@wraps.dev/cli 2.12.4 → 2.13.0

package/dist/cli.js

@@ -2068,6 +2068,17 @@ function calculateAlertingCost(config2) {
     description: `Reputation alerts (${numAlarms} CloudWatch alarms)`
   };
 }
+function calculateUserWebhookCost(config2, emailsPerMonth) {
+  if (!config2.userWebhook?.enabled) {
+    return;
+  }
+  const estimatedInvocations = emailsPerMonth * 2;
+  const monthlyCost = estimatedInvocations / 1e6 * AWS_PRICING.EVENTBRIDGE_API_DEST_PER_MILLION;
+  return {
+    monthly: monthlyCost,
+    description: "User webhook (API Destination invocations)"
+  };
+}
 function calculateCosts(config2, emailsPerMonth = 1e4) {
   const tracking = calculateTrackingCost(config2);
   const reputationMetrics = calculateReputationMetricsCost(config2);
@@ -2078,8 +2089,9 @@ function calculateCosts(config2, emailsPerMonth = 1e4) {
   const waf = calculateWafCost(config2, emailsPerMonth);
   const smtpCredentials = calculateSMTPCredentialsCost(config2);
   const alerts = calculateAlertingCost(config2);
+  const userWebhook = calculateUserWebhookCost(config2, emailsPerMonth);
   const sesEmailCost = Math.max(0, emailsPerMonth - FREE_TIER.SES_EMAILS) * AWS_PRICING.SES_PER_EMAIL;
-  const totalMonthlyCost = sesEmailCost + (tracking?.monthly || 0) + (reputationMetrics?.monthly || 0) + (eventTracking?.monthly || 0) + (dynamoDBHistory?.monthly || 0) + (emailArchiving?.monthly || 0) + (dedicatedIp?.monthly || 0) + (waf?.monthly || 0) + (smtpCredentials?.monthly || 0) + (alerts?.monthly || 0);
+  const totalMonthlyCost = sesEmailCost + (tracking?.monthly || 0) + (reputationMetrics?.monthly || 0) + (eventTracking?.monthly || 0) + (dynamoDBHistory?.monthly || 0) + (emailArchiving?.monthly || 0) + (dedicatedIp?.monthly || 0) + (waf?.monthly || 0) + (smtpCredentials?.monthly || 0) + (alerts?.monthly || 0) + (userWebhook?.monthly || 0);
   return {
     tracking,
     reputationMetrics,
@@ -2090,6 +2102,7 @@ function calculateCosts(config2, emailsPerMonth = 1e4) {
     waf,
     smtpCredentials,
     alerts,
+    userWebhook,
     total: {
       monthly: totalMonthlyCost,
       perEmail: AWS_PRICING.SES_PER_EMAIL,
@@ -2160,6 +2173,11 @@ function getCostSummary(config2, emailsPerMonth = 1e4) {
       `  - ${costs.alerts.description}: ${formatCost(costs.alerts.monthly)}`
     );
   }
+  if (costs.userWebhook) {
+    lines.push(
+      `  - ${costs.userWebhook.description}: ${formatCost(costs.userWebhook.monthly)}`
+    );
+  }
   return lines.join("\n");
 }
 var AWS_PRICING, FREE_TIER;
@@ -2209,8 +2227,11 @@ var init_costs = __esm({
       // $5.00 per Web ACL per month
       WAF_RULE_PER_MONTH: 1,
       // $1.00 per rule per month
-      WAF_REQUESTS_PER_MILLION: 0.6
+      WAF_REQUESTS_PER_MILLION: 0.6,
       // $0.60 per million requests
+      // EventBridge API Destination pricing
+      EVENTBRIDGE_API_DEST_PER_MILLION: 0.2
+      // $0.20 per million API Destination invocations
     };
     FREE_TIER = {
       // SES: 3,000 emails/month for first 12 months (new AWS accounts only)
@@ -5068,10 +5089,10 @@ var init_constants = __esm({
 async function roleExists(roleName) {
   try {
     const { IAMClient: IAMClient4, GetRoleCommand: GetRoleCommand3 } = await import("@aws-sdk/client-iam");
-    const iam9 = new IAMClient4({
+    const iam10 = new IAMClient4({
       region: getDefaultRegion()
     });
-    await iam9.send(new GetRoleCommand3({ RoleName: roleName }));
+    await iam10.send(new GetRoleCommand3({ RoleName: roleName }));
     return true;
   } catch (error) {
     if (error instanceof Error && (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity" || error.Error?.Code === "NoSuchEntity")) {
@@ -5350,6 +5371,104 @@ var init_dist = __esm({
   }
 });
 
+// src/infrastructure/resources/eventbridge-user-webhook.ts
+var eventbridge_user_webhook_exports = {};
+__export(eventbridge_user_webhook_exports, {
+  createUserWebhookResources: () => createUserWebhookResources
+});
+import * as aws6 from "@pulumi/aws";
+function createUserWebhookResources(config2) {
+  const connection = new aws6.cloudwatch.EventConnection(
+    "wraps-user-webhook-connection",
+    {
+      name: "wraps-user-webhook-connection",
+      description: "Connection for user webhook endpoint",
+      authorizationType: "API_KEY",
+      authParameters: {
+        apiKey: {
+          key: "X-Wraps-Signature",
+          value: config2.secret
+        }
+      }
+    }
+  );
+  const apiDestination = new aws6.cloudwatch.EventApiDestination(
+    "wraps-user-webhook-destination",
+    {
+      name: "wraps-user-webhook-destination",
+      description: "Send SES events to user webhook endpoint",
+      connectionArn: connection.arn,
+      httpMethod: "POST",
+      invocationEndpoint: config2.url,
+      invocationRateLimitPerSecond: 300
+    }
+  );
+  const role = new aws6.iam.Role("wraps-user-webhook-role", {
+    name: "wraps-user-webhook-role",
+    assumeRolePolicy: JSON.stringify({
+      Version: "2012-10-17",
+      Statement: [
+        {
+          Effect: "Allow",
+          Principal: {
+            Service: "events.amazonaws.com"
+          },
+          Action: "sts:AssumeRole"
+        }
+      ]
+    }),
+    tags: {
+      ManagedBy: "wraps-cli",
+      Service: "email"
+    }
+  });
+  new aws6.iam.RolePolicy("wraps-user-webhook-policy", {
+    role: role.name,
+    policy: apiDestination.arn.apply(
+      (destArn) => JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Effect: "Allow",
+            Action: ["events:InvokeApiDestination"],
+            Resource: destArn
+          }
+        ]
+      })
+    )
+  });
+  const target = new aws6.cloudwatch.EventTarget(
+    "wraps-user-webhook-target",
+    {
+      rule: config2.ruleName,
+      eventBusName: config2.eventBusName,
+      arn: apiDestination.arn,
+      roleArn: role.arn,
+      inputTransformer: {
+        inputPaths: {
+          event: "$.detail.eventType",
+          detail: "$.detail",
+          timestamp: "$.time",
+          messageId: "$.detail.mail.messageId"
+        },
+        inputTemplate: '{"event":<event>,"detail":<detail>,"timestamp":<timestamp>,"messageId":<messageId>,"source":"wraps"}'
+      }
+    }
+  );
+  return {
+    connection,
+    apiDestination,
+    target,
+    role
+  };
+}
+var init_eventbridge_user_webhook = __esm({
+  "src/infrastructure/resources/eventbridge-user-webhook.ts"() {
+    "use strict";
+    init_esm_shims();
+  }
+});
+
 // src/infrastructure/resources/lambda.ts
 var lambda_exports = {};
 __export(lambda_exports, {
@@ -5362,7 +5481,7 @@ import { builtinModules } from "module";
 import { tmpdir } from "os";
 import { dirname as dirname2, join as join7 } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
-import * as aws7 from "@pulumi/aws";
+import * as aws8 from "@pulumi/aws";
 import * as pulumi11 from "@pulumi/pulumi";
 import { build } from "esbuild";
 function getPackageRoot() {
