@wraps.dev/cli 2.14.7 → 2.15.0

package/dist/cli.js

@@ -4102,6 +4102,7 @@ var init_route53 = __esm({
 var metadata_exports = {};
 __export(metadata_exports, {
   addDomainToMetadata: () => addDomainToMetadata,
+  addInboundDomainToMetadata: () => addInboundDomainToMetadata,
   addServiceToConnection: () => addServiceToConnection,
   applyConfigUpdates: () => applyConfigUpdates,
   buildEmailStackConfig: () => buildEmailStackConfig,
@@ -4117,7 +4118,9 @@ __export(metadata_exports, {
   hasService: () => hasService,
   listConnections: () => listConnections,
   loadConnectionMetadata: () => loadConnectionMetadata,
+  migrateInboundToMultiDomain: () => migrateInboundToMultiDomain,
   removeDomainFromMetadata: () => removeDomainFromMetadata,
+  removeInboundDomainFromMetadata: () => removeInboundDomainFromMetadata,
   removeServiceFromConnection: () => removeServiceFromConnection,
   saveConnectionMetadata: () => saveConnectionMetadata,
   updateEmailConfig: () => updateEmailConfig,
@@ -4180,6 +4183,9 @@ async function loadConnectionMetadata(accountId, region) {
         }
         localData = data;
       }
+      if (localData && migrateInboundToMultiDomain(localData)) {
+        await saveConnectionMetadataLocal(localData);
+      }
     } catch (error) {
       console.error(
         "Error loading connection metadata:",
@@ -4599,6 +4605,61 @@ function getAllTrackedDomains(metadata) {
   }
   return result;
 }
+function migrateInboundToMultiDomain(metadata) {
+  const emailConfig = metadata.services.email?.config;
+  if (!emailConfig?.inbound?.enabled) {
+    return false;
+  }
+  if (emailConfig.inboundDomains && emailConfig.inboundDomains.length > 0) {
+    return false;
+  }
+  const inbound = emailConfig.inbound;
+  const receivingDomain = inbound.receivingDomain || (inbound.subdomain && emailConfig.domain ? `${inbound.subdomain}.${emailConfig.domain}` : null);
+  if (!receivingDomain) {
+    return false;
+  }
+  const parentDomain = emailConfig.domain || "";
+  const subdomain = inbound.subdomain || "inbound";
+  emailConfig.inboundDomains = [
+    {
+      subdomain,
+      receivingDomain,
+      parentDomain,
+      addedAt: metadata.services.email?.deployedAt || (/* @__PURE__ */ new Date()).toISOString()
+    }
+  ];
+  return true;
+}
+function addInboundDomainToMetadata(metadata, entry) {
+  if (!metadata.services.email) {
+    throw new Error("Email service not configured in metadata");
+  }
+  const config2 = metadata.services.email.config;
+  const existing = config2.inboundDomains ?? [];
+  const idx = existing.findIndex(
+    (d) => d.receivingDomain === entry.receivingDomain
+  );
+  if (idx >= 0) {
+    existing[idx] = entry;
+  } else {
+    existing.push(entry);
+  }
+  config2.inboundDomains = existing;
+  metadata.timestamp = (/* @__PURE__ */ new Date()).toISOString();
+}
+function removeInboundDomainFromMetadata(metadata, receivingDomain) {
+  if (!metadata.services.email) {
+    return;
+  }
+  const config2 = metadata.services.email.config;
+  if (!config2.inboundDomains) {
+    return;
+  }
+  config2.inboundDomains = config2.inboundDomains.filter(
+    (d) => d.receivingDomain !== receivingDomain
+  );
+  metadata.timestamp = (/* @__PURE__ */ new Date()).toISOString();
+}
 var init_metadata = __esm({
   "src/utils/shared/metadata.ts"() {
     "use strict";
@@ -5560,19 +5621,19 @@ import { randomBytes as randomBytes2 } from "crypto";
 import { existsSync as existsSync6, mkdirSync } from "fs";
 import { builtinModules } from "module";
 import { tmpdir } from "os";
-import { dirname as dirname2, join as join7 } from "path";
+import { dirname as dirname3, join as join7 } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
 import * as aws8 from "@pulumi/aws";
 import * as pulumi11 from "@pulumi/pulumi";
 import { build } from "esbuild";
 function getPackageRoot() {
   const currentFile = fileURLToPath3(import.meta.url);
-  let dir = dirname2(currentFile);
-  while (dir !== dirname2(dir)) {
+  let dir = dirname3(currentFile);
+  while (dir !== dirname3(dir)) {
     if (existsSync6(join7(dir, "package.json"))) {
       return dir;
     }
-    dir = dirname2(dir);
+    dir = dirname3(dir);
   }
   throw new Error("Could not find package.json");
 }
@@ -5781,14 +5842,18 @@ var init_lambda = __esm({
 var acm_exports = {};
 __export(acm_exports, {
   checkCertificateValidation: () => checkCertificateValidation,
-  createACMCertificate: () => createACMCertificate
+  createACMCertificate: () => createACMCertificate,
+  getCertificateValidationRecords: () => getCertificateValidationRecords
 });
-import { ACMClient as ACMClient2, DescribeCertificateCommand as DescribeCertificateCommand2 } from "@aws-sdk/client-acm";
+import {
+  ACMClient as ACMClient2,
+  DescribeCertificateCommand as DescribeCertificateCommand2,
+  ListCertificatesCommand
+} from "@aws-sdk/client-acm";
 import * as aws12 from "@pulumi/aws";
 async function checkCertificateValidation(domain) {
   try {
     const acm3 = new ACMClient2({ region: "us-east-1" });
-    const { ListCertificatesCommand } = await import("@aws-sdk/client-acm");
     const listResponse = await acm3.send(
       new ListCertificatesCommand({
         CertificateStatuses: ["ISSUED"]
@@ -5864,6 +5929,31 @@ async function createACMCertificate(config2) {
     validationRecords
   };
 }
+async function getCertificateValidationRecords(domain) {
+  const acm3 = new ACMClient2({ region: "us-east-1" });
+  const listResponse = await acm3.send(
+    new ListCertificatesCommand({
+      CertificateStatuses: ["PENDING_VALIDATION", "ISSUED"]
+    })
+  );
+  const cert = listResponse.CertificateSummaryList?.find(
+    (c) => c.DomainName === domain
+  );
+  if (!cert?.CertificateArn) {
+    return [];
+  }
+  const describeResponse = await acm3.send(
+    new DescribeCertificateCommand2({
+      CertificateArn: cert.CertificateArn
+    })
+  );
+  const options = describeResponse.Certificate?.DomainValidationOptions ?? [];
+  return options.filter((opt) => opt.ResourceRecord?.Name && opt.ResourceRecord?.Value).map((opt) => ({
+    name: opt.ResourceRecord.Name,
+    type: opt.ResourceRecord.Type ?? "CNAME",
+    value: opt.ResourceRecord.Value
+  }));
+}
 var init_acm = __esm({
   "src/infrastructure/resources/acm.ts"() {
     "use strict";
@@ -8703,7 +8793,7 @@ var init_dynamodb_metrics = __esm({
 // src/cli.ts
 init_esm_shims();
 import { readFileSync as readFileSync3 } from "fs";
-import { dirname as dirname3, join as join19 } from "path";
+import { dirname as dirname4, join as join19 } from "path";
 import { fileURLToPath as fileURLToPath5 } from "url";
 import * as clack50 from "@clack/prompts";
 import args from "args";
@@ -9902,6 +9992,7 @@ import pc10 from "picocolors";
 init_esm_shims();
 init_errors();
 import { exec } from "child_process";
+import { dirname as dirname2 } from "path";
 import { promisify } from "util";
 import { PulumiCommand } from "@pulumi/pulumi/automation/index.js";
 var execAsync = promisify(exec);
@@ -9917,7 +10008,9 @@ async function ensurePulumiInstalled() {
   const isInstalled = await checkPulumiInstalled();
   if (!isInstalled) {
     try {
-      await PulumiCommand.install();
+      const cmd = await PulumiCommand.install();
+      const binDir = dirname2(cmd.command);
+      process.env.PATH = `${binDir}:${process.env.PATH}`;
       return true;
     } catch (_error) {
       throw errors.pulumiNotInstalled();
@@ -19095,7 +19188,8 @@ import {
   DescribeActiveReceiptRuleSetCommand,
   DescribeReceiptRuleCommand,
   SESClient as SESClient3,
-  SetActiveReceiptRuleSetCommand
+  SetActiveReceiptRuleSetCommand,
+  UpdateReceiptRuleCommand
 } from "@aws-sdk/client-ses";
 var RULE_SET_NAME = "wraps-inbound-rules";
 var RULE_NAME = "wraps-inbound-catch-all";
@@ -19218,6 +19312,77 @@ async function deleteReceiptRuleSet(region) {
     throw error;
   }
 }
+async function addDomainToReceiptRule(region, domain, s3BucketName) {
+  const ses = createSESClient(region);
+  try {
+    const response = await ses.send(
+      new DescribeReceiptRuleCommand({
+        RuleSetName: RULE_SET_NAME,
+        RuleName: RULE_NAME
+      })
+    );
+    const existingRecipients = response.Rule?.Recipients ?? [];
+    if (existingRecipients.includes(domain)) {
+      return;
+    }
+    await ses.send(
+      new UpdateReceiptRuleCommand({
+        RuleSetName: RULE_SET_NAME,
+        Rule: {
+          Name: RULE_NAME,
+          Enabled: response.Rule?.Enabled,
+          ScanEnabled: response.Rule?.ScanEnabled,
+          TlsPolicy: response.Rule?.TlsPolicy,
+          Actions: response.Rule?.Actions,
+          Recipients: [...existingRecipients, domain]
+        }
+      })
+    );
+  } catch (error) {
+    if (error instanceof Error && (error.name === "RuleDoesNotExistException" || error.name === "RuleSetDoesNotExistException")) {
+      await createReceiptRuleSet(region);
+      await createReceiptRule(region, domain, s3BucketName);
+      await setActiveReceiptRuleSet(region, RULE_SET_NAME);
+      return;
+    }
+    throw error;
+  }
+}
+async function removeDomainFromReceiptRule(region, domain) {
+  const ses = createSESClient(region);
+  try {
+    const response = await ses.send(
+      new DescribeReceiptRuleCommand({
+        RuleSetName: RULE_SET_NAME,
+        RuleName: RULE_NAME
+      })
+    );
+    const existingRecipients = response.Rule?.Recipients ?? [];
+    const updated = existingRecipients.filter((r) => r !== domain);
+    if (updated.length === 0) {
+      await deleteReceiptRule(region);
+      return;
+    }
+    await ses.send(
+      new UpdateReceiptRuleCommand({
+        RuleSetName: RULE_SET_NAME,
+        Rule: {
+          Name: RULE_NAME,
+          Enabled: response.Rule?.Enabled,
+          ScanEnabled: response.Rule?.ScanEnabled,
+          TlsPolicy: response.Rule?.TlsPolicy,
+          Actions: response.Rule?.Actions,
+          Recipients: updated
+        }
+      })
+    );
+  } catch (error) {
+    if (error instanceof Error && (error.name === "RuleDoesNotExistException" || error.name === "RuleSetDoesNotExistException")) {
+      return;
+    }
+    throw error;
+  }
+}
 
 // src/commands/email/inbound.ts
 init_aws();
@@ -19296,7 +19461,15 @@ async function inboundInit(options) {
       bucketName: `wraps-inbound-${identity.accountId}-${region}`,
       webhookUrl,
       webhookSecret
-    }
+    },
+    inboundDomains: [
+      {
+        subdomain,
+        receivingDomain,
+        parentDomain: domain,
+        addedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }
+    ]
   };
   const stackConfig = buildEmailStackConfig(metadata, region, {
     emailConfig: updatedEmailConfig
@@ -19537,7 +19710,8 @@ Deploy first: ${pc21.cyan("wraps email inbound init")}
   const stackName = emailService.pulumiStackName || `wraps-${identity.accountId}-${region}`;
   const updatedEmailConfig = {
     ...emailService.config,
-    inbound: void 0
+    inbound: void 0,
+    inboundDomains: void 0
   };
   const stackConfig = buildEmailStackConfig(metadata, region, {
     emailConfig: updatedEmailConfig
@@ -19606,13 +19780,18 @@ Enable it: ${pc21.cyan("wraps email inbound init")}
 `);
     return;
   }
-  const inbound = metadata.services.email.config.inbound;
+  const emailConfig = metadata.services.email.config;
+  const inbound = emailConfig.inbound;
+  const inboundDomains = emailConfig.inboundDomains ?? [];
   const activeRuleSet = await getActiveReceiptRuleSet(region);
-  const receivingDomain = inbound.receivingDomain || `${inbound.subdomain}.${metadata.services.email.config.domain}`;
+  const domainList = inboundDomains.length > 0 ? inboundDomains.map((d) => d.receivingDomain) : [
+    inbound.receivingDomain || `${inbound.subdomain}.${emailConfig.domain}`
+  ];
   if (isJsonMode()) {
     jsonSuccess("email.inbound.status", {
       enabled: true,
-      receivingDomain,
+      receivingDomains: domainList,
+      receivingDomain: domainList[0],
       bucketName: inbound.bucketName || "",
       region,
       webhookUrl: inbound.webhookUrl || null,
@@ -19624,7 +19803,16 @@ Enable it: ${pc21.cyan("wraps email inbound init")}
   console.log();
   console.log(pc21.bold("  Inbound Email Configuration"));
   console.log();
-  console.log(`  ${pc21.dim("Receiving domain:")}  ${pc21.cyan(receivingDomain)}`);
+  if (domainList.length === 1) {
+    console.log(
+      `  ${pc21.dim("Receiving domain:")}  ${pc21.cyan(domainList[0])}`
+    );
+  } else {
+    console.log(`  ${pc21.dim("Receiving domains:")}`);
+    for (const d of domainList) {
+      console.log(`    ${pc21.cyan(d)}`);
+    }
+  }
   console.log(
     `  ${pc21.dim("S3 bucket:")}         ${pc21.cyan(inbound.bucketName || "")}`
   );
@@ -19658,61 +19846,77 @@ Enable it: ${pc21.cyan("wraps email inbound init")}
 `);
     process.exit(1);
   }
-  const inbound = metadata.services.email.config.inbound;
-  const receivingDomain = inbound.receivingDomain || `${inbound.subdomain}.${metadata.services.email.config.domain}`;
+  const emailConfig = metadata.services.email.config;
+  const inbound = emailConfig.inbound;
+  const inboundDomains = emailConfig.inboundDomains ?? [];
+  const domainList = inboundDomains.length > 0 ? inboundDomains.map((d) => d.receivingDomain) : [
+    inbound.receivingDomain || `${inbound.subdomain}.${emailConfig.domain}`
+  ];
   let allPassed = true;
+  const domainChecks = {};
   console.log();
-  const mxResult = await progress.execute(
-    `Checking MX record for ${receivingDomain}`,
-    async () => {
-      try {
-        const records = await dns2.resolveMx(receivingDomain);
-        const hasSES = records.some((r) => r.exchange.includes("inbound-smtp"));
-        return { found: true, hasSES, records };
-      } catch {
-        return { found: false, hasSES: false, records: [] };
-      }
+  for (const receivingDomain of domainList) {
+    if (domainList.length > 1) {
+      clack20.log.info(pc21.bold(`Checking ${pc21.cyan(receivingDomain)}`));
     }
-  );
-  if (mxResult.hasSES) {
-    clack20.log.success(
-      `MX record: ${pc21.green("verified")} \u2192 inbound-smtp.${region}.amazonaws.com`
-    );
-  } else if (mxResult.found) {
-    clack20.log.warn(
-      `MX record found but not pointing to SES. Expected: ${pc21.cyan(`10 inbound-smtp.${region}.amazonaws.com`)}`
-    );
-    allPassed = false;
-  } else {
-    clack20.log.error(
-      `MX record: ${pc21.red("not found")}. Add: ${pc21.cyan(`${receivingDomain} MX 10 inbound-smtp.${region}.amazonaws.com`)}`
-    );
-    allPassed = false;
-  }
-  const spfResult = await progress.execute(
-    `Checking SPF record for ${receivingDomain}`,
-    async () => {
-      try {
-        const records = await dns2.resolveTxt(receivingDomain);
-        const flat = records.map((r) => r.join(""));
-        const spf = flat.find((r) => r.startsWith("v=spf1"));
-        const hasSES = spf?.includes("amazonses.com") ?? false;
-        return { found: !!spf, hasSES, value: spf };
-      } catch {
-        return { found: false, hasSES: false, value: null };
+    const mxResult = await progress.execute(
+      `Checking MX record for ${receivingDomain}`,
+      async () => {
+        try {
+          const records = await dns2.resolveMx(receivingDomain);
+          const hasSES = records.some(
+            (r) => r.exchange.includes("inbound-smtp")
+          );
+          return { found: true, hasSES, records };
+        } catch {
+          return { found: false, hasSES: false, records: [] };
+        }
       }
+    );
+    if (mxResult.hasSES) {
+      clack20.log.success(
+        `MX record: ${pc21.green("verified")} \u2192 inbound-smtp.${region}.amazonaws.com`
+      );
+    } else if (mxResult.found) {
+      clack20.log.warn(
+        `MX record found but not pointing to SES. Expected: ${pc21.cyan(`10 inbound-smtp.${region}.amazonaws.com`)}`
+      );
+      allPassed = false;
+    } else {
+      clack20.log.error(
+        `MX record: ${pc21.red("not found")}. Add: ${pc21.cyan(`${receivingDomain} MX 10 inbound-smtp.${region}.amazonaws.com`)}`
+      );
+      allPassed = false;
     }
-  );
-  if (spfResult.hasSES) {
-    clack20.log.success(`SPF record: ${pc21.green("verified")}`);
-  } else if (spfResult.found) {
-    clack20.log.warn("SPF record exists but missing amazonses.com include");
-    allPassed = false;
-  } else {
-    clack20.log.error(
-      `SPF record: ${pc21.red("not found")}. Add TXT: ${pc21.cyan("v=spf1 include:amazonses.com ~all")}`
+    const spfResult = await progress.execute(
+      `Checking SPF record for ${receivingDomain}`,
+      async () => {
+        try {
+          const records = await dns2.resolveTxt(receivingDomain);
+          const flat = records.map((r) => r.join(""));
+          const spf = flat.find((r) => r.startsWith("v=spf1"));
+          const hasSES = spf?.includes("amazonses.com") ?? false;
+          return { found: !!spf, hasSES, value: spf };
+        } catch {
+          return { found: false, hasSES: false, value: null };
+        }
+      }
     );
-    allPassed = false;
+    if (spfResult.hasSES) {
+      clack20.log.success(`SPF record: ${pc21.green("verified")}`);
+    } else if (spfResult.found) {
+      clack20.log.warn("SPF record exists but missing amazonses.com include");
+      allPassed = false;
+    } else {
+      clack20.log.error(
+        `SPF record: ${pc21.red("not found")}. Add TXT: ${pc21.cyan("v=spf1 include:amazonses.com ~all")}`
+      );
+      allPassed = false;
+    }
+    domainChecks[receivingDomain] = {
+      mx: { found: mxResult.found, verified: mxResult.hasSES },
+      spf: { found: spfResult.found, verified: spfResult.hasSES }
+    };
   }
   const activeRuleSet = await getActiveReceiptRuleSet(region);
   if (activeRuleSet === RULE_SET_NAME) {
@@ -19725,13 +19929,11 @@ Enable it: ${pc21.cyan("wraps email inbound init")}
   }
   if (isJsonMode()) {
     jsonSuccess("email.inbound.verify", {
-      receivingDomain,
+      receivingDomains: domainList,
+      receivingDomain: domainList[0],
       allPassed,
-      checks: {
-        mx: { found: mxResult.found, verified: mxResult.hasSES },
-        spf: { found: spfResult.found, verified: spfResult.hasSES },
-        receiptRuleSet: { active: activeRuleSet === RULE_SET_NAME }
-      }
+      domainChecks,
+      receiptRuleSet: { active: activeRuleSet === RULE_SET_NAME }
     });
     return;
   }
@@ -19888,6 +20090,304 @@ Enable it: ${pc21.cyan("wraps email inbound init")}
   clack20.log.success(pc21.bold("Inbound email is working correctly!"));
   console.log();
 }
+async function inboundAdd(options) {
+  if (!isJsonMode()) {
+    clack20.intro(pc21.bold("Add Inbound Receiving Domain"));
+  }
+  const progress = new DeploymentProgress();
+  const identity = await progress.execute(
+    "Validating AWS credentials",
+    async () => validateAWSCredentials()
+  );
+  const region = options.region || await getAWSRegion();
+  if (!SES_RECEIVING_REGIONS.includes(
+    region
+  )) {
+    throw errors.inboundRegionNotSupported(region);
+  }
+  const metadata = await loadConnectionMetadata(identity.accountId, region);
+  if (!metadata?.services?.email?.config?.inbound?.enabled) {
+    clack20.log.error("Inbound email infrastructure is not deployed.");
+    console.log(
+      `
+Deploy first: ${pc21.cyan("wraps email inbound init")}
+`
+    );
+    process.exit(1);
+  }
+  const emailConfig = metadata.services.email.config;
+  const primaryDomain = emailConfig.domain || "";
+  const allDomains = [primaryDomain];
+  for (const d of emailConfig.additionalDomains ?? []) {
+    if (!allDomains.includes(d.domain)) {
+      allDomains.push(d.domain);
+    }
+  }
+  let parentDomain = options.domain;
+  if (!parentDomain) {
+    if (options.yes) {
+      parentDomain = primaryDomain;
+    } else if (allDomains.length === 1) {
+      parentDomain = allDomains[0];
+    } else {
+      const selected = await clack20.select({
+        message: "Which domain should the inbound subdomain be under?",
+        options: allDomains.map((d) => ({
+          value: d,
+          label: d,
+          hint: d === primaryDomain ? "primary" : void 0
+        }))
+      });
+      if (clack20.isCancel(selected)) {
+        clack20.cancel("Operation cancelled.");
+        process.exit(0);
+      }
+      parentDomain = selected;
+    }
+  }
+  const subdomain = options.subdomain || (options.yes ? "inbound" : await promptInboundSubdomain(parentDomain));
+  const receivingDomain = `${subdomain}.${parentDomain}`;
+  const existingDomains = emailConfig.inboundDomains ?? [];
+  if (existingDomains.some((d) => d.receivingDomain === receivingDomain)) {
+    clack20.log.warn(
+      `${pc21.cyan(receivingDomain)} is already configured as an inbound domain.`
+    );
+    return;
+  }
+  clack20.log.info(`Adding receiving domain: ${pc21.cyan(receivingDomain)}`);
+  const bucketName = emailConfig.inbound?.bucketName || `wraps-inbound-${identity.accountId}-${region}`;
+  await progress.execute("Updating SES receipt rule", async () => {
+    await addDomainToReceiptRule(region, receivingDomain, bucketName);
+  });
+  let dnsAutoCreated = false;
+  const {
+    detectAvailableDNSProviders: detectAvailableDNSProviders2,
+    getDNSCredentials: getDNSCredentials2,
+    createInboundDNSRecordsForProvider: createInboundDNSRecordsForProvider2,
+    getDNSProviderDisplayName: getDNSProviderDisplayName2,
+    getDNSProviderTokenUrl: getDNSProviderTokenUrl2,
+    buildInboundDNSRecords: buildRecords,
+    formatDNSRecordsForDisplay: formatRecords
+  } = await Promise.resolve().then(() => (init_dns(), dns_exports));
+  const { promptDNSProvider: promptDNSProvider2, promptContinueManualDNS: promptContinueManualDNS2 } = await Promise.resolve().then(() => (init_prompts(), prompts_exports));
+  const existingDnsProvider = metadata.services.email.dnsProvider;
+  let dnsProvider = existingDnsProvider;
+  if (!dnsProvider || dnsProvider === "manual") {
+    progress.start("Detecting DNS providers");
+    const availableProviders = await detectAvailableDNSProviders2(
+      parentDomain,
+      region
+    );
+    progress.stop();
+    dnsProvider = options.yes ? "manual" : await promptDNSProvider2(parentDomain, availableProviders);
+  }
+  if (dnsProvider !== "manual") {
+    progress.start(
+      `Validating ${getDNSProviderDisplayName2(dnsProvider)} credentials`
+    );
+    const credentialResult = await getDNSCredentials2(
+      dnsProvider,
+      parentDomain,
+      region
+    );
+    progress.stop();
+    if (credentialResult.valid && credentialResult.credentials) {
+      const records = buildRecords(receivingDomain, region);
+      clack20.log.info(pc21.bold("DNS records to create:"));
+      for (const record of records) {
+        const value = record.priority ? `${record.priority} ${record.value}` : record.value;
+        clack20.log.info(pc21.dim(`  ${record.type} ${record.name} \u2192 ${value}`));
+      }
+      progress.start(
+        `Creating DNS records in ${getDNSProviderDisplayName2(dnsProvider)}`
+      );
+      const result = await createInboundDNSRecordsForProvider2(
+        credentialResult.credentials,
+        receivingDomain,
+        region,
+        parentDomain
+      );
+      if (result.success && result.recordsCreated > 0) {
+        progress.succeed(
+          `Created ${result.recordsCreated} DNS records in ${getDNSProviderDisplayName2(dnsProvider)}`
+        );
+        dnsAutoCreated = true;
+      } else {
+        progress.fail("Failed to create some DNS records");
+        if (result.errors) {
+          for (const err of result.errors) {
+            clack20.log.warn(err);
+          }
+        }
+      }
+    } else {
+      clack20.log.warn(
+        credentialResult.error || "Could not validate credentials"
+      );
+      if (dnsProvider === "vercel" || dnsProvider === "cloudflare") {
+        clack20.log.info(
+          `Set the ${dnsProvider === "vercel" ? "VERCEL_TOKEN" : "CLOUDFLARE_API_TOKEN"} environment variable to enable automatic DNS management.`
+        );
+        clack20.log.info(
+          `You can create a token at: ${pc21.cyan(getDNSProviderTokenUrl2(dnsProvider))}`
+        );
+      }
+      if (!options.yes) {
+        const continueManual = await promptContinueManualDNS2();
+        if (continueManual) {
+          dnsProvider = "manual";
+        }
+      }
+    }
+  }
+  if (!dnsAutoCreated) {
+    const dnsRecords = buildRecords(receivingDomain, region);
+    const formattedRecords = formatRecords(dnsRecords);
+    console.log();
+    clack20.log.info(pc21.bold("DNS Records Required"));
+    console.log(
+      `  Add these records to your DNS provider for ${pc21.cyan(receivingDomain)}:
+`
+    );
+    for (const record of formattedRecords) {
+      console.log(`  ${pc21.dim(record.type.padEnd(6))} ${record.name}`);
+      console.log(`  ${pc21.dim("\u2192")} ${pc21.green(record.value)}
+`);
+    }
+  }
+  await progress.execute("Saving configuration", async () => {
+    addInboundDomainToMetadata(metadata, {
+      subdomain,
+      receivingDomain,
+      parentDomain,
+      addedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    await saveConnectionMetadata(metadata);
+  });
+  if (isJsonMode()) {
+    jsonSuccess("email.inbound.add", {
+      receivingDomain,
+      subdomain,
+      parentDomain,
+      dnsAutoCreated,
+      region
+    });
+    return;
+  }
+  console.log();
+  clack20.log.success(
+    `${pc21.bold("Added inbound domain:")} ${pc21.cyan(receivingDomain)}`
+  );
+  console.log();
+  if (!dnsAutoCreated) {
+    console.log(
+      `  ${pc21.dim("1.")} Add DNS records above to your DNS provider`
+    );
+    console.log(
+      `  ${pc21.dim("2.")} Verify: ${pc21.cyan("wraps email inbound verify")}`
+    );
+  } else {
+    console.log(
+      `  Verify: ${pc21.cyan("wraps email inbound verify")}`
+    );
+  }
+  console.log();
+}
+async function inboundRemove(options) {
+  if (!isJsonMode()) {
+    clack20.intro(pc21.bold("Remove Inbound Receiving Domain"));
+  }
+  const progress = new DeploymentProgress();
+  const identity = await progress.execute(
+    "Validating AWS credentials",
+    async () => validateAWSCredentials()
+  );
+  const region = options.region || await getAWSRegion();
+  const metadata = await loadConnectionMetadata(identity.accountId, region);
+  if (!metadata?.services?.email?.config?.inbound?.enabled) {
+    clack20.log.error("Inbound email infrastructure is not deployed.");
+    console.log(
+      `
+Deploy first: ${pc21.cyan("wraps email inbound init")}
+`
+    );
+    process.exit(1);
+  }
+  const emailConfig = metadata.services.email.config;
+  const inboundDomains = emailConfig.inboundDomains ?? [];
+  if (inboundDomains.length === 0) {
+    clack20.log.warn("No inbound domains configured.");
+    return;
+  }
+  let domainToRemove = options.domain;
+  if (!domainToRemove) {
+    if (inboundDomains.length === 1) {
+      domainToRemove = inboundDomains[0].receivingDomain;
+    } else {
+      const selected = await clack20.select({
+        message: "Which inbound domain do you want to remove?",
+        options: inboundDomains.map((d) => ({
+          value: d.receivingDomain,
+          label: d.receivingDomain,
+          hint: `added ${d.addedAt.split("T")[0]}`
+        }))
+      });
+      if (clack20.isCancel(selected)) {
+        clack20.cancel("Operation cancelled.");
+        process.exit(0);
+      }
+      domainToRemove = selected;
+    }
+  }
+  if (!inboundDomains.some((d) => d.receivingDomain === domainToRemove)) {
+    clack20.log.error(
+      `${pc21.cyan(domainToRemove)} is not in the inbound domains list.`
+    );
+    return;
+  }
+  if (inboundDomains.length === 1) {
+    clack20.log.error(
+      "Cannot remove the last inbound domain. Use " + pc21.cyan("wraps email inbound destroy") + " to remove all inbound infrastructure."
+    );
+    return;
+  }
+  if (!options.yes) {
+    const confirmed = await clack20.confirm({
+      message: `Remove inbound domain ${pc21.cyan(domainToRemove)}?`,
+      initialValue: false
+    });
+    if (clack20.isCancel(confirmed) || !confirmed) {
+      clack20.cancel("Operation cancelled.");
+      process.exit(0);
+    }
+  }
+  await progress.execute("Updating SES receipt rule", async () => {
+    await removeDomainFromReceiptRule(region, domainToRemove);
+  });
+  await progress.execute("Saving configuration", async () => {
+    removeInboundDomainFromMetadata(metadata, domainToRemove);
+    await saveConnectionMetadata(metadata);
+  });
+  if (isJsonMode()) {
+    jsonSuccess("email.inbound.remove", {
+      removedDomain: domainToRemove,
+      remainingDomains: (emailConfig.inboundDomains ?? []).map(
+        (d) => d.receivingDomain
+      ),
+      region
+    });
+    return;
+  }
+  console.log();
+  clack20.log.success(
+    `${pc21.bold("Removed inbound domain:")} ${pc21.cyan(domainToRemove)}`
+  );
+  console.log();
+  console.log(
+    `  ${pc21.dim("Remember to remove the MX and SPF DNS records for")} ${pc21.cyan(domainToRemove)}`
+  );
+  console.log();
+}
 
 // src/commands/email/init.ts
 init_esm_shims();
@@ -21870,7 +22370,7 @@ async function findCliNodeModules() {
   const paths = [];
   try {
     const { createRequire } = await import("module");
-    const { dirname: dirname4 } = await import("path");
+    const { dirname: dirname5 } = await import("path");
     for (const base of [
       // The current file's location (works when running from source)
       import.meta.url,
@@ -21880,7 +22380,7 @@ async function findCliNodeModules() {
       try {
         const req = createRequire(base);
         const reactPkg = req.resolve("react/package.json");
-        const reactNodeModules = join10(dirname4(reactPkg), "..");
+        const reactNodeModules = join10(dirname5(reactPkg), "..");
         if (existsSync9(join10(reactNodeModules, "react"))) {
           paths.push(reactNodeModules);
           break;
@@ -24458,6 +24958,13 @@ ${pc30.bold("Add these DNS records to your DNS provider:")}
   if (outputs.httpsTrackingEnabled && outputs.acmCertificateValidationRecords) {
     acmValidationRecords.push(...outputs.acmCertificateValidationRecords);
   }
+  if (acmValidationRecords.length === 0 && outputs.httpsTrackingPending && outputs.customTrackingDomain) {
+    const { getCertificateValidationRecords: getCertificateValidationRecords2 } = await Promise.resolve().then(() => (init_acm(), acm_exports));
+    const directRecords = await getCertificateValidationRecords2(
+      outputs.customTrackingDomain
+    );
+    acmValidationRecords.push(...directRecords);
+  }
   let acmDnsAutoCreated = false;
   if (outputs.httpsTrackingPending && acmValidationRecords.length > 0 && outputs.customTrackingDomain) {
     const trackingDnsProvider = metadata.services.email?.dnsProvider;
@@ -27137,7 +27644,7 @@ import {
   IAMClient as IAMClient2,
   PutRolePolicyCommand
 } from "@aws-sdk/client-iam";
-import { confirm as confirm14, intro as intro32, isCancel as isCancel20, log as log32, outro as outro19, select as select14 } from "@clack/prompts";
+import { confirm as confirm14, intro as intro32, isCancel as isCancel20, log as log32, outro as outro19, select as select15 } from "@clack/prompts";
 import * as pulumi21 from "@pulumi/pulumi";
 import pc36 from "picocolors";
 init_events();
@@ -27480,7 +27987,7 @@ async function resolveOrganization() {
   if (orgs.length === 1) {
     return orgs[0];
   }
-  const selected = await select14({
+  const selected = await select15({
     message: "Which organization should this AWS account connect to?",
     options: orgs.map((org) => ({
       value: org.id,
@@ -27776,7 +28283,7 @@ Run ${pc36.cyan("wraps email init")} or ${pc36.cyan("wraps sms init")} first.
         log32.info(
           `Already connected to Wraps Platform (AWS Account: ${pc36.cyan(metadata.accountId)})`
         );
-        const action = await select14({
+        const action = await select15({
           message: "What would you like to do?",
           options: [
             {
@@ -35746,7 +36253,7 @@ if (nodeMajorVersion < 20) {
   process.exit(1);
 }
 var __filename2 = fileURLToPath5(import.meta.url);
-var __dirname3 = dirname3(__filename2);
+var __dirname3 = dirname4(__filename2);
 var packageJson = JSON.parse(
   readFileSync3(join19(__dirname3, "../package.json"), "utf-8")
 );
@@ -36136,6 +36643,11 @@ args.options([
     name: "org",
     description: "Organization slug",
     defaultValue: void 0
+  },
+  {
+    name: "subdomain",
+    description: "Subdomain for inbound email (e.g., inbound, support)",
+    defaultValue: void 0
   }
 ]);
 var flags = args.parse(process.argv);
@@ -36450,13 +36962,30 @@ Usage: ${pc53.cyan("wraps email verify --domain yourapp.com")}
                 json: flags.json
               });
               break;
+            case "add":
+              await inboundAdd({
+                region: flags.region,
+                subdomain: flags.subdomain,
+                domain: flags.domain,
+                yes: flags.yes,
+                json: flags.json
+              });
+              break;
+            case "remove":
+              await inboundRemove({
+                region: flags.region,
+                domain: flags.domain,
+                yes: flags.yes,
+                json: flags.json
+              });
+              break;
             default:
               clack50.log.error(
                 `Unknown inbound command: ${inboundSubCommand || "(none)"}`
               );
               console.log(
                 `
-Available commands: ${pc53.cyan("init")}, ${pc53.cyan("destroy")}, ${pc53.cyan("status")}, ${pc53.cyan("verify")}, ${pc53.cyan("test")}
+Available commands: ${pc53.cyan("init")}, ${pc53.cyan("destroy")}, ${pc53.cyan("status")}, ${pc53.cyan("verify")}, ${pc53.cyan("test")}, ${pc53.cyan("add")}, ${pc53.cyan("remove")}
 `
               );
               throw new Error(