@wraps.dev/cli 2.11.4 → 2.11.6

package/dist/cli.js

@@ -1133,9 +1133,11 @@ var init_aws_detection = __esm({
 var errors_exports = {};
 __export(errors_exports, {
   WrapsError: () => WrapsError,
+  classifyDNSError: () => classifyDNSError,
   errors: () => errors,
   handleCLIError: () => handleCLIError,
   isAWSError: () => isAWSError,
+  isAWSNotFoundError: () => isAWSNotFoundError,
   isPulumiError: () => isPulumiError,
   parseAWSError: () => parseAWSError,
   parsePulumiError: () => parsePulumiError,
@@ -1162,6 +1164,23 @@ function isAWSError(error) {
   ];
   return awsErrorNames.includes(error.name) || "$metadata" in error;
 }
+function classifyDNSError(error) {
+  if (!(error instanceof Error)) {
+    return "unknown";
+  }
+  const code = error.code;
+  if (code === "ENOTFOUND" || code === "ENODATA") {
+    return "missing";
+  }
+  if (code === "ETIMEOUT" || code === "ESERVFAIL" || code === "ECONNREFUSED") {
+    return "network";
+  }
+  return "unknown";
+}
+function isAWSNotFoundError(error) {
+  if (!(error instanceof Error)) return false;
+  return error.name === "NotFoundException" || error.name === "NoSuchEntityException" || error.name === "NoSuchEntity" || error.name === "ResourceNotFoundException" || error.$metadata?.httpStatusCode === 404;
+}
 function isPulumiError(error) {
   if (!(error instanceof Error)) {
     return false;
@@ -4444,6 +4463,100 @@ var init_metadata = __esm({
   }
 });
 
+// src/infrastructure/shared/resource-checks.ts
+async function roleExists(roleName) {
+  try {
+    const { IAMClient: IAMClient4, GetRoleCommand: GetRoleCommand3 } = await import("@aws-sdk/client-iam");
+    const iam10 = new IAMClient4({
+      region: process.env.AWS_REGION || "us-east-1"
+    });
+    await iam10.send(new GetRoleCommand3({ RoleName: roleName }));
+    return true;
+  } catch (error) {
+    if (error instanceof Error && (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity")) {
+      return false;
+    }
+    console.error("Error checking for existing IAM role:", error);
+    return false;
+  }
+}
+async function tableExists(tableName) {
+  try {
+    const { DynamoDBClient: DynamoDBClient6, DescribeTableCommand: DescribeTableCommand2 } = await import("@aws-sdk/client-dynamodb");
+    const dynamodb3 = new DynamoDBClient6({
+      region: process.env.AWS_REGION || "us-east-1"
+    });
+    await dynamodb3.send(new DescribeTableCommand2({ TableName: tableName }));
+    return true;
+  } catch (error) {
+    if (error instanceof Error && error.name === "ResourceNotFoundException") {
+      return false;
+    }
+    console.error("Error checking for existing DynamoDB table:", error);
+    return false;
+  }
+}
+async function sqsQueueExists(queueName) {
+  try {
+    const { SQSClient, GetQueueUrlCommand } = await import("@aws-sdk/client-sqs");
+    const sqs5 = new SQSClient({
+      region: process.env.AWS_REGION || "us-east-1"
+    });
+    const response = await sqs5.send(
+      new GetQueueUrlCommand({ QueueName: queueName })
+    );
+    return response.QueueUrl || null;
+  } catch {
+    return null;
+  }
+}
+async function snsTopicExists(topicName) {
+  try {
+    const { SNSClient: SNSClient2, ListTopicsCommand: ListTopicsCommand2 } = await import("@aws-sdk/client-sns");
+    const sns3 = new SNSClient2({
+      region: process.env.AWS_REGION || "us-east-1"
+    });
+    let nextToken;
+    do {
+      const response = await sns3.send(
+        new ListTopicsCommand2({ NextToken: nextToken })
+      );
+      const found = response.Topics?.find(
+        (t) => t.TopicArn?.endsWith(`:${topicName}`)
+      );
+      if (found?.TopicArn) {
+        return found.TopicArn;
+      }
+      nextToken = response.NextToken;
+    } while (nextToken);
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function lambdaFunctionExists(functionName) {
+  try {
+    const { LambdaClient: LambdaClient2, GetFunctionCommand } = await import("@aws-sdk/client-lambda");
+    const lambda4 = new LambdaClient2({
+      region: process.env.AWS_REGION || "us-east-1"
+    });
+    await lambda4.send(new GetFunctionCommand({ FunctionName: functionName }));
+    return true;
+  } catch (error) {
+    if (error instanceof Error && error.name === "ResourceNotFoundException") {
+      return false;
+    }
+    console.error("Error checking for existing Lambda function:", error);
+    return false;
+  }
+}
+var init_resource_checks = __esm({
+  "src/infrastructure/shared/resource-checks.ts"() {
+    "use strict";
+    init_esm_shims();
+  }
+});
+
 // ../core/dist/index.js
 var dist_exports = {};
 __export(dist_exports, {
@@ -4661,22 +4774,6 @@ function getPackageRoot() {
   }
   throw new Error("Could not find package.json");
 }
-async function lambdaFunctionExists(functionName) {
-  try {
-    const { LambdaClient: LambdaClient2, GetFunctionCommand } = await import("@aws-sdk/client-lambda");
-    const lambda4 = new LambdaClient2({
-      region: process.env.AWS_REGION || "us-east-1"
-    });
-    await lambda4.send(new GetFunctionCommand({ FunctionName: functionName }));
-    return true;
-  } catch (error) {
-    if (error.name === "ResourceNotFoundException") {
-      return false;
-    }
-    console.error("Error checking for existing Lambda function:", error);
-    return false;
-  }
-}
 async function findEventSourceMapping(functionName, queueArn) {
   try {
     const { LambdaClient: LambdaClient2, ListEventSourceMappingsCommand } = await import("@aws-sdk/client-lambda");
@@ -4873,6 +4970,7 @@ var init_lambda = __esm({
   "src/infrastructure/resources/lambda.ts"() {
     "use strict";
     init_esm_shims();
+    init_resource_checks();
     nodeBuiltins = builtinModules.flatMap((m) => [m, `node:${m}`]);
   }
 });
@@ -7334,7 +7432,11 @@ async function login(options) {
     client_id: "wraps-cli"
   });
   if (codeError || !codeData) {
-    trackCommand("auth:login", { success: false, duration_ms: Date.now() - startTime, method: "device" });
+    trackCommand("auth:login", {
+      success: false,
+      duration_ms: Date.now() - startTime,
+      method: "device"
+    });
     trackError("DEVICE_AUTH_FAILED", "auth:login", { step: "request_code" });
     clack.log.error("Failed to start device authorization.");
     process.exit(1);
@@ -7410,7 +7512,11 @@ async function login(options) {
         continue;
       }
       if (errorCode === "access_denied") {
-        trackCommand("auth:login", { success: false, duration_ms: Date.now() - startTime, method: "device" });
+        trackCommand("auth:login", {
+          success: false,
+          duration_ms: Date.now() - startTime,
+          method: "device"
+        });
         trackError("ACCESS_DENIED", "auth:login", { step: "poll_token" });
         spinner8.stop("Denied.");
         clack.log.error("Authorization was denied.");
@@ -7421,7 +7527,11 @@ async function login(options) {
       }
     }
   }
-  trackCommand("auth:login", { success: false, duration_ms: Date.now() - startTime, method: "device" });
+  trackCommand("auth:login", {
+    success: false,
+    duration_ms: Date.now() - startTime,
+    method: "device"
+  });
   trackError("DEVICE_CODE_EXPIRED", "auth:login", { step: "poll_token" });
   spinner8.stop("Expired.");
   clack.log.error("Device code expired. Run `wraps auth login` to try again.");
@@ -9134,12 +9244,13 @@ async function cdnDestroy(options) {
       return;
     } catch (error) {
       progress.stop();
-      if (error.message.includes("No CDN infrastructure found")) {
+      const msg = error instanceof Error ? error.message : String(error);
+      if (msg.includes("No CDN infrastructure found")) {
         clack9.log.warn("No CDN infrastructure found to preview");
         process.exit(0);
       }
       trackError("PREVIEW_FAILED", "storage destroy", { step: "preview" });
-      throw new Error(`Preview failed: ${error.message}`);
+      throw new Error(`Preview failed: ${msg}`);
     }
   }
   if (shouldCleanDNS && hostedZone && customDomain) {
@@ -9151,7 +9262,8 @@ async function cdnDestroy(options) {
         }
       );
     } catch (error) {
-      clack9.log.warn(`Could not delete DNS records: ${error.message}`);
+      const msg = error instanceof Error ? error.message : String(error);
+      clack9.log.warn(`Could not delete DNS records: ${msg}`);
       clack9.log.info("You may need to delete them manually from Route53");
     }
   }
@@ -9164,7 +9276,8 @@ async function cdnDestroy(options) {
       }
     );
   } catch (error) {
-    clack9.log.info(`Note: ${error.message}`);
+    const msg = error instanceof Error ? error.message : String(error);
+    clack9.log.info(`Note: ${msg}`);
   }
   try {
     await progress.execute(
@@ -9188,7 +9301,8 @@ async function cdnDestroy(options) {
     );
   } catch (error) {
     progress.stop();
-    if (error.message.includes("No CDN infrastructure found")) {
+    const msg = error instanceof Error ? error.message : String(error);
+    if (msg.includes("No CDN infrastructure found")) {
       clack9.log.warn("No CDN infrastructure found");
       if (metadata) {
         removeServiceFromConnection(metadata, "cdn");
@@ -9196,7 +9310,7 @@ async function cdnDestroy(options) {
       }
       process.exit(0);
     }
-    if (error.message?.includes("stack is currently locked")) {
+    if (msg.includes("stack is currently locked")) {
       trackError("STACK_LOCKED", "storage destroy", { step: "destroy" });
       throw errors.stackLocked();
     }
@@ -9635,6 +9749,9 @@ async function createCdnACMCertificate(config2) {
   };
 }
 
+// src/infrastructure/cdn-stack.ts
+init_resource_checks();
+
 // src/infrastructure/vercel-oidc.ts
 init_esm_shims();
 import * as aws2 from "@pulumi/aws";
@@ -9696,22 +9813,6 @@ async function createVercelOIDC(config2) {
 }
 
 // src/infrastructure/cdn-stack.ts
-async function roleExists(roleName) {
-  try {
-    const { IAMClient: IAMClient4, GetRoleCommand: GetRoleCommand3 } = await import("@aws-sdk/client-iam");
-    const iam10 = new IAMClient4({
-      region: process.env.AWS_REGION || "us-east-1"
-    });
-    await iam10.send(new GetRoleCommand3({ RoleName: roleName }));
-    return true;
-  } catch (error) {
-    if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity") {
-      return false;
-    }
-    console.error("Error checking for existing IAM role:", error);
-    return false;
-  }
-}
 async function createCdnIAMRole(config2) {
   let assumeRolePolicy;
   if (config2.provider === "vercel" && config2.oidcProvider) {
@@ -10480,10 +10581,11 @@ ${pc11.yellow(pc11.bold("Configuration Notes:"))}`);
       return;
     } catch (error) {
       trackError("PREVIEW_FAILED", "storage:init", { step: "preview" });
-      if (error.message?.includes("stack is currently locked")) {
+      const msg = error instanceof Error ? error.message : String(error);
+      if (msg.includes("stack is currently locked")) {
         throw errors.stackLocked();
       }
-      throw new Error(`Preview failed: ${error.message}`);
+      throw new Error(`Preview failed: ${msg}`);
     }
   }
   let outputs;
@@ -10547,18 +10649,19 @@ ${pc11.yellow(pc11.bold("Configuration Notes:"))}`);
       }
     );
   } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
     trackServiceInit("cdn", false, {
       preset,
       provider,
       region,
       duration_ms: Date.now() - startTime
     });
-    if (error.message?.includes("stack is currently locked")) {
+    if (msg.includes("stack is currently locked")) {
       trackError("STACK_LOCKED", "storage:init", { step: "deploy" });
       throw errors.stackLocked();
     }
     trackError("DEPLOYMENT_FAILED", "storage:init", { step: "deploy" });
-    throw new Error(`Pulumi deployment failed: ${error.message}`);
+    throw new Error(`Pulumi deployment failed: ${msg}`);
   }
   if (metadata.services.cdn) {
     metadata.services.cdn.pulumiStackName = `wraps-cdn-${identity.accountId}-${region}`;
@@ -10691,7 +10794,8 @@ ${pc11.yellow(pc11.bold("Configuration Notes:"))}`);
           }
         } catch (error) {
           progress.stop();
-          clack10.log.warn(`Could not manage DNS records: ${error.message}`);
+          const msg = error instanceof Error ? error.message : String(error);
+          clack10.log.warn(`Could not manage DNS records: ${msg}`);
         }
       }
     }
@@ -11115,13 +11219,14 @@ async function cdnSync(options) {
       return result.summary;
     });
   } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
     trackCommand("storage:sync", {
       success: false,
-      error: error.message,
+      error: msg,
       region,
       duration_ms: Date.now() - startTime
     });
-    clack12.log.error(`Sync failed: ${error.message}`);
+    clack12.log.error(`Sync failed: ${msg}`);
     process.exit(1);
   }
   clack12.log.success(pc13.green("CDN infrastructure synced!"));
@@ -11245,7 +11350,8 @@ Current configuration:
     certStatus = certResponse.Certificate?.Status || "UNKNOWN";
   } catch (error) {
     progress.fail("Failed to check certificate status");
-    clack13.log.error(`Error: ${error.message}`);
+    const msg = error instanceof Error ? error.message : String(error);
+    clack13.log.error(`Error: ${msg}`);
     process.exit(1);
   }
   progress.stop();
@@ -11369,13 +11475,14 @@ Ready to add custom domain: ${pc14.cyan(pendingDomain)}`);
       }
     );
   } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
     trackCommand("storage:upgrade", {
       success: false,
-      error: error.message,
+      error: msg,
       region,
       duration_ms: Date.now() - startTime
     });
-    clack13.log.error(`Upgrade failed: ${error.message}`);
+    clack13.log.error(`Upgrade failed: ${msg}`);
     process.exit(1);
   }
   if (metadata.services.cdn) {
@@ -14224,16 +14331,17 @@ async function check(options) {
     process.exit(getExitCode(result.score.grade));
   } catch (error) {
     spinner8?.stop("Check failed");
+    const msg = error instanceof Error ? error.message : String(error);
     if (options.json) {
-      console.log(JSON.stringify({ error: error.message }));
+      console.log(JSON.stringify({ error: msg }));
     } else {
-      clack15.log.error(error.message);
+      clack15.log.error(msg);
     }
     const duration = Date.now() - startTime;
     trackCommand("email:check", {
       success: false,
       duration_ms: duration,
-      error: error.message
+      error: msg
     });
     process.exit(4);
   }
@@ -14843,23 +14951,8 @@ async function createAlertingResources(config2) {
 
 // src/infrastructure/resources/dynamodb.ts
 init_esm_shims();
+init_resource_checks();
 import * as aws5 from "@pulumi/aws";
-async function tableExists(tableName) {
-  try {
-    const { DynamoDBClient: DynamoDBClient6, DescribeTableCommand: DescribeTableCommand2 } = await import("@aws-sdk/client-dynamodb");
-    const dynamodb3 = new DynamoDBClient6({
-      region: process.env.AWS_REGION || "us-east-1"
-    });
-    await dynamodb3.send(new DescribeTableCommand2({ TableName: tableName }));
-    return true;
-  } catch (error) {
-    if (error.name === "ResourceNotFoundException") {
-      return false;
-    }
-    console.error("Error checking for existing DynamoDB table:", error);
-    return false;
-  }
-}
 async function createDynamoDBTables(_config) {
   const tableName = "wraps-email-history";
   const exists = await tableExists(tableName);
@@ -15056,24 +15149,9 @@ async function createEventBridgeResources(config2) {
 
 // src/infrastructure/resources/iam.ts
 init_esm_shims();
+init_resource_checks();
 import * as aws7 from "@pulumi/aws";
 import * as pulumi10 from "@pulumi/pulumi";
-async function roleExists2(roleName) {
-  try {
-    const { IAMClient: IAMClient4, GetRoleCommand: GetRoleCommand3 } = await import("@aws-sdk/client-iam");
-    const iam10 = new IAMClient4({
-      region: process.env.AWS_REGION || "us-east-1"
-    });
-    await iam10.send(new GetRoleCommand3({ RoleName: roleName }));
-    return true;
-  } catch (error) {
-    if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity") {
-      return false;
-    }
-    console.error("Error checking for existing IAM role:", error);
-    return false;
-  }
-}
 async function createIAMRole(config2) {
   let assumeRolePolicy;
   if (config2.provider === "vercel" && config2.oidcProvider) {
@@ -15110,7 +15188,7 @@ async function createIAMRole(config2) {
     throw new Error("Other providers not yet implemented");
   }
   const roleName = "wraps-email-role";
-  const exists = await roleExists2(roleName);
+  const exists = await roleExists(roleName);
   const role = exists ? new aws7.iam.Role(
     roleName,
     {
@@ -15955,10 +16033,11 @@ ${pc17.bold("Current Configuration:")}
       return;
     } catch (error) {
       trackError("PREVIEW_FAILED", "email:config", { step: "preview" });
-      if (error.message?.includes("stack is currently locked")) {
+      const msg = error instanceof Error ? error.message : String(error);
+      if (msg.includes("stack is currently locked")) {
         throw errors.stackLocked();
       }
-      throw new Error(`Preview failed: ${error.message}`);
+      throw new Error(`Preview failed: ${msg}`);
     }
   }
   let outputs;
@@ -16016,16 +16095,17 @@ ${pc17.bold("Current Configuration:")}
       }
     );
   } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
     trackCommand("email:config", {
       success: false,
       duration_ms: Date.now() - startTime
     });
-    if (error.message?.includes("stack is currently locked")) {
+    if (msg.includes("stack is currently locked")) {
       trackError("STACK_LOCKED", "email:config", { step: "update" });
       throw errors.stackLocked();
     }
     trackError("UPDATE_FAILED", "email:config", { step: "update" });
-    throw new Error(`Pulumi update failed: ${error.message}`);
+    throw new Error(`Pulumi update failed: ${msg}`);
   }
   metadata.timestamp = (/* @__PURE__ */ new Date()).toISOString();
   await saveConnectionMetadata(metadata);
@@ -16456,10 +16536,11 @@ async function connect2(options) {
       return;
     } catch (error) {
       trackError("PREVIEW_FAILED", "email:connect", { step: "preview" });
-      if (error.message?.includes("stack is currently locked")) {
+      const msg = error instanceof Error ? error.message : String(error);
+      if (msg.includes("stack is currently locked")) {
         throw errors.stackLocked();
       }
-      throw new Error(`Preview failed: ${error.message}`);
+      throw new Error(`Preview failed: ${msg}`);
     }
   }
   let outputs;
@@ -16515,17 +16596,18 @@ async function connect2(options) {
       }
     );
   } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
     trackServiceInit("email", false, {
       preset,
       provider,
       duration_ms: Date.now() - startTime
     });
-    if (error.message?.includes("stack is currently locked")) {
+    if (msg.includes("stack is currently locked")) {
       trackError("STACK_LOCKED", "email:connect", { step: "deploy" });
       throw errors.stackLocked();
     }
     trackError("DEPLOYMENT_FAILED", "email:connect", { step: "deploy" });
-    throw new Error(`Pulumi deployment failed: ${error.message}`);
+    throw new Error(`Pulumi deployment failed: ${msg}`);
   }
   if (outputs.domain && outputs.dkimTokens && outputs.dkimTokens.length > 0) {
     const { findHostedZone: findHostedZone2, createDNSRecords: createDNSRecords2 } = await Promise.resolve().then(() => (init_route53(), route53_exports));
@@ -16544,9 +16626,8 @@ async function connect2(options) {
         );
         progress.succeed("DNS records created in Route53");
       } catch (error) {
-        progress.fail(
-          `Failed to create DNS records automatically: ${error.message}`
-        );
+        const msg = error instanceof Error ? error.message : String(error);
+        progress.fail(`Failed to create DNS records automatically: ${msg}`);
         progress.info(
           "You can manually add the required DNS records shown below"
         );
@@ -16675,8 +16756,11 @@ async function getEmailIdentityInfo(domain, region) {
       dkimTokens: response.DkimAttributes?.Tokens || [],
       mailFromDomain: response.MailFromAttributes?.MailFromDomain
     };
-  } catch (_error) {
-    return { dkimTokens: [] };
+  } catch (error) {
+    if (isAWSError(error)) {
+      return { dkimTokens: [] };
+    }
+    throw error;
   }
 }
 async function emailDestroy(options) {
@@ -16771,7 +16855,7 @@ async function emailDestroy(options) {
               stackName,
               workDir: getPulumiWorkDir()
             });
-          } catch (_error) {
+          } catch {
             throw new Error("No email infrastructure found to preview");
           }
           const result = await previewWithResourceChanges(stack, {
@@ -16805,12 +16889,13 @@ async function emailDestroy(options) {
       return;
     } catch (error) {
       progress.stop();
-      if (error.message.includes("No email infrastructure found")) {
+      const msg = error instanceof Error ? error.message : String(error);
+      if (msg.includes("No email infrastructure found")) {
         clack18.log.warn("No email infrastructure found to preview");
         process.exit(0);
       }
       trackError("PREVIEW_FAILED", "email destroy", { step: "preview" });
-      throw new Error(`Preview failed: ${error.message}`);
+      throw new Error(`Preview failed: ${msg}`);
     }
   }
   if (shouldCleanDNS && hostedZone && domain && dkimTokens.length > 0) {
@@ -16826,7 +16911,8 @@ async function emailDestroy(options) {
         );
       });
     } catch (error) {
-      clack18.log.warn(`Could not delete DNS records: ${error.message}`);
+      const msg = error instanceof Error ? error.message : String(error);
+      clack18.log.warn(`Could not delete DNS records: ${msg}`);
       clack18.log.info("You may need to delete them manually from Route53");
     }
   }
@@ -16842,7 +16928,7 @@ async function emailDestroy(options) {
             stackName,
             workDir: getPulumiWorkDir()
           });
-        } catch (_error) {
+        } catch {
           throw new Error("No email infrastructure found to destroy");
         }
         await withTimeout(
@@ -16857,12 +16943,13 @@ async function emailDestroy(options) {
     );
   } catch (error) {
     progress.stop();
-    if (error.message.includes("No email infrastructure found")) {
+    const msg = error instanceof Error ? error.message : String(error);
+    if (msg.includes("No email infrastructure found")) {
       clack18.log.warn("No email infrastructure found");
       await deleteConnectionMetadata(identity.accountId, region);
       process.exit(0);
     }
-    if (error.message?.includes("stack is currently locked")) {
+    if (msg.includes("stack is currently locked")) {
       trackError("STACK_LOCKED", "email destroy", { step: "destroy" });
       throw errors.stackLocked();
     }
@@ -16907,6 +16994,7 @@ init_client();
 init_events();
 init_dns();
 init_aws();
+init_errors();
 init_metadata();
 import { Resolver as Resolver2 } from "dns/promises";
 import { GetEmailIdentityCommand as GetEmailIdentityCommand2, SESv2Client as SESv2Client3 } from "@aws-sdk/client-sesv2";
@@ -16933,16 +17021,19 @@ async function verifyDomain(options) {
     );
     dkimTokens = identity.DkimAttributes?.Tokens || [];
     mailFromDomain = identity.MailFromAttributes?.MailFromDomain;
-  } catch (_error) {
-    progress.stop();
-    clack19.log.error(`Domain ${options.domain} not found in SES`);
-    console.log(
-      `
+  } catch (error) {
+    if (isAWSNotFoundError(error)) {
+      progress.stop();
+      clack19.log.error(`Domain ${options.domain} not found in SES`);
+      console.log(
+        `
 Run ${pc20.cyan(`wraps email init --domain ${options.domain}`)} to add this domain.
 `
-    );
-    process.exit(1);
-    return;
+      );
+      process.exit(1);
+      return;
+    }
+    throw error;
   }
   const resolver = new Resolver2();
   resolver.setServers(["8.8.8.8", "1.1.1.1"]);
@@ -16959,12 +17050,24 @@ Run ${pc20.cyan(`wraps email init --domain ${options.domain}`)} to add this doma
         status: found ? "verified" : "incorrect",
         records
       });
-    } catch (_error) {
-      dnsResults.push({
-        name: dkimRecord,
-        type: "CNAME",
-        status: "missing"
-      });
+    } catch (error) {
+      const dnsClass = classifyDNSError(error);
+      if (dnsClass === "missing") {
+        dnsResults.push({
+          name: dkimRecord,
+          type: "CNAME",
+          status: "missing"
+        });
+      } else if (dnsClass === "network") {
+        dnsResults.push({
+          name: dkimRecord,
+          type: "CNAME",
+          status: "missing",
+          records: ["DNS lookup failed (network issue)"]
+        });
+      } else {
+        throw error;
+      }
     }
   }
   try {
@@ -16977,12 +17080,24 @@ Run ${pc20.cyan(`wraps email init --domain ${options.domain}`)} to add this doma
       status: hasAmazonSES ? "verified" : spfRecord ? "incorrect" : "missing",
       records: spfRecord ? [spfRecord] : void 0
     });
-  } catch (_error) {
-    dnsResults.push({
-      name: options.domain,
-      type: "TXT (SPF)",
-      status: "missing"
-    });
+  } catch (error) {
+    const dnsClass = classifyDNSError(error);
+    if (dnsClass === "missing") {
+      dnsResults.push({
+        name: options.domain,
+        type: "TXT (SPF)",
+        status: "missing"
+      });
+    } else if (dnsClass === "network") {
+      dnsResults.push({
+        name: options.domain,
+        type: "TXT (SPF)",
+        status: "missing",
+        records: ["DNS lookup failed (network issue)"]
+      });
+    } else {
+      throw error;
+    }
   }
   try {
     const records = await resolver.resolveTxt(`_dmarc.${options.domain}`);
@@ -16993,12 +17108,24 @@ Run ${pc20.cyan(`wraps email init --domain ${options.domain}`)} to add this doma
       status: dmarcRecord ? "verified" : "missing",
       records: dmarcRecord ? [dmarcRecord] : void 0
     });
-  } catch (_error) {
-    dnsResults.push({
-      name: `_dmarc.${options.domain}`,
-      type: "TXT (DMARC)",
-      status: "missing"
-    });
+  } catch (error) {
+    const dnsClass = classifyDNSError(error);
+    if (dnsClass === "missing") {
+      dnsResults.push({
+        name: `_dmarc.${options.domain}`,
+        type: "TXT (DMARC)",
+        status: "missing"
+      });
+    } else if (dnsClass === "network") {
+      dnsResults.push({
+        name: `_dmarc.${options.domain}`,
+        type: "TXT (DMARC)",
+        status: "missing",
+        records: ["DNS lookup failed (network issue)"]
+      });
+    } else {
+      throw error;
+    }
   }
   if (mailFromDomain) {
     try {
@@ -17013,12 +17140,24 @@ Run ${pc20.cyan(`wraps email init --domain ${options.domain}`)} to add this doma
         status: hasMx ? "verified" : mxRecords.length > 0 ? "incorrect" : "missing",
         records: mxRecords.map((r) => `${r.priority} ${r.exchange}`)
       });
-    } catch (_error) {
-      dnsResults.push({
-        name: mailFromDomain,
-        type: "MX",
-        status: "missing"
-      });
+    } catch (error) {
+      const dnsClass = classifyDNSError(error);
+      if (dnsClass === "missing") {
+        dnsResults.push({
+          name: mailFromDomain,
+          type: "MX",
+          status: "missing"
+        });
+      } else if (dnsClass === "network") {
+        dnsResults.push({
+          name: mailFromDomain,
+          type: "MX",
+          status: "missing",
+          records: ["DNS lookup failed (network issue)"]
+        });
+      } else {
+        throw error;
+      }
     }
     try {
       const records = await resolver.resolveTxt(mailFromDomain);
@@ -17030,12 +17169,24 @@ Run ${pc20.cyan(`wraps email init --domain ${options.domain}`)} to add this doma
         status: hasAmazonSES ? "verified" : spfRecord ? "incorrect" : "missing",
         records: spfRecord ? [spfRecord] : void 0
       });
-    } catch (_error) {
-      dnsResults.push({
-        name: mailFromDomain,
-        type: "TXT (SPF)",
-        status: "missing"
-      });
+    } catch (error) {
+      const dnsClass = classifyDNSError(error);
+      if (dnsClass === "missing") {
+        dnsResults.push({
+          name: mailFromDomain,
+          type: "TXT (SPF)",
+          status: "missing"
+        });
+      } else if (dnsClass === "network") {
+        dnsResults.push({
+          name: mailFromDomain,
+          type: "TXT (SPF)",
+          status: "missing",
+          records: ["DNS lookup failed (network issue)"]
+        });
+      } else {
+        throw error;
+      }
     }
   }
   progress.stop();
@@ -17177,7 +17328,7 @@ Run ${pc20.cyan(`wraps email domains verify --domain ${domain}`)} to check verif
       );
       return;
     } catch (error) {
-      if (error.name !== "NotFoundException") {
+      if (!isAWSNotFoundError(error)) {
         throw error;
       }
     }
@@ -17490,7 +17641,7 @@ ${pc20.bold("DNS Records to add:")}
   } catch (error) {
     progress.stop();
     trackCommand("email:domains:get-dkim", { success: false });
-    if (error.name === "NotFoundException") {
+    if (isAWSNotFoundError(error)) {
       clack19.log.error(`Domain ${options.domain} not found in SES`);
       console.log(
         `
@@ -17571,7 +17722,7 @@ Use ${pc20.cyan(`wraps email domains remove --domain ${options.domain} --force`)
   } catch (error) {
     progress.stop();
     trackCommand("email:domains:remove", { success: false });
-    if (error.name === "NotFoundException") {
+    if (isAWSNotFoundError(error)) {
       clack19.log.error(`Domain ${options.domain} not found in SES`);
       process.exit(1);
       return;
@@ -18670,10 +18821,11 @@ ${pc22.yellow(pc22.bold("Configuration Warnings:"))}`);
       return;
     } catch (error) {
       trackError("PREVIEW_FAILED", "email:init", { step: "preview" });
-      if (error.message?.includes("stack is currently locked")) {
+      const msg = error instanceof Error ? error.message : String(error);
+      if (msg.includes("stack is currently locked")) {
         throw errors.stackLocked();
       }
-      throw new Error(`Preview failed: ${error.message}`);
+      throw new Error(`Preview failed: ${msg}`);
     }
   }
   let outputs;
@@ -18744,13 +18896,14 @@ ${pc22.yellow(pc22.bold("Configuration Warnings:"))}`);
       }
     );
   } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
     trackServiceInit("email", false, {
       preset,
       provider,
       region,
       duration_ms: Date.now() - startTime
     });
-    if (error.message?.includes("stack is currently locked")) {
+    if (msg.includes("stack is currently locked")) {
       trackError("STACK_LOCKED", "email:init", { step: "deploy" });
       throw errors.stackLocked();
     }
@@ -18781,7 +18934,7 @@ ${pc22.yellow(pc22.bold("Configuration Warnings:"))}`);
       }
     }
     trackError("DEPLOYMENT_FAILED", "email:init", { step: "deploy" });
-    throw new Error(`Pulumi deployment failed: ${error.message}`);
+    throw new Error(`Pulumi deployment failed: ${msg}`);
   }
   if (metadata.services.email) {
     metadata.services.email.pulumiStackName = `wraps-${identity.accountId}-${region}`;
@@ -18879,7 +19032,8 @@ ${pc22.yellow(pc22.bold("Configuration Warnings:"))}`);
             }
           } catch (error) {
             progress.stop();
-            clack21.log.warn(`Could not manage DNS records: ${error.message}`);
+            const msg = error instanceof Error ? error.message : String(error);
+            clack21.log.warn(`Could not manage DNS records: ${msg}`);
           }
         } else {
           const recordData = {
@@ -19114,7 +19268,8 @@ ${pc23.bold("The following Wraps resources will be removed:")}
         return;
       } catch (error) {
         trackError("PREVIEW_FAILED", "email:restore", { step: "preview" });
-        throw new Error(`Preview failed: ${error.message}`);
+        const msg = error instanceof Error ? error.message : String(error);
+        throw new Error(`Preview failed: ${msg}`);
       }
     }
     return;
@@ -19149,7 +19304,8 @@ ${pc23.bold("The following Wraps resources will be removed:")}
         );
       } catch (error) {
         trackError("DESTROY_FAILED", "email:restore", { step: "destroy" });
-        throw new Error(`Failed to destroy Pulumi stack: ${error.message}`);
+        const msg = error instanceof Error ? error.message : String(error);
+        throw new Error(`Failed to destroy Pulumi stack: ${msg}`);
       }
     });
   }
@@ -19176,6 +19332,7 @@ init_esm_shims();
 init_client();
 init_events();
 init_aws();
+init_errors();
 init_fs();
 init_metadata();
 import * as clack23 from "@clack/prompts";
@@ -19220,15 +19377,19 @@ async function emailStatus(options) {
       workDir: getPulumiWorkDir()
     });
     stackOutputs = await stack.outputs();
-  } catch (_error) {
-    progress.stop();
-    clack23.log.error("No email infrastructure found");
-    console.log(
-      `
+  } catch (error) {
+    if (error instanceof Error && (error.message.includes("no stack named") || error.message.includes("not found"))) {
+      progress.stop();
+      clack23.log.error("No email infrastructure found");
+      console.log(
+        `
 Run ${pc24.cyan("wraps email init")} to deploy email infrastructure.
 `
-    );
-    process.exit(1);
+      );
+      process.exit(1);
+      return;
+    }
+    throw error;
   }
   const domains = await listSESDomains(region);
   const { SESv2Client: SESv2Client6, GetEmailIdentityCommand: GetEmailIdentityCommand5 } = await import("@aws-sdk/client-sesv2");
@@ -19253,17 +19414,20 @@ Run ${pc24.cyan("wraps email init")} to deploy email infrastructure.
           isPrimary: tracked?.isPrimary,
           purpose: tracked?.purpose
         };
-      } catch (_error) {
-        return {
-          domain: d.domain,
-          status: d.verified ? "verified" : "pending",
-          dkimTokens: void 0,
-          mailFromDomain: void 0,
-          mailFromStatus: void 0,
-          managed: tracked?.managed,
-          isPrimary: tracked?.isPrimary,
-          purpose: tracked?.purpose
-        };
+      } catch (error) {
+        if (isAWSError(error)) {
+          return {
+            domain: d.domain,
+            status: d.verified ? "verified" : "pending",
+            dkimTokens: void 0,
+            mailFromDomain: void 0,
+            mailFromStatus: void 0,
+            managed: tracked?.managed,
+            isPrimary: tracked?.isPrimary,
+            purpose: tracked?.purpose
+          };
+        }
+        throw error;
       }
     })
   );
@@ -20686,12 +20850,19 @@ ${pc28.bold("Current Configuration:")}
   if (config2.domain) {
     console.log(`  Sending Domain: ${pc28.cyan(config2.domain)}`);
   }
+  const hasHttpsTrackingPending = config2.tracking?.httpsEnabled && config2.tracking?.customRedirectDomain;
   if (config2.tracking?.enabled) {
     console.log(`  ${pc28.green("\u2713")} Open & Click Tracking`);
     if (config2.tracking.customRedirectDomain) {
-      console.log(
-        `    ${pc28.dim("\u2514\u2500")} Custom domain: ${pc28.cyan(config2.tracking.customRedirectDomain)}`
-      );
+      if (hasHttpsTrackingPending) {
+        console.log(
+          `    ${pc28.dim("\u2514\u2500")} Custom domain: ${pc28.cyan(config2.tracking.customRedirectDomain)} ${pc28.yellow("(HTTPS pending - certificate validation required)")}`
+        );
+      } else {
+        console.log(
+          `    ${pc28.dim("\u2514\u2500")} Custom domain: ${pc28.cyan(config2.tracking.customRedirectDomain)}`
+        );
+      }
     }
   }
   if (config2.suppressionList?.enabled) {
@@ -20747,60 +20918,69 @@ ${pc28.bold("Current Configuration:")}
   Estimated Cost: ${pc28.cyan(`~${formatCost(currentCostData.total.monthly)}/mo`)}`
   );
   console.log("");
+  const upgradeOptions = [];
+  if (hasHttpsTrackingPending) {
+    upgradeOptions.push({
+      value: "finish-tracking-domain",
+      label: "Finish setting up custom tracking domain",
+      hint: `Complete HTTPS setup for ${config2.tracking.customRedirectDomain}`
+    });
+  }
+  upgradeOptions.push(
+    {
+      value: "preset",
+      label: "Upgrade to a different preset",
+      hint: "Starter \u2192 Production \u2192 Enterprise"
+    },
+    {
+      value: "archiving",
+      label: config2.emailArchiving?.enabled ? "Change email archiving settings" : "Enable email archiving",
+      hint: config2.emailArchiving?.enabled ? "Update retention or disable" : "Store full email content with HTML"
+    },
+    {
+      value: "tracking-domain",
+      label: "Add/change custom tracking domain",
+      hint: "Use your own domain for email links"
+    },
+    {
+      value: "retention",
+      label: "Change email history retention",
+      hint: "7 days, 30 days, 90 days, 6 months, 1 year, 18 months"
+    },
+    {
+      value: "events",
+      label: "Customize tracked event types",
+      hint: "Choose which SES events to track"
+    },
+    {
+      value: "dedicated-ip",
+      label: "Enable dedicated IP address",
+      hint: "Requires 100k+ emails/day ($50-100/mo)"
+    },
+    {
+      value: "alerts",
+      label: config2.alerts?.enabled ? "Manage reputation alerts" : "Enable reputation alerts",
+      hint: config2.alerts?.enabled ? "Update thresholds or notification settings" : "Get notified before AWS suspends your account"
+    },
+    {
+      value: "custom",
+      label: "Custom configuration",
+      hint: "Modify multiple settings at once"
+    },
+    {
+      value: "wraps-dashboard",
+      label: metadata.services.email?.webhookSecret ? "Manage Wraps Dashboard connection" : "Connect to Wraps Dashboard",
+      hint: metadata.services.email?.webhookSecret ? "Regenerate secret or disconnect" : "Send events to dashboard for analytics"
+    },
+    {
+      value: "smtp-credentials",
+      label: metadata.services.email?.smtpCredentials?.enabled ? "Manage SMTP credentials" : "Enable SMTP credentials",
+      hint: metadata.services.email?.smtpCredentials?.enabled ? "Rotate or disable credentials" : "Generate credentials for PHP, WordPress, etc."
+    }
+  );
   upgradeAction = await clack27.select({
     message: "What would you like to do?",
-    options: [
-      {
-        value: "preset",
-        label: "Upgrade to a different preset",
-        hint: "Starter \u2192 Production \u2192 Enterprise"
-      },
-      {
-        value: "archiving",
-        label: config2.emailArchiving?.enabled ? "Change email archiving settings" : "Enable email archiving",
-        hint: config2.emailArchiving?.enabled ? "Update retention or disable" : "Store full email content with HTML"
-      },
-      {
-        value: "tracking-domain",
-        label: "Add/change custom tracking domain",
-        hint: "Use your own domain for email links"
-      },
-      {
-        value: "retention",
-        label: "Change email history retention",
-        hint: "7 days, 30 days, 90 days, 6 months, 1 year, 18 months"
-      },
-      {
-        value: "events",
-        label: "Customize tracked event types",
-        hint: "Choose which SES events to track"
-      },
-      {
-        value: "dedicated-ip",
-        label: "Enable dedicated IP address",
-        hint: "Requires 100k+ emails/day ($50-100/mo)"
-      },
-      {
-        value: "alerts",
-        label: config2.alerts?.enabled ? "Manage reputation alerts" : "Enable reputation alerts",
-        hint: config2.alerts?.enabled ? "Update thresholds or notification settings" : "Get notified before AWS suspends your account"
-      },
-      {
-        value: "custom",
-        label: "Custom configuration",
-        hint: "Modify multiple settings at once"
-      },
-      {
-        value: "wraps-dashboard",
-        label: metadata.services.email?.webhookSecret ? "Manage Wraps Dashboard connection" : "Connect to Wraps Dashboard",
-        hint: metadata.services.email?.webhookSecret ? "Regenerate secret or disconnect" : "Send events to dashboard for analytics"
-      },
-      {
-        value: "smtp-credentials",
-        label: metadata.services.email?.smtpCredentials?.enabled ? "Manage SMTP credentials" : "Enable SMTP credentials",
-        hint: metadata.services.email?.smtpCredentials?.enabled ? "Rotate or disable credentials" : "Generate credentials for PHP, WordPress, etc."
-      }
-    ]
+    options: upgradeOptions
   });
   if (clack27.isCancel(upgradeAction)) {
     clack27.cancel("Upgrade cancelled.");
@@ -20809,6 +20989,14 @@ ${pc28.bold("Current Configuration:")}
   let updatedConfig = { ...config2 };
   let newPreset = metadata.services.email?.preset;
   switch (upgradeAction) {
+    case "finish-tracking-domain": {
+      clack27.log.info(
+        `Checking certificate status for ${pc28.cyan(config2.tracking.customRedirectDomain)}...`
+      );
+      updatedConfig = { ...config2 };
+      newPreset = metadata.services.email?.preset;
+      break;
+    }
     case "preset": {
       const presets = getAllPresetInfo().filter(
         (p) => p.name.toLowerCase() !== "custom"
@@ -21863,11 +22051,12 @@ ${pc28.bold("Cost Impact:")}`);
       });
       return;
     } catch (error) {
+      const msg = error instanceof Error ? error.message : String(error);
       trackError("PREVIEW_FAILED", "email:upgrade", { step: "preview" });
-      if (error.message?.includes("stack is currently locked")) {
+      if (msg.includes("stack is currently locked")) {
         throw errors.stackLocked();
       }
-      throw new Error(`Preview failed: ${error.message}`);
+      throw new Error(`Preview failed: ${msg}`);
     }
   }
   let outputs;
@@ -21949,18 +22138,19 @@ ${pc28.bold("Cost Impact:")}`);
       }
     );
   } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
     trackServiceUpgrade("email", {
       from_preset: metadata.services.email?.preset,
       to_preset: newPreset,
       action: typeof upgradeAction === "string" ? upgradeAction : void 0,
       duration_ms: Date.now() - startTime
     });
-    if (error.message?.includes("stack is currently locked")) {
+    if (msg.includes("stack is currently locked")) {
       trackError("STACK_LOCKED", "email:upgrade", { step: "deploy" });
       throw errors.stackLocked();
     }
     trackError("UPGRADE_FAILED", "email:upgrade", { step: "deploy" });
-    throw new Error(`Pulumi upgrade failed: ${error.message}`);
+    throw new Error(`Pulumi upgrade failed: ${msg}`);
   }
   let dnsAutoCreated = false;
   if (outputs.domain && outputs.dkimTokens && outputs.dkimTokens.length > 0) {
@@ -22018,9 +22208,8 @@ ${pc28.bold("Cost Impact:")}`);
             );
           }
         } catch (error) {
-          progress.fail(
-            `Failed to create DNS records automatically: ${error.message}`
-          );
+          const msg = error instanceof Error ? error.message : String(error);
+          progress.fail(`Failed to create DNS records automatically: ${msg}`);
           progress.info(
             "You can manually add the required DNS records shown below"
           );
@@ -22159,9 +22348,8 @@ ${pc28.bold("Add these DNS records to your DNS provider:")}
             }
           }
         } catch (error) {
-          progress.fail(
-            `Failed to create ACM validation record: ${error.message}`
-          );
+          const msg = error instanceof Error ? error.message : String(error);
+          progress.fail(`Failed to create ACM validation record: ${msg}`);
         }
       }
     }
@@ -24387,10 +24575,10 @@ var WRAPS_PLATFORM_ACCOUNT_ID = "905130073023";
 async function updatePlatformRole(metadata, progress, externalId) {
   const roleName = "wraps-console-access-role";
   const iam10 = new IAMClient2({ region: "us-east-1" });
-  let roleExists4 = false;
+  let roleExists2 = false;
   try {
     await iam10.send(new GetRoleCommand({ RoleName: roleName }));
-    roleExists4 = true;
+    roleExists2 = true;
   } catch (error) {
     const isNotFound = error instanceof Error && (error.name === "NoSuchEntityException" || error.name === "NoSuchEntity" || error.message.includes("NoSuchEntity"));
     if (!isNotFound) {
@@ -24400,7 +24588,7 @@ async function updatePlatformRole(metadata, progress, externalId) {
   const emailConfig = metadata.services.email?.config;
   const smsConfig = metadata.services.sms?.config;
   const policy = buildConsolePolicyDocument(emailConfig, smsConfig);
-  if (roleExists4) {
+  if (roleExists2) {
     await progress.execute("Updating platform access role", async () => {
       await iam10.send(
         new PutRolePolicyCommand({
@@ -24858,17 +25046,17 @@ Run ${pc33.cyan("wraps email init")} or ${pc33.cyan("wraps sms init")} first.
     }
     const roleName = "wraps-console-access-role";
     const iam10 = new IAMClient2({ region: "us-east-1" });
-    let roleExists4 = false;
+    let roleExists2 = false;
     try {
       await iam10.send(new GetRoleCommand({ RoleName: roleName }));
-      roleExists4 = true;
+      roleExists2 = true;
     } catch (error) {
       const isNotFound = error instanceof Error && (error.name === "NoSuchEntityException" || error.name === "NoSuchEntity" || error.message.includes("NoSuchEntity"));
       if (!isNotFound) {
         throw error;
       }
     }
-    if (roleExists4) {
+    if (roleExists2) {
       const emailConfig = metadata.services.email?.config;
       const smsConfig = metadata.services.sms?.config;
       const policy = buildConsolePolicyDocument(emailConfig, smsConfig);
@@ -25025,10 +25213,10 @@ Run ${pc35.cyan("wraps email init")} to deploy infrastructure first.
   }
   const roleName = "wraps-console-access-role";
   const iam10 = new IAMClient3({ region: "us-east-1" });
-  let roleExists4 = false;
+  let roleExists2 = false;
   try {
     await iam10.send(new GetRoleCommand2({ RoleName: roleName }));
-    roleExists4 = true;
+    roleExists2 = true;
   } catch (error) {
     const isNotFound = error instanceof Error && (error.name === "NoSuchEntityException" || error.name === "NoSuchEntity" || error.message.includes("NoSuchEntity"));
     if (!isNotFound) {
@@ -25036,7 +25224,7 @@ Run ${pc35.cyan("wraps email init")} to deploy infrastructure first.
     }
   }
   const externalId = metadata.platform?.externalId;
-  if (!(roleExists4 || externalId)) {
+  if (!(roleExists2 || externalId)) {
     progress.stop();
     log31.warn(`IAM role ${pc35.cyan(roleName)} does not exist`);
     console.log(
@@ -25048,7 +25236,7 @@ Run ${pc35.cyan("wraps email init")} to deploy infrastructure first.
     );
     process.exit(0);
   }
-  if (roleExists4) {
+  if (roleExists2) {
     progress.info(`Found IAM role: ${pc35.cyan(roleName)}`);
   } else {
     progress.info(
@@ -25057,7 +25245,7 @@ Run ${pc35.cyan("wraps email init")} to deploy infrastructure first.
   }
   if (!options.force) {
     progress.stop();
-    const actionLabel = roleExists4 ? "Update" : "Create";
+    const actionLabel = roleExists2 ? "Update" : "Create";
     const shouldContinue = await confirm13({
       message: `${actionLabel} IAM role ${pc35.cyan(roleName)} with latest permissions?`,
       initialValue: true
@@ -25076,7 +25264,7 @@ Run ${pc35.cyan("wraps email init")} to deploy infrastructure first.
   const smsEnabled = !!smsConfig;
   const smsSendingEnabled = smsConfig && smsConfig.sendingEnabled !== false;
   const smsEventTracking = smsConfig?.eventTracking;
-  if (!roleExists4 && externalId) {
+  if (!roleExists2 && externalId) {
     const WRAPS_PLATFORM_ACCOUNT_ID2 = "905130073023";
     await progress.execute("Creating IAM role", async () => {
       const trustPolicy = {
@@ -25129,7 +25317,7 @@ Run ${pc35.cyan("wraps email init")} to deploy infrastructure first.
     });
   }
   progress.stop();
-  const actionVerb = roleExists4 ? "updated" : "created";
+  const actionVerb = roleExists2 ? "updated" : "created";
   trackCommand("platform:update-role", {
     success: true,
     duration_ms: Date.now() - startTime,
@@ -28313,38 +28501,9 @@ import pc39 from "picocolors";
 
 // src/infrastructure/sms-stack.ts
 init_esm_shims();
+init_resource_checks();
 import * as aws19 from "@pulumi/aws";
 import * as pulumi24 from "@pulumi/pulumi";
-async function roleExists3(roleName) {
-  try {
-    const { IAMClient: IAMClient4, GetRoleCommand: GetRoleCommand3 } = await import("@aws-sdk/client-iam");
-    const iam10 = new IAMClient4({
-      region: process.env.AWS_REGION || "us-east-1"
-    });
-    await iam10.send(new GetRoleCommand3({ RoleName: roleName }));
-    return true;
-  } catch (error) {
-    if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity") {
-      return false;
-    }
-    return false;
-  }
-}
-async function tableExists2(tableName) {
-  try {
-    const { DynamoDBClient: DynamoDBClient6, DescribeTableCommand: DescribeTableCommand2 } = await import("@aws-sdk/client-dynamodb");
-    const dynamodb3 = new DynamoDBClient6({
-      region: process.env.AWS_REGION || "us-east-1"
-    });
-    await dynamodb3.send(new DescribeTableCommand2({ TableName: tableName }));
-    return true;
-  } catch (error) {
-    if (error instanceof Error && "name" in error && error.name === "ResourceNotFoundException") {
-      return false;
-    }
-    return false;
-  }
-}
 async function createSMSIAMRole(config2) {
   let assumeRolePolicy;
   if (config2.provider === "vercel" && config2.oidcProvider) {
@@ -28390,7 +28549,7 @@ async function createSMSIAMRole(config2) {
     throw new Error("Other providers not yet implemented");
   }
   const roleName = "wraps-sms-role";
-  const exists = await roleExists3(roleName);
+  const exists = await roleExists(roleName);
   const role = exists ? new aws19.iam.Role(
     roleName,
     {
@@ -28608,20 +28767,6 @@ async function createSMSPhoneNumber(phoneNumberType, optOutList) {
     }
   );
 }
-async function sqsQueueExists(queueName) {
-  try {
-    const { SQSClient, GetQueueUrlCommand } = await import("@aws-sdk/client-sqs");
-    const sqs5 = new SQSClient({
-      region: process.env.AWS_REGION || "us-east-1"
-    });
-    const response = await sqs5.send(
-      new GetQueueUrlCommand({ QueueName: queueName })
-    );
-    return response.QueueUrl || null;
-  } catch {
-    return null;
-  }
-}
 async function createSMSSQSResources() {
   const dlqName = "wraps-sms-events-dlq";
   const queueName = "wraps-sms-events";
@@ -28671,30 +28816,6 @@ async function createSMSSQSResources() {
   });
   return { queue, dlq };
 }
-async function snsTopicExists(topicName) {
-  try {
-    const { SNSClient: SNSClient2, ListTopicsCommand: ListTopicsCommand2 } = await import("@aws-sdk/client-sns");
-    const sns3 = new SNSClient2({
-      region: process.env.AWS_REGION || "us-east-1"
-    });
-    let nextToken;
-    do {
-      const response = await sns3.send(
-        new ListTopicsCommand2({ NextToken: nextToken })
-      );
-      const found = response.Topics?.find(
-        (t) => t.TopicArn?.endsWith(`:${topicName}`)
-      );
-      if (found?.TopicArn) {
-        return found.TopicArn;
-      }
-      nextToken = response.NextToken;
-    } while (nextToken);
-    return null;
-  } catch {
-    return null;
-  }
-}
 async function createSMSSNSResources(config2) {
   const topicName = "wraps-sms-events";
   const topicArn = await snsTopicExists(topicName);
@@ -28762,7 +28883,7 @@ async function createSMSSNSResources(config2) {
 }
 async function createSMSDynamoDBTable() {
   const tableName = "wraps-sms-history";
-  const exists = await tableExists2(tableName);
+  const exists = await tableExists(tableName);
   const tableConfig = {
     name: tableName,
     billingMode: "PAY_PER_REQUEST",
@@ -31698,18 +31819,19 @@ ${pc45.bold("Cost Impact:")}`);
       });
     }
   } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
     trackServiceUpgrade("sms", {
       from_preset: metadata.services.sms?.preset,
       to_preset: newPreset,
       action: typeof upgradeAction === "string" ? upgradeAction : void 0,
       duration_ms: Date.now() - startTime
     });
-    if (error.message?.includes("stack is currently locked")) {
+    if (msg.includes("stack is currently locked")) {
       trackError("STACK_LOCKED", "sms:upgrade", { step: "deploy" });
       throw errors.stackLocked();
     }
     trackError("UPGRADE_FAILED", "sms:upgrade", { step: "deploy" });
-    throw new Error(`SMS upgrade failed: ${error.message}`);
+    throw new Error(`SMS upgrade failed: ${msg}`);
   }
   updateServiceConfig(metadata, "sms", updatedConfig);
   if (metadata.services.sms) {