@wraps.dev/cli 2.11.7 → 2.11.9

package/dist/cli.js

@@ -95,7 +95,7 @@ async function stateBucketExists(accountId, region) {
     await client.send(new HeadBucketCommand({ Bucket: bucketName }));
     return true;
   } catch (error) {
-    if (error.name === "NotFound" || error.name === "NoSuchBucket" || error.$metadata?.httpStatusCode === 404) {
+    if (error instanceof Error && (error.name === "NotFound" || error.name === "NoSuchBucket" || error.$metadata?.httpStatusCode === 404)) {
       return false;
     }
     throw error;
@@ -117,7 +117,8 @@ async function ensureStateBucket(accountId, region) {
     await client.send(new HeadBucketCommand({ Bucket: bucketName }));
     return bucketName;
   } catch (error) {
-    if (error.name !== "NotFound" && error.name !== "NoSuchBucket" && error.$metadata?.httpStatusCode !== 404) {
+    const isNotFound = error instanceof Error && (error.name === "NotFound" || error.name === "NoSuchBucket" || error.$metadata?.httpStatusCode === 404);
+    if (!isNotFound) {
       throw error;
     }
   }
@@ -204,7 +205,7 @@ async function downloadMetadata(bucketName, accountId, region) {
     }
     return JSON.parse(body);
   } catch (error) {
-    if (error.name === "NoSuchKey" || error.$metadata?.httpStatusCode === 404) {
+    if (error instanceof Error && (error.name === "NoSuchKey" || error.$metadata?.httpStatusCode === 404)) {
       return null;
     }
     throw error;
@@ -277,7 +278,7 @@ async function migrateLocalPulumiState(localPulumiDir, bucketName, accountId, re
         await s3Stack.importStack(state);
       } catch (error) {
         console.error(
-          `Warning: Failed to migrate stack ${stackName}: ${error.message}`
+          `Warning: Failed to migrate stack ${stackName}: ${error instanceof Error ? error.message : error}`
         );
       }
     }
@@ -351,7 +352,7 @@ async function ensurePulumiWorkDir(options) {
     } catch (error) {
       const clack47 = await import("@clack/prompts");
       clack47.log.warn(
-        `S3 state backend unavailable (${error.message}). Using local state.`
+        `S3 state backend unavailable (${error instanceof Error ? error.message : error}). Using local state.`
       );
     }
   }
@@ -825,8 +826,8 @@ async function isAWSCLIInstalled() {
 }
 async function getAWSCLIVersion() {
   try {
-    const output4 = execSync("aws --version", { encoding: "utf-8" });
-    const match = output4.match(/aws-cli\/(\d+\.\d+\.\d+)/);
+    const output3 = execSync("aws --version", { encoding: "utf-8" });
+    const match = output3.match(/aws-cli\/(\d+\.\d+\.\d+)/);
     return match ? match[1] : null;
   } catch {
     return null;
@@ -1815,7 +1816,7 @@ async function isSESSandbox(region) {
     );
     return false;
   } catch (error) {
-    if (error.name === "InvalidParameterValue") {
+    if (error instanceof Error && error.name === "InvalidParameterValue") {
       return true;
     }
     throw error;
@@ -4057,7 +4058,10 @@ async function loadConnectionMetadata(accountId, region) {
         localData = data;
       }
     } catch (error) {
-      console.error("Error loading connection metadata:", error.message);
+      console.error(
+        "Error loading connection metadata:",
+        error instanceof Error ? error.message : error
+      );
     }
   }
   if (process.env.WRAPS_LOCAL_ONLY !== "1") {
@@ -4115,7 +4119,10 @@ async function saveConnectionMetadata(metadata) {
     const content = JSON.stringify(metadata, null, 2);
     await writeFile3(metadataPath, content, "utf-8");
   } catch (error) {
-    console.error("Error saving connection metadata:", error.message);
+    console.error(
+      "Error saving connection metadata:",
+      error instanceof Error ? error.message : error
+    );
     throw error;
   }
   if (process.env.WRAPS_LOCAL_ONLY !== "1") {
@@ -4165,7 +4172,10 @@ async function listConnections() {
     }
     return connections;
   } catch (error) {
-    console.error("Error listing connections:", error.message);
+    console.error(
+      "Error listing connections:",
+      error instanceof Error ? error.message : error
+    );
     return [];
   }
 }
@@ -4467,10 +4477,10 @@ var init_metadata = __esm({
 async function roleExists(roleName) {
   try {
     const { IAMClient: IAMClient4, GetRoleCommand: GetRoleCommand3 } = await import("@aws-sdk/client-iam");
-    const iam10 = new IAMClient4({
+    const iam9 = new IAMClient4({
       region: process.env.AWS_REGION || "us-east-1"
     });
-    await iam10.send(new GetRoleCommand3({ RoleName: roleName }));
+    await iam9.send(new GetRoleCommand3({ RoleName: roleName }));
     return true;
   } catch (error) {
     if (error instanceof Error && (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity")) {
@@ -4760,7 +4770,7 @@ import { builtinModules } from "module";
 import { tmpdir } from "os";
 import { dirname as dirname2, join as join7 } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
-import * as aws8 from "@pulumi/aws";
+import * as aws7 from "@pulumi/aws";
 import * as pulumi11 from "@pulumi/pulumi";
 import { build } from "esbuild";
 function getPackageRoot() {
@@ -4835,7 +4845,7 @@ Try running: pnpm build`
 }
 async function deployLambdaFunctions(config2) {
   const eventProcessorCode = await getLambdaCode("event-processor");
-  const lambdaRole = new aws8.iam.Role("wraps-email-lambda-role", {
+  const lambdaRole = new aws7.iam.Role("wraps-email-lambda-role", {
     assumeRolePolicy: JSON.stringify({
       Version: "2012-10-17",
       Statement: [
@@ -4850,11 +4860,11 @@ async function deployLambdaFunctions(config2) {
       ManagedBy: "wraps-cli"
     }
   });
-  new aws8.iam.RolePolicyAttachment("wraps-email-lambda-basic-execution", {
+  new aws7.iam.RolePolicyAttachment("wraps-email-lambda-basic-execution", {
     role: lambdaRole.name,
     policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
   });
-  new aws8.iam.RolePolicy("wraps-email-lambda-policy", {
+  new aws7.iam.RolePolicy("wraps-email-lambda-policy", {
     role: lambdaRole.name,
     policy: pulumi11.all([config2.tableName, config2.queueArn]).apply(
       ([tableName, queueArn]) => JSON.stringify({
@@ -4898,7 +4908,7 @@ async function deployLambdaFunctions(config2) {
       RETENTION_DAYS: config2.retentionDays.toString()
     }
   };
-  const eventProcessor = exists ? new aws8.lambda.Function(
+  const eventProcessor = exists ? new aws7.lambda.Function(
     functionName,
     {
       name: functionName,
@@ -4919,7 +4929,7 @@ async function deployLambdaFunctions(config2) {
       import: functionName
       // Import existing function
     }
-  ) : new aws8.lambda.Function(functionName, {
+  ) : new aws7.lambda.Function(functionName, {
     name: functionName,
     runtime: "nodejs24.x",
     handler: "index.handler",
@@ -4949,14 +4959,14 @@ async function deployLambdaFunctions(config2) {
     functionResponseTypes: ["ReportBatchItemFailures"]
     // Enable partial batch responses
   };
-  const eventSourceMapping = existingMappingUuid ? new aws8.lambda.EventSourceMapping(
+  const eventSourceMapping = existingMappingUuid ? new aws7.lambda.EventSourceMapping(
     "wraps-email-event-source-mapping",
     mappingConfig,
     {
       import: existingMappingUuid
       // Import with the UUID
     }
-  ) : new aws8.lambda.EventSourceMapping(
+  ) : new aws7.lambda.EventSourceMapping(
     "wraps-email-event-source-mapping",
     mappingConfig
   );
@@ -4982,7 +4992,7 @@ __export(acm_exports, {
   createACMCertificate: () => createACMCertificate
 });
 import { ACMClient as ACMClient2, DescribeCertificateCommand as DescribeCertificateCommand2 } from "@aws-sdk/client-acm";
-import * as aws12 from "@pulumi/aws";
+import * as aws11 from "@pulumi/aws";
 async function checkCertificateValidation(domain) {
   try {
     const acm3 = new ACMClient2({ region: "us-east-1" });
@@ -5009,10 +5019,10 @@ async function checkCertificateValidation(domain) {
   }
 }
 async function createACMCertificate(config2) {
-  const usEast1Provider = new aws12.Provider("acm-us-east-1", {
