSDynamoDBTable() {
       Service: "sms"
     }
   };
-  return exists ? new aws11.dynamodb.Table(tableName, tableConfig, {
+  return exists ? new aws12.dynamodb.Table(tableName, tableConfig, {
     import: tableName,
     customTimeouts: { create: "5m", update: "5m", delete: "5m" }
-  }) : new aws11.dynamodb.Table(tableName, tableConfig, {
+  }) : new aws12.dynamodb.Table(tableName, tableConfig, {
     customTimeouts: { create: "5m", update: "5m", delete: "5m" }
   });
 }
 async function deploySMSLambdaFunction(config2) {
   const { getLambdaCode: getLambdaCode2 } = await Promise.resolve().then(() => (init_lambda(), lambda_exports));
   const codeDir = await getLambdaCode2("sms-event-processor");
-  const lambdaRole = new aws11.iam.Role("wraps-sms-lambda-role", {
+  const lambdaRole = new aws12.iam.Role("wraps-sms-lambda-role", {
     name: "wraps-sms-lambda-role",
     assumeRolePolicy: JSON.stringify({
       Version: "2012-10-17",
@@ -16525,11 +16788,11 @@ async function deploySMSLambdaFunction(config2) {
       Service: "sms"
     }
   });
-  new aws11.iam.RolePolicyAttachment("wraps-sms-lambda-basic-execution", {
+  new aws12.iam.RolePolicyAttachment("wraps-sms-lambda-basic-execution", {
     role: lambdaRole.name,
     policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
   });
-  new aws11.iam.RolePolicy("wraps-sms-lambda-policy", {
+  new aws12.iam.RolePolicy("wraps-sms-lambda-policy", {
     role: lambdaRole.name,
     policy: pulumi14.all([config2.tableName, config2.queueArn]).apply(
       ([tableName, queueArn]) => JSON.stringify({
@@ -16561,7 +16824,7 @@ async function deploySMSLambdaFunction(config2) {
       })
     )
   });
-  const eventProcessor = new aws11.lambda.Function(
+  const eventProcessor = new aws12.lambda.Function(
     "wraps-sms-event-processor",
     {
       name: "wraps-sms-event-processor",
@@ -16588,7 +16851,7 @@ async function deploySMSLambdaFunction(config2) {
       customTimeouts: { create: "5m", update: "5m", delete: "2m" }
     }
   );
-  new aws11.lambda.EventSourceMapping(
+  new aws12.lambda.EventSourceMapping(
     "wraps-sms-event-source-mapping",
     {
       eventSourceArn: config2.queueArn,
@@ -16604,7 +16867,7 @@ async function deploySMSLambdaFunction(config2) {
   return eventProcessor;
 }
 async function deploySMSStack(config2) {
-  const identity = await aws11.getCallerIdentity();
+  const identity = await aws12.getCallerIdentity();
   const accountId = identity.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {
@@ -19843,7 +20106,7 @@ Run ${pc29.cyan(`wraps sms verify-number --phone-number ${phoneNumber} --resend`
   }
 }
 
-// src/commands/storage/destroy.ts
+// src/commands/cdn/destroy.ts
 init_esm_shims();
 init_events();
 init_route53();
@@ -19854,11 +20117,11 @@ init_metadata();
 import * as clack28 from "@clack/prompts";
 import * as pulumi20 from "@pulumi/pulumi";
 import pc30 from "picocolors";
-async function storageDestroy(options) {
+async function cdnDestroy(options) {
   const startTime = Date.now();
   clack28.intro(
     pc30.bold(
-      options.preview ? "Storage Infrastructure Destruction Preview" : "Storage Infrastructure Teardown"
+      options.preview ? "CDN Infrastructure Destruction Preview" : "CDN Infrastructure Teardown"
     )
   );
   const progress = new DeploymentProgress();
@@ -19868,16 +20131,16 @@ async function storageDestroy(options) {
   );
   let region = options.region || await getAWSRegion();
   if (!(options.region || process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION)) {
-    const storageConnections = await findConnectionsWithService(
+    const cdnConnections = await findConnectionsWithService(
       identity.accountId,
-      "storage"
+      "cdn"
     );
-    if (storageConnections.length === 1) {
-      region = storageConnections[0].region;
-    } else if (storageConnections.length > 1) {
+    if (cdnConnections.length === 1) {
+      region = cdnConnections[0].region;
+    } else if (cdnConnections.length > 1) {
       const selectedRegion = await clack28.select({
-        message: "Multiple storage deployments found. Which region to destroy?",
-        options: storageConnections.map((conn) => ({
+        message: "Multiple CDN deployments found. Which region to destroy?",
+        options: cdnConnections.map((conn) => ({
           value: conn.region,
           label: conn.region
         }))
@@ -19890,17 +20153,17 @@ async function storageDestroy(options) {
     }
   }
   const metadata = await loadConnectionMetadata(identity.accountId, region);
-  const storageService = metadata?.services?.storage;
-  const storageConfig = storageService?.config;
-  const customDomain = storageConfig?.cdn?.customDomain;
-  const storedStackName = storageService?.pulumiStackName;
+  const cdnService = metadata?.services?.cdn;
+  const cdnConfig = cdnService?.config;
+  const customDomain = cdnConfig?.cdn?.customDomain;
+  const storedStackName = cdnService?.pulumiStackName;
   if (!(options.force || options.preview)) {
     clack28.log.warn(
       pc30.yellow("This will delete your S3 bucket and all files in it!")
     );
     const confirmed = await clack28.confirm({
       message: pc30.red(
-        "Are you sure you want to destroy all storage infrastructure?"
+        "Are you sure you want to destroy all CDN infrastructure?"
       ),
       initialValue: false
     });
@@ -19935,7 +20198,7 @@ async function storageDestroy(options) {
         "Generating destruction preview",
         async () => {
           await ensurePulumiWorkDir();
-          const stackName = storedStackName || `wraps-storage-${identity.accountId}-${region}`;
+          const stackName = storedStackName || `wraps-cdn-${identity.accountId}-${region}`;
           let stack;
           try {
             stack = await pulumi20.automation.LocalWorkspace.selectStack({
@@ -19943,7 +20206,7 @@ async function storageDestroy(options) {
               workDir: getPulumiWorkDir()
             });
           } catch (_error) {
-            throw new Error("No storage infrastructure found to preview");
+            throw new Error("No CDN infrastructure found to preview");
           }
           const result = await previewWithResourceChanges(stack, {
             diff: true
@@ -19955,7 +20218,7 @@ async function storageDestroy(options) {
         changeSummary: previewResult.changeSummary,
         resourceChanges: previewResult.resourceChanges,
         costEstimate: "Monthly cost after destruction: $0.00",
-        commandName: "wraps storage destroy"
+        commandName: "wraps cdn destroy"
       });
       if (customDomain) {
         const previewHostedZone = await findHostedZone(customDomain, region);
@@ -19968,7 +20231,7 @@ async function storageDestroy(options) {
       clack28.outro(
         pc30.green("Preview complete. Run without --preview to destroy.")
       );
-      trackServiceRemoved("storage", {
+      trackServiceRemoved("cdn", {
         preview: true,
         region,
         duration_ms: Date.now() - startTime
@@ -19976,8 +20239,8 @@ async function storageDestroy(options) {
       return;
     } catch (error) {
       progress.stop();
-      if (error.message.includes("No storage infrastructure found")) {
-        clack28.log.warn("No storage infrastructure found to preview");
+      if (error.message.includes("No CDN infrastructure found")) {
+        clack28.log.warn("No CDN infrastructure found to preview");
         process.exit(0);
       }
       trackError("PREVIEW_FAILED", "storage destroy", { step: "preview" });
@@ -19989,7 +20252,7 @@ async function storageDestroy(options) {
       await progress.execute(
         `Deleting DNS records for ${customDomain}`,
         async () => {
-          await deleteStorageDNSRecords(hostedZone.id, customDomain);
+          await deleteCdnDNSRecords(hostedZone.id, customDomain);
         }
       );
     } catch (error) {
@@ -19997,7 +20260,7 @@ async function storageDestroy(options) {
       clack28.log.info("You may need to delete them manually from Route53");
     }
   }
-  const bucketName = `wraps-storage-${identity.accountId}`;
+  const bucketName = `wraps-cdn-${identity.accountId}`;
   try {
     await progress.execute(
       "Emptying S3 bucket (this may take a while for large buckets)",
@@ -20010,10 +20273,10 @@ async function storageDestroy(options) {
   }
   try {
     await progress.execute(
-      "Destroying storage infrastructure (this may take 2-3 minutes)",
+      "Destroying CDN infrastructure (this may take 2-3 minutes)",
       async () => {
         await ensurePulumiWorkDir();
-        const stackName = storedStackName || `wraps-storage-${identity.accountId}-${region}`;
+        const stackName = storedStackName || `wraps-cdn-${identity.accountId}-${region}`;
         let stack;
         try {
           stack = await pulumi20.automation.LocalWorkspace.selectStack({
@@ -20021,7 +20284,7 @@ async function storageDestroy(options) {
             workDir: getPulumiWorkDir()
           });
         } catch (_error) {
-          throw new Error("No storage infrastructure found to destroy");
+          throw new Error("No CDN infrastructure found to destroy");
         }
         await stack.destroy({ onOutput: () => {
         } });
@@ -20030,10 +20293,10 @@ async function storageDestroy(options) {
     );
   } catch (error) {
     progress.stop();
-    if (error.message.includes("No storage infrastructure found")) {
-      clack28.log.warn("No storage infrastructure found");
+    if (error.message.includes("No CDN infrastructure found")) {
+      clack28.log.warn("No CDN infrastructure found");
       if (metadata) {
-        removeServiceFromConnection(metadata, "storage");
+        removeServiceFromConnection(metadata, "cdn");
         await saveConnectionMetadata(metadata);
       }
       process.exit(0);
@@ -20043,11 +20306,11 @@ async function storageDestroy(options) {
       throw errors.stackLocked();
     }
     trackError("DESTROY_FAILED", "storage destroy", { step: "destroy" });
-    clack28.log.error("Storage infrastructure destruction failed");
+    clack28.log.error("CDN infrastructure destruction failed");
     throw error;
   }
   if (metadata) {
-    removeServiceFromConnection(metadata, "storage");
+    removeServiceFromConnection(metadata, "cdn");
     const hasOtherServices = Object.keys(metadata.services).length > 0;
     if (hasOtherServices) {
       await saveConnectionMetadata(metadata);
@@ -20061,7 +20324,7 @@ async function storageDestroy(options) {
   if (shouldCleanDNS && hostedZone) {
     deletedItems.push("Route53 DNS records");
   }
-  clack28.outro(pc30.green("Storage infrastructure has been removed"));
+  clack28.outro(pc30.green("CDN infrastructure has been removed"));
   console.log(`
 ${pc30.bold("Cleaned up:")}`);
   for (const item of deletedItems) {
@@ -20069,10 +20332,10 @@ ${pc30.bold("Cleaned up:")}`);
   }
   console.log(
     `
-Run ${pc30.cyan("wraps storage init")} to deploy storage infrastructure again.
+Run ${pc30.cyan("wraps cdn init")} to deploy CDN infrastructure again.
 `
   );
-  trackServiceRemoved("storage", {
+  trackServiceRemoved("cdn", {
     reason: "user_initiated",
     region,
     duration_ms: Date.now() - startTime,
@@ -20111,7 +20374,7 @@ async function emptyS3Bucket(bucketName, region) {
     versionIdMarker = listResponse.NextVersionIdMarker;
   } while (keyMarker);
 }
-async function deleteStorageDNSRecords(hostedZoneId, customDomain) {
+async function deleteCdnDNSRecords(hostedZoneId, customDomain) {
   const {
     Route53Client: Route53Client2,
     ListResourceRecordSetsCommand: ListResourceRecordSetsCommand2,
@@ -20144,20 +20407,20 @@ async function deleteStorageDNSRecords(hostedZoneId, customDomain) {
   );
 }
 
-// src/commands/storage/init.ts
+// src/commands/cdn/init.ts
 init_esm_shims();
 import * as clack29 from "@clack/prompts";
 import * as pulumi23 from "@pulumi/pulumi";
 import pc31 from "picocolors";
 
-// src/infrastructure/storage-stack.ts
+// src/infrastructure/cdn-stack.ts
 init_esm_shims();
-import * as aws13 from "@pulumi/aws";
+import * as aws14 from "@pulumi/aws";
 import * as pulumi22 from "@pulumi/pulumi";
 
-// src/infrastructure/resources/s3-storage.ts
+// src/infrastructure/resources/s3-cdn.ts
 init_esm_shims();
-import * as aws12 from "@pulumi/aws";
+import * as aws13 from "@pulumi/aws";
 import * as pulumi21 from "@pulumi/pulumi";
 function retentionToDays(retention) {
   switch (retention) {
@@ -20177,25 +20440,25 @@ function retentionToDays(retention) {
       return null;
   }
 }
-async function createStorageBucket(config2) {
-  const bucketName = config2.storageConfig.bucketName || `wraps-storage-${config2.accountId}`;
-  const bucket = new aws12.s3.BucketV2("wraps-storage-bucket", {
+async function createCdnBucket(config2) {
+  const bucketName = config2.cdnConfig.bucketName || `wraps-cdn-${config2.accountId}`;
+  const bucket = new aws13.s3.BucketV2("wraps-cdn-bucket", {
     bucket: bucketName,
     tags: {
       ManagedBy: "wraps-cli",
-      Service: "storage"
+      Service: "cdn"
     }
   });
-  if (config2.storageConfig.versioning) {
-    new aws12.s3.BucketVersioningV2("wraps-storage-versioning", {
+  if (config2.cdnConfig.versioning) {
+    new aws13.s3.BucketVersioningV2("wraps-cdn-versioning", {
       bucket: bucket.id,
       versioningConfiguration: {
         status: "Enabled"
       }
     });
   }
-  new aws12.s3.BucketServerSideEncryptionConfigurationV2(
-    "wraps-storage-encryption",
+  new aws13.s3.BucketServerSideEncryptionConfigurationV2(
+    "wraps-cdn-encryption",
     {
       bucket: bucket.id,
       rules: [
@@ -20218,9 +20481,9 @@ async function createStorageBucket(config2) {
     "http://localhost:5555",
     "http://localhost:5556",
     "http://localhost:8080",
-    ...config2.storageConfig.additionalOrigins || []
+    ...config2.cdnConfig.additionalOrigins || []
   ];
-  new aws12.s3.BucketCorsConfigurationV2("wraps-storage-cors", {
+  new aws13.s3.BucketCorsConfigurationV2("wraps-cdn-cors", {
     bucket: bucket.id,
     corsRules: [
       {
@@ -20232,9 +20495,9 @@ async function createStorageBucket(config2) {
       }
     ]
   });
-  const retentionDays = config2.storageConfig.retention ? retentionToDays(config2.storageConfig.retention) : null;
+  const retentionDays = config2.cdnConfig.retention ? retentionToDays(config2.cdnConfig.retention) : null;
   if (retentionDays) {
-    new aws12.s3.BucketLifecycleConfigurationV2("wraps-storage-lifecycle", {
+    new aws13.s3.BucketLifecycleConfigurationV2("wraps-cdn-lifecycle", {
       bucket: bucket.id,
       rules: [
         {
@@ -20247,7 +20510,7 @@ async function createStorageBucket(config2) {
       ]
     });
   }
-  new aws12.s3.BucketPublicAccessBlock("wraps-storage-public-access", {
+  new aws13.s3.BucketPublicAccessBlock("wraps-cdn-public-access", {
     bucket: bucket.id,
     blockPublicAcls: true,
     blockPublicPolicy: true,
@@ -20260,16 +20523,16 @@ async function createStorageBucket(config2) {
     bucketArn: bucket.arn
   };
 }
-async function createStorageWAF() {
-  const usEast1Provider = new aws12.Provider("storage-waf-us-east-1", {
+async function createCdnWAF() {
+  const usEast1Provider = new aws13.Provider("storage-waf-us-east-1", {
     region: "us-east-1"
   });
-  const webAcl = new aws12.wafv2.WebAcl(
-    "wraps-storage-waf",
+  const webAcl = new aws13.wafv2.WebAcl(
+    "wraps-cdn-waf",
     {
       scope: "CLOUDFRONT",
       // WAF for CloudFront must use CLOUDFRONT scope
-      description: "Rate limiting protection for Wraps storage CDN",
+      description: "Rate limiting protection for Wraps CDN",
       defaultAction: {
         allow: {}
         // Allow by default
@@ -20292,20 +20555,20 @@ async function createStorageWAF() {
           visibilityConfig: {
             sampledRequestsEnabled: true,
             cloudwatchMetricsEnabled: true,
-            metricName: "StorageRateLimitRule"
+            metricName: "CdnRateLimitRule"
           }
         }
       ],
       visibilityConfig: {
         sampledRequestsEnabled: true,
         cloudwatchMetricsEnabled: true,
-        metricName: "wraps-storage-waf"
+        metricName: "wraps-cdn-waf"
       },
       tags: {
-        Name: "wraps-storage-waf",
+        Name: "wraps-cdn-waf",
         ManagedBy: "wraps-cli",
-        Service: "storage",
-        Description: "WAF for Wraps storage CDN with rate limiting"
+        Service: "cdn",
+        Description: "WAF for Wraps CDN with rate limiting"
       }
     },
     {
@@ -20314,11 +20577,11 @@ async function createStorageWAF() {
   );
   return webAcl;
 }
-async function createStorageCDN(config2) {
-  const webAcl = config2.wafEnabled ? await createStorageWAF() : void 0;
-  const oac = new aws12.cloudfront.OriginAccessControl("wraps-storage-oac", {
-    name: "wraps-storage-oac",
-    description: "OAC for Wraps storage S3 bucket",
+async function createCdnDistribution(config2) {
+  const webAcl = config2.wafEnabled ? await createCdnWAF() : void 0;
+  const oac = new aws13.cloudfront.OriginAccessControl("wraps-cdn-oac", {
+    name: "wraps-cdn-oac",
+    description: "OAC for Wraps CDN S3 bucket",
     originAccessControlOriginType: "s3",
     signingBehavior: "always",
     signingProtocol: "sigv4"
@@ -20333,7 +20596,7 @@ async function createStorageCDN(config2) {
   };
   const originConfig = {
     domainName: config2.bucket.bucketRegionalDomainName,
-    originId: "s3-storage",
+    originId: "s3-cdn",
     originAccessControlId: oac.id
   };
   if (config2.originShield) {
@@ -20351,9 +20614,9 @@ async function createStorageCDN(config2) {
   } : {
     restrictionType: "none"
   };
-  const distribution = new aws12.cloudfront.Distribution("wraps-storage-cdn", {
+  const distribution = new aws13.cloudfront.Distribution("wraps-cdn-cdn", {
     enabled: true,
-    comment: "Wraps storage CDN",
+    comment: "Wraps CDN",
     aliases,
     // Attach WAF Web ACL for rate limiting protection (only if enabled)
     webAclId: webAcl?.arn,
@@ -20361,7 +20624,7 @@ async function createStorageCDN(config2) {
     origins: [originConfig],
     // Default cache behavior for static assets
     defaultCacheBehavior: {
-      targetOriginId: "s3-storage",
+      targetOriginId: "s3-cdn",
       viewerProtocolPolicy: "redirect-to-https",
       // Allow GET, HEAD, OPTIONS only (uploads go direct to S3 via presigned URLs)
       allowedMethods: ["GET", "HEAD", "OPTIONS"],
@@ -20389,12 +20652,12 @@ async function createStorageCDN(config2) {
     // SSL certificate
     viewerCertificate,
     tags: {
-      Name: "wraps-storage",
+      Name: "wraps-cdn",
       ManagedBy: "wraps-cli",
-      Service: "storage"
+      Service: "cdn"
     }
   });
-  new aws12.s3.BucketPolicy("wraps-storage-bucket-policy", {
+  new aws13.s3.BucketPolicy("wraps-cdn-bucket-policy", {
     bucket: config2.bucket.id,
     policy: pulumi21.interpolate`{
       "Version": "2012-10-17",
@@ -20422,19 +20685,19 @@ async function createStorageCDN(config2) {
     webAcl
   };
 }
-async function createStorageACMCertificate(config2) {
-  const usEast1Provider = new aws12.Provider("storage-acm-us-east-1", {
+async function createCdnACMCertificate(config2) {
+  const usEast1Provider = new aws13.Provider("storage-acm-us-east-1", {
     region: "us-east-1"
   });
-  const certificate = new aws12.acm.Certificate(
-    "wraps-storage-cert",
+  const certificate = new aws13.acm.Certificate(
+    "wraps-cdn-cert",
     {
       domainName: config2.domain,
       validationMethod: "DNS",
       tags: {
         ManagedBy: "wraps-cli",
-        Service: "storage",
-        Description: "SSL certificate for Wraps storage CDN domain"
+        Service: "cdn",
+        Description: "SSL certificate for Wraps CDN domain"
       }
     },
     {
@@ -20450,8 +20713,8 @@ async function createStorageACMCertificate(config2) {
   );
   let certificateValidation;
   if (config2.hostedZoneId) {
-    const validationRecord = new aws12.route53.Record(
-      "wraps-storage-cert-validation",
+    const validationRecord = new aws13.route53.Record(
+      "wraps-cdn-cert-validation",
       {
         zoneId: config2.hostedZoneId,
         name: certificate.domainValidationOptions[0].resourceRecordName,
@@ -20460,8 +20723,8 @@ async function createStorageACMCertificate(config2) {
         ttl: 60
       }
     );
-    certificateValidation = new aws12.acm.CertificateValidation(
-      "wraps-storage-cert-validation-waiter",
+    certificateValidation = new aws13.acm.CertificateValidation(
+      "wraps-cdn-cert-validation-waiter",
       {
         certificateArn: certificate.arn,
         validationRecordFqdns: [validationRecord.fqdn]
@@ -20478,14 +20741,14 @@ async function createStorageACMCertificate(config2) {
   };
 }
 
-// src/infrastructure/storage-stack.ts
+// src/infrastructure/cdn-stack.ts
 async function roleExists3(roleName) {
   try {
     const { IAMClient: IAMClient3, GetRoleCommand: GetRoleCommand2 } = await import("@aws-sdk/client-iam");
-    const iam7 = new IAMClient3({
+    const iam8 = new IAMClient3({
       region: process.env.AWS_REGION || "us-east-1"
     });
-    await iam7.send(new GetRoleCommand2({ RoleName: roleName }));
+    await iam8.send(new GetRoleCommand2({ RoleName: roleName }));
     return true;
   } catch (error) {
     if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity") {
@@ -20495,7 +20758,7 @@ async function roleExists3(roleName) {
     return false;
   }
 }
-async function createStorageIAMRole(config2) {
+async function createCdnIAMRole(config2) {
   let assumeRolePolicy;
   if (config2.provider === "vercel" && config2.oidcProvider) {
     assumeRolePolicy = pulumi22.interpolate`{
@@ -20530,28 +20793,28 @@ async function createStorageIAMRole(config2) {
   } else {
     throw new Error("Other providers not yet implemented");
   }
-  const roleName = "wraps-storage-role";
+  const roleName = "wraps-cdn-role";
   const exists = await roleExists3(roleName);
-  const role = exists ? new aws13.iam.Role(
+  const role = exists ? new aws14.iam.Role(
     roleName,
     {
       name: roleName,
       assumeRolePolicy,
       tags: {
         ManagedBy: "wraps-cli",
-        Service: "storage",
+        Service: "cdn",
         Provider: config2.provider
       }
     },
     {
       import: roleName
     }
-  ) : new aws13.iam.Role(roleName, {
+  ) : new aws14.iam.Role(roleName, {
     name: roleName,
     assumeRolePolicy,
     tags: {
       ManagedBy: "wraps-cli",
-      Service: "storage",
+      Service: "cdn",
       Provider: config2.provider
     }
   });
@@ -20584,7 +20847,7 @@ async function createStorageIAMRole(config2) {
       Resource: config2.distributionArn
     });
   }
-  new aws13.iam.RolePolicy("wraps-storage-policy", {
+  new aws14.iam.RolePolicy("wraps-cdn-policy", {
     role: role.name,
     policy: pulumi22.all([statements]).apply(
       ([stmts]) => JSON.stringify({
@@ -20595,7 +20858,7 @@ async function createStorageIAMRole(config2) {
   });
   return role;
 }
-async function deployStorageStack(config2) {
+async function deployCdnStack(config2) {
   const accountId = config2.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {
@@ -20604,42 +20867,42 @@ async function deployStorageStack(config2) {
       accountId
     });
   }
-  const bucketResources = await createStorageBucket({
+  const bucketResources = await createCdnBucket({
     accountId,
     region: config2.region,
-    storageConfig: config2.storageConfig
+    cdnConfig: config2.cdnConfig
   });
   let acmResources;
   let hostedZone = null;
-  if (config2.storageConfig.cdn.customDomain) {
-    const domainParts = config2.storageConfig.cdn.customDomain.split(".");
-    const rootDomain = domainParts.length > 2 ? domainParts.slice(-2).join(".") : config2.storageConfig.cdn.customDomain;
+  if (config2.cdnConfig.cdn.customDomain) {
+    const domainParts = config2.cdnConfig.cdn.customDomain.split(".");
+    const rootDomain = domainParts.length > 2 ? domainParts.slice(-2).join(".") : config2.cdnConfig.cdn.customDomain;
     const { findHostedZone: findHostedZone2 } = await Promise.resolve().then(() => (init_route53(), route53_exports));
     hostedZone = await findHostedZone2(rootDomain, config2.region);
-    acmResources = await createStorageACMCertificate({
-      domain: config2.storageConfig.cdn.customDomain,
+    acmResources = await createCdnACMCertificate({
+      domain: config2.cdnConfig.cdn.customDomain,
       hostedZoneId: hostedZone?.id
     });
   }
   let cdnResources;
-  if (config2.storageConfig.cdn.enabled) {
+  if (config2.cdnConfig.cdn.enabled) {
     const hasAutoValidation2 = acmResources?.certificateValidation;
     const useCertFromUpgrade = config2.certValidated && config2.existingCertArn;
     const certificateArn = useCertFromUpgrade ? pulumi22.output(config2.existingCertArn) : hasAutoValidation2 ? acmResources?.certificateValidation?.certificateArn : void 0;
-    const customDomainForCdn = useCertFromUpgrade || hasAutoValidation2 ? config2.storageConfig.cdn.customDomain : void 0;
-    cdnResources = await createStorageCDN({
+    const customDomainForCdn = useCertFromUpgrade || hasAutoValidation2 ? config2.cdnConfig.cdn.customDomain : void 0;
+    cdnResources = await createCdnDistribution({
       bucket: bucketResources.bucket,
       bucketRegion: config2.region,
       // For Origin Shield
       customDomain: customDomainForCdn,
       certificateArn,
-      priceClass: config2.storageConfig.cdn.priceClass,
-      originShield: config2.storageConfig.cdn.originShield,
-      geoRestriction: config2.storageConfig.cdn.geoRestriction,
-      wafEnabled: config2.storageConfig.cdn.wafEnabled
+      priceClass: config2.cdnConfig.cdn.priceClass,
+      originShield: config2.cdnConfig.cdn.originShield,
+      geoRestriction: config2.cdnConfig.cdn.geoRestriction,
+      wafEnabled: config2.cdnConfig.cdn.wafEnabled
     });
   }
-  const role = await createStorageIAMRole({
+  const role = await createCdnIAMRole({
     provider: config2.provider,
     oidcProvider,
     vercelTeamSlug: config2.vercel?.teamSlug,
@@ -20649,8 +20912,8 @@ async function deployStorageStack(config2) {
   });
   const hasAutoValidation = acmResources?.certificateValidation;
   const hasCertFromUpgrade = config2.certValidated && config2.existingCertArn;
-  const customDomainActive = config2.storageConfig.cdn.customDomain && (hasAutoValidation || hasCertFromUpgrade);
-  const customDomainPending = config2.storageConfig.cdn.customDomain && !hasAutoValidation && !hasCertFromUpgrade;
+  const customDomainActive = config2.cdnConfig.cdn.customDomain && (hasAutoValidation || hasCertFromUpgrade);
+  const customDomainPending = config2.cdnConfig.cdn.customDomain && !hasAutoValidation && !hasCertFromUpgrade;
   return {
     roleArn: role.arn,
     bucketName: bucketResources.bucketName,
@@ -20659,17 +20922,17 @@ async function deployStorageStack(config2) {
     distributionId: cdnResources?.distributionId,
     distributionDomain: cdnResources?.domainName,
     // Report custom domain if it's actually configured on CloudFront (auto or manual validation)
-    customDomain: customDomainActive ? config2.storageConfig.cdn.customDomain : void 0,
+    customDomain: customDomainActive ? config2.cdnConfig.cdn.customDomain : void 0,
     // Report pending custom domain that needs manual cert validation
-    customDomainPending: customDomainPending ? config2.storageConfig.cdn.customDomain : void 0,
+    customDomainPending: customDomainPending ? config2.cdnConfig.cdn.customDomain : void 0,
     acmCertificateArn: acmResources?.certificate.arn,
     acmCertificateValidationRecords: acmResources?.validationRecords,
-    versioning: config2.storageConfig.versioning ?? false,
-    retention: config2.storageConfig.retention
+    versioning: config2.cdnConfig.versioning ?? false,
+    retention: config2.cdnConfig.retention
   };
 }
 
-// src/commands/storage/init.ts
+// src/commands/cdn/init.ts
 init_events();
 init_aws();
 init_errors();
@@ -20677,7 +20940,7 @@ init_fs();
 init_metadata();
 init_prompts();
 
-// src/utils/storage/costs.ts
+// src/utils/cdn/costs.ts
 init_esm_shims();
 var PRICING = {
   // S3 Storage (per GB/month)
@@ -20763,7 +21026,7 @@ function getCostSummary2(config2, estimatedStorageGB = 10, estimatedBandwidthGB
   return lines.join("\n");
 }
 
-// src/utils/storage/presets.ts
+// src/utils/cdn/presets.ts
 init_esm_shims();
 var STARTER_PRESET2 = {
   cdn: {
@@ -20878,13 +21141,13 @@ function validateConfig2(config2) {
   return warnings;
 }
 
-// src/commands/storage/init.ts
-async function promptStoragePreset() {
+// src/commands/cdn/init.ts
+async function promptCdnPreset() {
   const starterInfo = getPresetInfo2("starter");
   const productionInfo = getPresetInfo2("production");
   const customInfo = getPresetInfo2("custom");
   const result = await clack29.select({
-    message: "Select a storage configuration preset:",
+    message: "Select a CDN configuration preset:",
     options: [
       {
         value: "production",
@@ -20909,7 +21172,7 @@ async function promptStoragePreset() {
   }
   return result;
 }
-async function promptCustomStorageConfig() {
+async function promptCustomCdnConfig() {
   const cdnEnabled = await clack29.confirm({
     message: "Enable CloudFront CDN for fast global delivery?",
     initialValue: true
@@ -21104,7 +21367,7 @@ async function init3(options) {
   const startTime = Date.now();
   clack29.intro(
     pc31.bold(
-      options.preview ? "Wraps Storage Infrastructure Preview" : "Wraps Storage Infrastructure Setup"
+      options.preview ? "Wraps CDN Infrastructure Preview" : "Wraps CDN Infrastructure Setup"
     )
   );
   const progress = new DeploymentProgress();
@@ -21137,45 +21400,45 @@ async function init3(options) {
     identity.accountId,
     region
   );
-  if (existingConnection && hasService(existingConnection, "storage")) {
+  if (existingConnection && hasService(existingConnection, "cdn")) {
     clack29.log.warn(
-      `Storage service already exists for account ${pc31.cyan(identity.accountId)} in region ${pc31.cyan(region)}`
+      `CDN service already exists for account ${pc31.cyan(identity.accountId)} in region ${pc31.cyan(region)}`
     );
     clack29.log.info(
-      `Created: ${existingConnection.services.storage?.deployedAt}`
+      `Created: ${existingConnection.services.cdn?.deployedAt}`
     );
     clack29.log.info(
-      `Use ${pc31.cyan("wraps storage status")} to view current setup`
+      `Use ${pc31.cyan("wraps cdn status")} to view current setup`
     );
     process.exit(0);
   }
   let preset = options.preset;
   if (!preset) {
-    preset = await promptStoragePreset();
+    preset = await promptCdnPreset();
   }
-  let storageConfig;
+  let cdnConfig;
   if (preset === "custom") {
-    storageConfig = await promptCustomStorageConfig();
+    cdnConfig = await promptCustomCdnConfig();
   } else {
-    storageConfig = getPreset2(preset);
+    cdnConfig = getPreset2(preset);
   }
   let customDomain = options.domain;
-  if (!customDomain && storageConfig.cdn.enabled) {
+  if (!customDomain && cdnConfig.cdn.enabled) {
     customDomain = await promptCustomDomain();
   }
   if (customDomain) {
-    storageConfig.cdn.customDomain = customDomain;
+    cdnConfig.cdn.customDomain = customDomain;
   }
   const estimatedUsage = await promptEstimatedUsage();
   progress.info(`
 ${pc31.bold("Cost Estimate:")}`);
   const costSummary = getCostSummary2(
-    storageConfig,
+    cdnConfig,
     estimatedUsage.storageGB,
     estimatedUsage.bandwidthGB
   );
   clack29.log.info(costSummary);
-  const warnings = validateConfig2(storageConfig);
+  const warnings = validateConfig2(cdnConfig);
   if (warnings.length > 0) {
     progress.info(`
 ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
@@ -21187,8 +21450,8 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
     identity.accountId,
     region,
     provider,
-    "storage",
-    storageConfig,
+    "cdn",
+    cdnConfig,
     preset === "custom" ? void 0 : preset,
     existingConnection || void 0
   );
@@ -21207,7 +21470,7 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
     region,
     accountId: identity.accountId,
     vercel: vercelConfig,
-    storageConfig
+    cdnConfig
   };
   if (options.preview) {
     try {
@@ -21217,10 +21480,10 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
           await ensurePulumiWorkDir();
           const stack = await pulumi23.automation.LocalWorkspace.createOrSelectStack(
             {
-              stackName: `wraps-storage-${identity.accountId}-${region}`,
-              projectName: "wraps-storage",
+              stackName: `wraps-cdn-${identity.accountId}-${region}`,
+              projectName: "wraps-cdn",
               program: async () => {
-                const result2 = await deployStorageStack(stackConfig);
+                const result2 = await deployCdnStack(stackConfig);
                 return {
                   roleArn: result2.roleArn,
                   bucketName: result2.bucketName,
@@ -21252,12 +21515,12 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
         changeSummary: previewResult.changeSummary,
         resourceChanges: previewResult.resourceChanges,
         costEstimate: costSummary,
-        commandName: "wraps storage init"
+        commandName: "wraps cdn init"
       });
       clack29.outro(
         pc31.green("Preview complete. Run without --preview to deploy.")
       );
-      trackServiceInit("storage", true, {
+      trackServiceInit("cdn", true, {
         preset,
         provider,
         region,
@@ -21276,15 +21539,15 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
   let outputs;
   try {
     outputs = await progress.execute(
-      "Deploying storage infrastructure (this may take 2-3 minutes)",
+      "Deploying CDN infrastructure (this may take 2-3 minutes)",
       async () => {
         await ensurePulumiWorkDir();
         const stack = await pulumi23.automation.LocalWorkspace.createOrSelectStack(
           {
-            stackName: `wraps-storage-${identity.accountId}-${region}`,
-            projectName: "wraps-storage",
+            stackName: `wraps-cdn-${identity.accountId}-${region}`,
+            projectName: "wraps-cdn",
             program: async () => {
-              const result = await deployStorageStack(stackConfig);
+              const result = await deployCdnStack(stackConfig);
               return {
                 roleArn: result.roleArn,
                 bucketName: result.bucketName,
@@ -21311,7 +21574,7 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
           }
         );
         await stack.workspace.selectStack(
-          `wraps-storage-${identity.accountId}-${region}`
+          `wraps-cdn-${identity.accountId}-${region}`
         );
         await stack.setConfig("aws:region", { value: region });
         const upResult = await stack.up({ onOutput: () => {
@@ -21334,7 +21597,7 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
       }
     );
   } catch (error) {
-    trackServiceInit("storage", false, {
+    trackServiceInit("cdn", false, {
       preset,
       provider,
       region,
@@ -21347,8 +21610,8 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
     trackError("DEPLOYMENT_FAILED", "storage:init", { step: "deploy" });
     throw new Error(`Pulumi deployment failed: ${error.message}`);
   }
-  if (metadata.services.storage) {
-    metadata.services.storage.pulumiStackName = `wraps-storage-${identity.accountId}-${region}`;
+  if (metadata.services.cdn) {
+    metadata.services.cdn.pulumiStackName = `wraps-cdn-${identity.accountId}-${region}`;
   }
   await saveConnectionMetadata(metadata);
   progress.info("Connection metadata saved");
@@ -21386,12 +21649,12 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
           );
           const dnsRecords = [];
           const existingValue = existingCname?.ResourceRecords?.[0]?.Value || null;
-          let cdnStatus = "new";
+          let cdnStatus2 = "new";
           let cdnConflictReason;
           if (existingValue === outputs.distributionDomain) {
-            cdnStatus = "no_change";
+            cdnStatus2 = "no_change";
           } else if (existingValue) {
-            cdnStatus = "conflict";
+            cdnStatus2 = "conflict";
             cdnConflictReason = `Currently points to ${existingValue}`;
           }
           dnsRecords.push({
@@ -21399,7 +21662,7 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
             type: "CNAME",
             proposedValue: outputs.distributionDomain,
             existingValue,
-            status: cdnStatus,
+            status: cdnStatus2,
             conflictReason: cdnConflictReason
           });
           console.log();
@@ -21479,7 +21742,7 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
       }
     }
   }
-  displayStorageSuccess({
+  displayCdnSuccess({
     bucketName: outputs.bucketName,
     region: outputs.region,
     distributionDomain: outputs.distributionDomain,
@@ -21494,31 +21757,31 @@ ${pc31.yellow(pc31.bold("Configuration Notes:"))}`);
   });
   const duration = Date.now() - startTime;
   const enabledFeatures = [];
-  if (storageConfig.cdn.enabled) {
+  if (cdnConfig.cdn.enabled) {
     enabledFeatures.push("cdn");
   }
-  if (storageConfig.cdn.customDomain) {
+  if (cdnConfig.cdn.customDomain) {
     enabledFeatures.push("custom_domain");
   }
-  if (storageConfig.versioning) {
+  if (cdnConfig.versioning) {
     enabledFeatures.push("versioning");
   }
-  trackServiceInit("storage", true, {
+  trackServiceInit("cdn", true, {
     preset,
     provider,
     region,
     features: enabledFeatures,
     duration_ms: duration
   });
-  trackServiceDeployed("storage", {
+  trackServiceDeployed("cdn", {
     duration_ms: duration,
     region,
     features: enabledFeatures,
     preset
   });
 }
-function displayStorageSuccess(options) {
-  clack29.log.success(pc31.green(pc31.bold("Storage infrastructure deployed!")));
+function displayCdnSuccess(options) {
+  clack29.log.success(pc31.green(pc31.bold("CDN infrastructure deployed!")));
   clack29.log.info(`
 ${pc31.bold("Infrastructure:")}`);
   clack29.log.info(`  S3 Bucket: ${pc31.cyan(options.bucketName)}`);
@@ -21558,7 +21821,7 @@ ${pc31.yellow(pc31.bold("DNS Records Required:"))}`);
 `);
     }
     clack29.log.warn(
-      "Custom domain requires manual setup:\n  1. Add the SSL certificate validation DNS record above\n  2. Wait for certificate to be validated (check AWS ACM console)\n  3. Run 'wraps storage upgrade' to add custom domain to CloudFront\n  4. Add the CDN CNAME record to point your domain to CloudFront"
+      "Custom domain requires manual setup:\n  1. Add the SSL certificate validation DNS record above\n  2. Wait for certificate to be validated (check AWS ACM console)\n  3. Run 'wraps cdn upgrade' to add custom domain to CloudFront\n  4. Add the CDN CNAME record to point your domain to CloudFront"
     );
   } else if (options.customDomain && !options.dnsAutoCreated && options.distributionDomain) {
     clack29.log.info(`
@@ -21572,19 +21835,19 @@ ${pc31.yellow(pc31.bold("DNS Record Required:"))}`);
   clack29.log.info(`
 ${pc31.bold("Next Steps:")}`);
   clack29.log.info(
-    `  1. ${pc31.cyan("wraps storage status")} - View your storage setup`
+    `  1. ${pc31.cyan("wraps cdn status")} - View your CDN setup`
   );
   if (options.customDomainPending) {
     clack29.log.info("  2. Add DNS records above and validate SSL certificate");
     clack29.log.info(
-      `  3. ${pc31.cyan("wraps storage upgrade")} - Add custom domain to CloudFront`
+      `  3. ${pc31.cyan("wraps cdn upgrade")} - Add custom domain to CloudFront`
     );
   } else if (options.customDomain && !options.dnsAutoCreated) {
     clack29.log.info(
       "  2. Add DNS record above to point your domain to CloudFront"
     );
     clack29.log.info(
-      `  3. ${pc31.cyan("wraps storage verify")} - Check DNS propagation`
+      `  3. ${pc31.cyan("wraps cdn verify")} - Check DNS propagation`
     );
   }
   const cdnUrl = options.customDomain ? `https://${options.customDomain}` : options.distributionDomain ? `https://${options.distributionDomain}` : null;
@@ -21596,15 +21859,15 @@ ${pc31.bold("CDN URL:")}`);
   if (options.customDomainPending) {
     clack29.outro(
       pc31.yellow(
-        "Storage deployed! Custom domain pending certificate validation."
+        "CDN deployed! Custom domain pending certificate validation."
       )
     );
   } else {
-    clack29.outro(pc31.green("Storage is ready!"));
+    clack29.outro(pc31.green("CDN is ready!"));
   }
 }
 
-// src/commands/storage/status.ts
+// src/commands/cdn/status.ts
 init_esm_shims();
 init_client();
 init_events();
@@ -21614,26 +21877,26 @@ init_metadata();
 import * as clack30 from "@clack/prompts";
 import * as pulumi24 from "@pulumi/pulumi";
 import pc32 from "picocolors";
-async function storageStatus(options) {
+async function cdnStatus(options) {
   const startTime = Date.now();
   const progress = new DeploymentProgress();
-  clack30.intro(pc32.bold("Wraps Storage Status"));
+  clack30.intro(pc32.bold("Wraps CDN Status"));
   const identity = await progress.execute(
-    "Loading storage infrastructure status",
+    "Loading CDN infrastructure status",
     async () => validateAWSCredentials()
   );
   let region = options.region || await getAWSRegion();
   if (!(options.region || process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION)) {
-    const storageConnections = await findConnectionsWithService(
+    const cdnConnections = await findConnectionsWithService(
       identity.accountId,
-      "storage"
+      "cdn"
     );
-    if (storageConnections.length === 1) {
-      region = storageConnections[0].region;
-    } else if (storageConnections.length > 1) {
+    if (cdnConnections.length === 1) {
+      region = cdnConnections[0].region;
+    } else if (cdnConnections.length > 1) {
       const selectedRegion = await clack30.select({
-        message: "Multiple storage deployments found. Which region?",
-        options: storageConnections.map((conn) => ({
+        message: "Multiple CDN deployments found. Which region?",
+        options: cdnConnections.map((conn) => ({
           value: conn.region,
           label: conn.region
         }))
@@ -21649,22 +21912,22 @@ async function storageStatus(options) {
   try {
     await ensurePulumiWorkDir();
     const stack = await pulumi24.automation.LocalWorkspace.selectStack({
-      stackName: `wraps-storage-${identity.accountId}-${region}`,
+      stackName: `wraps-cdn-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
     });
     stackOutputs = await stack.outputs();
   } catch (_error) {
     progress.stop();
-    clack30.log.error("No storage infrastructure found");
+    clack30.log.error("No CDN infrastructure found");
     console.log(
       `
-Run ${pc32.cyan("wraps storage init")} to deploy storage infrastructure.
+Run ${pc32.cyan("wraps cdn init")} to deploy CDN infrastructure.
 `
     );
     process.exit(1);
   }
   progress.stop();
-  displayStorageStatus({
+  displayCdnStatus({
     bucketName: stackOutputs.bucketName?.value,
     region: stackOutputs.region?.value || region,
     distributionId: stackOutputs.distributionId?.value,
@@ -21686,9 +21949,9 @@ Run ${pc32.cyan("wraps storage init")} to deploy storage infrastructure.
   });
   getTelemetryClient().showFooterOnce();
 }
-function displayStorageStatus(options) {
+function displayCdnStatus(options) {
   clack30.log.info(`
-${pc32.bold("Storage Infrastructure:")}`);
+${pc32.bold("CDN Infrastructure:")}`);
   clack30.log.info(`  S3 Bucket: ${pc32.cyan(options.bucketName)}`);
   clack30.log.info(`  Region: ${pc32.cyan(options.region)}`);
   clack30.log.info(
@@ -21755,19 +22018,19 @@ ${pc32.bold("File URLs:")}`);
 ${pc32.bold("Commands:")}`);
   if (hasPendingCert) {
     clack30.log.info(
-      `  ${pc32.cyan("wraps storage upgrade")} - Add custom domain after cert validation`
+      `  ${pc32.cyan("wraps cdn upgrade")} - Add custom domain after cert validation`
     );
   }
   clack30.log.info(
-    `  ${pc32.cyan("wraps storage verify")} - Check DNS and certificate status`
+    `  ${pc32.cyan("wraps cdn verify")} - Check DNS and certificate status`
   );
   clack30.log.info(
-    `  ${pc32.cyan("wraps storage destroy")} - Remove storage infrastructure`
+    `  ${pc32.cyan("wraps cdn destroy")} - Remove CDN infrastructure`
   );
   clack30.outro("");
 }
 
-// src/commands/storage/sync.ts
+// src/commands/cdn/sync.ts
 init_esm_shims();
 import * as clack31 from "@clack/prompts";
 import * as pulumi25 from "@pulumi/pulumi";
@@ -21777,26 +22040,26 @@ init_events();
 init_aws();
 init_fs();
 init_metadata();
-async function storageSync(options) {
+async function cdnSync(options) {
   const startTime = Date.now();
   const progress = new DeploymentProgress();
-  clack31.intro(pc33.bold("Wraps Storage Sync"));
+  clack31.intro(pc33.bold("Wraps CDN Sync"));
   const identity = await progress.execute(
     "Validating AWS credentials",
     async () => validateAWSCredentials()
   );
   let region = options.region || await getAWSRegion();
   if (!(options.region || process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION)) {
-    const storageConnections = await findConnectionsWithService(
+    const cdnConnections = await findConnectionsWithService(
       identity.accountId,
-      "storage"
+      "cdn"
     );
-    if (storageConnections.length === 1) {
-      region = storageConnections[0].region;
-    } else if (storageConnections.length > 1) {
+    if (cdnConnections.length === 1) {
+      region = cdnConnections[0].region;
+    } else if (cdnConnections.length > 1) {
       const selectedRegion = await clack31.select({
-        message: "Multiple storage deployments found. Which region?",
-        options: storageConnections.map((conn) => ({
+        message: "Multiple CDN deployments found. Which region?",
+        options: cdnConnections.map((conn) => ({
           value: conn.region,
           label: conn.region
         }))
@@ -21809,25 +22072,25 @@ async function storageSync(options) {
     }
   }
   const metadata = await loadConnectionMetadata(identity.accountId, region);
-  if (!metadata?.services.storage) {
+  if (!metadata?.services.cdn) {
     clack31.log.error(
-      `No storage infrastructure found for account ${pc33.cyan(identity.accountId)} in region ${pc33.cyan(region)}`
+      `No CDN infrastructure found for account ${pc33.cyan(identity.accountId)} in region ${pc33.cyan(region)}`
     );
     clack31.log.info(
-      `Use ${pc33.cyan("wraps storage init")} to deploy storage infrastructure.`
+      `Use ${pc33.cyan("wraps cdn init")} to deploy CDN infrastructure.`
     );
     process.exit(1);
   }
-  const storageService = metadata.services.storage;
-  const storageConfig = storageService.config;
+  const cdnService = metadata.services.cdn;
+  const cdnConfig = cdnService.config;
   progress.info(`Found storage deployment in ${pc33.cyan(region)}`);
   let certValidated = false;
   let existingCertArn;
-  if (storageConfig.cdn.customDomain) {
+  if (cdnConfig.cdn.customDomain) {
     try {
       await ensurePulumiWorkDir();
       const checkStack = await pulumi25.automation.LocalWorkspace.selectStack({
-        stackName: `wraps-storage-${identity.accountId}-${region}`,
+        stackName: `wraps-cdn-${identity.accountId}-${region}`,
         workDir: getPulumiWorkDir()
       });
       const stackOutputs = await checkStack.outputs();
@@ -21843,7 +22106,7 @@ async function storageSync(options) {
           certValidated = true;
           existingCertArn = stackOutputs.acmCertificateArn.value;
           progress.info(
-            `Certificate validated for ${pc33.cyan(storageConfig.cdn.customDomain)}`
+            `Certificate validated for ${pc33.cyan(cdnConfig.cdn.customDomain)}`
           );
         }
       }
@@ -21855,20 +22118,20 @@ async function storageSync(options) {
     region,
     accountId: identity.accountId,
     vercel: metadata.vercel,
-    storageConfig,
+    cdnConfig,
     // Pass cert validation flags if cert is validated externally
     certValidated,
     existingCertArn
   };
   try {
-    await progress.execute("Syncing storage infrastructure", async () => {
+    await progress.execute("Syncing CDN infrastructure", async () => {
       await ensurePulumiWorkDir();
       const stack = await pulumi25.automation.LocalWorkspace.createOrSelectStack(
         {
-          stackName: `wraps-storage-${identity.accountId}-${region}`,
-          projectName: "wraps-storage",
+          stackName: `wraps-cdn-${identity.accountId}-${region}`,
+          projectName: "wraps-cdn",
           program: async () => {
-            const result2 = await deployStorageStack(stackConfig);
+            const result2 = await deployCdnStack(stackConfig);
             return {
               roleArn: result2.roleArn,
               bucketName: result2.bucketName,
@@ -21911,7 +22174,7 @@ async function storageSync(options) {
     clack31.log.error(`Sync failed: ${error.message}`);
     process.exit(1);
   }
-  clack31.log.success(pc33.green("Storage infrastructure synced!"));
+  clack31.log.success(pc33.green("CDN infrastructure synced!"));
   trackCommand("storage:sync", {
     success: true,
     region,
@@ -21921,7 +22184,7 @@ async function storageSync(options) {
   clack31.outro("");
 }
 
-// src/commands/storage/upgrade.ts
+// src/commands/cdn/upgrade.ts
 init_esm_shims();
 import * as clack32 from "@clack/prompts";
 import * as pulumi26 from "@pulumi/pulumi";
@@ -21931,12 +22194,12 @@ init_events();
 init_aws();
 init_fs();
 init_metadata();
-async function storageUpgrade(options) {
+async function cdnUpgrade(options) {
   const startTime = Date.now();
   const progress = new DeploymentProgress();
   clack32.intro(
     pc34.bold(
-      options.preview ? "Wraps Storage Upgrade Preview" : "Wraps Storage Upgrade"
+      options.preview ? "Wraps CDN Upgrade Preview" : "Wraps CDN Upgrade"
     )
   );
   const identity = await progress.execute(
@@ -21946,16 +22209,16 @@ async function storageUpgrade(options) {
   progress.info(`Connected to AWS account: ${pc34.cyan(identity.accountId)}`);
   let region = options.region || await getAWSRegion();
   if (!(options.region || process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION)) {
-    const storageConnections = await findConnectionsWithService(
+    const cdnConnections = await findConnectionsWithService(
       identity.accountId,
-      "storage"
+      "cdn"
     );
-    if (storageConnections.length === 1) {
-      region = storageConnections[0].region;
-    } else if (storageConnections.length > 1) {
+    if (cdnConnections.length === 1) {
+      region = cdnConnections[0].region;
+    } else if (cdnConnections.length > 1) {
       const selectedRegion = await clack32.select({
-        message: "Multiple storage deployments found. Which region?",
-        options: storageConnections.map((conn) => ({
+        message: "Multiple CDN deployments found. Which region?",
+        options: cdnConnections.map((conn) => ({
           value: conn.region,
           label: conn.region
         }))
@@ -21968,22 +22231,22 @@ async function storageUpgrade(options) {
     }
   }
   const metadata = await loadConnectionMetadata(identity.accountId, region);
-  if (!metadata?.services.storage) {
+  if (!metadata?.services.cdn) {
     clack32.log.error(
-      `No storage infrastructure found for account ${pc34.cyan(identity.accountId)} in region ${pc34.cyan(region)}`
+      `No CDN infrastructure found for account ${pc34.cyan(identity.accountId)} in region ${pc34.cyan(region)}`
     );
     clack32.log.info(
-      `Use ${pc34.cyan("wraps storage init")} to deploy storage infrastructure.`
+      `Use ${pc34.cyan("wraps cdn init")} to deploy CDN infrastructure.`
     );
     process.exit(1);
   }
-  const storageService = metadata.services.storage;
-  const storageConfig = storageService.config;
+  const cdnService = metadata.services.cdn;
+  const cdnConfig = cdnService.config;
   let stackOutputs = {};
   try {
     await ensurePulumiWorkDir();
     const stack = await pulumi26.automation.LocalWorkspace.selectStack({
-      stackName: `wraps-storage-${identity.accountId}-${region}`,
+      stackName: `wraps-cdn-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
     });
     stackOutputs = await stack.outputs();
@@ -21992,7 +22255,7 @@ async function storageUpgrade(options) {
     process.exit(1);
   }
   let cloudFrontHasCustomDomain = false;
-  if (stackOutputs.distributionId?.value && storageConfig.cdn?.customDomain) {
+  if (stackOutputs.distributionId?.value && cdnConfig.cdn?.customDomain) {
     try {
       const { CloudFrontClient, GetDistributionCommand } = await import("@aws-sdk/client-cloudfront");
       const cfClient = new CloudFrontClient({ region: "us-east-1" });
@@ -22003,16 +22266,16 @@ async function storageUpgrade(options) {
       );
       const aliases = cfResponse.Distribution?.DistributionConfig?.Aliases?.Items || [];
       cloudFrontHasCustomDomain = aliases.includes(
-        storageConfig.cdn.customDomain
+        cdnConfig.cdn.customDomain
       );
     } catch {
     }
   }
   const hasPendingCert = stackOutputs.acmCertificateArn?.value && !stackOutputs.customDomain?.value && !cloudFrontHasCustomDomain;
   const pendingDomain = stackOutputs.customDomainPending?.value || (hasPendingCert && stackOutputs.acmCertificateValidationRecords?.value?.[0]?.name ? stackOutputs.acmCertificateValidationRecords.value[0].name.replace(/^_[^.]+\./, "").replace(/\.$/, "") : void 0);
-  const activeCustomDomain = cloudFrontHasCustomDomain ? storageConfig.cdn?.customDomain : stackOutputs.customDomain?.value;
+  const activeCustomDomain = cloudFrontHasCustomDomain ? cdnConfig.cdn?.customDomain : stackOutputs.customDomain?.value;
   if (!hasPendingCert) {
-    clack32.log.info("No pending upgrades found for storage infrastructure.");
+    clack32.log.info("No pending upgrades found for CDN infrastructure.");
     clack32.log.info(
       `
 Current configuration:
@@ -22059,7 +22322,7 @@ Pending domain: ${pc34.cyan(pendingDomain)}`);
     clack32.log.info(
       "After adding the DNS record, wait for validation (typically 5-30 minutes)."
     );
-    clack32.log.info(`Then run ${pc34.cyan("wraps storage upgrade")} again.
+    clack32.log.info(`Then run ${pc34.cyan("wraps cdn upgrade")} again.
 `);
     process.exit(0);
   }
@@ -22081,9 +22344,9 @@ Ready to add custom domain: ${pc34.cyan(pendingDomain)}`);
     }
   }
   const updatedConfig = {
-    ...storageConfig,
+    ...cdnConfig,
     cdn: {
-      ...storageConfig.cdn,
+      ...cdnConfig.cdn,
       customDomain: pendingDomain
     }
   };
@@ -22092,8 +22355,8 @@ Ready to add custom domain: ${pc34.cyan(pendingDomain)}`);
     region,
     accountId: identity.accountId,
     vercel: metadata.vercel,
-    storageConfig: updatedConfig,
-    // Tell deployStorageStack that the cert is validated externally (manual DNS)
+    cdnConfig: updatedConfig,
+    // Tell deployCdnStack that the cert is validated externally (manual DNS)
     certValidated: true,
     existingCertArn: stackOutputs.acmCertificateArn.value
   };
@@ -22123,10 +22386,10 @@ Ready to add custom domain: ${pc34.cyan(pendingDomain)}`);
         await ensurePulumiWorkDir();
         const stack = await pulumi26.automation.LocalWorkspace.createOrSelectStack(
           {
-            stackName: `wraps-storage-${identity.accountId}-${region}`,
-            projectName: "wraps-storage",
+            stackName: `wraps-cdn-${identity.accountId}-${region}`,
+            projectName: "wraps-cdn",
             program: async () => {
-              const result = await deployStorageStack(stackConfig);
+              const result = await deployCdnStack(stackConfig);
               return {
                 roleArn: result.roleArn,
                 bucketName: result.bucketName,
@@ -22169,8 +22432,8 @@ Ready to add custom domain: ${pc34.cyan(pendingDomain)}`);
     clack32.log.error(`Upgrade failed: ${error.message}`);
     process.exit(1);
   }
-  if (metadata.services.storage) {
-    metadata.services.storage.config = updatedConfig;
+  if (metadata.services.cdn) {
+    metadata.services.cdn.config = updatedConfig;
     await saveConnectionMetadata(metadata);
   }
   clack32.log.success(`
@@ -22201,7 +22464,7 @@ ${pc34.green("")} ${pc34.bold("Upgrade complete!")}
   clack32.outro("");
 }
 
-// src/commands/storage/verify.ts
+// src/commands/cdn/verify.ts
 init_esm_shims();
 init_events();
 init_aws();
@@ -22257,26 +22520,26 @@ async function checkDistributionStatus(distributionId, region) {
     return { status: "ERROR", enabled: false, aliases: [] };
   }
 }
-async function storageVerify(options) {
+async function cdnVerify(options) {
   const startTime = Date.now();
   const progress = new DeploymentProgress();
-  clack33.intro(pc35.bold("Wraps Storage Verification"));
+  clack33.intro(pc35.bold("Wraps CDN Verification"));
   const identity = await progress.execute(
-    "Loading storage infrastructure",
+    "Loading CDN infrastructure",
     async () => validateAWSCredentials()
   );
   let region = options.region || await getAWSRegion();
   if (!(options.region || process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION)) {
-    const storageConnections = await findConnectionsWithService(
+    const cdnConnections = await findConnectionsWithService(
       identity.accountId,
-      "storage"
+      "cdn"
     );
-    if (storageConnections.length === 1) {
-      region = storageConnections[0].region;
-    } else if (storageConnections.length > 1) {
+    if (cdnConnections.length === 1) {
+      region = cdnConnections[0].region;
+    } else if (cdnConnections.length > 1) {
       const selectedRegion = await clack33.select({
-        message: "Multiple storage deployments found. Which region?",
-        options: storageConnections.map((conn) => ({
+        message: "Multiple CDN deployments found. Which region?",
+        options: cdnConnections.map((conn) => ({
           value: conn.region,
           label: conn.region
         }))
@@ -22292,16 +22555,16 @@ async function storageVerify(options) {
   try {
     await ensurePulumiWorkDir();
     const stack = await pulumi27.automation.LocalWorkspace.selectStack({
-      stackName: `wraps-storage-${identity.accountId}-${region}`,
+      stackName: `wraps-cdn-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
     });
     stackOutputs = await stack.outputs();
   } catch (_error) {
     progress.stop();
-    clack33.log.error("No storage infrastructure found");
+    clack33.log.error("No CDN infrastructure found");
     console.log(
       `
-Run ${pc35.cyan("wraps storage init")} to deploy storage infrastructure.
+Run ${pc35.cyan("wraps cdn init")} to deploy CDN infrastructure.
 `
     );
     process.exit(1);
@@ -22384,7 +22647,7 @@ ${pc35.bold("Custom Domain DNS:")}`);
         `  ${pc35.yellow("!")} CloudFront alias not configured for ${targetDomain}`
       );
       clack33.log.info(
-        `    Run ${pc35.cyan("wraps storage upgrade")} to add the custom domain to CloudFront.`
+        `    Run ${pc35.cyan("wraps cdn upgrade")} to add the custom domain to CloudFront.`
       );
       allPassed = false;
     }
@@ -22425,12 +22688,12 @@ ${pc35.bold("Certificate Validation DNS:")}`);
     const cdnUrl = targetDomain ? `https://${targetDomain}` : distributionDomain ? `https://${distributionDomain}` : null;
     if (cdnUrl) {
       clack33.log.info(`
-Your storage is accessible at: ${pc35.cyan(cdnUrl)}`);
+Your CDN is accessible at: ${pc35.cyan(cdnUrl)}`);
     }
     if (stackOutputsStale) {
       clack33.log.info(
         `
-${pc35.dim("Tip:")} Run ${pc35.cyan("wraps storage sync")} to update infrastructure state.`
+${pc35.dim("Tip:")} Run ${pc35.cyan("wraps cdn sync")} to update infrastructure state.`
       );
     }
   } else {
@@ -22438,7 +22701,7 @@ ${pc35.dim("Tip:")} Run ${pc35.cyan("wraps storage sync")} to update infrastruct
     if (validationRecords && validationRecords.length > 0) {
       clack33.log.info("\nDNS records may take up to 48 hours to propagate.");
       clack33.log.info(
-        `Run ${pc35.cyan("wraps storage verify")} again to check status.`
+        `Run ${pc35.cyan("wraps cdn verify")} again to check status.`
       );
     }
   }
@@ -22600,7 +22863,7 @@ function showHelp() {
     `  ${pc38.cyan("sms")}         SMS infrastructure (AWS End User Messaging)`
   );
   console.log(
-    `  ${pc38.cyan("storage")}     File storage infrastructure (AWS S3 + CloudFront)
+    `  ${pc38.cyan("cdn")}         CDN infrastructure (AWS S3 + CloudFront)
 `
   );
   console.log("Email Commands:");
@@ -22649,24 +22912,24 @@ function showHelp() {
     `  ${pc38.cyan("sms destroy")}          Remove SMS infrastructure
 `
   );
-  console.log("Storage Commands:");
+  console.log("CDN Commands:");
   console.log(
-    `  ${pc38.cyan("storage init")}         Deploy storage infrastructure (S3 + CDN)`
+    `  ${pc38.cyan("cdn init")}             Deploy CDN infrastructure (S3 + CloudFront)`
   );
   console.log(
-    `  ${pc38.cyan("storage status")}       Show storage infrastructure details`
+    `  ${pc38.cyan("cdn status")}           Show CDN infrastructure details`
   );
   console.log(
-    `  ${pc38.cyan("storage verify")}       Check DNS and certificate status`
+    `  ${pc38.cyan("cdn verify")}           Check DNS and certificate status`
   );
   console.log(
-    `  ${pc38.cyan("storage upgrade")}      Add custom domain after cert validation`
+    `  ${pc38.cyan("cdn upgrade")}          Add custom domain after cert validation`
   );
   console.log(
-    `  ${pc38.cyan("storage sync")}         Sync infrastructure with current config`
+    `  ${pc38.cyan("cdn sync")}             Sync infrastructure with current config`
   );
   console.log(
-    `  ${pc38.cyan("storage destroy")}      Remove storage infrastructure
+    `  ${pc38.cyan("cdn destroy")}          Remove CDN infrastructure
 `
   );
   console.log("Local Development:");
@@ -22874,8 +23137,8 @@ if (!primaryCommand) {
           hint: "AWS End User Messaging"
         },
         {
-          value: "storage-init",
-          label: "Deploy Storage",
+          value: "cdn-init",
+          label: "Deploy CDN",
           hint: "AWS S3 + CloudFront CDN"
         },
         {
@@ -22933,7 +23196,7 @@ if (!primaryCommand) {
           yes: flags.yes
         });
         break;
-      case "storage-init":
+      case "cdn-init":
         await init3({
           provider: flags.provider,
           region: flags.region,
@@ -23233,7 +23496,7 @@ Run ${pc38.cyan("wraps --help")} for available commands.
       });
       return;
     }
-    if (primaryCommand === "storage" && subCommand) {
+    if (primaryCommand === "cdn" && subCommand) {
       switch (subCommand) {
         case "init":
           await init3({
@@ -23246,36 +23509,36 @@ Run ${pc38.cyan("wraps --help")} for available commands.
           });
           break;
         case "status":
-          await storageStatus({
+          await cdnStatus({
             region: flags.region
           });
           break;
         case "verify":
-          await storageVerify({
+          await cdnVerify({
             region: flags.region
           });
           break;
         case "upgrade":
-          await storageUpgrade({
+          await cdnUpgrade({
             region: flags.region,
             yes: flags.yes,
             preview: flags.preview
           });
           break;
         case "sync":
-          await storageSync({
+          await cdnSync({
             region: flags.region
           });
           break;
         case "destroy":
-          await storageDestroy({
+          await cdnDestroy({
             force: flags.force,
             region: flags.region,
             preview: flags.preview
           });
           break;
         default:
-          clack36.log.error(`Unknown storage command: ${subCommand}`);
+          clack36.log.error(`Unknown cdn command: ${subCommand}`);
           console.log(
             `
 Run ${pc38.cyan("wraps --help")} for available commands.
@@ -23283,12 +23546,12 @@ Run ${pc38.cyan("wraps --help")} for available commands.
           );
           process.exit(1);
       }
-      const storageDuration = Date.now() - startTime;
-      const storageCommandName = `storage:${subCommand}`;
-      trackCommand(storageCommandName, {
+      const cdnDuration = Date.now() - startTime;
+      const cdnCommandName = `cdn:${subCommand}`;
+      trackCommand(cdnCommandName, {
         success: true,
-        duration_ms: storageDuration,
-        service: "storage"
+        duration_ms: cdnDuration,
+        service: "cdn"
       });
       return;
     }
@@ -23411,7 +23674,7 @@ Available commands: ${pc38.cyan("enable")}, ${pc38.cyan("disable")}, ${pc38.cyan
       // Show help for service without subcommand
       case "email":
       case "sms":
-      case "storage":
+      case "cdn":
       case "aws":
         console.log(
           `