@@ -5437,7 +5556,7 @@ Try running: pnpm build`
 }
 async function deployLambdaFunctions(config2) {
   const eventProcessorCode = await getLambdaCode("event-processor");
-  const lambdaRole = new aws7.iam.Role("wraps-email-lambda-role", {
+  const lambdaRole = new aws8.iam.Role("wraps-email-lambda-role", {
     assumeRolePolicy: JSON.stringify({
       Version: "2012-10-17",
       Statement: [
@@ -5453,11 +5572,11 @@ async function deployLambdaFunctions(config2) {
       Service: "email"
     }
   });
-  new aws7.iam.RolePolicyAttachment("wraps-email-lambda-basic-execution", {
+  new aws8.iam.RolePolicyAttachment("wraps-email-lambda-basic-execution", {
     role: lambdaRole.name,
     policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
   });
-  new aws7.iam.RolePolicy("wraps-email-lambda-policy", {
+  new aws8.iam.RolePolicy("wraps-email-lambda-policy", {
     role: lambdaRole.name,
     policy: pulumi11.all([config2.tableName, config2.queueArn]).apply(
       ([tableName, queueArn]) => JSON.stringify({
@@ -5501,7 +5620,7 @@ async function deployLambdaFunctions(config2) {
       RETENTION_DAYS: config2.retentionDays.toString()
     }
   };
-  const eventProcessor = exists ? new aws7.lambda.Function(
+  const eventProcessor = exists ? new aws8.lambda.Function(
     functionName,
     {
       name: functionName,
@@ -5523,7 +5642,7 @@ async function deployLambdaFunctions(config2) {
       import: functionName
       // Import existing function
     }
-  ) : new aws7.lambda.Function(functionName, {
+  ) : new aws8.lambda.Function(functionName, {
     name: functionName,
     runtime: "nodejs24.x",
     handler: "index.handler",
@@ -5553,14 +5672,14 @@ async function deployLambdaFunctions(config2) {
     functionResponseTypes: ["ReportBatchItemFailures"]
     // Enable partial batch responses
   };
-  const eventSourceMapping = existingMappingUuid ? new aws7.lambda.EventSourceMapping(
+  const eventSourceMapping = existingMappingUuid ? new aws8.lambda.EventSourceMapping(
     "wraps-email-event-source-mapping",
     mappingConfig,
     {
       import: existingMappingUuid
       // Import with the UUID
     }
-  ) : new aws7.lambda.EventSourceMapping(
+  ) : new aws8.lambda.EventSourceMapping(
     "wraps-email-event-source-mapping",
     mappingConfig
   );
@@ -5587,7 +5706,7 @@ __export(acm_exports, {
   createACMCertificate: () => createACMCertificate
 });
 import { ACMClient as ACMClient2, DescribeCertificateCommand as DescribeCertificateCommand2 } from "@aws-sdk/client-acm";
-import * as aws11 from "@pulumi/aws";
+import * as aws12 from "@pulumi/aws";
 async function checkCertificateValidation(domain) {
   try {
     const acm3 = new ACMClient2({ region: "us-east-1" });
@@ -5614,10 +5733,10 @@ async function checkCertificateValidation(domain) {
   }
 }
 async function createACMCertificate(config2) {
-  const usEast1Provider = new aws11.Provider("acm-us-east-1", {
+  const usEast1Provider = new aws12.Provider("acm-us-east-1", {
     region: "us-east-1"
   });
-  const certificate = new aws11.acm.Certificate(
+  const certificate = new aws12.acm.Certificate(
     "wraps-email-tracking-cert",
     {
       domainName: config2.domain,
@@ -5640,7 +5759,7 @@ async function createACMCertificate(config2) {
   );
   let certificateValidation;
   if (config2.hostedZoneId) {
-    const validationRecord = new aws11.route53.Record(
+    const validationRecord = new aws12.route53.Record(
       "wraps-email-tracking-cert-validation",
       {
         zoneId: config2.hostedZoneId,
@@ -5650,7 +5769,7 @@ async function createACMCertificate(config2) {
         ttl: 60
       }
     );
-    certificateValidation = new aws11.acm.CertificateValidation(
+    certificateValidation = new aws12.acm.CertificateValidation(
       "wraps-email-tracking-cert-validation-waiter",
       {
         certificateArn: certificate.arn,
@@ -5679,7 +5798,7 @@ var cloudfront_exports = {};
 __export(cloudfront_exports, {
   createCloudFrontTracking: () => createCloudFrontTracking
 });
-import * as aws12 from "@pulumi/aws";
+import * as aws13 from "@pulumi/aws";
 async function findDistributionByAlias(alias) {
   try {
     const { CloudFrontClient, ListDistributionsCommand } = await import("@aws-sdk/client-cloudfront");
@@ -5695,10 +5814,10 @@ async function findDistributionByAlias(alias) {
   }
 }
 async function createWAFWebACL() {
-  const usEast1Provider = new aws12.Provider("waf-us-east-1", {
+  const usEast1Provider = new aws13.Provider("waf-us-east-1", {
     region: "us-east-1"
   });
-  const webAcl = new aws12.wafv2.WebAcl(
+  const webAcl = new aws13.wafv2.WebAcl(
     "wraps-email-tracking-waf",
     {
       scope: "CLOUDFRONT",
@@ -5813,14 +5932,14 @@ async function createCloudFrontTracking(config2) {
       Description: "Wraps email tracking CloudFront distribution"
     }
   };
-  const distribution = existingDistributionId ? new aws12.cloudfront.Distribution(
+  const distribution = existingDistributionId ? new aws13.cloudfront.Distribution(
     "wraps-email-tracking-cdn",
     distributionConfig,
     {
       import: existingDistributionId
       // Import existing distribution
     }
-  ) : new aws12.cloudfront.Distribution(
+  ) : new aws13.cloudfront.Distribution(
     "wraps-email-tracking-cdn",
     distributionConfig
   );
@@ -6002,10 +6121,10 @@ var s3_inbound_exports = {};
 __export(s3_inbound_exports, {
   createS3InboundResources: () => createS3InboundResources
 });
-import * as aws13 from "@pulumi/aws";
+import * as aws14 from "@pulumi/aws";
 async function createS3InboundResources(config2) {
   const bucketName = `wraps-inbound-${config2.accountId}-${config2.region}`;
-  const bucket = new aws13.s3.BucketV2("wraps-inbound-bucket", {
+  const bucket = new aws14.s3.BucketV2("wraps-inbound-bucket", {
     bucket: bucketName,
     forceDestroy: true,
     tags: {
@@ -6013,14 +6132,14 @@ async function createS3InboundResources(config2) {
       Service: "email-inbound"
     }
   });
-  new aws13.s3.BucketPublicAccessBlock("wraps-inbound-public-access-block", {
+  new aws14.s3.BucketPublicAccessBlock("wraps-inbound-public-access-block", {
     bucket: bucket.id,
     blockPublicAcls: true,
     blockPublicPolicy: true,
     ignorePublicAcls: true,
     restrictPublicBuckets: true
   });
-  new aws13.s3.BucketServerSideEncryptionConfigurationV2(
+  new aws14.s3.BucketServerSideEncryptionConfigurationV2(
     "wraps-inbound-encryption",
     {
       bucket: bucket.id,
@@ -6036,7 +6155,7 @@ async function createS3InboundResources(config2) {
   if (config2.retention) {
     const retentionDays = retentionToDays2(config2.retention);
     if (retentionDays > 0) {
-      new aws13.s3.BucketLifecycleConfigurationV2("wraps-inbound-lifecycle", {
+      new aws14.s3.BucketLifecycleConfigurationV2("wraps-inbound-lifecycle", {
         bucket: bucket.id,
         rules: [
           {