+  const usEast1Provider = new aws11.Provider("acm-us-east-1", {
     region: "us-east-1"
   });
-  const certificate = new aws12.acm.Certificate(
+  const certificate = new aws11.acm.Certificate(
     "wraps-email-tracking-cert",
     {
       domainName: config2.domain,
@@ -5035,7 +5045,7 @@ async function createACMCertificate(config2) {
   );
   let certificateValidation;
   if (config2.hostedZoneId) {
-    const validationRecord = new aws12.route53.Record(
+    const validationRecord = new aws11.route53.Record(
       "wraps-email-tracking-cert-validation",
       {
         zoneId: config2.hostedZoneId,
@@ -5045,7 +5055,7 @@ async function createACMCertificate(config2) {
         ttl: 60
       }
     );
-    certificateValidation = new aws12.acm.CertificateValidation(
+    certificateValidation = new aws11.acm.CertificateValidation(
       "wraps-email-tracking-cert-validation-waiter",
       {
         certificateArn: certificate.arn,
@@ -5074,7 +5084,7 @@ var cloudfront_exports = {};
 __export(cloudfront_exports, {
   createCloudFrontTracking: () => createCloudFrontTracking
 });
-import * as aws13 from "@pulumi/aws";
+import * as aws12 from "@pulumi/aws";
 async function findDistributionByAlias(alias) {
   try {
     const { CloudFrontClient, ListDistributionsCommand } = await import("@aws-sdk/client-cloudfront");
@@ -5090,10 +5100,10 @@ async function findDistributionByAlias(alias) {
   }
 }
 async function createWAFWebACL() {
-  const usEast1Provider = new aws13.Provider("waf-us-east-1", {
+  const usEast1Provider = new aws12.Provider("waf-us-east-1", {
     region: "us-east-1"
   });
-  const webAcl = new aws13.wafv2.WebAcl(
+  const webAcl = new aws12.wafv2.WebAcl(
     "wraps-email-tracking-waf",
     {
       scope: "CLOUDFRONT",
@@ -5208,14 +5218,14 @@ async function createCloudFrontTracking(config2) {
       Description: "Wraps email tracking CloudFront distribution"
     }
   };
-  const distribution = existingDistributionId ? new aws13.cloudfront.Distribution(
+  const distribution = existingDistributionId ? new aws12.cloudfront.Distribution(
     "wraps-email-tracking-cdn",
     distributionConfig,
     {
       import: existingDistributionId
       // Import existing distribution
     }
-  ) : new aws13.cloudfront.Distribution(
+  ) : new aws12.cloudfront.Distribution(
     "wraps-email-tracking-cdn",
     distributionConfig
   );
@@ -5396,10 +5406,10 @@ var s3_inbound_exports = {};
 __export(s3_inbound_exports, {
   createS3InboundResources: () => createS3InboundResources
 });
-import * as aws14 from "@pulumi/aws";
+import * as aws13 from "@pulumi/aws";
 async function createS3InboundResources(config2) {
   const bucketName = `wraps-inbound-${config2.accountId}-${config2.region}`;
-  const bucket = new aws14.s3.BucketV2("wraps-inbound-bucket", {
+  const bucket = new aws13.s3.BucketV2("wraps-inbound-bucket", {
     bucket: bucketName,
     forceDestroy: true,
     tags: {
@@ -5407,14 +5417,14 @@ async function createS3InboundResources(config2) {
       Service: "email-inbound"
     }
   });
-  new aws14.s3.BucketPublicAccessBlock("wraps-inbound-public-access-block", {
+  new aws13.s3.BucketPublicAccessBlock("wraps-inbound-public-access-block", {
     bucket: bucket.id,
     blockPublicAcls: true,
     blockPublicPolicy: true,
     ignorePublicAcls: true,
     restrictPublicBuckets: true
   });
-  new aws14.s3.BucketServerSideEncryptionConfigurationV2(
+  new aws13.s3.BucketServerSideEncryptionConfigurationV2(
     "wraps-inbound-encryption",
     {
       bucket: bucket.id,
@@ -5430,7 +5440,7 @@ async function createS3InboundResources(config2) {
   if (config2.retention) {
     const retentionDays = retentionToDays2(config2.retention);
     if (retentionDays > 0) {
-      new aws14.s3.BucketLifecycleConfigurationV2("wraps-inbound-lifecycle", {
+      new aws13.s3.BucketLifecycleConfigurationV2("wraps-inbound-lifecycle", {
         bucket: bucket.id,
         rules: [
           {
@@ -5444,8 +5454,8 @@ async function createS3InboundResources(config2) {
       });
     }
   }
-  const identity = await aws14.getCallerIdentity();
-  new aws14.s3.BucketPolicy("wraps-inbound-bucket-policy", {
+  const identity = await aws13.getCallerIdentity();
+  new aws13.s3.BucketPolicy("wraps-inbound-bucket-policy", {
     bucket: bucket.id,
     policy: bucket.arn.apply(
       (arn) => JSON.stringify({
@@ -5487,9 +5497,9 @@ var sqs_inbound_exports = {};
 __export(sqs_inbound_exports, {
   createSQSInboundResources: () => createSQSInboundResources
 });
-import * as aws15 from "@pulumi/aws";
+import * as aws14 from "@pulumi/aws";
 function createSQSInboundResources() {
-  const dlq = new aws15.sqs.Queue("wraps-inbound-events-dlq", {
+  const dlq = new aws14.sqs.Queue("wraps-inbound-events-dlq", {
     name: "wraps-inbound-events-dlq",
     messageRetentionSeconds: 1209600,
     // 14 days
@@ -5499,7 +5509,7 @@ function createSQSInboundResources() {
       Description: "Dead letter queue for failed inbound email processing"
     }
   });
-  const queue = new aws15.sqs.Queue("wraps-inbound-events", {
+  const queue = new aws14.sqs.Queue("wraps-inbound-events", {
     name: "wraps-inbound-events",
     visibilityTimeoutSeconds: 300,
     // Must be >= Lambda timeout (120s) * 2 + buffer
@@ -5536,11 +5546,11 @@ var lambda_inbound_exports = {};
 __export(lambda_inbound_exports, {
   deployInboundLambda: () => deployInboundLambda
 });
-import * as aws16 from "@pulumi/aws";
+import * as aws15 from "@pulumi/aws";
 import * as pulumi12 from "@pulumi/pulumi";
 async function deployInboundLambda(config2) {
   const inboundProcessorCode = await getLambdaCode("inbound-processor");
-  const lambdaRole = new aws16.iam.Role("wraps-inbound-lambda-role", {
+  const lambdaRole = new aws15.iam.Role("wraps-inbound-lambda-role", {
     name: "wraps-inbound-lambda-role",
     assumeRolePolicy: JSON.stringify({
       Version: "2012-10-17",
@@ -5557,11 +5567,11 @@ async function deployInboundLambda(config2) {
       Service: "email-inbound"
     }
   });
-  new aws16.iam.RolePolicyAttachment("wraps-inbound-lambda-basic-execution", {
+  new aws15.iam.RolePolicyAttachment("wraps-inbound-lambda-basic-execution", {
     role: lambdaRole.name,
     policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
   });
-  new aws16.iam.RolePolicy("wraps-inbound-lambda-policy", {
+  new aws15.iam.RolePolicy("wraps-inbound-lambda-policy", {
     role: lambdaRole.name,
     policy: pulumi12.all([config2.bucketArn, config2.dlqArn]).apply(
       ([bucketArn, dlqArn]) => JSON.stringify({
@@ -5590,7 +5600,7 @@ async function deployInboundLambda(config2) {
     )
   });
   const functionName = "wraps-inbound-email-processor";
-  const lambdaFunction = new aws16.lambda.Function(functionName, {
+  const lambdaFunction = new aws15.lambda.Function(functionName, {
     name: functionName,
     runtime: "nodejs20.x",
     handler: "index.handler",
@@ -5612,7 +5622,7 @@ async function deployInboundLambda(config2) {
       Service: "email-inbound"
     }
   });
-  const s3InvokePermission = new aws16.lambda.Permission(
+  const s3InvokePermission = new aws15.lambda.Permission(
     "wraps-inbound-s3-invoke",
     {
       action: "lambda:InvokeFunction",
@@ -5640,9 +5650,9 @@ var eventbridge_inbound_exports = {};
 __export(eventbridge_inbound_exports, {
   createEventBridgeInboundResources: () => createEventBridgeInboundResources
 });
-import * as aws17 from "@pulumi/aws";
+import * as aws16 from "@pulumi/aws";
 function createEventBridgeInboundResources(config2) {
-  const rule = new aws17.cloudwatch.EventRule("wraps-inbound-events-rule", {
+  const rule = new aws16.cloudwatch.EventRule("wraps-inbound-events-rule", {
     name: "wraps-inbound-events-to-webhook",
     description: "Route inbound email events to webhook",
     eventBusName: "default",
@@ -5659,7 +5669,7 @@ function createEventBridgeInboundResources(config2) {
   let webhookApiDestination;
   let webhookTarget;
   if (config2.webhookUrl && config2.webhookSecret) {
-    webhookConnection = new aws17.cloudwatch.EventConnection(
