@wraps.dev/cli 2.14.8 → 2.15.1

package/dist/cli.js

@@ -4102,6 +4102,7 @@ var init_route53 = __esm({
 var metadata_exports = {};
 __export(metadata_exports, {
   addDomainToMetadata: () => addDomainToMetadata,
+  addInboundDomainToMetadata: () => addInboundDomainToMetadata,
   addServiceToConnection: () => addServiceToConnection,
   applyConfigUpdates: () => applyConfigUpdates,
   buildEmailStackConfig: () => buildEmailStackConfig,
@@ -4117,7 +4118,9 @@ __export(metadata_exports, {
   hasService: () => hasService,
   listConnections: () => listConnections,
   loadConnectionMetadata: () => loadConnectionMetadata,
+  migrateInboundToMultiDomain: () => migrateInboundToMultiDomain,
   removeDomainFromMetadata: () => removeDomainFromMetadata,
+  removeInboundDomainFromMetadata: () => removeInboundDomainFromMetadata,
   removeServiceFromConnection: () => removeServiceFromConnection,
   saveConnectionMetadata: () => saveConnectionMetadata,
   updateEmailConfig: () => updateEmailConfig,
@@ -4180,6 +4183,9 @@ async function loadConnectionMetadata(accountId, region) {
         }
         localData = data;
       }
+      if (localData && migrateInboundToMultiDomain(localData)) {
+        await saveConnectionMetadataLocal(localData);
+      }
     } catch (error) {
       console.error(
         "Error loading connection metadata:",
@@ -4599,6 +4605,61 @@ function getAllTrackedDomains(metadata) {
   }
   return result;
 }
+function migrateInboundToMultiDomain(metadata) {
+  const emailConfig = metadata.services.email?.config;
+  if (!emailConfig?.inbound?.enabled) {
+    return false;
+  }
+  if (emailConfig.inboundDomains && emailConfig.inboundDomains.length > 0) {
+    return false;
+  }
+  const inbound = emailConfig.inbound;
+  const receivingDomain = inbound.receivingDomain || (inbound.subdomain && emailConfig.domain ? `${inbound.subdomain}.${emailConfig.domain}` : null);
+  if (!receivingDomain) {
+    return false;
+  }
+  const parentDomain = emailConfig.domain || "";
+  const subdomain = inbound.subdomain || "inbound";
+  emailConfig.inboundDomains = [
+    {
+      subdomain,
+      receivingDomain,
+      parentDomain,
+      addedAt: metadata.services.email?.deployedAt || (/* @__PURE__ */ new Date()).toISOString()
+    }
+  ];
+  return true;
+}
+function addInboundDomainToMetadata(metadata, entry) {
+  if (!metadata.services.email) {
+    throw new Error("Email service not configured in metadata");
+  }
+  const config2 = metadata.services.email.config;
+  const existing = config2.inboundDomains ?? [];
+  const idx = existing.findIndex(
+    (d) => d.receivingDomain === entry.receivingDomain
+  );
+  if (idx >= 0) {
+    existing[idx] = entry;
+  } else {
+    existing.push(entry);
+  }
+  config2.inboundDomains = existing;
+  metadata.timestamp = (/* @__PURE__ */ new Date()).toISOString();
+}
+function removeInboundDomainFromMetadata(metadata, receivingDomain) {
+  if (!metadata.services.email) {
+    return;
+  }
+  const config2 = metadata.services.email.config;
+  if (!config2.inboundDomains) {
+    return;
+  }
+  config2.inboundDomains = config2.inboundDomains.filter(
+    (d) => d.receivingDomain !== receivingDomain
+  );
+  metadata.timestamp = (/* @__PURE__ */ new Date()).toISOString();
+}
 var init_metadata = __esm({
   "src/utils/shared/metadata.ts"() {
     "use strict";
@@ -5781,14 +5842,18 @@ var init_lambda = __esm({
 var acm_exports = {};
 __export(acm_exports, {
   checkCertificateValidation: () => checkCertificateValidation,
-  createACMCertificate: () => createACMCertificate
+  createACMCertificate: () => createACMCertificate,
+  getCertificateValidationRecords: () => getCertificateValidationRecords
 });
-import { ACMClient as ACMClient2, DescribeCertificateCommand as DescribeCertificateCommand2 } from "@aws-sdk/client-acm";
+import {
+  ACMClient as ACMClient2,
+  DescribeCertificateCommand as DescribeCertificateCommand2,
+  ListCertificatesCommand
+} from "@aws-sdk/client-acm";
 import * as aws12 from "@pulumi/aws";
 async function checkCertificateValidation(domain) {
   try {
     const acm3 = new ACMClient2({ region: "us-east-1" });
-    const { ListCertificatesCommand } = await import("@aws-sdk/client-acm");
     const listResponse = await acm3.send(
       new ListCertificatesCommand({
         CertificateStatuses: ["ISSUED"]
@@ -5864,6 +5929,31 @@ async function createACMCertificate(config2) {
     validationRecords
   };
 }
+async function getCertificateValidationRecords(domain) {
+  const acm3 = new ACMClient2({ region: "us-east-1" });
+  const listResponse = await acm3.send(
+    new ListCertificatesCommand({
+      CertificateStatuses: ["PENDING_VALIDATION", "ISSUED"]
+    })
+  );
+  const cert = listResponse.CertificateSummaryList?.find(
+    (c) => c.DomainName === domain
+  );
+  if (!cert?.CertificateArn) {
+    return [];
+  }
+  const describeResponse = await acm3.send(
+    new DescribeCertificateCommand2({
+      CertificateArn: cert.CertificateArn
+    })
+  );
+  const options = describeResponse.Certificate?.DomainValidationOptions ?? [];
+  return options.filter((opt) => opt.ResourceRecord?.Name && opt.ResourceRecord?.Value).map((opt) => ({
+    name: opt.ResourceRecord.Name,
+    type: opt.ResourceRecord.Type ?? "CNAME",
+    value: opt.ResourceRecord.Value
+  }));
+}
 var init_acm = __esm({
   "src/infrastructure/resources/acm.ts"() {
     "use strict";
@@ -6638,7 +6728,7 @@ var init_cloudflare = __esm({
         };
       }
       async createEmailRecords(data) {
-        const { domain, dkimTokens, mailFromDomain, region } = data;
+        const { domain, dkimTokens, mailFromDomain, customTrackingDomain, region } = data;
         const errors2 = [];
         let recordsCreated = 0;
         try {
@@ -6675,6 +6765,20 @@ var init_cloudflare = __esm({
           } else {
             errors2.push(`Failed to create DMARC record for ${domain}`);
           }
+          if (customTrackingDomain) {
+            const trackingSuccess = await this.createRecord(
+              customTrackingDomain,
+              "CNAME",
+              `r.${region}.awstrack.me`
+            );
+            if (trackingSuccess) {
+              recordsCreated++;
+            } else {
+              errors2.push(
+                `Failed to create tracking CNAME for ${customTrackingDomain}`
+              );
+            }
+          }
           if (mailFromDomain) {
             const mxSuccess = await this.createRecord(
               mailFromDomain,
@@ -7006,7 +7110,7 @@ var init_vercel = __esm({
         };
       }
       async createEmailRecords(data) {
-        const { domain, dkimTokens, mailFromDomain, region } = data;
+        const { domain, dkimTokens, mailFromDomain, customTrackingDomain, region } = data;
         const errors2 = [];
         let recordsCreated = 0;
         try {
@@ -7043,6 +7147,20 @@ var init_vercel = __esm({
           } else {
             errors2.push(`Failed to create DMARC record for ${domain}`);
           }
+          if (customTrackingDomain) {
+            const trackingSuccess = await this.createRecord(
+              customTrackingDomain,
+              "CNAME",
+              `r.${region}.awstrack.me`
+            );
+            if (trackingSuccess) {
+              recordsCreated++;
+            } else {
+              errors2.push(
+                `Failed to create tracking CNAME for ${customTrackingDomain}`
+              );
+            }
+          }
           if (mailFromDomain) {
             const mxSuccess = await this.createRecord(
               mailFromDomain,
@@ -7258,7 +7376,7 @@ import {
   Route53Client as Route53Client2
 } from "@aws-sdk/client-route-53";
 function buildEmailDNSRecords(data) {
-  const { domain, dkimTokens, mailFromDomain, region } = data;
+  const { domain, dkimTokens, mailFromDomain, customTrackingDomain, region } = data;
   const records = [];
   for (const token of dkimTokens) {
     records.push({
@@ -7281,6 +7399,14 @@ function buildEmailDNSRecords(data) {
     value: `v=DMARC1; p=quarantine; rua=mailto:postmaster@${dmarcRuaDomain}`,
     category: "dmarc"
   });
+  if (customTrackingDomain) {
+    records.push({
+      name: customTrackingDomain,
+      type: "CNAME",
+      value: `r.${region}.awstrack.me`,
+      category: "tracking"
+    });
+  }
   if (mailFromDomain) {
     records.push({
       name: mailFromDomain,
@@ -7341,8 +7467,7 @@ async function createDNSRecordsForProvider(credentials, data, selectedCategories
           data.dkimTokens,
           data.region,
           categories,
-          void 0,
-          // customTrackingDomain - not used here
+          data.customTrackingDomain,
           data.mailFromDomain
         );
         let recordsCreated = 0;
@@ -19098,7 +19223,8 @@ import {
   DescribeActiveReceiptRuleSetCommand,
   DescribeReceiptRuleCommand,
   SESClient as SESClient3,
-  SetActiveReceiptRuleSetCommand
+  SetActiveReceiptRuleSetCommand,
+  UpdateReceiptRuleCommand
 } from "@aws-sdk/client-ses";
 var RULE_SET_NAME = "wraps-inbound-rules";
 var RULE_NAME = "wraps-inbound-catch-all";
@@ -19221,6 +19347,77 @@ async function deleteReceiptRuleSet(region) {
     throw error;
   }
 }
+async function addDomainToReceiptRule(region, domain, s3BucketName) {
+  const ses = createSESClient(region);
+  try {
+    const response = await ses.send(
+      new DescribeReceiptRuleCommand({
+        RuleSetName: RULE_SET_NAME,
+        RuleName: RULE_NAME
+      })
+    );
+    const existingRecipients = response.Rule?.Recipients ?? [];
+    if (existingRecipients.includes(domain)) {
+      return;
+    }
+    await ses.send(
+      new UpdateReceiptRuleCommand({
+        RuleSetName: RULE_SET_NAME,
+        Rule: {
+          Name: RULE_NAME,
+          Enabled: response.Rule?.Enabled,
+          ScanEnabled: response.Rule?.ScanEnabled,
+          TlsPolicy: response.Rule?.TlsPolicy,
+          Actions: response.Rule?.Actions,
+          Recipients: [...existingRecipients, domain]
+        }
+      })
+    );
+  } catch (error) {
+    if (error instanceof Error && (error.name === "RuleDoesNotExistException" || error.name === "RuleSetDoesNotExistException")) {
+      await createReceiptRuleSet(region);
+      await createReceiptRule(region, domain, s3BucketName);
+      await setActiveReceiptRuleSet(region, RULE_SET_NAME);
+      return;
+    }
+    throw error;
+  }
+}
+async function removeDomainFromReceiptRule(region, domain) {
+  const ses = createSESClient(region);
+  try {
+    const response = await ses.send(
+      new DescribeReceiptRuleCommand({
+        RuleSetName: RULE_SET_NAME,
+        RuleName: RULE_NAME
+      })
+    );
+    const existingRecipients = response.Rule?.Recipients ?? [];
+    const updated = existingRecipients.filter((r) => r !== domain);
+    if (updated.length === 0) {
+      await deleteReceiptRule(region);
+      return;
+    }
+    await ses.send(
+      new UpdateReceiptRuleCommand({
+        RuleSetName: RULE_SET_NAME,
+        Rule: {
+          Name: RULE_NAME,
+          Enabled: response.Rule?.Enabled,
+          ScanEnabled: response.Rule?.ScanEnabled,
+          TlsPolicy: response.Rule?.TlsPolicy,
+          Actions: response.Rule?.Actions,
+          Recipients: updated
+        }
+      })
+    );
+  } catch (error) {
+    if (error instanceof Error && (error.name === "RuleDoesNotExistException" || error.name === "RuleSetDoesNotExistException")) {
+      return;
+    }
+    throw error;
+  }
+}
 
 // src/commands/email/inbound.ts
 init_aws();
@@ -19299,7 +19496,15 @@ async function inboundInit(options) {
       bucketName: `wraps-inbound-${identity.accountId}-${region}`,
       webhookUrl,
       webhookSecret
-    }
+    },
+    inboundDomains: [
+      {
+        subdomain,
+        receivingDomain,
+        parentDomain: domain,
+        addedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }
+    ]
   };
   const stackConfig = buildEmailStackConfig(metadata, region, {
     emailConfig: updatedEmailConfig
@@ -19540,7 +19745,8 @@ Deploy first: ${pc21.cyan("wraps email inbound init")}
   const stackName = emailService.pulumiStackName || `wraps-${identity.accountId}-${region}`;
   const updatedEmailConfig = {
     ...emailService.config,
-    inbound: void 0
+    inbound: void 0,
+    inboundDomains: void 0
   };
   const stackConfig = buildEmailStackConfig(metadata, region, {
     emailConfig: updatedEmailConfig
@@ -19609,13 +19815,18 @@ Enable it: ${pc21.cyan("wraps email inbound init")}
 `);
     return;
   }
-  const inbound = metadata.services.email.config.inbound;
+  const emailConfig = metadata.services.email.config;
+  const inbound = emailConfig.inbound;
+  const inboundDomains = emailConfig.inboundDomains ?? [];
   const activeRuleSet = await getActiveReceiptRuleSet(region);
-  const receivingDomain = inbound.receivingDomain || `${inbound.subdomain}.${metadata.services.email.config.domain}`;
+  const domainList = inboundDomains.length > 0 ? inboundDomains.map((d) => d.receivingDomain) : [
+    inbound.receivingDomain || `${inbound.subdomain}.${emailConfig.domain}`
+  ];
   if (isJsonMode()) {
     jsonSuccess("email.inbound.status", {
       enabled: true,
-      receivingDomain,
+      receivingDomains: domainList,
+      receivingDomain: domainList[0],
       bucketName: inbound.bucketName || "",
       region,
       webhookUrl: inbound.webhookUrl || null,
@@ -19627,7 +19838,14 @@ Enable it: ${pc21.cyan("wraps email inbound init")}
   console.log();
   console.log(pc21.bold("  Inbound Email Configuration"));
   console.log();
-  console.log(`  ${pc21.dim("Receiving domain:")}  ${pc21.cyan(receivingDomain)}`);
+  if (domainList.length === 1) {
+    console.log(`  ${pc21.dim("Receiving domain:")}  ${pc21.cyan(domainList[0])}`);
+  } else {
+    console.log(`  ${pc21.dim("Receiving domains:")}`);
+    for (const d of domainList) {
+      console.log(`    ${pc21.cyan(d)}`);
+    }
+  }
   console.log(
     `  ${pc21.dim("S3 bucket:")}         ${pc21.cyan(inbound.bucketName || "")}`
   );
@@ -19661,61 +19879,77 @@ Enable it: ${pc21.cyan("wraps email inbound init")}
 `);
     process.exit(1);
   }
-  const inbound = metadata.services.email.config.inbound;
-  const receivingDomain = inbound.receivingDomain || `${inbound.subdomain}.${metadata.services.email.config.domain}`;
+  const emailConfig = metadata.services.email.config;
+  const inbound = emailConfig.inbound;
+  const inboundDomains = emailConfig.inboundDomains ?? [];
+  const domainList = inboundDomains.length > 0 ? inboundDomains.map((d) => d.receivingDomain) : [
+    inbound.receivingDomain || `${inbound.subdomain}.${emailConfig.domain}`
+  ];
   let allPassed = true;
+  const domainChecks = {};
   console.log();
-  const mxResult = await progress.execute(
-    `Checking MX record for ${receivingDomain}`,
-    async () => {
-      try {
-        const records = await dns2.resolveMx(receivingDomain);
-        const hasSES = records.some((r) => r.exchange.includes("inbound-smtp"));
-        return { found: true, hasSES, records };
-      } catch {
-        return { found: false, hasSES: false, records: [] };
-      }
+  for (const receivingDomain of domainList) {
+    if (domainList.length > 1) {
+      clack20.log.info(pc21.bold(`Checking ${pc21.cyan(receivingDomain)}`));
     }
-  );
-  if (mxResult.hasSES) {
-    clack20.log.success(
-      `MX record: ${pc21.green("verified")} \u2192 inbound-smtp.${region}.amazonaws.com`
-    );
-  } else if (mxResult.found) {
-    clack20.log.warn(
-      `MX record found but not pointing to SES. Expected: ${pc21.cyan(`10 inbound-smtp.${region}.amazonaws.com`)}`
-    );
-    allPassed = false;
-  } else {
-    clack20.log.error(
-      `MX record: ${pc21.red("not found")}. Add: ${pc21.cyan(`${receivingDomain} MX 10 inbound-smtp.${region}.amazonaws.com`)}`
-    );
-    allPassed = false;
-  }
-  const spfResult = await progress.execute(
-    `Checking SPF record for ${receivingDomain}`,
-    async () => {
-      try {
-        const records = await dns2.resolveTxt(receivingDomain);
-        const flat = records.map((r) => r.join(""));
-        const spf = flat.find((r) => r.startsWith("v=spf1"));
-        const hasSES = spf?.includes("amazonses.com") ?? false;
-        return { found: !!spf, hasSES, value: spf };
-      } catch {
-        return { found: false, hasSES: false, value: null };
+    const mxResult = await progress.execute(
+      `Checking MX record for ${receivingDomain}`,
+      async () => {
+        try {
+          const records = await dns2.resolveMx(receivingDomain);
+          const hasSES = records.some(
+            (r) => r.exchange.includes("inbound-smtp")
+          );
+          return { found: true, hasSES, records };
+        } catch {
+          return { found: false, hasSES: false, records: [] };
+        }
       }
+    );
+    if (mxResult.hasSES) {
+      clack20.log.success(
+        `MX record: ${pc21.green("verified")} \u2192 inbound-smtp.${region}.amazonaws.com`
+      );
+    } else if (mxResult.found) {
+      clack20.log.warn(
+        `MX record found but not pointing to SES. Expected: ${pc21.cyan(`10 inbound-smtp.${region}.amazonaws.com`)}`
+      );
+      allPassed = false;
+    } else {
+      clack20.log.error(
+        `MX record: ${pc21.red("not found")}. Add: ${pc21.cyan(`${receivingDomain} MX 10 inbound-smtp.${region}.amazonaws.com`)}`
+      );
+      allPassed = false;
     }
-  );
-  if (spfResult.hasSES) {
-    clack20.log.success(`SPF record: ${pc21.green("verified")}`);
-  } else if (spfResult.found) {
-    clack20.log.warn("SPF record exists but missing amazonses.com include");
-    allPassed = false;
-  } else {
-    clack20.log.error(
-      `SPF record: ${pc21.red("not found")}. Add TXT: ${pc21.cyan("v=spf1 include:amazonses.com ~all")}`
+    const spfResult = await progress.execute(
+      `Checking SPF record for ${receivingDomain}`,
+      async () => {
+        try {
+          const records = await dns2.resolveTxt(receivingDomain);
+          const flat = records.map((r) => r.join(""));
+          const spf = flat.find((r) => r.startsWith("v=spf1"));
+          const hasSES = spf?.includes("amazonses.com") ?? false;
+          return { found: !!spf, hasSES, value: spf };
+        } catch {
+          return { found: false, hasSES: false, value: null };
+        }
+      }
     );
-    allPassed = false;
+    if (spfResult.hasSES) {
+      clack20.log.success(`SPF record: ${pc21.green("verified")}`);
+    } else if (spfResult.found) {
+      clack20.log.warn("SPF record exists but missing amazonses.com include");
+      allPassed = false;
+    } else {
+      clack20.log.error(
+        `SPF record: ${pc21.red("not found")}. Add TXT: ${pc21.cyan("v=spf1 include:amazonses.com ~all")}`
+      );
+      allPassed = false;
+    }
+    domainChecks[receivingDomain] = {
+      mx: { found: mxResult.found, verified: mxResult.hasSES },
+      spf: { found: spfResult.found, verified: spfResult.hasSES }
+    };
   }
   const activeRuleSet = await getActiveReceiptRuleSet(region);
   if (activeRuleSet === RULE_SET_NAME) {
@@ -19728,13 +19962,11 @@ Enable it: ${pc21.cyan("wraps email inbound init")}
   }
   if (isJsonMode()) {
     jsonSuccess("email.inbound.verify", {
-      receivingDomain,
+      receivingDomains: domainList,
+      receivingDomain: domainList[0],
       allPassed,
-      checks: {
-        mx: { found: mxResult.found, verified: mxResult.hasSES },
-        spf: { found: spfResult.found, verified: spfResult.hasSES },
-        receiptRuleSet: { active: activeRuleSet === RULE_SET_NAME }
-      }
+      domainChecks,
+      receiptRuleSet: { active: activeRuleSet === RULE_SET_NAME }
     });
     return;
   }
@@ -19891,6 +20123,296 @@ Enable it: ${pc21.cyan("wraps email inbound init")}
   clack20.log.success(pc21.bold("Inbound email is working correctly!"));
   console.log();
 }
+async function inboundAdd(options) {
+  if (!isJsonMode()) {
+    clack20.intro(pc21.bold("Add Inbound Receiving Domain"));
+  }
+  const progress = new DeploymentProgress();
+  const identity = await progress.execute(
+    "Validating AWS credentials",
+    async () => validateAWSCredentials()
+  );
+  const region = options.region || await getAWSRegion();
+  if (!SES_RECEIVING_REGIONS.includes(
+    region
+  )) {
+    throw errors.inboundRegionNotSupported(region);
+  }
+  const metadata = await loadConnectionMetadata(identity.accountId, region);
+  if (!metadata?.services?.email?.config?.inbound?.enabled) {
+    clack20.log.error("Inbound email infrastructure is not deployed.");
+    console.log(`
+Deploy first: ${pc21.cyan("wraps email inbound init")}
+`);
+    process.exit(1);
+  }
+  const emailConfig = metadata.services.email.config;
+  const primaryDomain = emailConfig.domain || "";
+  const allDomains = [primaryDomain];
+  for (const d of emailConfig.additionalDomains ?? []) {
+    if (!allDomains.includes(d.domain)) {
+      allDomains.push(d.domain);
+    }
+  }
+  let parentDomain = options.domain;
+  if (!parentDomain) {
+    if (options.yes) {
+      parentDomain = primaryDomain;
+    } else if (allDomains.length === 1) {
+      parentDomain = allDomains[0];
+    } else {
+      const selected = await clack20.select({
+        message: "Which domain should the inbound subdomain be under?",
+        options: allDomains.map((d) => ({
+          value: d,
+          label: d,
+          hint: d === primaryDomain ? "primary" : void 0
+        }))
+      });
+      if (clack20.isCancel(selected)) {
+        clack20.cancel("Operation cancelled.");
+        process.exit(0);
+      }
+      parentDomain = selected;
+    }
+  }
+  const subdomain = options.subdomain || (options.yes ? "inbound" : await promptInboundSubdomain(parentDomain));
+  const receivingDomain = `${subdomain}.${parentDomain}`;
+  const existingDomains = emailConfig.inboundDomains ?? [];
+  if (existingDomains.some((d) => d.receivingDomain === receivingDomain)) {
+    clack20.log.warn(
+      `${pc21.cyan(receivingDomain)} is already configured as an inbound domain.`
+    );
+    return;
+  }
+  clack20.log.info(`Adding receiving domain: ${pc21.cyan(receivingDomain)}`);
+  const bucketName = emailConfig.inbound?.bucketName || `wraps-inbound-${identity.accountId}-${region}`;
+  await progress.execute("Updating SES receipt rule", async () => {
+    await addDomainToReceiptRule(region, receivingDomain, bucketName);
+  });
+  let dnsAutoCreated = false;
+  const {
+    detectAvailableDNSProviders: detectAvailableDNSProviders2,
+    getDNSCredentials: getDNSCredentials2,
+    createInboundDNSRecordsForProvider: createInboundDNSRecordsForProvider2,
+    getDNSProviderDisplayName: getDNSProviderDisplayName2,
+    getDNSProviderTokenUrl: getDNSProviderTokenUrl2,
+    buildInboundDNSRecords: buildRecords,
+    formatDNSRecordsForDisplay: formatRecords
+  } = await Promise.resolve().then(() => (init_dns(), dns_exports));
+  const { promptDNSProvider: promptDNSProvider2, promptContinueManualDNS: promptContinueManualDNS2 } = await Promise.resolve().then(() => (init_prompts(), prompts_exports));
+  const existingDnsProvider = metadata.services.email.dnsProvider;
+  let dnsProvider = existingDnsProvider;
+  if (!dnsProvider || dnsProvider === "manual") {
+    progress.start("Detecting DNS providers");
+    const availableProviders = await detectAvailableDNSProviders2(
+      parentDomain,
+      region
+    );
+    progress.stop();
+    dnsProvider = options.yes ? "manual" : await promptDNSProvider2(parentDomain, availableProviders);
+  }
+  if (dnsProvider !== "manual") {
+    progress.start(
+      `Validating ${getDNSProviderDisplayName2(dnsProvider)} credentials`
+    );
+    const credentialResult = await getDNSCredentials2(
+      dnsProvider,
+      parentDomain,
+      region
+    );
+    progress.stop();
+    if (credentialResult.valid && credentialResult.credentials) {
+      const records = buildRecords(receivingDomain, region);
+      clack20.log.info(pc21.bold("DNS records to create:"));
+      for (const record of records) {
+        const value = record.priority ? `${record.priority} ${record.value}` : record.value;
+        clack20.log.info(pc21.dim(`  ${record.type} ${record.name} \u2192 ${value}`));
+      }
+      progress.start(
+        `Creating DNS records in ${getDNSProviderDisplayName2(dnsProvider)}`
+      );
+      const result = await createInboundDNSRecordsForProvider2(
+        credentialResult.credentials,
+        receivingDomain,
+        region,
+        parentDomain
+      );
+      if (result.success && result.recordsCreated > 0) {
+        progress.succeed(
+          `Created ${result.recordsCreated} DNS records in ${getDNSProviderDisplayName2(dnsProvider)}`
+        );
+        dnsAutoCreated = true;
+      } else {
+        progress.fail("Failed to create some DNS records");
+        if (result.errors) {
+          for (const err of result.errors) {
+            clack20.log.warn(err);
+          }
+        }
+      }
+    } else {
+      clack20.log.warn(
+        credentialResult.error || "Could not validate credentials"
+      );
+      if (dnsProvider === "vercel" || dnsProvider === "cloudflare") {
+        clack20.log.info(
+          `Set the ${dnsProvider === "vercel" ? "VERCEL_TOKEN" : "CLOUDFLARE_API_TOKEN"} environment variable to enable automatic DNS management.`
+        );
+        clack20.log.info(
+          `You can create a token at: ${pc21.cyan(getDNSProviderTokenUrl2(dnsProvider))}`
+        );
+      }
+      if (!options.yes) {
+        const continueManual = await promptContinueManualDNS2();
+        if (continueManual) {
+          dnsProvider = "manual";
+        }
+      }
+    }
+  }
+  if (!dnsAutoCreated) {
+    const dnsRecords = buildRecords(receivingDomain, region);
+    const formattedRecords = formatRecords(dnsRecords);
+    console.log();
+    clack20.log.info(pc21.bold("DNS Records Required"));
+    console.log(
+      `  Add these records to your DNS provider for ${pc21.cyan(receivingDomain)}:
+`
+    );
+    for (const record of formattedRecords) {
+      console.log(`  ${pc21.dim(record.type.padEnd(6))} ${record.name}`);
+      console.log(`  ${pc21.dim("\u2192")} ${pc21.green(record.value)}
+`);
+    }
+  }
+  await progress.execute("Saving configuration", async () => {
+    addInboundDomainToMetadata(metadata, {
+      subdomain,
+      receivingDomain,
+      parentDomain,
+      addedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    await saveConnectionMetadata(metadata);
+  });
+  if (isJsonMode()) {
+    jsonSuccess("email.inbound.add", {
+      receivingDomain,
+      subdomain,
+      parentDomain,
+      dnsAutoCreated,
+      region
+    });
+    return;
+  }
+  console.log();
+  clack20.log.success(
+    `${pc21.bold("Added inbound domain:")} ${pc21.cyan(receivingDomain)}`
+  );
+  console.log();
+  if (dnsAutoCreated) {
+    console.log(`  Verify: ${pc21.cyan("wraps email inbound verify")}`);
+  } else {
+    console.log(`  ${pc21.dim("1.")} Add DNS records above to your DNS provider`);
+    console.log(
+      `  ${pc21.dim("2.")} Verify: ${pc21.cyan("wraps email inbound verify")}`
+    );
+  }
+  console.log();
+}
+async function inboundRemove(options) {
+  if (!isJsonMode()) {
+    clack20.intro(pc21.bold("Remove Inbound Receiving Domain"));
+  }
+  const progress = new DeploymentProgress();
+  const identity = await progress.execute(
+    "Validating AWS credentials",
+    async () => validateAWSCredentials()
+  );
+  const region = options.region || await getAWSRegion();
+  const metadata = await loadConnectionMetadata(identity.accountId, region);
+  if (!metadata?.services?.email?.config?.inbound?.enabled) {
+    clack20.log.error("Inbound email infrastructure is not deployed.");
+    console.log(`
+Deploy first: ${pc21.cyan("wraps email inbound init")}
+`);
+    process.exit(1);
+  }
+  const emailConfig = metadata.services.email.config;
+  const inboundDomains = emailConfig.inboundDomains ?? [];
+  if (inboundDomains.length === 0) {
+    clack20.log.warn("No inbound domains configured.");
+    return;
+  }
+  let domainToRemove = options.domain;
+  if (!domainToRemove) {
+    if (inboundDomains.length === 1) {
+      domainToRemove = inboundDomains[0].receivingDomain;
+    } else {
+      const selected = await clack20.select({
+        message: "Which inbound domain do you want to remove?",
+        options: inboundDomains.map((d) => ({
+          value: d.receivingDomain,
+          label: d.receivingDomain,
+          hint: `added ${d.addedAt.split("T")[0]}`
+        }))
+      });
+      if (clack20.isCancel(selected)) {
+        clack20.cancel("Operation cancelled.");
+        process.exit(0);
+      }
+      domainToRemove = selected;
+    }
+  }
+  if (!inboundDomains.some((d) => d.receivingDomain === domainToRemove)) {
+    clack20.log.error(
+      `${pc21.cyan(domainToRemove)} is not in the inbound domains list.`
+    );
+    return;
+  }
+  if (inboundDomains.length === 1) {
+    clack20.log.error(
+      "Cannot remove the last inbound domain. Use " + pc21.cyan("wraps email inbound destroy") + " to remove all inbound infrastructure."
+    );
+    return;
+  }
+  if (!options.yes) {
+    const confirmed = await clack20.confirm({
+      message: `Remove inbound domain ${pc21.cyan(domainToRemove)}?`,
+      initialValue: false
+    });
+    if (clack20.isCancel(confirmed) || !confirmed) {
+      clack20.cancel("Operation cancelled.");
+      process.exit(0);
+    }
+  }
+  await progress.execute("Updating SES receipt rule", async () => {
+    await removeDomainFromReceiptRule(region, domainToRemove);
+  });
+  await progress.execute("Saving configuration", async () => {
+    removeInboundDomainFromMetadata(metadata, domainToRemove);
+    await saveConnectionMetadata(metadata);
+  });
+  if (isJsonMode()) {
+    jsonSuccess("email.inbound.remove", {
+      removedDomain: domainToRemove,
+      remainingDomains: (emailConfig.inboundDomains ?? []).map(
+        (d) => d.receivingDomain
+      ),
+      region
+    });
+    return;
+  }
+  console.log();
+  clack20.log.success(
+    `${pc21.bold("Removed inbound domain:")} ${pc21.cyan(domainToRemove)}`
+  );
+  console.log();
+  console.log(
+    `  ${pc21.dim("Remember to remove the MX and SPF DNS records for")} ${pc21.cyan(domainToRemove)}`
+  );
+  console.log();
+}
 
 // src/commands/email/init.ts
 init_esm_shims();
@@ -20459,6 +20981,7 @@ ${pc24.yellow(pc24.bold("Configuration Warnings:"))}`);
                   domain: outputs.domain,
                   dkimTokens: outputs.dkimTokens,
                   mailFromDomain: outputs.mailFromDomain,
+                  customTrackingDomain: outputs.customTrackingDomain,
                   region
                 },
                 selectedCategories
@@ -20491,6 +21014,7 @@ ${pc24.yellow(pc24.bold("Configuration Warnings:"))}`);
             domain: outputs.domain,
             dkimTokens: outputs.dkimTokens,
             mailFromDomain: outputs.mailFromDomain,
+            customTrackingDomain: outputs.customTrackingDomain,
             region
           };
           const records = buildEmailDNSRecords2(recordData);
@@ -24367,6 +24891,7 @@ ${pc30.bold("Cost Impact:")}`);
           domain: outputs.domain,
           dkimTokens: outputs.dkimTokens,
           mailFromDomain,
+          customTrackingDomain: outputs.customTrackingDomain,
           region
         };
         try {
@@ -24417,6 +24942,7 @@ ${pc30.bold("Cost Impact:")}`);
         domain: outputs.domain,
         dkimTokens: outputs.dkimTokens,
         mailFromDomain,
+        customTrackingDomain: outputs.customTrackingDomain,
         region
       };
       const dnsRecords = buildEmailDNSRecords(dnsData);
@@ -24461,6 +24987,13 @@ ${pc30.bold("Add these DNS records to your DNS provider:")}
   if (outputs.httpsTrackingEnabled && outputs.acmCertificateValidationRecords) {
     acmValidationRecords.push(...outputs.acmCertificateValidationRecords);
   }
+  if (acmValidationRecords.length === 0 && outputs.httpsTrackingPending && outputs.customTrackingDomain) {
+    const { getCertificateValidationRecords: getCertificateValidationRecords2 } = await Promise.resolve().then(() => (init_acm(), acm_exports));
+    const directRecords = await getCertificateValidationRecords2(
+      outputs.customTrackingDomain
+    );
+    acmValidationRecords.push(...directRecords);
+  }
   let acmDnsAutoCreated = false;
   if (outputs.httpsTrackingPending && acmValidationRecords.length > 0 && outputs.customTrackingDomain) {
     const trackingDnsProvider = metadata.services.email?.dnsProvider;
@@ -27140,7 +27673,7 @@ import {
   IAMClient as IAMClient2,
   PutRolePolicyCommand
 } from "@aws-sdk/client-iam";
-import { confirm as confirm14, intro as intro32, isCancel as isCancel20, log as log32, outro as outro19, select as select14 } from "@clack/prompts";
+import { confirm as confirm14, intro as intro32, isCancel as isCancel20, log as log32, outro as outro19, select as select15 } from "@clack/prompts";
 import * as pulumi21 from "@pulumi/pulumi";
 import pc36 from "picocolors";
 init_events();
@@ -27483,7 +28016,7 @@ async function resolveOrganization() {
   if (orgs.length === 1) {
     return orgs[0];
   }
-  const selected = await select14({
+  const selected = await select15({
     message: "Which organization should this AWS account connect to?",
     options: orgs.map((org) => ({
       value: org.id,
@@ -27779,7 +28312,7 @@ Run ${pc36.cyan("wraps email init")} or ${pc36.cyan("wraps sms init")} first.
         log32.info(
           `Already connected to Wraps Platform (AWS Account: ${pc36.cyan(metadata.accountId)})`
         );
-        const action = await select14({
+        const action = await select15({
           message: "What would you like to do?",
           options: [
             {
@@ -36139,6 +36672,11 @@ args.options([
     name: "org",
     description: "Organization slug",
     defaultValue: void 0
+  },
+  {
+    name: "subdomain",
+    description: "Subdomain for inbound email (e.g., inbound, support)",
+    defaultValue: void 0
   }
 ]);
 var flags = args.parse(process.argv);
@@ -36453,13 +36991,30 @@ Usage: ${pc53.cyan("wraps email verify --domain yourapp.com")}
                 json: flags.json
               });
               break;
+            case "add":
+              await inboundAdd({
+                region: flags.region,
+                subdomain: flags.subdomain,
+                domain: flags.domain,
+                yes: flags.yes,
+                json: flags.json
+              });
+              break;
+            case "remove":
+              await inboundRemove({
+                region: flags.region,
+                domain: flags.domain,
+                yes: flags.yes,
+                json: flags.json
+              });
+              break;
             default:
               clack50.log.error(
                 `Unknown inbound command: ${inboundSubCommand || "(none)"}`
               );
               console.log(
                 `
-Available commands: ${pc53.cyan("init")}, ${pc53.cyan("destroy")}, ${pc53.cyan("status")}, ${pc53.cyan("verify")}, ${pc53.cyan("test")}
+Available commands: ${pc53.cyan("init")}, ${pc53.cyan("destroy")}, ${pc53.cyan("status")}, ${pc53.cyan("verify")}, ${pc53.cyan("test")}, ${pc53.cyan("add")}, ${pc53.cyan("remove")}
 `
               );
               throw new Error(