@@ -6050,8 +6169,8 @@ async function createS3InboundResources(config2) {
       });
     }
   }
-  const identity = await aws13.getCallerIdentity();
-  new aws13.s3.BucketPolicy("wraps-inbound-bucket-policy", {
+  const identity = await aws14.getCallerIdentity();
+  new aws14.s3.BucketPolicy("wraps-inbound-bucket-policy", {
     bucket: bucket.id,
     policy: bucket.arn.apply(
       (arn) => JSON.stringify({
@@ -6093,9 +6212,9 @@ var sqs_inbound_exports = {};
 __export(sqs_inbound_exports, {
   createSQSInboundResources: () => createSQSInboundResources
 });
-import * as aws14 from "@pulumi/aws";
+import * as aws15 from "@pulumi/aws";
 function createSQSInboundResources() {
-  const dlq = new aws14.sqs.Queue("wraps-inbound-events-dlq", {
+  const dlq = new aws15.sqs.Queue("wraps-inbound-events-dlq", {
     name: "wraps-inbound-events-dlq",
     messageRetentionSeconds: 1209600,
     // 14 days
@@ -6105,7 +6224,7 @@ function createSQSInboundResources() {
       Description: "Dead letter queue for failed inbound email processing"
     }
   });
-  const queue = new aws14.sqs.Queue("wraps-inbound-events", {
+  const queue = new aws15.sqs.Queue("wraps-inbound-events", {
     name: "wraps-inbound-events",
     visibilityTimeoutSeconds: 300,
     // Must be >= Lambda timeout (120s) * 2 + buffer
@@ -6142,11 +6261,11 @@ var lambda_inbound_exports = {};
 __export(lambda_inbound_exports, {
   deployInboundLambda: () => deployInboundLambda
 });
-import * as aws15 from "@pulumi/aws";
+import * as aws16 from "@pulumi/aws";
 import * as pulumi12 from "@pulumi/pulumi";
 async function deployInboundLambda(config2) {
   const inboundProcessorCode = await getLambdaCode("inbound-processor");
-  const lambdaRole = new aws15.iam.Role("wraps-inbound-lambda-role", {
+  const lambdaRole = new aws16.iam.Role("wraps-inbound-lambda-role", {
     name: "wraps-inbound-lambda-role",
     assumeRolePolicy: JSON.stringify({
       Version: "2012-10-17",
@@ -6163,11 +6282,11 @@ async function deployInboundLambda(config2) {
       Service: "email-inbound"
     }
   });
-  new aws15.iam.RolePolicyAttachment("wraps-inbound-lambda-basic-execution", {
+  new aws16.iam.RolePolicyAttachment("wraps-inbound-lambda-basic-execution", {
     role: lambdaRole.name,
     policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
   });
-  new aws15.iam.RolePolicy("wraps-inbound-lambda-policy", {
+  new aws16.iam.RolePolicy("wraps-inbound-lambda-policy", {
     role: lambdaRole.name,
     policy: pulumi12.all([config2.bucketArn, config2.dlqArn]).apply(
       ([bucketArn, dlqArn]) => JSON.stringify({
@@ -6196,7 +6315,7 @@ async function deployInboundLambda(config2) {
     )
   });
   const functionName = "wraps-inbound-email-processor";
-  const lambdaFunction = new aws15.lambda.Function(functionName, {
+  const lambdaFunction = new aws16.lambda.Function(functionName, {
     name: functionName,
     runtime: "nodejs20.x",
     handler: "index.handler",
@@ -6218,7 +6337,7 @@ async function deployInboundLambda(config2) {
       Service: "email-inbound"
     }
   });
-  const s3InvokePermission = new aws15.lambda.Permission(
+  const s3InvokePermission = new aws16.lambda.Permission(
     "wraps-inbound-s3-invoke",
     {
       action: "lambda:InvokeFunction",
@@ -6246,9 +6365,9 @@ var eventbridge_inbound_exports = {};
 __export(eventbridge_inbound_exports, {
   createEventBridgeInboundResources: () => createEventBridgeInboundResources
 });
-import * as aws16 from "@pulumi/aws";
+import * as aws17 from "@pulumi/aws";
 function createEventBridgeInboundResources(config2) {
-  const rule = new aws16.cloudwatch.EventRule("wraps-inbound-events-rule", {
+  const rule = new aws17.cloudwatch.EventRule("wraps-inbound-events-rule", {
     name: "wraps-inbound-events-to-webhook",
     description: "Route inbound email events to webhook",
     eventBusName: "default",
@@ -6265,7 +6384,7 @@ function createEventBridgeInboundResources(config2) {
   let webhookApiDestination;
   let webhookTarget;
   if (config2.webhookUrl && config2.webhookSecret) {
-    webhookConnection = new aws16.cloudwatch.EventConnection(
+    webhookConnection = new aws17.cloudwatch.EventConnection(
       "wraps-inbound-webhook-connection",
       {
         name: "wraps-inbound-webhook-connection",
@@ -6279,7 +6398,7 @@ function createEventBridgeInboundResources(config2) {
         }
       }
     );
-    webhookApiDestination = new aws16.cloudwatch.EventApiDestination(
+    webhookApiDestination = new aws17.cloudwatch.EventApiDestination(
       "wraps-inbound-webhook-destination",
       {
         name: "wraps-inbound-webhook-destination",
@@ -6290,7 +6409,7 @@ function createEventBridgeInboundResources(config2) {
         invocationRateLimitPerSecond: 100
       }
     );
-    const webhookRole = new aws16.iam.Role("wraps-inbound-webhook-role", {
+    const webhookRole = new aws17.iam.Role("wraps-inbound-webhook-role", {
       name: "wraps-inbound-eventbridge-webhook-role",
       assumeRolePolicy: JSON.stringify({
         Version: "2012-10-17",
@@ -6309,7 +6428,7 @@ function createEventBridgeInboundResources(config2) {
         Service: "email-inbound"
       }
     });
-    new aws16.iam.RolePolicy("wraps-inbound-webhook-policy", {
+    new aws17.iam.RolePolicy("wraps-inbound-webhook-policy", {
       role: webhookRole.name,
       policy: webhookApiDestination.arn.apply(
         (destArn) => JSON.stringify({
@@ -6324,7 +6443,7 @@ function createEventBridgeInboundResources(config2) {
         })
       )
     });
-    webhookTarget = new aws16.cloudwatch.EventTarget(
+    webhookTarget = new aws17.cloudwatch.EventTarget(
       "wraps-inbound-webhook-target",
       {
         rule: rule.name,
@@ -10496,10 +10615,10 @@ import * as aws3 from "@pulumi/aws";
 async function getExistingOIDCProviderArn(url) {
   try {
     const { IAMClient: IAMClient4, ListOpenIDConnectProvidersCommand } = await import("@aws-sdk/client-iam");
-    const iam9 = new IAMClient4({
+    const iam10 = new IAMClient4({
       region: getDefaultRegion()
     });
-    const response = await iam9.send(new ListOpenIDConnectProvidersCommand({}));
+    const response = await iam10.send(new ListOpenIDConnectProvidersCommand({}));
     const expectedArnSuffix = url.replace("https://", "");
     const provider = response.OpenIDConnectProviderList?.find(
       (p) => p.Arn?.endsWith(expectedArnSuffix)
@@ -15439,7 +15558,7 @@ import pc17 from "picocolors";
 // src/infrastructure/email-stack.ts
 init_esm_shims();
 init_dist();
-import * as aws17 from "@pulumi/aws";
+import * as aws18 from "@pulumi/aws";
 
 // src/infrastructure/resources/alerting.ts
 init_esm_shims();
@@ -15713,11 +15832,11 @@ async function createDynamoDBTables(_config) {
 
 // src/infrastructure/resources/eventbridge.ts
 init_esm_shims();
-import * as aws6 from "@pulumi/aws";
+import * as aws7 from "@pulumi/aws";
 import * as pulumi10 from "@pulumi/pulumi";
 async function createEventBridgeResources(config2) {
   const eventBusName = config2.eventBusArn.apply((arn) => arn.split("/").pop());
-  const rule = new aws6.cloudwatch.EventRule("wraps-email-events-rule", {
+  const rule = new aws7.cloudwatch.EventRule("wraps-email-events-rule", {
     name: "wraps-email-events-to-sqs",
     description: "Route all SES email events to SQS for processing",
     eventBusName,
@@ -15731,7 +15850,7 @@ async function createEventBridgeResources(config2) {
       Service: "email"
     }
   });
-  new aws6.sqs.QueuePolicy("wraps-email-events-queue-policy", {
+  new aws7.sqs.QueuePolicy("wraps-email-events-queue-policy", {
     queueUrl: config2.queueUrl,
     policy: pulumi10.all([config2.queueArn, rule.arn]).apply(
       ([queueArn, ruleArn]) => JSON.stringify({
@@ -15754,7 +15873,7 @@ async function createEventBridgeResources(config2) {
       })
     )
   });
-  const target = new aws6.cloudwatch.EventTarget("wraps-email-events-target", {
+  const target = new aws7.cloudwatch.EventTarget("wraps-email-events-target", {
     rule: rule.name,
     eventBusName,
     arn: config2.queueArn
@@ -15765,7 +15884,7 @@ async function createEventBridgeResources(config2) {
   if (config2.webhook) {
     const { awsAccountNumber, webhookSecret, webhookUrl } = config2.webhook;
     const baseUrl = webhookUrl || "https://api.wraps.dev";
-    webhookConnection = new aws6.cloudwatch.EventConnection(
+    webhookConnection = new aws7.cloudwatch.EventConnection(
       "wraps-webhook-connection",
       {
         name: "wraps-webhook-connection",
@@ -15779,7 +15898,7 @@ async function createEventBridgeResources(config2) {
         }
       }
     );
-    webhookApiDestination = new aws6.cloudwatch.EventApiDestination(
+    webhookApiDestination = new aws7.cloudwatch.EventApiDestination(
       "wraps-webhook-destination",
       {
         name: "wraps-webhook-destination",
@@ -15791,7 +15910,7 @@ async function createEventBridgeResources(config2) {
         // Rate limit
       }
     );
-    const webhookRole = new aws6.iam.Role("wraps-webhook-role", {
+    const webhookRole = new aws7.iam.Role("wraps-webhook-role", {
       name: "wraps-eventbridge-webhook-role",
       assumeRolePolicy: JSON.stringify({
         Version: "2012-10-17",
@@ -15810,7 +15929,7 @@ async function createEventBridgeResources(config2) {
         Service: "email"
       }
     });
-    new aws6.iam.RolePolicy("wraps-webhook-policy", {
+    new aws7.iam.RolePolicy("wraps-webhook-policy", {
       role: webhookRole.name,
       policy: webhookApiDestination.arn.apply(
         (destArn) => JSON.stringify({
@@ -15825,19 +15944,37 @@ async function createEventBridgeResources(config2) {
         })
       )
     });
-    webhookTarget = new aws6.cloudwatch.EventTarget("wraps-webhook-target", {
+    webhookTarget = new aws7.cloudwatch.EventTarget("wraps-webhook-target", {
       rule: rule.name,
       eventBusName,
       arn: webhookApiDestination.arn,
       roleArn: webhookRole.arn
     });
   }
+  let userWebhookConnection;
+  let userWebhookApiDestination;
+  let userWebhookTarget;
+  if (config2.userWebhook) {
+    const { createUserWebhookResources: createUserWebhookResources2 } = await Promise.resolve().then(() => (init_eventbridge_user_webhook(), eventbridge_user_webhook_exports));
+    const userWebhookResources = createUserWebhookResources2({
+      url: config2.userWebhook.url,
+      secret: config2.userWebhook.secret,
+      ruleName: rule.name,
+      eventBusName
+    });
+    userWebhookConnection = userWebhookResources.connection;
+    userWebhookApiDestination = userWebhookResources.apiDestination;
+    userWebhookTarget = userWebhookResources.target;
+  }
   return {
     rule,
     target,
     webhookConnection,
     webhookApiDestination,
-    webhookTarget
+    webhookTarget,
+    userWebhookConnection,
+    userWebhookApiDestination,
+    userWebhookTarget
   };
 }
 
@@ -15977,7 +16114,7 @@ init_lambda();
 
 // src/infrastructure/resources/ses.ts
 init_esm_shims();
-import * as aws8 from "@pulumi/aws";
+import * as aws9 from "@pulumi/aws";
 async function configurationSetExists(configSetName, region) {
   try {
     const { SESv2Client: SESv2Client9, GetConfigurationSetCommand: GetConfigurationSetCommand2 } = await import("@aws-sdk/client-sesv2");
@@ -16056,15 +16193,15 @@ async function createSESResources(config2) {
   }
   const configSetName = "wraps-email-tracking";
   const exists = await configurationSetExists(configSetName, config2.region);
-  const configSet = exists && !config2.skipResourceImports ? new aws8.sesv2.ConfigurationSet(configSetName, configSetOptions, {
+  const configSet = exists && !config2.skipResourceImports ? new aws9.sesv2.ConfigurationSet(configSetName, configSetOptions, {
     import: configSetName
-  }) : new aws8.sesv2.ConfigurationSet(configSetName, configSetOptions);
-  const defaultEventBus = aws8.cloudwatch.getEventBusOutput({
+  }) : new aws9.sesv2.ConfigurationSet(configSetName, configSetOptions);
+  const defaultEventBus = aws9.cloudwatch.getEventBusOutput({
     name: "default"
   });
   if (config2.eventTrackingEnabled) {
     const eventDestName = "wraps-email-eventbridge";
-    new aws8.sesv2.ConfigurationSetEventDestination(
+    new aws9.sesv2.ConfigurationSetEventDestination(
       "wraps-email-all-events",
       {
         configurationSetName: configSet.configurationSetName,
@@ -16104,7 +16241,7 @@ async function createSESResources(config2) {
       config2.domain,
       config2.region
     );
-    domainIdentity = identityExists && !config2.skipResourceImports ? new aws8.sesv2.EmailIdentity(
+    domainIdentity = identityExists && !config2.skipResourceImports ? new aws9.sesv2.EmailIdentity(
       "wraps-email-domain",
       {
         emailIdentity: config2.domain,
@@ -16119,7 +16256,7 @@ async function createSESResources(config2) {
       {
         import: config2.domain
       }
-    ) : new aws8.sesv2.EmailIdentity("wraps-email-domain", {
+    ) : new aws9.sesv2.EmailIdentity("wraps-email-domain", {
       emailIdentity: config2.domain,
       configurationSetName: configSet.configurationSetName,
       // Link configuration set to domain
@@ -16136,7 +16273,7 @@ async function createSESResources(config2) {
     );
     if (config2.mailFromDomain) {
       mailFromDomain = config2.mailFromDomain;
-      new aws8.sesv2.EmailIdentityMailFromAttributes(
+      new aws9.sesv2.EmailIdentityMailFromAttributes(
         "wraps-email-mail-from",
         {
           emailIdentity: config2.domain,
@@ -16168,7 +16305,7 @@ async function createSESResources(config2) {
 init_esm_shims();
 init_constants();
 import { createHmac as createHmac2 } from "crypto";
-import * as aws9 from "@pulumi/aws";
+import * as aws10 from "@pulumi/aws";
 function convertToSMTPPassword2(secretAccessKey, region) {