+    webhookConnection = new aws16.cloudwatch.EventConnection(
       "wraps-inbound-webhook-connection",
       {
         name: "wraps-inbound-webhook-connection",
@@ -5673,7 +5683,7 @@ function createEventBridgeInboundResources(config2) {
         }
       }
     );
-    webhookApiDestination = new aws17.cloudwatch.EventApiDestination(
+    webhookApiDestination = new aws16.cloudwatch.EventApiDestination(
       "wraps-inbound-webhook-destination",
       {
         name: "wraps-inbound-webhook-destination",
@@ -5684,7 +5694,7 @@ function createEventBridgeInboundResources(config2) {
         invocationRateLimitPerSecond: 100
       }
     );
-    const webhookRole = new aws17.iam.Role("wraps-inbound-webhook-role", {
+    const webhookRole = new aws16.iam.Role("wraps-inbound-webhook-role", {
       name: "wraps-inbound-eventbridge-webhook-role",
       assumeRolePolicy: JSON.stringify({
         Version: "2012-10-17",
@@ -5703,7 +5713,7 @@ function createEventBridgeInboundResources(config2) {
         Service: "email-inbound"
       }
     });
-    new aws17.iam.RolePolicy("wraps-inbound-webhook-policy", {
+    new aws16.iam.RolePolicy("wraps-inbound-webhook-policy", {
       role: webhookRole.name,
       policy: webhookApiDestination.arn.apply(
         (destArn) => JSON.stringify({
@@ -5718,7 +5728,7 @@ function createEventBridgeInboundResources(config2) {
         })
       )
     });
-    webhookTarget = new aws17.cloudwatch.EventTarget(
+    webhookTarget = new aws16.cloudwatch.EventTarget(
       "wraps-inbound-webhook-target",
       {
         rule: rule.name,
@@ -9419,13 +9429,12 @@ async function deleteCdnDNSRecords(hostedZoneId, customDomain) {
 // src/commands/cdn/init.ts
 init_esm_shims();
 import * as clack10 from "@clack/prompts";
-import * as pulumi4 from "@pulumi/pulumi";
+import * as pulumi5 from "@pulumi/pulumi";
 import pc11 from "picocolors";
 
 // src/infrastructure/cdn-stack.ts
 init_esm_shims();
-import * as aws3 from "@pulumi/aws";
-import * as pulumi3 from "@pulumi/pulumi";
+import * as pulumi4 from "@pulumi/pulumi";
 
 // src/infrastructure/resources/s3-cdn.ts
 init_esm_shims();
@@ -9749,19 +9758,133 @@ async function createCdnACMCertificate(config2) {
   };
 }
 
-// src/infrastructure/cdn-stack.ts
+// src/infrastructure/shared/iam.ts
+init_esm_shims();
 init_resource_checks();
+import * as aws2 from "@pulumi/aws";
+import * as pulumi3 from "@pulumi/pulumi";
+async function createServiceIAMRole(config2) {
+  let assumeRolePolicy;
+  if (config2.provider === "vercel" && config2.oidcProvider) {
+    const hasAdditionalPrincipals = config2.additionalVercelPrincipals && config2.additionalVercelPrincipals.length > 0;
+    if (hasAdditionalPrincipals) {
+      const serviceStatement = JSON.stringify({
+        Effect: "Allow",
+        Principal: {
+          Service: config2.additionalVercelPrincipals.length === 1 ? config2.additionalVercelPrincipals[0] : config2.additionalVercelPrincipals
+        },
+        Action: "sts:AssumeRole"
+      });
+      assumeRolePolicy = pulumi3.interpolate`{
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Federated": "${config2.oidcProvider.arn}"
+          },
+          "Action": "sts:AssumeRoleWithWebIdentity",
+          "Condition": {
+            "StringEquals": {
+              "oidc.vercel.com/${config2.vercelTeamSlug}:aud": "https://vercel.com/${config2.vercelTeamSlug}"
+            },
+            "StringLike": {
+              "oidc.vercel.com/${config2.vercelTeamSlug}:sub": "owner:${config2.vercelTeamSlug}:project:${config2.vercelProjectName}:environment:*"
+            }
+          }
+        },
+        ${serviceStatement}
+      ]
+    }`;
+    } else {
+      assumeRolePolicy = pulumi3.interpolate`{
+      "Version": "2012-10-17",
+      "Statement": [{
+        "Effect": "Allow",
+        "Principal": {
+          "Federated": "${config2.oidcProvider.arn}"
+        },
+        "Action": "sts:AssumeRoleWithWebIdentity",
+        "Condition": {
+          "StringEquals": {
+            "oidc.vercel.com/${config2.vercelTeamSlug}:aud": "https://vercel.com/${config2.vercelTeamSlug}"
+          },
+          "StringLike": {
+            "oidc.vercel.com/${config2.vercelTeamSlug}:sub": "owner:${config2.vercelTeamSlug}:project:${config2.vercelProjectName}:environment:*"
+          }
+        }
+      }]
+    }`;
+    }
+  } else if (config2.provider === "aws") {
+    assumeRolePolicy = pulumi3.output(`{
+      "Version": "2012-10-17",
+      "Statement": [{
+        "Effect": "Allow",
+        "Principal": {
+          "Service": ["lambda.amazonaws.com", "ec2.amazonaws.com", "ecs-tasks.amazonaws.com"]
+        },
+        "Action": "sts:AssumeRole"
+      }]
+    }`);
+  } else {
+    throw new Error("Other providers not yet implemented");
+  }
+  const roleName = `wraps-${config2.serviceName}-role`;
+  const exists = await roleExists(roleName);
+  const tags = {
+    ManagedBy: "wraps-cli",
+    Provider: config2.provider,
+    ...config2.extraTags
+  };
+  const role = exists ? new aws2.iam.Role(
+    roleName,
+    { name: roleName, assumeRolePolicy, tags },
+    {
+      import: roleName,
+      ...config2.customTimeouts && {
+        customTimeouts: config2.customTimeouts
+      }
+    }
+  ) : new aws2.iam.Role(
+    roleName,
+    { name: roleName, assumeRolePolicy, tags },
+    config2.customTimeouts ? { customTimeouts: config2.customTimeouts } : void 0
+  );
+  const policyName = `wraps-${config2.serviceName}-policy`;
+  const isOutputStatements = pulumi3.Output.isInstance(config2.policyStatements);
+  if (isOutputStatements) {
+    new aws2.iam.RolePolicy(policyName, {
+      role: role.name,
+      policy: config2.policyStatements.apply(
+        (stmts) => JSON.stringify({
+          Version: "2012-10-17",
+          Statement: stmts
+        })
+      )
+    });
+  } else {
+    new aws2.iam.RolePolicy(policyName, {
+      role: role.name,
+      policy: JSON.stringify({
+        Version: "2012-10-17",
+        Statement: config2.policyStatements
+      })
+    });
+  }
+  return role;
+}
 
 // src/infrastructure/vercel-oidc.ts
 init_esm_shims();
-import * as aws2 from "@pulumi/aws";
+import * as aws3 from "@pulumi/aws";
 async function getExistingOIDCProviderArn(url) {
   try {
     const { IAMClient: IAMClient4, ListOpenIDConnectProvidersCommand } = await import("@aws-sdk/client-iam");
-    const iam10 = new IAMClient4({
+    const iam9 = new IAMClient4({
       region: process.env.AWS_REGION || "us-east-1"
     });
-    const response = await iam10.send(new ListOpenIDConnectProvidersCommand({}));
+    const response = await iam9.send(new ListOpenIDConnectProvidersCommand({}));
     const expectedArnSuffix = url.replace("https://", "");
     const provider = response.OpenIDConnectProviderList?.find(
       (p) => p.Arn?.endsWith(expectedArnSuffix)
@@ -9776,7 +9899,7 @@ async function createVercelOIDC(config2) {
   const url = `https://oidc.vercel.com/${config2.teamSlug}`;
   const existingArn = await getExistingOIDCProviderArn(url);
   if (existingArn) {
-    return new aws2.iam.OpenIdConnectProvider(
+    return new aws3.iam.OpenIdConnectProvider(
       "wraps-vercel-oidc",
       {
         url,
@@ -9797,7 +9920,7 @@ async function createVercelOIDC(config2) {
       }
     );
   }
-  return new aws2.iam.OpenIdConnectProvider("wraps-vercel-oidc", {
+  return new aws3.iam.OpenIdConnectProvider("wraps-vercel-oidc", {
     url,
     clientIdLists: [`https://vercel.com/${config2.teamSlug}`],
     thumbprintLists: [
@@ -9814,104 +9937,46 @@ async function createVercelOIDC(config2) {
 
 // src/infrastructure/cdn-stack.ts
 async function createCdnIAMRole(config2) {
-  let assumeRolePolicy;
-  if (config2.provider === "vercel" && config2.oidcProvider) {
-    assumeRolePolicy = pulumi3.interpolate`{
-      "Version": "2012-10-17",
-      "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-          "Federated": "${config2.oidcProvider.arn}"
-        },
-        "Action": "sts:AssumeRoleWithWebIdentity",
-        "Condition": {
-          "StringEquals": {
-            "oidc.vercel.com/${config2.vercelTeamSlug}:aud": "https://vercel.com/${config2.vercelTeamSlug}"
-          },
-          "StringLike": {
-            "oidc.vercel.com/${config2.vercelTeamSlug}:sub": "owner:${config2.vercelTeamSlug}:project:${config2.vercelProjectName}:environment:*"
-          }
-        }
-      }]
-    }`;
-  } else if (config2.provider === "aws") {
-    assumeRolePolicy = pulumi3.output(`{
-      "Version": "2012-10-17",
-      "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-          "Service": ["lambda.amazonaws.com", "ec2.amazonaws.com", "ecs-tasks.amazonaws.com"]
-        },
-        "Action": "sts:AssumeRole"
-      }]
-    }`);
-  } else {
-    throw new Error("Other providers not yet implemented");
-  }
-  const roleName = "wraps-cdn-role";
-  const exists = await roleExists(roleName);
-  const role = exists ? new aws3.iam.Role(
-    roleName,
-    {
-      name: roleName,
-      assumeRolePolicy,
-      tags: {
-        ManagedBy: "wraps-cli",
-        Service: "cdn",
-        Provider: config2.provider
+  const resolvedStatements = pulumi4.all([config2.bucketArn, config2.distributionArn]).apply(([bucketArn, distributionArn]) => {
+    const statements = [
+      {
+        Sid: "StorageBucketAccess",
+        Effect: "Allow",
+        Action: [
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:DeleteObject",
+          "s3:ListBucket",
+          "s3:GetBucketLocation",
+          "s3:GetObjectTagging",
+          "s3:PutObjectTagging"
+        ],
+        Resource: [bucketArn, `${bucketArn}/*`]
       }
-    },
-    {
-      import: roleName
-    }
-  ) : new aws3.iam.Role(roleName, {
-    name: roleName,
-    assumeRolePolicy,
-    tags: {
-      ManagedBy: "wraps-cli",
-      Service: "cdn",
-      Provider: config2.provider
+    ];
+    if (distributionArn) {
+      statements.push({
+        Sid: "CloudFrontInvalidation",
+        Effect: "Allow",
+        Action: [
+          "cloudfront:CreateInvalidation",
+          "cloudfront:GetInvalidation",
+          "cloudfront:ListInvalidations"
+        ],
+        Resource: distributionArn
+      });
     }
+    return statements;
   });
-  const statements = [
-    // S3 bucket access
-    {
-      Sid: "StorageBucketAccess",
-      Effect: "Allow",
-      Action: [
-        "s3:PutObject",
-        "s3:GetObject",
-        "s3:DeleteObject",
-        "s3:ListBucket",
-        "s3:GetBucketLocation",
-        "s3:GetObjectTagging",
-        "s3:PutObjectTagging"
-      ],
-      Resource: [config2.bucketArn, pulumi3.interpolate`${config2.bucketArn}/*`]
-    }
-  ];
-  if (config2.distributionArn) {
-    statements.push({
-      Sid: "CloudFrontInvalidation",
-      Effect: "Allow",
-      Action: [
-        "cloudfront:CreateInvalidation",
-        "cloudfront:GetInvalidation",
-        "cloudfront:ListInvalidations"
-      ],
-      Resource: config2.distributionArn
-    });
-  }
-  new aws3.iam.RolePolicy("wraps-cdn-policy", {
-    role: role.name,
-    policy: pulumi3.all([statements]).apply(
-      ([stmts]) => JSON.stringify({
-        Version: "2012-10-17",
-        Statement: stmts
-      })
-    )
+  return createServiceIAMRole({
+    serviceName: "cdn",
+    provider: config2.provider,
+    oidcProvider: config2.oidcProvider,
+    vercelTeamSlug: config2.vercelTeamSlug,
+    vercelProjectName: config2.vercelProjectName,
+    policyStatements: resolvedStatements,
+    extraTags: { Service: "cdn" }
   });
-  return role;
 }
 async function deployCdnStack(config2) {
   const accountId = config2.accountId;
@@ -9943,7 +10008,7 @@ async function deployCdnStack(config2) {
   if (config2.cdnConfig.cdn.enabled) {
     const hasAutoValidation2 = acmResources?.certificateValidation;
     const useCertFromUpgrade = config2.certValidated && config2.existingCertArn;
-    const certificateArn = useCertFromUpgrade ? pulumi3.output(config2.existingCertArn) : hasAutoValidation2 ? acmResources?.certificateValidation?.certificateArn : void 0;
+    const certificateArn = useCertFromUpgrade ? pulumi4.output(config2.existingCertArn) : hasAutoValidation2 ? acmResources?.certificateValidation?.certificateArn : void 0;
     const customDomainForCdn = useCertFromUpgrade || hasAutoValidation2 ? config2.cdnConfig.cdn.customDomain : void 0;
     cdnResources = await createCdnDistribution({
       bucket: bucketResources.bucket,
@@ -10529,7 +10594,7 @@ ${pc11.yellow(pc11.bold("Configuration Notes:"))}`);
         "Generating infrastructure preview",
         async () => {
           await ensurePulumiWorkDir({ accountId: identity.accountId, region });
-          const stack = await pulumi4.automation.LocalWorkspace.createOrSelectStack(
+          const stack = await pulumi5.automation.LocalWorkspace.createOrSelectStack(
             {
               stackName: `wraps-cdn-${identity.accountId}-${region}`,
               projectName: "wraps-cdn",
@@ -10594,7 +10659,7 @@ ${pc11.yellow(pc11.bold("Configuration Notes:"))}`);
       "Deploying CDN infrastructure (this may take 2-3 minutes)",
       async () => {
         await ensurePulumiWorkDir({ accountId: identity.accountId, region });
-        const stack = await pulumi4.automation.LocalWorkspace.createOrSelectStack(
+        const stack = await pulumi5.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: `wraps-cdn-${identity.accountId}-${region}`,
             projectName: "wraps-cdn",
@@ -10929,7 +10994,7 @@ init_aws();
 init_fs();
 init_metadata();
 import * as clack11 from "@clack/prompts";
-import * as pulumi5 from "@pulumi/pulumi";
+import * as pulumi6 from "@pulumi/pulumi";
 import pc12 from "picocolors";
 async function cdnStatus(options) {
   const startTime = Date.now();
@@ -10965,7 +11030,7 @@ async function cdnStatus(options) {
   let stackOutputs = {};
   try {
     await ensurePulumiWorkDir({ accountId: identity.accountId, region });
-    const stack = await pulumi5.automation.LocalWorkspace.selectStack({
+    const stack = await pulumi6.automation.LocalWorkspace.selectStack({
       stackName: `wraps-cdn-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
     });
@@ -11087,7 +11152,7 @@ ${pc12.bold("Commands:")}`);
 // src/commands/cdn/sync.ts
 init_esm_shims();
 import * as clack12 from "@clack/prompts";
-import * as pulumi6 from "@pulumi/pulumi";
+import * as pulumi7 from "@pulumi/pulumi";
 import pc13 from "picocolors";
 init_client();
 init_events();
@@ -11143,7 +11208,7 @@ async function cdnSync(options) {
   if (cdnConfig.cdn.customDomain) {
     try {
       await ensurePulumiWorkDir({ accountId: identity.accountId, region });
-      const checkStack = await pulumi6.automation.LocalWorkspace.selectStack({
+      const checkStack = await pulumi7.automation.LocalWorkspace.selectStack({
         stackName: `wraps-cdn-${identity.accountId}-${region}`,
         workDir: getPulumiWorkDir()
       });
@@ -11180,7 +11245,7 @@ async function cdnSync(options) {
   try {
     await progress.execute("Syncing CDN infrastructure", async () => {
       await ensurePulumiWorkDir({ accountId: identity.accountId, region });
-      const stack = await pulumi6.automation.LocalWorkspace.createOrSelectStack(
+      const stack = await pulumi7.automation.LocalWorkspace.createOrSelectStack(
         {
           stackName: `wraps-cdn-${identity.accountId}-${region}`,
           projectName: "wraps-cdn",
@@ -11242,7 +11307,7 @@ async function cdnSync(options) {
 // src/commands/cdn/upgrade.ts
 init_esm_shims();
 import * as clack13 from "@clack/prompts";
-import * as pulumi7 from "@pulumi/pulumi";
+import * as pulumi8 from "@pulumi/pulumi";
 import pc14 from "picocolors";
 init_client();
 init_events();
@@ -11298,7 +11363,7 @@ async function cdnUpgrade(options) {
   let stackOutputs = {};
   try {
     await ensurePulumiWorkDir({ accountId: identity.accountId, region });
-    const stack = await pulumi7.automation.LocalWorkspace.selectStack({
+    const stack = await pulumi8.automation.LocalWorkspace.selectStack({
       stackName: `wraps-cdn-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
     });
@@ -11436,7 +11501,7 @@ Ready to add custom domain: ${pc14.cyan(pendingDomain)}`);
       "Updating CloudFront distribution (this may take 2-3 minutes)",
       async () => {
         await ensurePulumiWorkDir({ accountId: identity.accountId, region });
-        const stack = await pulumi7.automation.LocalWorkspace.createOrSelectStack(
+        const stack = await pulumi8.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: `wraps-cdn-${identity.accountId}-${region}`,
             projectName: "wraps-cdn",
@@ -11524,7 +11589,7 @@ init_aws();
 init_fs();
 init_metadata();
 import * as clack14 from "@clack/prompts";
-import * as pulumi8 from "@pulumi/pulumi";
+import * as pulumi9 from "@pulumi/pulumi";
 import pc15 from "picocolors";
 async function checkDNSRecord(hostname, expectedValue) {
   try {
@@ -11607,7 +11672,7 @@ async function cdnVerify(options) {
   let stackOutputs = {};
   try {
     await ensurePulumiWorkDir({ accountId: identity.accountId, region });
-    const stack = await pulumi8.automation.LocalWorkspace.selectStack({
+    const stack = await pulumi9.automation.LocalWorkspace.selectStack({
       stackName: `wraps-cdn-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
     });
@@ -14754,7 +14819,7 @@ import pc17 from "picocolors";
 // src/infrastructure/email-stack.ts
 init_esm_shims();
 init_dist();
-import * as aws18 from "@pulumi/aws";
+import * as aws17 from "@pulumi/aws";
 
 // src/infrastructure/resources/alerting.ts
 init_esm_shims();
@@ -15022,7 +15087,7 @@ async function createDynamoDBTables(_config) {
 // src/infrastructure/resources/eventbridge.ts
 init_esm_shims();
 import * as aws6 from "@pulumi/aws";
-import * as pulumi9 from "@pulumi/pulumi";
+import * as pulumi10 from "@pulumi/pulumi";
 async function createEventBridgeResources(config2) {
   const eventBusName = config2.eventBusArn.apply((arn) => arn.split("/").pop());
   const rule = new aws6.cloudwatch.EventRule("wraps-email-events-rule", {
@@ -15040,7 +15105,7 @@ async function createEventBridgeResources(config2) {
   });
   new aws6.sqs.QueuePolicy("wraps-email-events-queue-policy", {
     queueUrl: config2.queueUrl,
-    policy: pulumi9.all([config2.queueArn, rule.arn]).apply(
+    policy: pulumi10.all([config2.queueArn, rule.arn]).apply(
       ([queueArn, ruleArn]) => JSON.stringify({
         Version: "2012-10-17",
         Statement: [
@@ -15149,68 +15214,7 @@ async function createEventBridgeResources(config2) {
 
 // src/infrastructure/resources/iam.ts
 init_esm_shims();
-init_resource_checks();
-import * as aws7 from "@pulumi/aws";
-import * as pulumi10 from "@pulumi/pulumi";
 async function createIAMRole(config2) {
-  let assumeRolePolicy;
-  if (config2.provider === "vercel" && config2.oidcProvider) {
-    assumeRolePolicy = pulumi10.interpolate`{
-      "Version": "2012-10-17",
-      "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-          "Federated": "${config2.oidcProvider.arn}"
-        },
-        "Action": "sts:AssumeRoleWithWebIdentity",
-        "Condition": {
-          "StringEquals": {
-            "oidc.vercel.com/${config2.vercelTeamSlug}:aud": "https://vercel.com/${config2.vercelTeamSlug}"
-          },
-          "StringLike": {
-            "oidc.vercel.com/${config2.vercelTeamSlug}:sub": "owner:${config2.vercelTeamSlug}:project:${config2.vercelProjectName}:environment:*"
-          }
-        }
-      }]
-    }`;
-  } else if (config2.provider === "aws") {
-    assumeRolePolicy = pulumi10.output(`{
-      "Version": "2012-10-17",
-      "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-          "Service": ["lambda.amazonaws.com", "ec2.amazonaws.com", "ecs-tasks.amazonaws.com"]
-        },
-        "Action": "sts:AssumeRole"
-      }]
-    }`);
-  } else {
-    throw new Error("Other providers not yet implemented");
-  }
-  const roleName = "wraps-email-role";
-  const exists = await roleExists(roleName);
-  const role = exists ? new aws7.iam.Role(
-    roleName,
-    {
-      name: roleName,
-      assumeRolePolicy,
-      tags: {
-        ManagedBy: "wraps-cli",
-        Provider: config2.provider
-      }
-    },
-    {
-      import: roleName
-      // Import existing role (use role name, not ARN)
-    }
-  ) : new aws7.iam.Role(roleName, {
-    name: roleName,
-    assumeRolePolicy,
-    tags: {
-      ManagedBy: "wraps-cli",
-      Provider: config2.provider
-    }
-  });
   const statements = [];
   statements.push({
     Effect: "Allow",
@@ -15316,14 +15320,14 @@ async function createIAMRole(config2) {
       Resource: "arn:aws:ses:*:*:mailmanager-archive/*"
     });
   }
-  new aws7.iam.RolePolicy("wraps-email-policy", {
-    role: role.name,
-    policy: JSON.stringify({
-      Version: "2012-10-17",
-      Statement: statements
-    })
+  return createServiceIAMRole({
+    serviceName: "email",
+    provider: config2.provider,
+    oidcProvider: config2.oidcProvider,
+    vercelTeamSlug: config2.vercelTeamSlug,
+    vercelProjectName: config2.vercelProjectName,
+    policyStatements: statements
   });
-  return role;
 }
 
 // src/infrastructure/email-stack.ts
@@ -15331,7 +15335,7 @@ init_lambda();
 
 // src/infrastructure/resources/ses.ts
 init_esm_shims();
-import * as aws9 from "@pulumi/aws";
+import * as aws8 from "@pulumi/aws";
 async function configurationSetExists(configSetName, region) {
   try {
     const { SESv2Client: SESv2Client6, GetConfigurationSetCommand: GetConfigurationSetCommand2 } = await import("@aws-sdk/client-sesv2");
@@ -15341,7 +15345,7 @@ async function configurationSetExists(configSetName, region) {
     );
     return true;
   } catch (error) {
-    if (error.name === "NotFoundException") {
+    if (error instanceof Error && error.name === "NotFoundException") {
       return false;
     }
     console.error("Error checking for existing configuration set:", error);
@@ -15359,7 +15363,7 @@ async function eventDestinationExists(configSetName, eventDestName, region) {
     );
     return response.EventDestinations?.some((dest) => dest.Name === eventDestName) ?? false;
   } catch (error) {
-    if (error.name === "NotFoundException") {
+    if (error instanceof Error && error.name === "NotFoundException") {
       return false;
     }
     return false;
@@ -15374,7 +15378,7 @@ async function emailIdentityExists(emailIdentity, region) {
     );
     return true;
   } catch (error) {
-    if (error.name === "NotFoundException") {
+    if (error instanceof Error && error.name === "NotFoundException") {
       return false;
     }
     console.error("Error checking for existing email identity:", error);
@@ -15409,16 +15413,16 @@ async function createSESResources(config2) {
   }
   const configSetName = "wraps-email-tracking";
   const exists = await configurationSetExists(configSetName, config2.region);
-  const configSet = exists ? new aws9.sesv2.ConfigurationSet(configSetName, configSetOptions, {
+  const configSet = exists ? new aws8.sesv2.ConfigurationSet(configSetName, configSetOptions, {
     import: configSetName
     // Import existing configuration set
-  }) : new aws9.sesv2.ConfigurationSet(configSetName, configSetOptions);
-  const defaultEventBus = aws9.cloudwatch.getEventBusOutput({
+  }) : new aws8.sesv2.ConfigurationSet(configSetName, configSetOptions);
+  const defaultEventBus = aws8.cloudwatch.getEventBusOutput({
     name: "default"
   });
   if (config2.eventTrackingEnabled) {
     const eventDestName = "wraps-email-eventbridge";
-    new aws9.sesv2.ConfigurationSetEventDestination(
+    new aws8.sesv2.ConfigurationSetEventDestination(
       "wraps-email-all-events",
       {
         configurationSetName: configSet.configurationSetName,
@@ -15458,7 +15462,7 @@ async function createSESResources(config2) {
       config2.domain,
       config2.region
     );
-    domainIdentity = identityExists ? new aws9.sesv2.EmailIdentity(
+    domainIdentity = identityExists ? new aws8.sesv2.EmailIdentity(
       "wraps-email-domain",
       {
         emailIdentity: config2.domain,
@@ -15475,7 +15479,7 @@ async function createSESResources(config2) {
         import: config2.domain
         // Import existing identity
       }
-    ) : new aws9.sesv2.EmailIdentity("wraps-email-domain", {
+    ) : new aws8.sesv2.EmailIdentity("wraps-email-domain", {
       emailIdentity: config2.domain,
       configurationSetName: configSet.configurationSetName,
       // Link configuration set to domain
@@ -15491,7 +15495,7 @@ async function createSESResources(config2) {
     );
     if (config2.mailFromDomain) {
       mailFromDomain = config2.mailFromDomain;
-      new aws9.sesv2.EmailIdentityMailFromAttributes(
+      new aws8.sesv2.EmailIdentityMailFromAttributes(
         "wraps-email-mail-from",
         {
           emailIdentity: config2.domain,
@@ -15522,7 +15526,7 @@ async function createSESResources(config2) {
 // src/infrastructure/resources/smtp-credentials.ts
 init_esm_shims();
 import { createHmac as createHmac2 } from "crypto";
-import * as aws10 from "@pulumi/aws";
+import * as aws9 from "@pulumi/aws";
 function convertToSMTPPassword2(secretAccessKey, region) {
   const DATE = "11111111";
   const SERVICE = "ses";
@@ -15543,13 +15547,13 @@ function convertToSMTPPassword2(secretAccessKey, region) {
 async function userExists(userName) {
   try {
     const { IAMClient: IAMClient4, GetUserCommand } = await import("@aws-sdk/client-iam");
-    const iam10 = new IAMClient4({
+    const iam9 = new IAMClient4({
       region: process.env.AWS_REGION || "us-east-1"
     });
-    await iam10.send(new GetUserCommand({ UserName: userName }));
+    await iam9.send(new GetUserCommand({ UserName: userName }));
     return true;
   } catch (error) {
-    if (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity") {
+    if (error instanceof Error && (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity")) {
       return false;
     }
     return false;
@@ -15558,7 +15562,7 @@ async function userExists(userName) {
 async function createSMTPCredentials(config2) {
   const userName = "wraps-email-smtp-user";
   const userAlreadyExists = await userExists(userName);
-  const iamUser = userAlreadyExists ? new aws10.iam.User(
+  const iamUser = userAlreadyExists ? new aws9.iam.User(
     userName,
     {
       name: userName,
@@ -15568,14 +15572,14 @@ async function createSMTPCredentials(config2) {
       }
     },
     { import: userName }
-  ) : new aws10.iam.User(userName, {
+  ) : new aws9.iam.User(userName, {
     name: userName,
     tags: {
       ManagedBy: "wraps-cli",
       Purpose: "SES SMTP Authentication"
     }
   });
-  new aws10.iam.UserPolicy("wraps-email-smtp-policy", {
+  new aws9.iam.UserPolicy("wraps-email-smtp-policy", {
     user: iamUser.name,
     policy: JSON.stringify({
       Version: "2012-10-17",
@@ -15593,7 +15597,7 @@ async function createSMTPCredentials(config2) {
       ]
     })
   });
-  const accessKey = new aws10.iam.AccessKey("wraps-email-smtp-key", {
+  const accessKey = new aws9.iam.AccessKey("wraps-email-smtp-key", {
     user: iamUser.name
   });
   const smtpPassword = accessKey.secret.apply(
@@ -15608,9 +15612,9 @@ async function createSMTPCredentials(config2) {
 
 // src/infrastructure/resources/sqs.ts
 init_esm_shims();
-import * as aws11 from "@pulumi/aws";
+import * as aws10 from "@pulumi/aws";
 async function createSQSResources() {
-  const dlq = new aws11.sqs.Queue("wraps-email-events-dlq", {
+  const dlq = new aws10.sqs.Queue("wraps-email-events-dlq", {
     name: "wraps-email-events-dlq",
     messageRetentionSeconds: 1209600,
     // 14 days
@@ -15619,7 +15623,7 @@ async function createSQSResources() {
       Description: "Dead letter queue for failed SES event processing"
     }
   });
-  const queue = new aws11.sqs.Queue("wraps-email-events", {
+  const queue = new aws10.sqs.Queue("wraps-email-events", {
     name: "wraps-email-events",
     visibilityTimeoutSeconds: 60,
     // Must be >= Lambda timeout
@@ -15647,7 +15651,7 @@ async function createSQSResources() {
 
 // src/infrastructure/email-stack.ts
 async function deployEmailStack(config2) {
-  const identity = await aws18.getCallerIdentity();
+  const identity = await aws17.getCallerIdentity();
   const accountId = identity.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {
@@ -15810,7 +15814,7 @@ async function deployEmailStack(config2) {
       region: config2.region,
       dlqArn: sqsInbound.dlq.arn
     });
-    new aws18.s3.BucketNotification(
+    new aws17.s3.BucketNotification(
       "wraps-inbound-s3-notification",
       {
         bucket: s3Inbound.bucket.id,
@@ -16200,7 +16204,10 @@ async function scanSESIdentities(region) {
     }
     return identities;
   } catch (error) {
-    console.error("Error scanning SES identities:", error.message);
+    console.error(
+      "Error scanning SES identities:",
+      error instanceof Error ? error.message : error
+    );
     return [];
   }
 }
@@ -16227,12 +16234,18 @@ async function scanSESConfigurationSets(region) {
           eventDestinations
         });
       } catch (error) {
-        console.error(`Error describing config set ${name}:`, error.message);
+        console.error(
+          `Error describing config set ${name}:`,
+          error instanceof Error ? error.message : error
+        );
       }
     }
     return configSets;
   } catch (error) {
-    console.error("Error scanning SES configuration sets:", error.message);
+    console.error(
+      "Error scanning SES configuration sets:",
+      error instanceof Error ? error.message : error
+    );
     return [];
   }
 }
@@ -16260,13 +16273,16 @@ async function scanSNSTopics(region) {
       } catch (error) {
         console.error(
           `Error getting topic attributes for ${arn}:`,
-          error.message
+          error instanceof Error ? error.message : error
         );
       }
     }
     return topics;
   } catch (error) {
-    console.error("Error scanning SNS topics:", error.message);
+    console.error(
+      "Error scanning SNS topics:",
+      error instanceof Error ? error.message : error
+    );
     return [];
   }
 }
@@ -16291,12 +16307,18 @@ async function scanDynamoTables(region) {
           });
         }
       } catch (error) {
-        console.error(`Error describing table ${name}:`, error.message);
+        console.error(
+          `Error describing table ${name}:`,
+          error instanceof Error ? error.message : error
+        );
       }
     }
     return tables;
   } catch (error) {
-    console.error("Error scanning DynamoDB tables:", error.message);
+    console.error(
+      "Error scanning DynamoDB tables:",
+      error instanceof Error ? error.message : error
+    );
     return [];
   }
 }
@@ -16318,18 +16340,21 @@ async function scanLambdaFunctions(region) {
     }
     return functions;
   } catch (error) {
-    console.error("Error scanning Lambda functions:", error.message);
+    console.error(
+      "Error scanning Lambda functions:",
+      error instanceof Error ? error.message : error
+    );
     return [];
   }
 }
 async function scanIAMRoles(region) {
-  const iam10 = new IAMClient({ region });
+  const iam9 = new IAMClient({ region });
   const roles = [];
   try {
     let marker;
     let hasMore = true;
     while (hasMore) {
-      const listResponse = await iam10.send(
+      const listResponse = await iam9.send(
         new ListRolesCommand({
           Marker: marker,
           MaxItems: 100
@@ -16350,7 +16375,10 @@ async function scanIAMRoles(region) {
     }
     return roles;
   } catch (error) {
-    console.error("Error scanning IAM roles:", error.message);
+    console.error(
+      "Error scanning IAM roles:",
+      error instanceof Error ? error.message : error
+    );
     return [];
   }
 }
@@ -16757,7 +16785,7 @@ async function getEmailIdentityInfo(domain, region) {
       mailFromDomain: response.MailFromAttributes?.MailFromDomain
     };
   } catch (error) {
-    if (isAWSError(error)) {
+    if (isAWSNotFoundError(error)) {
       return { dkimTokens: [] };
     }
     throw error;
@@ -17549,11 +17577,11 @@ Run ${pc20.cyan("wraps email domains add")} to add a domain.
             verified: details.VerifiedForSendingStatus,
             dkimStatus: details.DkimAttributes?.Status || "PENDING"
           };
-        } catch {
+        } catch (error) {
           return {
             name: domain.IdentityName,
             verified: false,
-            dkimStatus: "UNKNOWN"
+            dkimStatus: isAWSNotFoundError(error) ? "UNKNOWN" : "ERROR"
           };
         }
       })
@@ -19415,7 +19443,7 @@ Run ${pc24.cyan("wraps email init")} to deploy email infrastructure.
           purpose: tracked?.purpose
         };
       } catch (error) {
-        if (isAWSError(error)) {
+        if (isAWSNotFoundError(error)) {
           return {
             domain: d.domain,
             status: d.verified ? "verified" : "pending",
@@ -22459,9 +22487,9 @@ ${pc28.green("\u2713")} ${pc28.bold("Upgrade complete!")}
         iamUserArn: outputs.smtpUserArn,
         createdAt: (/* @__PURE__ */ new Date()).toISOString()
       };
-      await saveConnectionMetadata(metadata);
     }
   }
+  await saveConnectionMetadata(metadata);
   const enabledFeatures = [];
   if (updatedConfig.tracking?.enabled) {
     enabledFeatures.push("tracking");
@@ -24574,10 +24602,10 @@ async function deployEventBridge(metadata, region, identity, webhookSecret, prog
 var WRAPS_PLATFORM_ACCOUNT_ID = "905130073023";
 async function updatePlatformRole(metadata, progress, externalId) {
   const roleName = "wraps-console-access-role";
-  const iam10 = new IAMClient2({ region: "us-east-1" });
+  const iam9 = new IAMClient2({ region: "us-east-1" });
   let roleExists2 = false;
   try {
-    await iam10.send(new GetRoleCommand({ RoleName: roleName }));
+    await iam9.send(new GetRoleCommand({ RoleName: roleName }));
     roleExists2 = true;
   } catch (error) {
     const isNotFound = error instanceof Error && (error.name === "NoSuchEntityException" || error.name === "NoSuchEntity" || error.message.includes("NoSuchEntity"));
@@ -24590,7 +24618,7 @@ async function updatePlatformRole(metadata, progress, externalId) {
   const policy = buildConsolePolicyDocument(emailConfig, smsConfig);
   if (roleExists2) {
     await progress.execute("Updating platform access role", async () => {
-      await iam10.send(
+      await iam9.send(
         new PutRolePolicyCommand({
           RoleName: roleName,
           PolicyName: "wraps-console-access-policy",
@@ -24618,7 +24646,7 @@ async function updatePlatformRole(metadata, progress, externalId) {
           }
         ]
       };
-      await iam10.send(
+      await iam9.send(
         new CreateRoleCommand({
           RoleName: roleName,
           Description: "Allows Wraps dashboard to access CloudWatch metrics and SES data",
@@ -24629,7 +24657,7 @@ async function updatePlatformRole(metadata, progress, externalId) {
           ]
         })
       );
-      await iam10.send(
+      await iam9.send(
         new PutRolePolicyCommand({
           RoleName: roleName,
           PolicyName: "wraps-console-access-policy",
@@ -25045,10 +25073,10 @@ Run ${pc33.cyan("wraps email init")} or ${pc33.cyan("wraps sms init")} first.
       progress.succeed("Event streaming already configured");
     }
     const roleName = "wraps-console-access-role";
-    const iam10 = new IAMClient2({ region: "us-east-1" });
+    const iam9 = new IAMClient2({ region: "us-east-1" });
     let roleExists2 = false;
     try {
-      await iam10.send(new GetRoleCommand({ RoleName: roleName }));
+      await iam9.send(new GetRoleCommand({ RoleName: roleName }));
       roleExists2 = true;
     } catch (error) {
       const isNotFound = error instanceof Error && (error.name === "NoSuchEntityException" || error.name === "NoSuchEntity" || error.message.includes("NoSuchEntity"));
@@ -25061,7 +25089,7 @@ Run ${pc33.cyan("wraps email init")} or ${pc33.cyan("wraps sms init")} first.
       const smsConfig = metadata.services.sms?.config;
       const policy = buildConsolePolicyDocument(emailConfig, smsConfig);
       await progress.execute("Updating platform access role", async () => {
-        await iam10.send(
+        await iam9.send(
           new PutRolePolicyCommand({
             RoleName: roleName,
             PolicyName: "wraps-console-access-policy",
@@ -25212,10 +25240,10 @@ Run ${pc35.cyan("wraps email init")} to deploy infrastructure first.
     process.exit(1);
   }
   const roleName = "wraps-console-access-role";
-  const iam10 = new IAMClient3({ region: "us-east-1" });
+  const iam9 = new IAMClient3({ region: "us-east-1" });
   let roleExists2 = false;
   try {
-    await iam10.send(new GetRoleCommand2({ RoleName: roleName }));
+    await iam9.send(new GetRoleCommand2({ RoleName: roleName }));
     roleExists2 = true;
   } catch (error) {
     const isNotFound = error instanceof Error && (error.name === "NoSuchEntityException" || error.name === "NoSuchEntity" || error.message.includes("NoSuchEntity"));
@@ -25284,7 +25312,7 @@ Run ${pc35.cyan("wraps email init")} to deploy infrastructure first.
           }
         ]
       };
-      await iam10.send(
+      await iam9.send(
         new CreateRoleCommand2({
           RoleName: roleName,
           Description: "Allows Wraps dashboard to access CloudWatch metrics and SES data",
@@ -25296,7 +25324,7 @@ Run ${pc35.cyan("wraps email init")} to deploy infrastructure first.
         })
       );
       const { PutRolePolicyCommand: PutRolePolicyCommand2 } = await import("@aws-sdk/client-iam");
-      await iam10.send(
+      await iam9.send(
         new PutRolePolicyCommand2({
           RoleName: roleName,
           PolicyName: "wraps-console-access-policy",
@@ -25307,7 +25335,7 @@ Run ${pc35.cyan("wraps email init")} to deploy infrastructure first.
   } else {
     await progress.execute("Updating IAM role permissions", async () => {
       const { PutRolePolicyCommand: PutRolePolicyCommand2 } = await import("@aws-sdk/client-iam");
-      await iam10.send(
+      await iam9.send(
         new PutRolePolicyCommand2({
           RoleName: roleName,
           PolicyName: "wraps-console-access-policy",
@@ -27041,7 +27069,7 @@ function createSettingsRouter(config2) {
       });
     } catch (error) {
       console.error("[Verify] Error verifying tracking domain:", error);
-      if (error.code === "ENODATA" || error.code === "ENOTFOUND") {
+      if (error instanceof Error && (error.code === "ENODATA" || error.code === "ENOTFOUND")) {
         return res.json({
           verified: false,
           error: "No CNAME record found for this domain"
@@ -27075,7 +27103,7 @@ function createSettingsRouter(config2) {
       });
     } catch (error) {
       console.error("[Verify] Error verifying DMARC:", error);
-      if (error.code === "ENODATA" || error.code === "ENOTFOUND") {
+      if (error instanceof Error && (error.code === "ENODATA" || error.code === "ENOTFOUND")) {
         return res.json({
           verified: false,
           error: "No DMARC record found for this domain"
@@ -28501,85 +28529,10 @@ import pc39 from "picocolors";
 
 // src/infrastructure/sms-stack.ts
 init_esm_shims();
-init_resource_checks();
-import * as aws19 from "@pulumi/aws";
+import * as aws18 from "@pulumi/aws";
 import * as pulumi24 from "@pulumi/pulumi";
+init_resource_checks();
 async function createSMSIAMRole(config2) {
-  let assumeRolePolicy;
-  if (config2.provider === "vercel" && config2.oidcProvider) {
-    assumeRolePolicy = pulumi24.interpolate`{
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "Federated": "${config2.oidcProvider.arn}"
-          },
-          "Action": "sts:AssumeRoleWithWebIdentity",
-          "Condition": {
-            "StringEquals": {
-              "oidc.vercel.com/${config2.vercelTeamSlug}:aud": "https://vercel.com/${config2.vercelTeamSlug}"
-            },
-            "StringLike": {
-              "oidc.vercel.com/${config2.vercelTeamSlug}:sub": "owner:${config2.vercelTeamSlug}:project:${config2.vercelProjectName}:environment:*"
-            }
-          }
-        },
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "Service": "lambda.amazonaws.com"
-          },
-          "Action": "sts:AssumeRole"
-        }
-      ]
-    }`;
-  } else if (config2.provider === "aws") {
-    assumeRolePolicy = pulumi24.output(`{
-      "Version": "2012-10-17",
-      "Statement": [{
-        "Effect": "Allow",
-        "Principal": {
-          "Service": ["lambda.amazonaws.com", "ec2.amazonaws.com", "ecs-tasks.amazonaws.com"]
-        },
-        "Action": "sts:AssumeRole"
-      }]
-    }`);
-  } else {
-    throw new Error("Other providers not yet implemented");
-  }
-  const roleName = "wraps-sms-role";
-  const exists = await roleExists(roleName);
-  const role = exists ? new aws19.iam.Role(
-    roleName,
-    {
-      name: roleName,
-      assumeRolePolicy,
-      tags: {
-        ManagedBy: "wraps-cli",
-        Service: "sms",
-        Provider: config2.provider
-      }
-    },
-    {
-      import: roleName,
-      customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-    }
-  ) : new aws19.iam.Role(
-    roleName,
-    {
-      name: roleName,
-      assumeRolePolicy,
-      tags: {
-        ManagedBy: "wraps-cli",
-        Service: "sms",
-        Provider: config2.provider
-      }
-    },
-    {
-      customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-    }
-  );
   const statements = [];
   statements.push({
     Effect: "Allow",
@@ -28660,17 +28613,20 @@ async function createSMSIAMRole(config2) {
       Resource: "arn:aws:logs:*:*:log-group:/aws/lambda/wraps-sms-*"
     });
   }
-  new aws19.iam.RolePolicy("wraps-sms-policy", {
-    role: role.name,
-    policy: JSON.stringify({
-      Version: "2012-10-17",
-      Statement: statements
-    })
+  return createServiceIAMRole({
+    serviceName: "sms",
+    provider: config2.provider,
+    oidcProvider: config2.oidcProvider,
+    vercelTeamSlug: config2.vercelTeamSlug,
+    vercelProjectName: config2.vercelProjectName,
+    additionalVercelPrincipals: ["lambda.amazonaws.com"],
+    policyStatements: statements,
+    extraTags: { Service: "sms" },
+    customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
-  return role;
 }
 function createSMSConfigurationSet() {
-  return new aws19.pinpoint.Smsvoicev2ConfigurationSet("wraps-sms-config", {
+  return new aws18.pinpoint.Smsvoicev2ConfigurationSet("wraps-sms-config", {
     name: "wraps-sms-config",
     defaultMessageType: "TRANSACTIONAL",
     tags: {
@@ -28680,7 +28636,7 @@ function createSMSConfigurationSet() {
   });
 }
 function createSMSOptOutList() {
-  return new aws19.pinpoint.Smsvoicev2OptOutList("wraps-sms-optouts", {
+  return new aws18.pinpoint.Smsvoicev2OptOutList("wraps-sms-optouts", {
     name: "wraps-sms-optouts",
     tags: {
       ManagedBy: "wraps-cli",
@@ -28744,7 +28700,7 @@ async function createSMSPhoneNumber(phoneNumberType, optOutList) {
     }
   };
   if (existingArn) {
-    return new aws19.pinpoint.Smsvoicev2PhoneNumber(
+    return new aws18.pinpoint.Smsvoicev2PhoneNumber(
       "wraps-sms-number",
       phoneConfig,
       {
@@ -28753,7 +28709,7 @@ async function createSMSPhoneNumber(phoneNumberType, optOutList) {
       }
     );
   }
-  return new aws19.pinpoint.Smsvoicev2PhoneNumber(
+  return new aws18.pinpoint.Smsvoicev2PhoneNumber(
     "wraps-sms-number",
     phoneConfig,
     {
@@ -28782,10 +28738,10 @@ async function createSMSSQSResources() {
       Description: "Dead letter queue for failed SMS event processing"
     }
   };
-  const dlq = dlqUrl ? new aws19.sqs.Queue(dlqName, dlqConfig, {
+  const dlq = dlqUrl ? new aws18.sqs.Queue(dlqName, dlqConfig, {
     import: dlqUrl,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws19.sqs.Queue(dlqName, dlqConfig, {
+  }) : new aws18.sqs.Queue(dlqName, dlqConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
   const queueConfig = {
@@ -28808,10 +28764,10 @@ async function createSMSSQSResources() {
       Description: "Queue for SMS events from SNS"
     }
   };
-  const queue = queueUrl ? new aws19.sqs.Queue(queueName, queueConfig, {
+  const queue = queueUrl ? new aws18.sqs.Queue(queueName, queueConfig, {
     import: queueUrl,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws19.sqs.Queue(queueName, queueConfig, {
+  }) : new aws18.sqs.Queue(queueName, queueConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
   return { queue, dlq };
@@ -28827,13 +28783,13 @@ async function createSMSSNSResources(config2) {
       Description: "SNS topic for SMS delivery events"
     }
   };
-  const topic = topicArn ? new aws19.sns.Topic("wraps-sms-events-topic", topicConfig, {
+  const topic = topicArn ? new aws18.sns.Topic("wraps-sms-events-topic", topicConfig, {
     import: topicArn,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws19.sns.Topic("wraps-sms-events-topic", topicConfig, {
+  }) : new aws18.sns.Topic("wraps-sms-events-topic", topicConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
-  new aws19.sns.TopicPolicy("wraps-sms-events-topic-policy", {
+  new aws18.sns.TopicPolicy("wraps-sms-events-topic-policy", {
     arn: topic.arn,
     policy: topic.arn.apply(
       (topicArn2) => JSON.stringify({
@@ -28850,7 +28806,7 @@ async function createSMSSNSResources(config2) {
       })
     )
   });
-  new aws19.sqs.QueuePolicy("wraps-sms-events-queue-policy", {
+  new aws18.sqs.QueuePolicy("wraps-sms-events-queue-policy", {
     queueUrl: config2.queueUrl,
     policy: pulumi24.all([config2.queueArn, topic.arn]).apply(
       ([queueArn, topicArn2]) => JSON.stringify({
@@ -28869,7 +28825,7 @@ async function createSMSSNSResources(config2) {
       })
     )
   });
-  const subscription = new aws19.sns.TopicSubscription(
+  const subscription = new aws18.sns.TopicSubscription(
     "wraps-sms-events-subscription",
     {
       topic: topic.arn,
@@ -28918,17 +28874,17 @@ async function createSMSDynamoDBTable() {
       Service: "sms"
     }
   };
-  return exists ? new aws19.dynamodb.Table(tableName, tableConfig, {
+  return exists ? new aws18.dynamodb.Table(tableName, tableConfig, {
     import: tableName,
     customTimeouts: { create: "5m", update: "5m", delete: "5m" }
-  }) : new aws19.dynamodb.Table(tableName, tableConfig, {
+  }) : new aws18.dynamodb.Table(tableName, tableConfig, {
     customTimeouts: { create: "5m", update: "5m", delete: "5m" }
   });
 }
 async function deploySMSLambdaFunction(config2) {
   const { getLambdaCode: getLambdaCode2 } = await Promise.resolve().then(() => (init_lambda(), lambda_exports));
   const codeDir = await getLambdaCode2("sms-event-processor");
-  const lambdaRole = new aws19.iam.Role("wraps-sms-lambda-role", {
+  const lambdaRole = new aws18.iam.Role("wraps-sms-lambda-role", {
     name: "wraps-sms-lambda-role",
     assumeRolePolicy: JSON.stringify({
       Version: "2012-10-17",
@@ -28945,11 +28901,11 @@ async function deploySMSLambdaFunction(config2) {
       Service: "sms"
     }
   });
-  new aws19.iam.RolePolicyAttachment("wraps-sms-lambda-basic-execution", {
+  new aws18.iam.RolePolicyAttachment("wraps-sms-lambda-basic-execution", {
     role: lambdaRole.name,
     policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
   });
-  new aws19.iam.RolePolicy("wraps-sms-lambda-policy", {
+  new aws18.iam.RolePolicy("wraps-sms-lambda-policy", {
     role: lambdaRole.name,
     policy: pulumi24.all([config2.tableName, config2.queueArn]).apply(
       ([tableName, queueArn]) => JSON.stringify({
@@ -28981,7 +28937,7 @@ async function deploySMSLambdaFunction(config2) {
       })
     )
   });
-  const eventProcessor = new aws19.lambda.Function(
+  const eventProcessor = new aws18.lambda.Function(
     "wraps-sms-event-processor",
     {
       name: "wraps-sms-event-processor",
@@ -29009,7 +28965,7 @@ async function deploySMSLambdaFunction(config2) {
       customTimeouts: { create: "5m", update: "5m", delete: "2m" }
     }
   );
-  new aws19.lambda.EventSourceMapping(
+  new aws18.lambda.EventSourceMapping(
     "wraps-sms-event-source-mapping",
     {
       eventSourceArn: config2.queueArn,
@@ -29025,7 +28981,7 @@ async function deploySMSLambdaFunction(config2) {
   return eventProcessor;
 }
 async function deploySMSStack(config2) {
-  const identity = await aws19.getCallerIdentity();
+  const identity = await aws18.getCallerIdentity();
   const accountId = identity.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {