@wraps.dev/cli 2.11.2 → 2.11.3

package/dist/cli.js

@@ -4880,9 +4880,36 @@ var init_lambda = __esm({
 // src/infrastructure/resources/acm.ts
 var acm_exports = {};
 __export(acm_exports, {
+  checkCertificateValidation: () => checkCertificateValidation,
   createACMCertificate: () => createACMCertificate
 });
+import { ACMClient as ACMClient2, DescribeCertificateCommand as DescribeCertificateCommand2 } from "@aws-sdk/client-acm";
 import * as aws12 from "@pulumi/aws";
+async function checkCertificateValidation(domain) {
+  try {
+    const acm3 = new ACMClient2({ region: "us-east-1" });
+    const { ListCertificatesCommand } = await import("@aws-sdk/client-acm");
+    const listResponse = await acm3.send(
+      new ListCertificatesCommand({
+        CertificateStatuses: ["ISSUED"]
+      })
+    );
+    const cert = listResponse.CertificateSummaryList?.find(
+      (c) => c.DomainName === domain
+    );
+    if (cert?.CertificateArn) {
+      const describeResponse = await acm3.send(
+        new DescribeCertificateCommand2({
+          CertificateArn: cert.CertificateArn
+        })
+      );
+      return describeResponse.Certificate?.Status === "ISSUED";
+    }
+    return false;
+  } catch (error) {
+    return false;
+  }
+}
 async function createACMCertificate(config2) {
   const usEast1Provider = new aws12.Provider("acm-us-east-1", {
     region: "us-east-1"
@@ -5618,6 +5645,10 @@ var init_eventbridge_inbound = __esm({
 });
 
 // src/utils/dns/cloudflare.ts
+var cloudflare_exports = {};
+__export(cloudflare_exports, {
+  CloudflareDNSClient: () => CloudflareDNSClient
+});
 var CLOUDFLARE_API_BASE, CloudflareDNSClient;
 var init_cloudflare = __esm({
   "src/utils/dns/cloudflare.ts"() {
@@ -5844,6 +5875,92 @@ var init_cloudflare = __esm({
           };
         }
       }
+      /**
+       * Get the zone name (domain) for this zone ID
+       */
+      async getZoneName() {
+        try {
+          const response = await fetch(
+            `${CLOUDFLARE_API_BASE}/zones/${this.zoneId}`,
+            {
+              headers: {
+                Authorization: `Bearer ${this.apiToken}`,
+                "Content-Type": "application/json"
+              }
+            }
+          );
+          const data = await response.json();
+          return data.success ? data.result.name : null;
+        } catch {
+          return null;
+        }
+      }
+      /**
+       * Get all CAA records for the zone
+       */
+      async getCAARecords() {
+        const zoneName = await this.getZoneName();
+        if (!zoneName) return [];
+        const result = await this.request(
+          "/dns_records?type=CAA"
+        );
+        if (!(result.success && result.result)) {
+          return [];
+        }
+        return result.result.filter((r) => r.type === "CAA").map((r) => {
+          const match = r.content.match(/^(\d+)\s+(\w+)\s+"?([^"]+)"?$/);
+          if (match) {
+            return {
+              flags: Number.parseInt(match[1], 10),
+              tag: match[2],
+              value: match[3]
+            };
+          }
+          return null;
+        }).filter(
+          (r) => r !== null
+        );
+      }
+      /**
+       * Check if Amazon is allowed to issue certificates based on CAA records
+       */
+      async isAmazonCAAAllowed() {
+        const caaRecords = await this.getCAARecords();
+        const issueRecords = caaRecords.filter(
+          (r) => r.tag === "issue" || r.tag === "issuewild"
+        );
+        if (issueRecords.length === 0) {
+          return { allowed: true, hasCAA: false, existingCAs: [] };
+        }
+        const existingCAs = issueRecords.map((r) => r.value);
+        const amazonAllowed = existingCAs.some(
+          (ca) => ca.includes("amazon.com") || ca.includes("amazontrust.com")
+        );
+        return { allowed: amazonAllowed, hasCAA: true, existingCAs };
+      }
+      /**
+       * Add a CAA record to allow Amazon to issue certificates
+       */
+      async addAmazonCAARecord() {
+        const zoneName = await this.getZoneName();
+        if (!zoneName) return false;
+        const body = {
+          name: zoneName,
+          type: "CAA",
+          data: {
+            flags: 0,
+            tag: "issue",
+            value: "amazon.com"
+          },
+          ttl: 1800
+        };
+        const result = await this.request(
+          "/dns_records",
+          "POST",
+          body
+        );
+        return result.success;
+      }
       async verifyRecords(data) {
         const { domain, dkimTokens, mailFromDomain, region } = data;
         const missing = [];
@@ -5891,6 +6008,10 @@ var init_cloudflare = __esm({
 });
 
 // src/utils/dns/vercel.ts
+var vercel_exports = {};
+__export(vercel_exports, {
+  VercelDNSClient: () => VercelDNSClient
+});
 var VERCEL_API_BASE, VercelDNSClient;
 var init_vercel = __esm({
   "src/utils/dns/vercel.ts"() {
@@ -6122,6 +6243,68 @@ var init_vercel = __esm({
           };
         }
       }
+      /**
+       * Get all CAA records for the domain
+       */
+      async getCAARecords() {
+        const result = await this.request(
+          `/v4/domains/${this.domain}/records`
+        );
+        if (result.error || !result.records) {
+          return [];
+        }
+        return result.records.filter((r) => r.type === "CAA").map((r) => {
+          const match = r.value.match(/^(\d+)\s+(\w+)\s+"?([^"]+)"?$/);
+          if (match) {
+            return {
+              flags: Number.parseInt(match[1], 10),
+              tag: match[2],
+              value: match[3]
+            };
+          }
+          return null;
+        }).filter(
+          (r) => r !== null
+        );
+      }
+      /**
+       * Check if Amazon is allowed to issue certificates based on CAA records
+       * Returns true if:
+       * - No CAA records exist (any CA can issue)
+       * - CAA records exist and include amazon.com or amazontrust.com
+       */
+      async isAmazonCAAAllowed() {
+        const caaRecords = await this.getCAARecords();
+        const issueRecords = caaRecords.filter(
+          (r) => r.tag === "issue" || r.tag === "issuewild"
+        );
+        if (issueRecords.length === 0) {
+          return { allowed: true, hasCAA: false, existingCAs: [] };
+        }
+        const existingCAs = issueRecords.map((r) => r.value);
+        const amazonAllowed = existingCAs.some(
+          (ca) => ca.includes("amazon.com") || ca.includes("amazontrust.com")
+        );
+        return { allowed: amazonAllowed, hasCAA: true, existingCAs };
+      }
+      /**
+       * Add a CAA record to allow Amazon to issue certificates
+       */
+      async addAmazonCAARecord() {
+        const body = {
+          name: "@",
+          // Root domain
+          type: "CAA",
+          value: '0 issue "amazon.com"',
+          ttl: 1800
+        };
+        const result = await this.request(
+          `/v2/domains/${this.domain}/records`,
+          "POST",
+          body
+        );
+        return !result.error;
+      }
       async verifyRecords(data) {
         const { domain, dkimTokens, mailFromDomain, region } = data;
         const missing = [];
@@ -6687,6 +6870,76 @@ var init_dns = __esm({
   }
 });
 
+// src/utils/dns/caa.ts
+var caa_exports = {};
+__export(caa_exports, {
+  ensureAmazonCAAAllowed: () => ensureAmazonCAAAllowed
+});
+async function ensureAmazonCAAAllowed(credentials, domain) {
+  if (credentials.provider === "manual" || credentials.provider === "route53") {
+    return { success: true, wasAlreadyAllowed: true, recordCreated: false };
+  }
+  try {
+    if (credentials.provider === "vercel") {
+      const { VercelDNSClient: VercelDNSClient2 } = await Promise.resolve().then(() => (init_vercel(), vercel_exports));
+      const client = new VercelDNSClient2(
+        domain,
+        credentials.token,
+        credentials.teamId
+      );
+      const caaStatus = await client.isAmazonCAAAllowed();
+      if (caaStatus.hasCAA && caaStatus.allowed) {
+        return { success: true, wasAlreadyAllowed: true, recordCreated: false };
+      }
+      const added = await client.addAmazonCAARecord();
+      if (added) {
+        return { success: true, wasAlreadyAllowed: false, recordCreated: true };
+      }
+      return {
+        success: false,
+        wasAlreadyAllowed: false,
+        recordCreated: false,
+        error: "Failed to create CAA record in Vercel DNS"
+      };
+    }
+    if (credentials.provider === "cloudflare") {
+      const { CloudflareDNSClient: CloudflareDNSClient2 } = await Promise.resolve().then(() => (init_cloudflare(), cloudflare_exports));
+      const client = new CloudflareDNSClient2(
+        credentials.zoneId,
+        credentials.token
+      );
+      const caaStatus = await client.isAmazonCAAAllowed();
+      if (caaStatus.allowed) {
+        return { success: true, wasAlreadyAllowed: true, recordCreated: false };
+      }
+      const added = await client.addAmazonCAARecord();
+      if (added) {
+        return { success: true, wasAlreadyAllowed: false, recordCreated: true };
+      }
+      return {
+        success: false,
+        wasAlreadyAllowed: false,
+        recordCreated: false,
+        error: "Failed to create CAA record in Cloudflare DNS"
+      };
+    }
+    return { success: true, wasAlreadyAllowed: true, recordCreated: false };
+  } catch (error) {
+    return {
+      success: false,
+      wasAlreadyAllowed: false,
+      recordCreated: false,
+      error: error instanceof Error ? error.message : "Unknown error"
+    };
+  }
+}
+var init_caa = __esm({
+  "src/utils/dns/caa.ts"() {
+    "use strict";
+    init_esm_shims();
+  }
+});
+
 // src/utils/shared/assume-role.ts
 var assume_role_exports = {};
 __export(assume_role_exports, {
@@ -10753,10 +11006,10 @@ async function cdnSync(options) {
       });
       const stackOutputs = await checkStack.outputs();
       if (stackOutputs.acmCertificateArn?.value) {
-        const { ACMClient: ACMClient2, DescribeCertificateCommand: DescribeCertificateCommand2 } = await import("@aws-sdk/client-acm");
-        const acmClient = new ACMClient2({ region: "us-east-1" });
+        const { ACMClient: ACMClient3, DescribeCertificateCommand: DescribeCertificateCommand3 } = await import("@aws-sdk/client-acm");
+        const acmClient = new ACMClient3({ region: "us-east-1" });
         const certResponse = await acmClient.send(
-          new DescribeCertificateCommand2({
+          new DescribeCertificateCommand3({
             CertificateArn: stackOutputs.acmCertificateArn.value
           })
         );
@@ -10941,12 +11194,12 @@ Current configuration:
     process.exit(0);
   }
   progress.start("Checking certificate validation status");
-  const { ACMClient: ACMClient2, DescribeCertificateCommand: DescribeCertificateCommand2 } = await import("@aws-sdk/client-acm");
-  const acmClient = new ACMClient2({ region: "us-east-1" });
+  const { ACMClient: ACMClient3, DescribeCertificateCommand: DescribeCertificateCommand3 } = await import("@aws-sdk/client-acm");
+  const acmClient = new ACMClient3({ region: "us-east-1" });
   let certStatus;
   try {
     const certResponse = await acmClient.send(
-      new DescribeCertificateCommand2({
+      new DescribeCertificateCommand3({
         CertificateArn: stackOutputs.acmCertificateArn.value
       })
     );
@@ -11142,10 +11395,10 @@ async function checkDNSRecord(hostname, expectedValue) {
 }
 async function checkCertificateStatus(certificateArn) {
   try {
-    const { ACMClient: ACMClient2, DescribeCertificateCommand: DescribeCertificateCommand2 } = await import("@aws-sdk/client-acm");
-    const acm3 = new ACMClient2({ region: "us-east-1" });
+    const { ACMClient: ACMClient3, DescribeCertificateCommand: DescribeCertificateCommand3 } = await import("@aws-sdk/client-acm");
+    const acm3 = new ACMClient3({ region: "us-east-1" });
     const result = await acm3.send(
-      new DescribeCertificateCommand2({ CertificateArn: certificateArn })
+      new DescribeCertificateCommand3({ CertificateArn: certificateArn })
     );
     const cert = result.Certificate;
     const validationStatus = cert?.DomainValidationOptions?.[0]?.ValidationStatus;
@@ -15296,6 +15549,7 @@ async function deployEmailStack(config2) {
   });
   let cloudFrontResources;
   let acmResources;
+  let skipCloudFront = false;
   if (emailConfig.tracking?.enabled && emailConfig.tracking.customRedirectDomain && emailConfig.tracking.httpsEnabled) {
     const { findHostedZone: findHostedZone2 } = await Promise.resolve().then(() => (init_route53(), route53_exports));
     const hostedZone = await findHostedZone2(
@@ -15307,16 +15561,27 @@ async function deployEmailStack(config2) {
       domain: emailConfig.tracking.customRedirectDomain,
       hostedZoneId: hostedZone?.id
     });
-    const { createCloudFrontTracking: createCloudFrontTracking2 } = await Promise.resolve().then(() => (init_cloudfront(), cloudfront_exports));
-    const certificateArn = acmResources.certificateValidation ? acmResources.certificateValidation.certificateArn : acmResources.certificate.arn;
-    cloudFrontResources = await createCloudFrontTracking2({
-      customTrackingDomain: emailConfig.tracking.customRedirectDomain,
-      region: config2.region,
-      certificateArn,
-      hostedZoneId: hostedZone?.id,
-      // Pass hosted zone ID for automatic DNS record creation
-      wafEnabled: emailConfig.tracking.wafEnabled
-    });
+    if (!hostedZone) {
+      const { checkCertificateValidation: checkCertificateValidation2 } = await Promise.resolve().then(() => (init_acm(), acm_exports));
+      const isValidated = await checkCertificateValidation2(
+        emailConfig.tracking.customRedirectDomain
+      );
+      if (!isValidated) {
+        skipCloudFront = true;
+      }
+    }
+    if (!skipCloudFront) {
+      const { createCloudFrontTracking: createCloudFrontTracking2 } = await Promise.resolve().then(() => (init_cloudfront(), cloudfront_exports));
+      const certificateArn = acmResources.certificateValidation ? acmResources.certificateValidation.certificateArn : acmResources.certificate.arn;
+      cloudFrontResources = await createCloudFrontTracking2({
+        customTrackingDomain: emailConfig.tracking.customRedirectDomain,
+        region: config2.region,
+        certificateArn,
+        hostedZoneId: hostedZone?.id,
+        // Pass hosted zone ID for automatic DNS record creation
+        wafEnabled: emailConfig.tracking.wafEnabled
+      });
+    }
   }
   let sesResources;
   if (emailConfig.tracking?.enabled || emailConfig.eventTracking?.enabled) {
@@ -15329,11 +15594,19 @@ async function deployEmailStack(config2) {
     if (!mailFromDomain && emailConfig.mailFromSubdomain && emailConfig.domain) {
       mailFromDomain = `${emailConfig.mailFromSubdomain}.${emailConfig.domain}`;
     }
+    const effectiveTrackingConfig = skipCloudFront && emailConfig.tracking ? {
+      enabled: emailConfig.tracking.enabled,
+      opens: emailConfig.tracking.opens,
+      clicks: emailConfig.tracking.clicks,
+      customRedirectDomain: emailConfig.tracking.customRedirectDomain,
+      httpsEnabled: false
+      // Use OPTIONAL until CloudFront is ready
+    } : emailConfig.tracking;
     sesResources = await createSESResources({
       domain: emailConfig.domain,
       mailFromDomain,
       region: config2.region,
-      trackingConfig: emailConfig.tracking,
+      trackingConfig: effectiveTrackingConfig,
       eventTypes: emailConfig.eventTracking?.events,
       eventTrackingEnabled: emailConfig.eventTracking?.enabled,
       // Pass flag to create EventBridge destination
@@ -15461,6 +15734,8 @@ async function deployEmailStack(config2) {
     dlqUrl: sqsResources?.dlq.url,
     customTrackingDomain: sesResources?.customTrackingDomain,
     httpsTrackingEnabled: emailConfig.tracking?.httpsEnabled,
+    httpsTrackingPending: skipCloudFront,
+    // True if HTTPS requested but cert not validated yet
     cloudFrontDomain: cloudFrontResources?.domainName,
     acmCertificateValidationRecords: acmResources?.validationRecords,
     mailFromDomain: sesResources?.mailFromDomain,
@@ -21408,6 +21683,56 @@ ${pc28.bold("Cost Impact:")}`);
   const stackConfig = buildEmailStackConfig(metadata, region, {
     emailConfig: updatedConfig
   });
+  if (updatedConfig.tracking?.httpsEnabled && updatedConfig.tracking.customRedirectDomain) {
+    const trackingDomainParts = updatedConfig.tracking.customRedirectDomain.split(".");
+    const parentDomain = trackingDomainParts.length > 2 ? trackingDomainParts.slice(-2).join(".") : updatedConfig.tracking.customRedirectDomain;
+    let dnsProvider = metadata.services.email?.dnsProvider;
+    if (!dnsProvider) {
+      const availableProviders = await progress.execute(
+        "Detecting DNS provider for CAA check",
+        async () => await detectAvailableDNSProviders(parentDomain, region)
+      );
+      const detectedProvider = availableProviders.find(
+        (p) => p.detected && p.provider !== "manual"
+      );
+      if (detectedProvider) {
+        dnsProvider = detectedProvider.provider;
+        if (metadata.services.email) {
+          metadata.services.email.dnsProvider = dnsProvider;
+        }
+      }
+    }
+    if (dnsProvider && dnsProvider !== "manual" && dnsProvider !== "route53") {
+      const credResult = await getDNSCredentials(
+        dnsProvider,
+        parentDomain,
+        region
+      );
+      if (credResult.valid && credResult.credentials) {
+        const { ensureAmazonCAAAllowed: ensureAmazonCAAAllowed2 } = await Promise.resolve().then(() => (init_caa(), caa_exports));
+        const caaResult = await progress.execute(
+          "Checking CAA records for certificate issuance",
+          async () => await ensureAmazonCAAAllowed2(credResult.credentials, parentDomain)
+        );
+        if (caaResult.recordCreated) {
+          progress.info(
+            `Added CAA record to allow Amazon certificate issuance for ${pc28.cyan(parentDomain)}`
+          );
+          await new Promise((resolve) => setTimeout(resolve, 2e3));
+        } else if (!caaResult.success) {
+          clack27.log.warn(
+            `Could not verify CAA records: ${caaResult.error || "Unknown error"}`
+          );
+          clack27.log.info(
+            pc28.dim(
+              "If certificate issuance fails, you may need to add a CAA record manually:"
+            )
+          );
+          clack27.log.info(pc28.dim(`  ${parentDomain} CAA 0 issue "amazon.com"`));
+        }
+      }
+    }
+  }
   if (options.preview) {
     try {
       const previewResult = await progress.execute(
@@ -21508,6 +21833,7 @@ ${pc28.bold("Cost Impact:")}`);
                 dkimTokens: result.dkimTokens,
                 customTrackingDomain: result.customTrackingDomain,
                 httpsTrackingEnabled: result.httpsTrackingEnabled,
+                httpsTrackingPending: result.httpsTrackingPending,
                 cloudFrontDomain: result.cloudFrontDomain,
                 acmCertificateValidationRecords: result.acmCertificateValidationRecords,
                 archiveArn: result.archiveArn,
@@ -21549,6 +21875,7 @@ ${pc28.bold("Cost Impact:")}`);
           dkimTokens: pulumiOutputs.dkimTokens?.value,
           customTrackingDomain: pulumiOutputs.customTrackingDomain?.value,
           httpsTrackingEnabled: pulumiOutputs.httpsTrackingEnabled?.value,
+          httpsTrackingPending: pulumiOutputs.httpsTrackingPending?.value,
           cloudFrontDomain: pulumiOutputs.cloudFrontDomain?.value,
           acmCertificateValidationRecords: pulumiOutputs.acmCertificateValidationRecords?.value,
           archiveArn: pulumiOutputs.archiveArn?.value,
@@ -21703,14 +22030,92 @@ ${pc28.bold("Add these DNS records to your DNS provider:")}
   if (outputs.httpsTrackingEnabled && outputs.acmCertificateValidationRecords) {
     acmValidationRecords.push(...outputs.acmCertificateValidationRecords);
   }
-  const needsCertificateValidation = outputs.httpsTrackingEnabled && acmValidationRecords.length > 0 && !outputs.cloudFrontDomain;
+  let acmDnsAutoCreated = false;
+  if (outputs.httpsTrackingPending && acmValidationRecords.length > 0 && outputs.customTrackingDomain) {
+    const trackingDnsProvider = metadata.services.email?.dnsProvider;
+    if (trackingDnsProvider && trackingDnsProvider !== "manual") {
+      const trackingDomainParts = outputs.customTrackingDomain.split(".");
+      const parentDomain = trackingDomainParts.length > 2 ? trackingDomainParts.slice(-2).join(".") : outputs.customTrackingDomain;
+      const credResult = await progress.execute(
+        `Validating ${getDNSProviderDisplayName(trackingDnsProvider)} credentials for ACM validation`,
+        async () => await getDNSCredentials(trackingDnsProvider, parentDomain, region)
+      );
+      if (credResult.valid && credResult.credentials) {
+        try {
+          progress.start(
+            `Creating ACM validation DNS record in ${getDNSProviderDisplayName(trackingDnsProvider)}`
+          );
+          if (credResult.credentials.provider === "vercel") {
+            const { VercelDNSClient: VercelDNSClient2 } = await Promise.resolve().then(() => (init_vercel(), vercel_exports));
+            const client = new VercelDNSClient2(
+              parentDomain,
+              credResult.credentials.token,
+              credResult.credentials.teamId
+            );
+            const result = await client.createRecords(
+              acmValidationRecords.map((r) => ({
+                name: r.name,
+                type: r.type,
+                value: r.value
+              }))
+            );
+            if (result.success) {
+              progress.succeed(
+                `Created ACM validation DNS record in ${getDNSProviderDisplayName(trackingDnsProvider)}`
+              );
+              acmDnsAutoCreated = true;
+              progress.info(
+                "Certificate validation usually takes 5-30 minutes. Run this command again after validation completes."
+              );
+            } else {
+              progress.fail(
+                `Failed to create ACM validation record: ${result.errors?.join(", ")}`
+              );
+            }
+          } else if (credResult.credentials.provider === "cloudflare") {
+            const { CloudflareDNSClient: CloudflareDNSClient2 } = await Promise.resolve().then(() => (init_cloudflare(), cloudflare_exports));
+            const client = new CloudflareDNSClient2(
+              credResult.credentials.zoneId,
+              credResult.credentials.token
+            );
+            const result = await client.createRecords(
+              acmValidationRecords.map((r) => ({
+                name: r.name,
+                type: r.type,
+                value: r.value
+              }))
+            );
+            if (result.success) {
+              progress.succeed(
+                `Created ACM validation DNS record in ${getDNSProviderDisplayName(trackingDnsProvider)}`
+              );
+              acmDnsAutoCreated = true;
+              progress.info(
+                "Certificate validation usually takes 5-30 minutes. Run this command again after validation completes."
+              );
+            } else {
+              progress.fail(
+                `Failed to create ACM validation record: ${result.errors?.join(", ")}`
+              );
+            }
+          }
+        } catch (error) {
+          progress.fail(
+            `Failed to create ACM validation record: ${error.message}`
+          );
+        }
+      }
+    }
+  }
+  const needsCertificateValidation = outputs.httpsTrackingPending || outputs.httpsTrackingEnabled && acmValidationRecords.length > 0 && !outputs.cloudFrontDomain;
   displaySuccess({
     roleArn: outputs.roleArn,
     configSetName: outputs.configSetName,
     region: outputs.region,
     tableName: outputs.tableName,
     trackingDomainDnsRecords: trackingDomainDnsRecords.length > 0 ? trackingDomainDnsRecords : void 0,
-    acmValidationRecords: acmValidationRecords.length > 0 ? acmValidationRecords : void 0,
+    // Only show ACM validation records if they weren't auto-created
+    acmValidationRecords: acmValidationRecords.length > 0 && !acmDnsAutoCreated ? acmValidationRecords : void 0,
     customTrackingDomain: outputs.customTrackingDomain,
     httpsTrackingEnabled: outputs.httpsTrackingEnabled
   });
@@ -21730,16 +22135,27 @@ ${pc28.green("\u2713")} ${pc28.bold("Upgrade complete!")}
   }
   if (needsCertificateValidation) {
     console.log(pc28.bold("\u26A0\uFE0F  HTTPS Tracking - Next Steps:\n"));
-    console.log(
-      "  1. Add the SSL certificate validation DNS record shown above to your DNS provider"
-    );
-    console.log(
-      "  2. Wait for DNS propagation and certificate validation (5-30 minutes)"
-    );
-    console.log(
-      `  3. Run ${pc28.cyan("wraps email upgrade")} again to complete CloudFront setup
+    if (acmDnsAutoCreated) {
+      console.log(
+        `  1. ${pc28.green("\u2713")} ACM validation DNS record created automatically`
+      );
+      console.log("  2. Wait for certificate validation (5-30 minutes)");
+      console.log(
+        `  3. Run ${pc28.cyan("wraps email upgrade")} again to complete CloudFront setup
 `
-    );
+      );
+    } else {
+      console.log(
+        "  1. Add the SSL certificate validation DNS record shown above to your DNS provider"
+      );
+      console.log(
+        "  2. Wait for DNS propagation and certificate validation (5-30 minutes)"
+      );
+      console.log(
+        `  3. Run ${pc28.cyan("wraps email upgrade")} again to complete CloudFront setup
+`
+      );
+    }
     console.log(
       pc28.dim(
         "  Note: CloudFront distribution will be created once the certificate is validated.\n"
@@ -24496,6 +24912,7 @@ async function platform() {
 
 // src/commands/platform/update-role.ts
 init_esm_shims();
+init_events();
 init_aws();
 init_metadata();
 import {
@@ -24506,6 +24923,7 @@ import {
 import { confirm as confirm13, intro as intro32, isCancel as isCancel19, log as log31, outro as outro19 } from "@clack/prompts";
 import pc35 from "picocolors";
 async function updateRole(options) {
+  const startTime = Date.now();
   intro32(pc35.bold("Update Platform Access Role"));
   const progress = new DeploymentProgress();
   const identity = await progress.execute(
@@ -24633,6 +25051,11 @@ Run ${pc35.cyan("wraps email init")} to deploy infrastructure first.
   }
   progress.stop();
   const actionVerb = roleExists4 ? "updated" : "created";
+  trackCommand("platform:update-role", {
+    success: true,
+    duration_ms: Date.now() - startTime,
+    action: actionVerb
+  });
   outro19(pc35.green(`\u2713 Platform access role ${actionVerb} successfully`));
   console.log(`
 ${pc35.bold("Permissions:")}`);