   const DATE = "11111111";
   const SERVICE = "ses";
@@ -16189,10 +16326,10 @@ function convertToSMTPPassword2(secretAccessKey, region) {
 async function userExists(userName) {
   try {
     const { IAMClient: IAMClient4, GetUserCommand } = await import("@aws-sdk/client-iam");
-    const iam9 = new IAMClient4({
+    const iam10 = new IAMClient4({
       region: getDefaultRegion()
     });
-    await iam9.send(new GetUserCommand({ UserName: userName }));
+    await iam10.send(new GetUserCommand({ UserName: userName }));
     return true;
   } catch (error) {
     if (error instanceof Error && (error.name === "NoSuchEntityException" || error.Code === "NoSuchEntity")) {
@@ -16204,7 +16341,7 @@ async function userExists(userName) {
 async function createSMTPCredentials(config2) {
   const userName = "wraps-email-smtp-user";
   const userAlreadyExists = await userExists(userName);
-  const iamUser = userAlreadyExists ? new aws9.iam.User(
+  const iamUser = userAlreadyExists ? new aws10.iam.User(
     userName,
     {
       name: userName,
@@ -16215,14 +16352,14 @@ async function createSMTPCredentials(config2) {
       }
     },
     { import: userName }
-  ) : new aws9.iam.User(userName, {
+  ) : new aws10.iam.User(userName, {
     name: userName,
     tags: {
       ManagedBy: "wraps-cli",
       Purpose: "SES SMTP Authentication"
     }
   });
-  new aws9.iam.UserPolicy("wraps-email-smtp-policy", {
+  new aws10.iam.UserPolicy("wraps-email-smtp-policy", {
     user: iamUser.name,
     policy: JSON.stringify({
       Version: "2012-10-17",
@@ -16240,7 +16377,7 @@ async function createSMTPCredentials(config2) {
       ]
     })
   });
-  const accessKey = new aws9.iam.AccessKey("wraps-email-smtp-key", {
+  const accessKey = new aws10.iam.AccessKey("wraps-email-smtp-key", {
     user: iamUser.name
   });
   const smtpPassword = accessKey.secret.apply(
@@ -16255,9 +16392,9 @@ async function createSMTPCredentials(config2) {
 
 // src/infrastructure/resources/sqs.ts
 init_esm_shims();
-import * as aws10 from "@pulumi/aws";
+import * as aws11 from "@pulumi/aws";
 async function createSQSResources() {
-  const dlq = new aws10.sqs.Queue("wraps-email-events-dlq", {
+  const dlq = new aws11.sqs.Queue("wraps-email-events-dlq", {
     name: "wraps-email-events-dlq",
     messageRetentionSeconds: 1209600,
     // 14 days
@@ -16267,7 +16404,7 @@ async function createSQSResources() {
       Description: "Dead letter queue for failed SES event processing"
     }
   });
-  const queue = new aws10.sqs.Queue("wraps-email-events", {
+  const queue = new aws11.sqs.Queue("wraps-email-events", {
     name: "wraps-email-events",
     visibilityTimeoutSeconds: 60,
     // Must be >= Lambda timeout
@@ -16296,7 +16433,7 @@ async function createSQSResources() {
 
 // src/infrastructure/email-stack.ts
 async function deployEmailStack(config2) {
-  const identity = await aws17.getCallerIdentity();
+  const identity = await aws18.getCallerIdentity();
   const accountId = identity.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {
@@ -16400,7 +16537,12 @@ async function deployEmailStack(config2) {
       queueArn: sqsResources.queue.arn,
       queueUrl: sqsResources.queue.url,
       // Include webhook config if provided (for Wraps platform integration)
-      webhook: config2.webhook
+      webhook: config2.webhook,
+      // Include user webhook config if provided
+      userWebhook: emailConfig.userWebhook?.enabled && emailConfig.userWebhook.url && emailConfig.userWebhook.secret ? {
+        url: emailConfig.userWebhook.url,
+        secret: emailConfig.userWebhook.secret
+      } : void 0
     });
   }
   let lambdaFunctions;
@@ -16461,7 +16603,7 @@ async function deployEmailStack(config2) {
       region: config2.region,
       dlqArn: sqsInbound.dlq.arn
     });
-    new aws17.s3.BucketNotification(
+    new aws18.s3.BucketNotification(
       "wraps-inbound-s3-notification",
       {
         bucket: s3Inbound.bucket.id,
@@ -16522,7 +16664,10 @@ async function deployEmailStack(config2) {
     inboundBucketName: inboundResources?.bucketName,
     inboundBucketArn: inboundResources?.bucketArn,
     inboundLambdaArn: inboundResources?.lambdaArn,
-    inboundReceivingDomain: emailConfig.inbound?.receivingDomain
+    inboundReceivingDomain: emailConfig.inbound?.receivingDomain,
+    // User webhook outputs
+    userWebhookUrl: emailConfig.userWebhook?.enabled ? emailConfig.userWebhook.url : void 0,
+    userWebhookSecret: emailConfig.userWebhook?.enabled ? emailConfig.userWebhook.secret : void 0
   };
 }
 
@@ -16998,13 +17143,13 @@ async function scanLambdaFunctions(region) {
   }
 }
 async function scanIAMRoles(region) {
-  const iam9 = new IAMClient({ region });
+  const iam10 = new IAMClient({ region });
   const roles = [];
   try {
     let marker;
     let hasMore = true;
     while (hasMore) {
-      const listResponse = await iam9.send(
+      const listResponse = await iam10.send(
         new ListRolesCommand({
           Marker: marker,
           MaxItems: 100
@@ -21792,6 +21937,12 @@ ${pc30.bold("Current Configuration:")}
       );
     }
   }
+  if (config2.userWebhook?.enabled) {
+    console.log(`  ${pc30.green("\u2713")} Webhook Endpoint`);
+    console.log(
+      `    ${pc30.dim("\u2514\u2500")} URL: ${pc30.cyan(config2.userWebhook.url)}`
+    );
+  }
   const currentCostData = calculateCosts(config2, 5e4);
   console.log(
     `
@@ -21852,6 +22003,11 @@ ${pc30.bold("Current Configuration:")}
       label: metadata.services.email?.webhookSecret ? "Manage Wraps Dashboard connection" : "Connect to Wraps Dashboard",
       hint: metadata.services.email?.webhookSecret ? "Regenerate secret or disconnect" : "Send events to dashboard for analytics"
     },
+    {
+      value: "user-webhook",
+      label: config2.userWebhook?.enabled ? "Manage webhook endpoint" : "Configure webhook endpoint",
+      hint: config2.userWebhook?.enabled ? `Sending events to ${config2.userWebhook.url}` : "Send SES events to your own URL"
+    },
     {
       value: "smtp-credentials",
       label: metadata.services.email?.smtpCredentials?.enabled ? "Manage SMTP credentials" : "Enable SMTP credentials",
@@ -22679,6 +22835,166 @@ ${pc30.bold("Webhook Configuration:")}`);
       newPreset = void 0;
       break;
     }
+    case "user-webhook": {
+      const validateWebhookUrl = (value) => {
+        try {
+          const url = new URL(value);
+          if (url.protocol !== "https:") {
+            return "Webhook URL must use HTTPS";
+          }
+          if (!url.hostname.includes(".")) {
+            return "Webhook URL must use a public hostname";
+          }
+        } catch {
+          return "Please enter a valid URL";
+        }
+      };
+      if (!config2.eventTracking?.enabled) {
+        clack29.log.warn(
+          "Event tracking must be enabled to configure a webhook endpoint."
+        );
+        clack29.log.info(
+          "Enabling event tracking will allow SES events to be sent to your endpoint."
+        );
+        const enableEventTracking = await clack29.confirm({
+          message: "Enable event tracking now?",
+          initialValue: true
+        });
+        if (clack29.isCancel(enableEventTracking) || !enableEventTracking) {
+          clack29.cancel("Webhook configuration cancelled.");
+          process.exit(0);
+        }
+        updatedConfig = {
+          ...config2,
+          eventTracking: {
+            enabled: true,
+            eventBridge: true,
+            events: [
+              "SEND",
+              "DELIVERY",
+              "OPEN",
+              "CLICK",
+              "BOUNCE",
+              "COMPLAINT"
+            ],
+            dynamoDBHistory: config2.eventTracking?.dynamoDBHistory ?? false,
+            archiveRetention: config2.eventTracking?.archiveRetention ?? "90days"
+          }
+        };
+      }
+      if (config2.userWebhook?.enabled) {
+        clack29.log.info(
+          `Webhook endpoint currently sending events to: ${pc30.cyan(config2.userWebhook.url)}`
+        );
+        const action = await clack29.select({
+          message: "What would you like to do?",
+          options: [
+            {
+              value: "change-url",
+              label: "Change webhook URL",
+              hint: config2.userWebhook.url
+            },
+            {
+              value: "regenerate-secret",
+              label: "Regenerate webhook secret",
+              hint: "Create new secret (update your endpoint)"
+            },
+            {
+              value: "disable",
+              label: "Disable webhook",
+              hint: "Stop sending events to your endpoint"
+            },
+            {
+              value: "cancel",
+              label: "Cancel",
+              hint: "Keep current settings"
+            }
+          ]
+        });
+        if (clack29.isCancel(action) || action === "cancel") {
+          clack29.log.info("No changes made.");
+          process.exit(0);
+        }
+        if (action === "disable") {
+          const confirmDisable = await clack29.confirm({
+            message: "Are you sure? Events will no longer be sent to your webhook endpoint.",
+            initialValue: false
+          });
+          if (clack29.isCancel(confirmDisable) || !confirmDisable) {
+            clack29.log.info("Webhook not disabled.");
+            process.exit(0);
+          }
+          updatedConfig = {
+            ...updatedConfig,
+            userWebhook: { enabled: false }
+          };
+          newPreset = void 0;
+          break;
+        }
+        if (action === "change-url") {
+          const newUrl = await clack29.text({
+            message: "New webhook URL:",
+            placeholder: "https://your-app.com/webhooks/email-events",
+            validate: validateWebhookUrl
+          });
+          if (clack29.isCancel(newUrl)) {
+            clack29.cancel("Webhook configuration cancelled.");
+            process.exit(0);
+          }
+          updatedConfig = {
+            ...updatedConfig,
+            userWebhook: {
+              enabled: true,
+              url: newUrl,
+              secret: config2.userWebhook.secret
+            }
+          };
+          newPreset = void 0;
+          break;
+        }
+        if (action === "regenerate-secret") {
+          const newSecret = generateWebhookSecret();
+          updatedConfig = {
+            ...updatedConfig,
+            userWebhook: {
+              enabled: true,
+              url: config2.userWebhook.url,
+              secret: newSecret
+            }
+          };
+          newPreset = void 0;
+          break;
+        }
+      } else {
+        clack29.log.info(`
+${pc30.bold("Webhook Endpoint")}
+`);
+        clack29.log.info(
+          pc30.dim("Send SES events (send, delivery, open, click, bounce, etc.)")
+        );
+        clack29.log.info(pc30.dim("to your own HTTP endpoint in real-time.\n"));
+        const webhookUrl = await clack29.text({
+          message: "Webhook URL (must be HTTPS):",
+          placeholder: "https://your-app.com/webhooks/email-events",
+          validate: validateWebhookUrl
+        });
+        if (clack29.isCancel(webhookUrl)) {
+          clack29.cancel("Webhook configuration cancelled.");
+          process.exit(0);
+        }
+        const secret = generateWebhookSecret();
+        updatedConfig = {
+          ...updatedConfig,
+          userWebhook: {
+            enabled: true,
+            url: webhookUrl,
+            secret
+          }
+        };
+        newPreset = void 0;
+      }
+      break;
+    }
     case "smtp-credentials": {
       if (metadata.services.email?.smtpCredentials?.enabled) {
         clack29.log.info(
@@ -23318,6 +23634,29 @@ ${pc30.green("\u2713")} ${pc30.bold("Upgrade complete!")}
       )
     );
   }
+  if (upgradeAction === "user-webhook" && updatedConfig.userWebhook?.enabled) {
+    console.log(pc30.bold("Webhook Endpoint Configuration\n"));
+    console.log(`  ${pc30.green("\u2713")} EventBridge API Destination created`);
+    console.log(
+      `  ${pc30.green("\u2713")} Events will be sent to: ${pc30.cyan(updatedConfig.userWebhook.url)}
+`
+    );
+    if (updatedConfig.userWebhook.secret !== config2.userWebhook?.secret) {
+      console.log(pc30.bold("  Webhook Secret (save this now!):\n"));
+      console.log(
+        `     ${pc30.bgBlack(pc30.white(` ${updatedConfig.userWebhook.secret} `))}
+`
+      );
+      console.log(
+        pc30.dim("  Include this in the X-Wraps-Signature header validation")
+      );
+      console.log(
+        pc30.dim(
+          "  to verify requests are from your Wraps deployment.\n"
+        )
+      );
+    }
+  }
   if (upgradeAction === "smtp-credentials" && outputs.smtpUsername && outputs.smtpPassword) {
     console.log(pc30.bold("\n\u{1F4E7} SMTP Connection Details\n"));
     console.log(`  ${pc30.cyan("Server:")}     ${outputs.smtpEndpoint}`);
@@ -23368,6 +23707,9 @@ ${pc30.green("\u2713")} ${pc30.bold("Upgrade complete!")}
   if (updatedConfig.alerts?.enabled) {
     enabledFeatures.push("alerts");
   }
+  if (updatedConfig.userWebhook?.enabled) {
+    enabledFeatures.push("user_webhook");
+  }
   trackServiceUpgrade("email", {
     from_preset: metadata.services.email?.preset,
     to_preset: newPreset,
@@ -23454,33 +23796,59 @@ function getTriggerName(type) {
   return names[type] || "Trigger";
 }
 function flattenSteps(stepDefs, steps, transitions, fromStepId, branch) {
-  let prevId = fromStepId;
+  let prevIds = [fromStepId];
   let firstStepInBranch = true;
   for (const def of stepDefs) {
     const step = toWorkflowStep(def);
     steps.push(step);
-    const transition = {
-      id: `t-${prevId}-${step.id}`,
-      fromStepId: prevId,
-      toStepId: step.id
-    };
-    if (firstStepInBranch && branch) {
-      transition.condition = { branch };
+    for (const prevId of prevIds) {
+      const transition = {
+        id: `t-${prevId}-${step.id}`,
+        fromStepId: prevId,
+        toStepId: step.id
+      };
+      if (firstStepInBranch && branch && prevId === fromStepId) {
+        transition.condition = { branch };
+      }
+      transitions.push(transition);
     }
-    transitions.push(transition);
     firstStepInBranch = false;
     if (def.type === "condition" && def.branches) {
+      const leafIds = [];
       if (def.branches.yes && def.branches.yes.length > 0) {
-        flattenSteps(def.branches.yes, steps, transitions, step.id, "yes");
+        const yesLeaves = flattenSteps(
+          def.branches.yes,
+          steps,
+          transitions,
+          step.id,
+          "yes"
+        );
+        leafIds.push(...yesLeaves);
+      } else {
+        leafIds.push(step.id);
       }
       if (def.branches.no && def.branches.no.length > 0) {
-        flattenSteps(def.branches.no, steps, transitions, step.id, "no");
+        const noLeaves = flattenSteps(
+          def.branches.no,
+          steps,
+          transitions,
+          step.id,
+          "no"
+        );
+        leafIds.push(...noLeaves);
+      } else if (!leafIds.includes(step.id)) {
+        leafIds.push(step.id);
       }
-      return null;
+      prevIds = leafIds;
+      continue;
+    }
+    if (def.type === "exit") {
+      prevIds = [];
+      continue;
     }
-    prevId = step.id;
+    prevIds = [step.id];
   }
-  return prevId;
+  return prevIds;
 }
 function toWorkflowStep(def) {
   return {
@@ -25434,10 +25802,10 @@ async function deployEventBridge(metadata, region, identity, webhookSecret, prog
 var WRAPS_PLATFORM_ACCOUNT_ID = "905130073023";
 async function updatePlatformRole(metadata, progress, externalId) {
   const roleName = "wraps-console-access-role";
-  const iam9 = new IAMClient2({ region: "us-east-1" });
+  const iam10 = new IAMClient2({ region: "us-east-1" });
   let roleExists2 = false;
   try {
-    await iam9.send(new GetRoleCommand({ RoleName: roleName }));
+    await iam10.send(new GetRoleCommand({ RoleName: roleName }));
     roleExists2 = true;
   } catch (error) {
     const isNotFound = error instanceof Error && (error.name === "NoSuchEntityException" || error.name === "NoSuchEntity" || error.message.includes("NoSuchEntity"));
@@ -25450,7 +25818,7 @@ async function updatePlatformRole(metadata, progress, externalId) {
   const policy = buildConsolePolicyDocument(emailConfig, smsConfig);
   if (roleExists2) {
     await progress.execute("Updating platform access role", async () => {
-      await iam9.send(
+      await iam10.send(
         new PutRolePolicyCommand({
           RoleName: roleName,
           PolicyName: "wraps-console-access-policy",
@@ -25478,7 +25846,7 @@ async function updatePlatformRole(metadata, progress, externalId) {
           }
         ]
       };
-      await iam9.send(
+      await iam10.send(
         new CreateRoleCommand({
           RoleName: roleName,
           Description: "Allows Wraps dashboard to access CloudWatch metrics and SES data",
@@ -25489,7 +25857,7 @@ async function updatePlatformRole(metadata, progress, externalId) {
           ]
         })
       );
-      await iam9.send(
+      await iam10.send(
         new PutRolePolicyCommand({
           RoleName: roleName,
           PolicyName: "wraps-console-access-policy",
@@ -25910,10 +26278,10 @@ Run ${pc35.cyan("wraps email init")} or ${pc35.cyan("wraps sms init")} first.
       progress.succeed("Event streaming already configured");
     }
     const roleName = "wraps-console-access-role";
-    const iam9 = new IAMClient2({ region: "us-east-1" });
+    const iam10 = new IAMClient2({ region: "us-east-1" });
     let roleExists2 = false;
     try {
-      await iam9.send(new GetRoleCommand({ RoleName: roleName }));
+      await iam10.send(new GetRoleCommand({ RoleName: roleName }));
       roleExists2 = true;
     } catch (error) {
       const isNotFound = error instanceof Error && (error.name === "NoSuchEntityException" || error.name === "NoSuchEntity" || error.message.includes("NoSuchEntity"));
@@ -25926,7 +26294,7 @@ Run ${pc35.cyan("wraps email init")} or ${pc35.cyan("wraps sms init")} first.
       const smsConfig = metadata.services.sms?.config;
       const policy = buildConsolePolicyDocument(emailConfig, smsConfig);
       await progress.execute("Updating platform access role", async () => {
-        await iam9.send(
+        await iam10.send(
           new PutRolePolicyCommand({
             RoleName: roleName,
             PolicyName: "wraps-console-access-policy",
@@ -26078,10 +26446,10 @@ Run ${pc37.cyan("wraps email init")} to deploy infrastructure first.
     process.exit(1);
   }
   const roleName = "wraps-console-access-role";
-  const iam9 = new IAMClient3({ region: "us-east-1" });
+  const iam10 = new IAMClient3({ region: "us-east-1" });
   let roleExists2 = false;
   try {
-    await iam9.send(new GetRoleCommand2({ RoleName: roleName }));
+    await iam10.send(new GetRoleCommand2({ RoleName: roleName }));
     roleExists2 = true;
   } catch (error) {
     const isNotFound = error instanceof Error && (error.name === "NoSuchEntityException" || error.name === "NoSuchEntity" || error.message.includes("NoSuchEntity"));
@@ -26150,7 +26518,7 @@ Run ${pc37.cyan("wraps email init")} to deploy infrastructure first.
           }
         ]
       };
-      await iam9.send(
+      await iam10.send(
         new CreateRoleCommand2({
           RoleName: roleName,
           Description: "Allows Wraps dashboard to access CloudWatch metrics and SES data",
@@ -26162,7 +26530,7 @@ Run ${pc37.cyan("wraps email init")} to deploy infrastructure first.
         })
       );
       const { PutRolePolicyCommand: PutRolePolicyCommand2 } = await import("@aws-sdk/client-iam");
-      await iam9.send(
+      await iam10.send(
         new PutRolePolicyCommand2({
           RoleName: roleName,
           PolicyName: "wraps-console-access-policy",
@@ -26173,7 +26541,7 @@ Run ${pc37.cyan("wraps email init")} to deploy infrastructure first.
   } else {
     await progress.execute("Updating IAM role permissions", async () => {
       const { PutRolePolicyCommand: PutRolePolicyCommand2 } = await import("@aws-sdk/client-iam");
-      await iam9.send(
+      await iam10.send(
         new PutRolePolicyCommand2({
           RoleName: roleName,
           PolicyName: "wraps-console-access-policy",
@@ -27523,7 +27891,7 @@ import {
 } from "@aws-sdk/client-cloudwatch";
 async function fetchSESMetrics(roleArn, region, timeRange, tableName) {
   const credentials = roleArn ? await assumeRole(roleArn, region) : void 0;
-  const cloudwatch5 = new CloudWatchClient({ region, credentials });
+  const cloudwatch6 = new CloudWatchClient({ region, credentials });
   const queries = [
     {
       Id: "sends",
@@ -27571,7 +27939,7 @@ async function fetchSESMetrics(roleArn, region, timeRange, tableName) {
       }
     }
   ];
-  const response = await cloudwatch5.send(
+  const response = await cloudwatch6.send(
     new GetMetricDataCommand({
       MetricDataQueries: queries,
       StartTime: timeRange.start,
@@ -28356,7 +28724,7 @@ import {
 import { unmarshall as unmarshall4 } from "@aws-sdk/util-dynamodb";
 async function fetchSMSSpendLimits(region) {
   const smsClient = new PinpointSMSVoiceV2Client({ region });
-  const cloudwatch5 = new CloudWatchClient2({ region });
+  const cloudwatch6 = new CloudWatchClient2({ region });
   try {
     const spendLimits = await smsClient.send(
       new DescribeSpendLimitsCommand({})
@@ -28370,7 +28738,7 @@ async function fetchSMSSpendLimits(region) {
     }
     const now = /* @__PURE__ */ new Date();
     const startOfMonth = new Date(now.getFullYear(), now.getMonth(), 1);
-    const metricsResponse = await cloudwatch5.send(
+    const metricsResponse = await cloudwatch6.send(
       new GetMetricDataCommand2({
         MetricDataQueries: [
           {
@@ -29370,7 +29738,7 @@ import pc41 from "picocolors";
 // src/infrastructure/sms-stack.ts
 init_esm_shims();
 init_constants();
-import * as aws18 from "@pulumi/aws";
+import * as aws19 from "@pulumi/aws";
 import * as pulumi24 from "@pulumi/pulumi";
 init_resource_checks();
 async function createSMSIAMRole(config2) {
@@ -29467,7 +29835,7 @@ async function createSMSIAMRole(config2) {
   });
 }
 function createSMSConfigurationSet() {
-  return new aws18.pinpoint.Smsvoicev2ConfigurationSet("wraps-sms-config", {
+  return new aws19.pinpoint.Smsvoicev2ConfigurationSet("wraps-sms-config", {
     name: "wraps-sms-config",
     defaultMessageType: "TRANSACTIONAL",
     tags: {
@@ -29477,7 +29845,7 @@ function createSMSConfigurationSet() {
   });
 }
 function createSMSOptOutList() {
-  return new aws18.pinpoint.Smsvoicev2OptOutList("wraps-sms-optouts", {
+  return new aws19.pinpoint.Smsvoicev2OptOutList("wraps-sms-optouts", {
     name: "wraps-sms-optouts",
     tags: {
       ManagedBy: "wraps-cli",
@@ -29545,7 +29913,7 @@ async function createSMSPhoneNumber(phoneNumberType, optOutList) {
     }
   };
   if (existingArn) {
-    return new aws18.pinpoint.Smsvoicev2PhoneNumber(
+    return new aws19.pinpoint.Smsvoicev2PhoneNumber(
       "wraps-sms-number",
       phoneConfig,
       {
@@ -29554,7 +29922,7 @@ async function createSMSPhoneNumber(phoneNumberType, optOutList) {
       }
     );
   }
-  return new aws18.pinpoint.Smsvoicev2PhoneNumber(
+  return new aws19.pinpoint.Smsvoicev2PhoneNumber(
     "wraps-sms-number",
     phoneConfig,
     {
@@ -29583,10 +29951,10 @@ async function createSMSSQSResources() {
       Description: "Dead letter queue for failed SMS event processing"
     }
   };
-  const dlq = dlqUrl ? new aws18.sqs.Queue(dlqName, dlqConfig, {
+  const dlq = dlqUrl ? new aws19.sqs.Queue(dlqName, dlqConfig, {
     import: dlqUrl,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws18.sqs.Queue(dlqName, dlqConfig, {
+  }) : new aws19.sqs.Queue(dlqName, dlqConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
   const queueConfig = {
@@ -29609,10 +29977,10 @@ async function createSMSSQSResources() {
       Description: "Queue for SMS events from SNS"
     }
   };
-  const queue = queueUrl ? new aws18.sqs.Queue(queueName, queueConfig, {
+  const queue = queueUrl ? new aws19.sqs.Queue(queueName, queueConfig, {
     import: queueUrl,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws18.sqs.Queue(queueName, queueConfig, {
+  }) : new aws19.sqs.Queue(queueName, queueConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
   return { queue, dlq };
@@ -29628,13 +29996,13 @@ async function createSMSSNSResources(config2) {
       Description: "SNS topic for SMS delivery events"
     }
   };
-  const topic = topicArn ? new aws18.sns.Topic("wraps-sms-events-topic", topicConfig, {
+  const topic = topicArn ? new aws19.sns.Topic("wraps-sms-events-topic", topicConfig, {
     import: topicArn,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws18.sns.Topic("wraps-sms-events-topic", topicConfig, {
+  }) : new aws19.sns.Topic("wraps-sms-events-topic", topicConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
-  new aws18.sns.TopicPolicy("wraps-sms-events-topic-policy", {
+  new aws19.sns.TopicPolicy("wraps-sms-events-topic-policy", {
     arn: topic.arn,
     policy: topic.arn.apply(
       (topicArn2) => JSON.stringify({
@@ -29651,7 +30019,7 @@ async function createSMSSNSResources(config2) {
       })
     )
   });
-  new aws18.sqs.QueuePolicy("wraps-sms-events-queue-policy", {
+  new aws19.sqs.QueuePolicy("wraps-sms-events-queue-policy", {
     queueUrl: config2.queueUrl,
     policy: pulumi24.all([config2.queueArn, topic.arn]).apply(
       ([queueArn, topicArn2]) => JSON.stringify({
@@ -29670,7 +30038,7 @@ async function createSMSSNSResources(config2) {
       })
     )
   });
-  const subscription = new aws18.sns.TopicSubscription(
+  const subscription = new aws19.sns.TopicSubscription(
     "wraps-sms-events-subscription",
     {
       topic: topic.arn,
@@ -29719,17 +30087,17 @@ async function createSMSDynamoDBTable() {
       Service: "sms"
     }
   };
-  return exists ? new aws18.dynamodb.Table(tableName, tableConfig, {
+  return exists ? new aws19.dynamodb.Table(tableName, tableConfig, {
     import: tableName,
     customTimeouts: { create: "5m", update: "5m", delete: "5m" }
-  }) : new aws18.dynamodb.Table(tableName, tableConfig, {
+  }) : new aws19.dynamodb.Table(tableName, tableConfig, {
     customTimeouts: { create: "5m", update: "5m", delete: "5m" }
   });
 }
 async function deploySMSLambdaFunction(config2) {
   const { getLambdaCode: getLambdaCode2 } = await Promise.resolve().then(() => (init_lambda(), lambda_exports));
   const codeDir = await getLambdaCode2("sms-event-processor");
-  const lambdaRole = new aws18.iam.Role("wraps-sms-lambda-role", {
+  const lambdaRole = new aws19.iam.Role("wraps-sms-lambda-role", {
     name: "wraps-sms-lambda-role",
     assumeRolePolicy: JSON.stringify({
       Version: "2012-10-17",
@@ -29746,11 +30114,11 @@ async function deploySMSLambdaFunction(config2) {
       Service: "sms"
     }
   });
-  new aws18.iam.RolePolicyAttachment("wraps-sms-lambda-basic-execution", {
+  new aws19.iam.RolePolicyAttachment("wraps-sms-lambda-basic-execution", {
     role: lambdaRole.name,
     policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
   });
-  new aws18.iam.RolePolicy("wraps-sms-lambda-policy", {
+  new aws19.iam.RolePolicy("wraps-sms-lambda-policy", {
     role: lambdaRole.name,
     policy: pulumi24.all([config2.tableName, config2.queueArn]).apply(
       ([tableName, queueArn]) => JSON.stringify({
@@ -29782,7 +30150,7 @@ async function deploySMSLambdaFunction(config2) {
       })
     )
   });
-  const eventProcessor = new aws18.lambda.Function(
+  const eventProcessor = new aws19.lambda.Function(
     "wraps-sms-event-processor",
     {
       name: "wraps-sms-event-processor",
@@ -29810,7 +30178,7 @@ async function deploySMSLambdaFunction(config2) {
       customTimeouts: { create: "5m", update: "5m", delete: "2m" }
     }
   );
-  new aws18.lambda.EventSourceMapping(
+  new aws19.lambda.EventSourceMapping(
     "wraps-sms-event-source-mapping",
     {
       eventSourceArn: config2.queueArn,
@@ -29826,7 +30194,7 @@ async function deploySMSLambdaFunction(config2) {
   return eventProcessor;
 }
 async function deploySMSStack(config2) {
-  const identity = await aws18.getCallerIdentity();
+  const identity = await aws19.getCallerIdentity();
   const accountId = identity.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {