@wraps.dev/cli 2.2.7 → 2.3.0

package/dist/cli.js

@@ -147,7 +147,7 @@ var require_package = __commonJS({
   "package.json"(exports, module) {
     module.exports = {
       name: "@wraps.dev/cli",
-      version: "2.2.7",
+      version: "2.3.0",
       description: "CLI for deploying Wraps email infrastructure to your AWS account",
       type: "module",
       main: "./dist/cli.js",
@@ -978,6 +978,18 @@ function calculateSMTPCredentialsCost(config2) {
     description: "SMTP credentials (no additional cost)"
   };
 }
+function calculateAlertingCost(config2) {
+  if (!config2.alerts?.enabled) {
+    return;
+  }
+  const numAlarms = config2.alerts.dlqAlerts !== false ? 5 : 4;
+  const alarmCost = numAlarms * 0.1;
+  const snsCost = 0;
+  return {
+    monthly: alarmCost + snsCost,
+    description: `Reputation alerts (${numAlarms} CloudWatch alarms)`
+  };
+}
 function calculateCosts(config2, emailsPerMonth = 1e4) {
   const tracking = calculateTrackingCost(config2);
   const reputationMetrics = calculateReputationMetricsCost(config2);
@@ -987,8 +999,9 @@ function calculateCosts(config2, emailsPerMonth = 1e4) {
   const dedicatedIp = calculateDedicatedIpCost(config2);
   const waf = calculateWafCost(config2, emailsPerMonth);
   const smtpCredentials = calculateSMTPCredentialsCost(config2);
+  const alerts = calculateAlertingCost(config2);
   const sesEmailCost = Math.max(0, emailsPerMonth - FREE_TIER.SES_EMAILS) * AWS_PRICING.SES_PER_EMAIL;
-  const totalMonthlyCost = sesEmailCost + (tracking?.monthly || 0) + (reputationMetrics?.monthly || 0) + (eventTracking?.monthly || 0) + (dynamoDBHistory?.monthly || 0) + (emailArchiving?.monthly || 0) + (dedicatedIp?.monthly || 0) + (waf?.monthly || 0) + (smtpCredentials?.monthly || 0);
+  const totalMonthlyCost = sesEmailCost + (tracking?.monthly || 0) + (reputationMetrics?.monthly || 0) + (eventTracking?.monthly || 0) + (dynamoDBHistory?.monthly || 0) + (emailArchiving?.monthly || 0) + (dedicatedIp?.monthly || 0) + (waf?.monthly || 0) + (smtpCredentials?.monthly || 0) + (alerts?.monthly || 0);
   return {
     tracking,
     reputationMetrics,
@@ -998,6 +1011,7 @@ function calculateCosts(config2, emailsPerMonth = 1e4) {
     dedicatedIp,
     waf,
     smtpCredentials,
+    alerts,
     total: {
       monthly: totalMonthlyCost,
       perEmail: AWS_PRICING.SES_PER_EMAIL,
@@ -1063,6 +1077,11 @@ function getCostSummary(config2, emailsPerMonth = 1e4) {
       `  - ${costs.smtpCredentials.description}: ${formatCost(costs.smtpCredentials.monthly)}`
     );
   }
+  if (costs.alerts) {
+    lines.push(
+      `  - ${costs.alerts.description}: ${formatCost(costs.alerts.monthly)}`
+    );
+  }
   return lines.join("\n");
 }
 var AWS_PRICING, FREE_TIER;
@@ -1205,6 +1224,7 @@ function getPresetInfo(preset) {
         "Reputation tracking",
         "Real-time event tracking (EventBridge)",
         "90-day email history storage",
+        "Reputation alerts (bounce/complaint rate monitoring)",
         "Optional: Email archiving with rendered viewer",
         "Complete event visibility"
       ]
@@ -1218,6 +1238,7 @@ function getPresetInfo(preset) {
         "Everything in Production",
         "Dedicated IP address",
         "1-year email history",
+        "Stricter alert thresholds (catch issues earlier)",
         "Optional: 1-year+ email archiving",
         "All event types tracked",
         "Priority support eligibility"
@@ -1306,6 +1327,10 @@ var init_presets = __esm({
         enabled: false,
         retention: "30days"
       },
+      // Alerting disabled for starter (no reputation metrics)
+      alerts: {
+        enabled: false
+      },
       sendingEnabled: true
     };
     PRODUCTION_PRESET = {
@@ -1342,6 +1367,12 @@ var init_presets = __esm({
         // User can opt-in
         retention: "90days"
       },
+      // Alerting enabled - warns before AWS/Gmail take action
+      alerts: {
+        enabled: true,
+        dlqAlerts: true
+        // Uses default thresholds: bounce 2%/4%, complaint 0.05%/0.08%
+      },
       sendingEnabled: true
     };
     ENTERPRISE_PRESET = {
@@ -1380,6 +1411,22 @@ var init_presets = __esm({
         // User can opt-in
         retention: "1year"
       },
+      // Alerting with stricter thresholds for high-volume senders
+      alerts: {
+        enabled: true,
+        dlqAlerts: true,
+        thresholds: {
+          // Stricter thresholds for enterprise - catch issues earlier
+          bounceRateWarning: 0.01,
+          // 1% (vs 2% default)
+          bounceRateCritical: 0.02,
+          // 2% (vs 4% default)
+          complaintRateWarning: 3e-4,
+          // 0.03% (vs 0.05% default)
+          complaintRateCritical: 5e-4
+          // 0.05% (vs 0.08% default)
+        }
+      },
       dedicatedIp: true,
       sendingEnabled: true
     };
@@ -3223,7 +3270,7 @@ import { existsSync as existsSync4, mkdirSync } from "fs";
 import { tmpdir } from "os";
 import { dirname, join as join4 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
-import * as aws7 from "@pulumi/aws";
+import * as aws8 from "@pulumi/aws";
 import * as pulumi11 from "@pulumi/pulumi";
 import { build } from "esbuild";
 function getPackageRoot() {
@@ -3312,7 +3359,7 @@ Try running: pnpm build`
 }
 async function deployLambdaFunctions(config2) {
   const eventProcessorCode = await getLambdaCode("event-processor");
-  const lambdaRole = new aws7.iam.Role("wraps-email-lambda-role", {
+  const lambdaRole = new aws8.iam.Role("wraps-email-lambda-role", {
     assumeRolePolicy: JSON.stringify({
       Version: "2012-10-17",
       Statement: [
@@ -3327,11 +3374,11 @@ async function deployLambdaFunctions(config2) {
       ManagedBy: "wraps-cli"
     }
   });
-  new aws7.iam.RolePolicyAttachment("wraps-email-lambda-basic-execution", {
+  new aws8.iam.RolePolicyAttachment("wraps-email-lambda-basic-execution", {
     role: lambdaRole.name,
     policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
   });
-  new aws7.iam.RolePolicy("wraps-email-lambda-policy", {
+  new aws8.iam.RolePolicy("wraps-email-lambda-policy", {
     role: lambdaRole.name,
     policy: pulumi11.all([config2.tableName, config2.queueArn]).apply(
       ([tableName, queueArn]) => JSON.stringify({
@@ -3375,7 +3422,7 @@ async function deployLambdaFunctions(config2) {
       RETENTION_DAYS: config2.retentionDays.toString()
     }
   };
-  const eventProcessor = exists ? new aws7.lambda.Function(
+  const eventProcessor = exists ? new aws8.lambda.Function(
     functionName,
     {
       name: functionName,
@@ -3383,8 +3430,8 @@ async function deployLambdaFunctions(config2) {
       handler: "index.handler",
       role: lambdaRole.arn,
       code: new pulumi11.asset.FileArchive(eventProcessorCode),
-      timeout: 300,
-      // 5 minutes (matches SQS visibility timeout)
+      timeout: 30,
+      // Lambda just parses JSON and writes to DynamoDB
       memorySize: 512,
       environment: lambdaEnvironment,
       tags: {
@@ -3396,14 +3443,14 @@ async function deployLambdaFunctions(config2) {
       import: functionName
       // Import existing function
     }
-  ) : new aws7.lambda.Function(functionName, {
+  ) : new aws8.lambda.Function(functionName, {
     name: functionName,
     runtime: "nodejs24.x",
     handler: "index.handler",
     role: lambdaRole.arn,
     code: new pulumi11.asset.FileArchive(eventProcessorCode),
-    timeout: 300,
-    // 5 minutes (matches SQS visibility timeout)
+    timeout: 30,
+    // Lambda just parses JSON and writes to DynamoDB
     memorySize: 512,
     environment: lambdaEnvironment,
     tags: {
@@ -3426,14 +3473,14 @@ async function deployLambdaFunctions(config2) {
     functionResponseTypes: ["ReportBatchItemFailures"]
     // Enable partial batch responses
   };
-  const eventSourceMapping = existingMappingUuid ? new aws7.lambda.EventSourceMapping(
+  const eventSourceMapping = existingMappingUuid ? new aws8.lambda.EventSourceMapping(
     "wraps-email-event-source-mapping",
     mappingConfig,
     {
       import: existingMappingUuid
       // Import with the UUID
     }
-  ) : new aws7.lambda.EventSourceMapping(
+  ) : new aws8.lambda.EventSourceMapping(
     "wraps-email-event-source-mapping",
     mappingConfig
   );
@@ -3454,12 +3501,12 @@ var acm_exports = {};
 __export(acm_exports, {
   createACMCertificate: () => createACMCertificate
 });
-import * as aws11 from "@pulumi/aws";
+import * as aws12 from "@pulumi/aws";
 async function createACMCertificate(config2) {
-  const usEast1Provider = new aws11.Provider("acm-us-east-1", {
+  const usEast1Provider = new aws12.Provider("acm-us-east-1", {
     region: "us-east-1"
   });
-  const certificate = new aws11.acm.Certificate(
+  const certificate = new aws12.acm.Certificate(
     "wraps-email-tracking-cert",
     {
       domainName: config2.domain,
@@ -3482,7 +3529,7 @@ async function createACMCertificate(config2) {
   );
   let certificateValidation;
   if (config2.hostedZoneId) {
-    const validationRecord = new aws11.route53.Record(
+    const validationRecord = new aws12.route53.Record(
       "wraps-email-tracking-cert-validation",
       {
         zoneId: config2.hostedZoneId,
@@ -3492,7 +3539,7 @@ async function createACMCertificate(config2) {
         ttl: 60
       }
     );
-    certificateValidation = new aws11.acm.CertificateValidation(
+    certificateValidation = new aws12.acm.CertificateValidation(
       "wraps-email-tracking-cert-validation-waiter",
       {
         certificateArn: certificate.arn,
@@ -3521,7 +3568,7 @@ var cloudfront_exports = {};
 __export(cloudfront_exports, {
   createCloudFrontTracking: () => createCloudFrontTracking
 });
-import * as aws12 from "@pulumi/aws";
+import * as aws13 from "@pulumi/aws";
 async function findDistributionByAlias(alias) {
   try {
     const { CloudFrontClient, ListDistributionsCommand } = await import("@aws-sdk/client-cloudfront");
@@ -3537,10 +3584,10 @@ async function findDistributionByAlias(alias) {
   }
 }
 async function createWAFWebACL() {
-  const usEast1Provider = new aws12.Provider("waf-us-east-1", {
+  const usEast1Provider = new aws13.Provider("waf-us-east-1", {
     region: "us-east-1"
   });
-  const webAcl = new aws12.wafv2.WebAcl(
+  const webAcl = new aws13.wafv2.WebAcl(
     "wraps-email-tracking-waf",
     {
       scope: "CLOUDFRONT",
@@ -3655,14 +3702,14 @@ async function createCloudFrontTracking(config2) {
       Description: "Wraps email tracking CloudFront distribution"
     }
   };
-  const distribution = existingDistributionId ? new aws12.cloudfront.Distribution(
+  const distribution = existingDistributionId ? new aws13.cloudfront.Distribution(
     "wraps-email-tracking-cdn",
     distributionConfig,
     {
       import: existingDistributionId
       // Import existing distribution
     }
-  ) : new aws12.cloudfront.Distribution(
+  ) : new aws13.cloudfront.Distribution(
     "wraps-email-tracking-cdn",
     distributionConfig
   );
@@ -11611,12 +11658,200 @@ import pc14 from "picocolors";
 // src/infrastructure/email-stack.ts
 init_esm_shims();
 init_dist();
-import * as aws13 from "@pulumi/aws";
+import * as aws14 from "@pulumi/aws";
 import * as pulumi12 from "@pulumi/pulumi";
 
-// src/infrastructure/resources/dynamodb.ts
+// src/infrastructure/resources/alerting.ts
 init_esm_shims();
 import * as aws4 from "@pulumi/aws";
+
+// src/types/index.ts
+init_esm_shims();
+
+// src/types/email.ts
+init_esm_shims();
+var DEFAULT_ALERT_THRESHOLDS = {
+  bounceRateWarning: 0.02,
+  // 2% - gives time before AWS 5% warning
+  bounceRateCritical: 0.04,
+  // 4% - urgent, approaching AWS warning
+  complaintRateWarning: 5e-4,
+  // 0.05% - half of AWS warning threshold
+  complaintRateCritical: 8e-4,
+  // 0.08% - urgent, approaching AWS 0.1% warning
+  dlqMessageThreshold: 1
+  // Any failed message processing
+};
+
+// src/infrastructure/resources/alerting.ts
+function getThresholds(custom) {
+  return {
+    ...DEFAULT_ALERT_THRESHOLDS,
+    ...custom
+  };
+}
+async function createAlertingResources(config2) {
+  const thresholds = getThresholds(config2.alertConfig.thresholds);
+  const topic = new aws4.sns.Topic("wraps-email-alerts", {
+    name: "wraps-email-alerts",
+    displayName: "Wraps Email Alerts",
+    tags: {
+      ManagedBy: "wraps-cli",
+      Description: "Alert notifications for email reputation and health"
+    }
+  });
+  let emailSubscription;
+  if (config2.alertConfig.notificationEmail) {
+    emailSubscription = new aws4.sns.TopicSubscription(
+      "wraps-email-alerts-email",
+      {
+        topic: topic.arn,
+        protocol: "email",
+        endpoint: config2.alertConfig.notificationEmail
+      }
+    );
+  }
+  let webhookSubscription;
+  if (config2.alertConfig.webhookUrl) {
+    webhookSubscription = new aws4.sns.TopicSubscription(
+      "wraps-email-alerts-webhook",
+      {
+        topic: topic.arn,
+        protocol: "https",
+        endpoint: config2.alertConfig.webhookUrl
+      }
+    );
+  }
+  const bounceRateWarningAlarm = new aws4.cloudwatch.MetricAlarm(
+    "wraps-bounce-rate-warning",
+    {
+      name: "wraps-email-bounce-rate-warning",
+      alarmDescription: `Bounce rate exceeded ${thresholds.bounceRateWarning * 100}% - investigate before AWS takes action (warns at 5%, suspends at 10%)`,
+      comparisonOperator: "GreaterThanThreshold",
+      evaluationPeriods: 2,
+      // Require 2 consecutive periods to reduce noise
+      metricName: "Reputation.BounceRate",
+      namespace: "AWS/SES",
+      period: 300,
+      // 5 minutes
+      statistic: "Average",
+      threshold: thresholds.bounceRateWarning,
+      alarmActions: [topic.arn],
+      okActions: [topic.arn],
+      // Notify when resolved
+      treatMissingData: "notBreaching",
+      // Don't alarm if no data (no emails sent)
+      tags: {
+        ManagedBy: "wraps-cli",
+        Severity: "warning"
+      }
+    }
+  );
+  const bounceRateCriticalAlarm = new aws4.cloudwatch.MetricAlarm(
+    "wraps-bounce-rate-critical",
+    {
+      name: "wraps-email-bounce-rate-critical",
+      alarmDescription: `CRITICAL: Bounce rate exceeded ${thresholds.bounceRateCritical * 100}% - approaching AWS warning threshold (5%). Immediate action required!`,
+      comparisonOperator: "GreaterThanThreshold",
+      evaluationPeriods: 1,
+      // Alert immediately on critical
+      metricName: "Reputation.BounceRate",
+      namespace: "AWS/SES",
+      period: 300,
+      // 5 minutes
+      statistic: "Average",
+      threshold: thresholds.bounceRateCritical,
+      alarmActions: [topic.arn],
+      okActions: [topic.arn],
+      treatMissingData: "notBreaching",
+      tags: {
+        ManagedBy: "wraps-cli",
+        Severity: "critical"
+      }
+    }
+  );
+  const complaintRateWarningAlarm = new aws4.cloudwatch.MetricAlarm(
+    "wraps-complaint-rate-warning",
+    {
+      name: "wraps-email-complaint-rate-warning",
+      alarmDescription: `Complaint rate exceeded ${thresholds.complaintRateWarning * 100}% - investigate before AWS (0.1%) or Gmail (0.3%) take action`,
+      comparisonOperator: "GreaterThanThreshold",
+      evaluationPeriods: 2,
+      metricName: "Reputation.ComplaintRate",
+      namespace: "AWS/SES",
+      period: 300,
+      statistic: "Average",
+      threshold: thresholds.complaintRateWarning,
+      alarmActions: [topic.arn],
+      okActions: [topic.arn],
+      treatMissingData: "notBreaching",
+      tags: {
+        ManagedBy: "wraps-cli",
+        Severity: "warning"
+      }
+    }
+  );
+  const complaintRateCriticalAlarm = new aws4.cloudwatch.MetricAlarm(
+    "wraps-complaint-rate-critical",
+    {
+      name: "wraps-email-complaint-rate-critical",
+      alarmDescription: `CRITICAL: Complaint rate exceeded ${thresholds.complaintRateCritical * 100}% - approaching AWS warning (0.1%). Immediate action required!`,
+      comparisonOperator: "GreaterThanThreshold",
+      evaluationPeriods: 1,
+      metricName: "Reputation.ComplaintRate",
+      namespace: "AWS/SES",
+      period: 300,
+      statistic: "Average",
+      threshold: thresholds.complaintRateCritical,
+      alarmActions: [topic.arn],
+      okActions: [topic.arn],
+      treatMissingData: "notBreaching",
+      tags: {
+        ManagedBy: "wraps-cli",
+        Severity: "critical"
+      }
+    }
+  );
+  let dlqAlarm;
+  if (config2.alertConfig.dlqAlerts !== false && config2.dlqName) {
+    dlqAlarm = new aws4.cloudwatch.MetricAlarm("wraps-dlq-alarm", {
+      name: "wraps-email-dlq-messages",
+      alarmDescription: "Messages in dead letter queue - event processing is failing. Check Lambda logs for errors.",
+      comparisonOperator: "GreaterThanOrEqualToThreshold",
+      evaluationPeriods: 1,
+      metricName: "ApproximateNumberOfMessagesVisible",
+      namespace: "AWS/SQS",
+      period: 60,
+      // Check every minute
+      statistic: "Sum",
+      threshold: thresholds.dlqMessageThreshold,
+      dimensions: {
+        QueueName: config2.dlqName
+      },
+      alarmActions: [topic.arn],
+      okActions: [topic.arn],
+      treatMissingData: "notBreaching",
+      tags: {
+        ManagedBy: "wraps-cli",
+        Severity: "warning"
+      }
+    });
+  }
+  return {
+    topic,
+    emailSubscription,
+    webhookSubscription,
+    bounceRateWarningAlarm,
+    bounceRateCriticalAlarm,
+    complaintRateWarningAlarm,
+    complaintRateCriticalAlarm,
+    dlqAlarm
+  };
+}
+
+// src/infrastructure/resources/dynamodb.ts
+init_esm_shims();
+import * as aws5 from "@pulumi/aws";
 async function tableExists(tableName) {
   try {
     const { DynamoDBClient: DynamoDBClient6, DescribeTableCommand: DescribeTableCommand2 } = await import("@aws-sdk/client-dynamodb");
@@ -11636,7 +11871,7 @@ async function tableExists(tableName) {
 async function createDynamoDBTables(_config) {
   const tableName = "wraps-email-history";
   const exists = await tableExists(tableName);
-  const emailHistory = exists ? new aws4.dynamodb.Table(
+  const emailHistory = exists ? new aws5.dynamodb.Table(
     tableName,
     {
       name: tableName,
@@ -11668,7 +11903,7 @@ async function createDynamoDBTables(_config) {
       import: tableName
       // Import existing table
     }
-  ) : new aws4.dynamodb.Table(tableName, {
+  ) : new aws5.dynamodb.Table(tableName, {
     name: tableName,
     billingMode: "PAY_PER_REQUEST",
     hashKey: "messageId",
@@ -11701,11 +11936,11 @@ async function createDynamoDBTables(_config) {
 
 // src/infrastructure/resources/eventbridge.ts
 init_esm_shims();
-import * as aws5 from "@pulumi/aws";
+import * as aws6 from "@pulumi/aws";
 import * as pulumi9 from "@pulumi/pulumi";
 async function createEventBridgeResources(config2) {
   const eventBusName = config2.eventBusArn.apply((arn) => arn.split("/").pop());
-  const rule = new aws5.cloudwatch.EventRule("wraps-email-events-rule", {
+  const rule = new aws6.cloudwatch.EventRule("wraps-email-events-rule", {
     name: "wraps-email-events-to-sqs",
     description: "Route all SES email events to SQS for processing",
     eventBusName,
@@ -11718,7 +11953,7 @@ async function createEventBridgeResources(config2) {
       ManagedBy: "wraps-cli"
     }
   });
-  new aws5.sqs.QueuePolicy("wraps-email-events-queue-policy", {
+  new aws6.sqs.QueuePolicy("wraps-email-events-queue-policy", {
     queueUrl: config2.queueUrl,
     policy: pulumi9.all([config2.queueArn, rule.arn]).apply(
       ([queueArn, ruleArn]) => JSON.stringify({
@@ -11741,7 +11976,7 @@ async function createEventBridgeResources(config2) {
       })
     )
   });
-  const target = new aws5.cloudwatch.EventTarget("wraps-email-events-target", {
+  const target = new aws6.cloudwatch.EventTarget("wraps-email-events-target", {
     rule: rule.name,
     eventBusName,
     arn: config2.queueArn
@@ -11752,7 +11987,7 @@ async function createEventBridgeResources(config2) {
   if (config2.webhook) {
     const { awsAccountNumber, webhookSecret, webhookUrl } = config2.webhook;
     const baseUrl = webhookUrl || "https://api.wraps.dev";
-    webhookConnection = new aws5.cloudwatch.EventConnection(
+    webhookConnection = new aws6.cloudwatch.EventConnection(
       "wraps-webhook-connection",
       {
         name: "wraps-webhook-connection",
@@ -11766,7 +12001,7 @@ async function createEventBridgeResources(config2) {
         }
       }
     );
-    webhookApiDestination = new aws5.cloudwatch.EventApiDestination(
+    webhookApiDestination = new aws6.cloudwatch.EventApiDestination(
       "wraps-webhook-destination",
       {
         name: "wraps-webhook-destination",
@@ -11778,7 +12013,7 @@ async function createEventBridgeResources(config2) {
         // Rate limit
       }
     );
-    const webhookRole = new aws5.iam.Role("wraps-webhook-role", {
+    const webhookRole = new aws6.iam.Role("wraps-webhook-role", {
       name: "wraps-eventbridge-webhook-role",
       assumeRolePolicy: JSON.stringify({
         Version: "2012-10-17",
@@ -11796,7 +12031,7 @@ async function createEventBridgeResources(config2) {
         ManagedBy: "wraps-cli"
       }
     });
-    new aws5.iam.RolePolicy("wraps-webhook-policy", {
+    new aws6.iam.RolePolicy("wraps-webhook-policy", {
       role: webhookRole.name,
       policy: webhookApiDestination.arn.apply(
         (destArn) => JSON.stringify({
@@ -11811,7 +12046,7 @@ async function createEventBridgeResources(config2) {
         })
       )
     });
-    webhookTarget = new aws5.cloudwatch.EventTarget("wraps-webhook-target", {
+    webhookTarget = new aws6.cloudwatch.EventTarget("wraps-webhook-target", {
       rule: rule.name,
       eventBusName,
       arn: webhookApiDestination.arn,
@@ -11829,7 +12064,7 @@ async function createEventBridgeResources(config2) {
 
 // src/infrastructure/resources/iam.ts
 init_esm_shims();
-import * as aws6 from "@pulumi/aws";
+import * as aws7 from "@pulumi/aws";
 import * as pulumi10 from "@pulumi/pulumi";
 async function roleExists2(roleName) {
   try {
@@ -11884,7 +12119,7 @@ async function createIAMRole(config2) {
   }
   const roleName = "wraps-email-role";
   const exists = await roleExists2(roleName);
-  const role = exists ? new aws6.iam.Role(
+  const role = exists ? new aws7.iam.Role(
     roleName,
     {
       name: roleName,
@@ -11898,7 +12133,7 @@ async function createIAMRole(config2) {
       import: roleName
       // Import existing role (use role name, not ARN)
     }
-  ) : new aws6.iam.Role(roleName, {
+  ) : new aws7.iam.Role(roleName, {
     name: roleName,
     assumeRolePolicy,
     tags: {
@@ -11993,7 +12228,7 @@ async function createIAMRole(config2) {
       Resource: "arn:aws:ses:*:*:mailmanager-archive/*"
     });
   }
-  new aws6.iam.RolePolicy("wraps-email-policy", {
+  new aws7.iam.RolePolicy("wraps-email-policy", {
     role: role.name,
     policy: JSON.stringify({
       Version: "2012-10-17",
@@ -12008,7 +12243,7 @@ init_lambda();
 
 // src/infrastructure/resources/ses.ts
 init_esm_shims();
-import * as aws8 from "@pulumi/aws";
+import * as aws9 from "@pulumi/aws";
 async function configurationSetExists(configSetName, region) {
   try {
     const { SESv2Client: SESv2Client6, GetConfigurationSetCommand: GetConfigurationSetCommand2 } = await import("@aws-sdk/client-sesv2");
@@ -12086,16 +12321,16 @@ async function createSESResources(config2) {
   }
   const configSetName = "wraps-email-tracking";
   const exists = await configurationSetExists(configSetName, config2.region);
-  const configSet = exists ? new aws8.sesv2.ConfigurationSet(configSetName, configSetOptions, {
+  const configSet = exists ? new aws9.sesv2.ConfigurationSet(configSetName, configSetOptions, {
     import: configSetName
     // Import existing configuration set
-  }) : new aws8.sesv2.ConfigurationSet(configSetName, configSetOptions);
-  const defaultEventBus = aws8.cloudwatch.getEventBusOutput({
+  }) : new aws9.sesv2.ConfigurationSet(configSetName, configSetOptions);
+  const defaultEventBus = aws9.cloudwatch.getEventBusOutput({
     name: "default"
   });
   if (config2.eventTrackingEnabled) {
     const eventDestName = "wraps-email-eventbridge";
-    new aws8.sesv2.ConfigurationSetEventDestination(
+    new aws9.sesv2.ConfigurationSetEventDestination(
       "wraps-email-all-events",
       {
         configurationSetName: configSet.configurationSetName,
@@ -12135,7 +12370,7 @@ async function createSESResources(config2) {
       config2.domain,
       config2.region
     );
-    domainIdentity = identityExists ? new aws8.sesv2.EmailIdentity(
+    domainIdentity = identityExists ? new aws9.sesv2.EmailIdentity(
       "wraps-email-domain",
       {
         emailIdentity: config2.domain,
@@ -12152,7 +12387,7 @@ async function createSESResources(config2) {
         import: config2.domain
         // Import existing identity
       }
-    ) : new aws8.sesv2.EmailIdentity("wraps-email-domain", {
+    ) : new aws9.sesv2.EmailIdentity("wraps-email-domain", {
       emailIdentity: config2.domain,
       configurationSetName: configSet.configurationSetName,
       // Link configuration set to domain
@@ -12168,7 +12403,7 @@ async function createSESResources(config2) {
     );
     if (config2.mailFromDomain) {
       mailFromDomain = config2.mailFromDomain;
-      new aws8.sesv2.EmailIdentityMailFromAttributes(
+      new aws9.sesv2.EmailIdentityMailFromAttributes(
         "wraps-email-mail-from",
         {
           emailIdentity: config2.domain,
@@ -12199,7 +12434,7 @@ async function createSESResources(config2) {
 // src/infrastructure/resources/smtp-credentials.ts
 init_esm_shims();
 import { createHmac as createHmac2 } from "crypto";
-import * as aws9 from "@pulumi/aws";
+import * as aws10 from "@pulumi/aws";
 function convertToSMTPPassword2(secretAccessKey, region) {
   const DATE = "11111111";
   const SERVICE = "ses";
@@ -12235,7 +12470,7 @@ async function userExists(userName) {
 async function createSMTPCredentials(config2) {
   const userName = "wraps-email-smtp-user";
   const userAlreadyExists = await userExists(userName);
-  const iamUser = userAlreadyExists ? new aws9.iam.User(
+  const iamUser = userAlreadyExists ? new aws10.iam.User(
     userName,
     {
       name: userName,
@@ -12245,14 +12480,14 @@ async function createSMTPCredentials(config2) {
       }
     },
     { import: userName }
-  ) : new aws9.iam.User(userName, {
+  ) : new aws10.iam.User(userName, {
     name: userName,
     tags: {
       ManagedBy: "wraps-cli",
       Purpose: "SES SMTP Authentication"
     }
   });
-  new aws9.iam.UserPolicy("wraps-email-smtp-policy", {
+  new aws10.iam.UserPolicy("wraps-email-smtp-policy", {
     user: iamUser.name,
     policy: JSON.stringify({
       Version: "2012-10-17",
@@ -12270,7 +12505,7 @@ async function createSMTPCredentials(config2) {
       ]
     })
   });
-  const accessKey = new aws9.iam.AccessKey("wraps-email-smtp-key", {
+  const accessKey = new aws10.iam.AccessKey("wraps-email-smtp-key", {
     user: iamUser.name
   });
   const smtpPassword = accessKey.secret.apply(
@@ -12285,9 +12520,9 @@ async function createSMTPCredentials(config2) {
 
 // src/infrastructure/resources/sqs.ts
 init_esm_shims();
-import * as aws10 from "@pulumi/aws";
+import * as aws11 from "@pulumi/aws";
 async function createSQSResources() {
-  const dlq = new aws10.sqs.Queue("wraps-email-events-dlq", {
+  const dlq = new aws11.sqs.Queue("wraps-email-events-dlq", {
     name: "wraps-email-events-dlq",
     messageRetentionSeconds: 1209600,
     // 14 days
@@ -12296,10 +12531,10 @@ async function createSQSResources() {
       Description: "Dead letter queue for failed SES event processing"
     }
   });
-  const queue = new aws10.sqs.Queue("wraps-email-events", {
+  const queue = new aws11.sqs.Queue("wraps-email-events", {
     name: "wraps-email-events",
-    visibilityTimeoutSeconds: 300,
-    // 5 minutes (Lambda timeout)
+    visibilityTimeoutSeconds: 60,
+    // Must be >= Lambda timeout
     messageRetentionSeconds: 345600,
     // 4 days
     receiveWaitTimeSeconds: 20,
@@ -12324,7 +12559,7 @@ async function createSQSResources() {
 
 // src/infrastructure/email-stack.ts
 async function deployEmailStack(config2) {
-  const identity = await aws13.getCallerIdentity();
+  const identity = await aws14.getCallerIdentity();
   const accountId = identity.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {
@@ -12440,6 +12675,15 @@ async function deployEmailStack(config2) {
       region: config2.region
     });
   }
+  let alertingResources;
+  if (emailConfig.alerts?.enabled) {
+    alertingResources = await createAlertingResources({
+      alertConfig: emailConfig.alerts,
+      configSetName: sesResources?.configSet.configurationSetName,
+      dlqName: sqsResources ? "wraps-email-events-dlq" : void 0,
+      region: config2.region
+    });
+  }
   return {
     roleArn: role.arn,
     configSetName: sesResources?.configSet.configurationSetName,
@@ -12464,7 +12708,10 @@ async function deployEmailStack(config2) {
     smtpUserArn: smtpResources?.iamUser.arn,
     smtpUsername: smtpResources?.accessKey.id,
     smtpPassword: smtpResources?.smtpPassword,
-    smtpEndpoint: smtpResources ? `email-smtp.${config2.region}.amazonaws.com` : void 0
+    smtpEndpoint: smtpResources ? `email-smtp.${config2.region}.amazonaws.com` : void 0,
+    // Alerting outputs
+    alertsEnabled: emailConfig.alerts?.enabled,
+    alertTopicArn: alertingResources?.topic.arn
   };
 }
 
@@ -12837,14 +13084,14 @@ async function scanSESConfigurationSets(region) {
   }
 }
 async function scanSNSTopics(region) {
-  const sns2 = new SNSClient({ region });
+  const sns3 = new SNSClient({ region });
   const topics = [];
   try {
-    const listResponse = await sns2.send(new ListTopicsCommand({}));
+    const listResponse = await sns3.send(new ListTopicsCommand({}));
     const topicArns = listResponse.Topics?.map((t) => t.TopicArn).filter(Boolean) || [];
     for (const arn of topicArns) {
       try {
-        const attrsResponse = await sns2.send(
+        const attrsResponse = await sns3.send(
           new GetTopicAttributesCommand({ TopicArn: arn })
         );
         const name = arn.split(":").pop() || arn;
@@ -14777,6 +15024,14 @@ ${pc21.bold("Current Configuration:")}
     }[config2.emailArchiving.retention] || "90 days";
     console.log(`  ${pc21.green("\u2713")} Email Archiving (${retentionLabel})`);
   }
+  if (config2.alerts?.enabled) {
+    console.log(`  ${pc21.green("\u2713")} Reputation Alerts`);
+    if (config2.alerts.notificationEmail) {
+      console.log(
+        `    ${pc21.dim("\u2514\u2500")} Email: ${pc21.cyan(config2.alerts.notificationEmail)}`
+      );
+    }
+  }
   const currentCostData = calculateCosts(config2, 5e4);
   console.log(
     `
@@ -14816,6 +15071,11 @@ ${pc21.bold("Current Configuration:")}
         label: "Enable dedicated IP address",
         hint: "Requires 100k+ emails/day ($50-100/mo)"
       },
+      {
+        value: "alerts",
+        label: config2.alerts?.enabled ? "Manage reputation alerts" : "Enable reputation alerts",
+        hint: config2.alerts?.enabled ? "Update thresholds or notification settings" : "Get notified before AWS suspends your account"
+      },
       {
         value: "custom",
         label: "Custom configuration",
@@ -15297,6 +15557,208 @@ ${pc21.bold("Current Configuration:")}
       newPreset = void 0;
       break;
     }
+    case "alerts": {
+      if (!config2.reputationMetrics) {
+        clack20.log.warn("Reputation metrics must be enabled to use alerting.");
+        clack20.log.info(
+          "This requires the Production or Enterprise preset, or enabling reputation metrics manually."
+        );
+        const enableReputationMetrics = await clack20.confirm({
+          message: "Enable reputation metrics now?",
+          initialValue: true
+        });
+        if (clack20.isCancel(enableReputationMetrics) || !enableReputationMetrics) {
+          clack20.cancel("Alerting not enabled.");
+          process.exit(0);
+        }
+        updatedConfig = {
+          ...config2,
+          reputationMetrics: true
+        };
+      }
+      if (config2.alerts?.enabled) {
+        clack20.log.info(`Alerting is currently ${pc21.green("enabled")}`);
+        if (config2.alerts.notificationEmail) {
+          clack20.log.info(
+            `  Notification email: ${pc21.cyan(config2.alerts.notificationEmail)}`
+          );
+        }
+        const alertsAction = await clack20.select({
+          message: "What would you like to do?",
+          options: [
+            {
+              value: "change-email",
+              label: "Change notification email",
+              hint: config2.alerts.notificationEmail || "Not set"
+            },
+            {
+              value: "change-thresholds",
+              label: "Customize alert thresholds",
+              hint: "Adjust bounce/complaint rate thresholds"
+            },
+            {
+              value: "disable",
+              label: "Disable alerting",
+              hint: "Remove CloudWatch alarms and SNS topic"
+            }
+          ]
+        });
+        if (clack20.isCancel(alertsAction)) {
+          clack20.cancel("Upgrade cancelled.");
+          process.exit(0);
+        }
+        if (alertsAction === "disable") {
+          const confirmDisable = await clack20.confirm({
+            message: "Are you sure? You won't be notified if your reputation degrades.",
+            initialValue: false
+          });
+          if (clack20.isCancel(confirmDisable) || !confirmDisable) {
+            clack20.log.info("Alerting not disabled.");
+            process.exit(0);
+          }
+          updatedConfig = {
+            ...config2,
+            alerts: { enabled: false }
+          };
+        } else if (alertsAction === "change-email") {
+          const notificationEmail = await clack20.text({
+            message: "Notification email address:",
+            placeholder: "alerts@yourcompany.com",
+            initialValue: config2.alerts.notificationEmail || "",
+            validate: (value) => {
+              if (value && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)) {
+                return "Please enter a valid email address";
+              }
+            }
+          });
+          if (clack20.isCancel(notificationEmail)) {
+            clack20.cancel("Upgrade cancelled.");
+            process.exit(0);
+          }
+          updatedConfig = {
+            ...config2,
+            alerts: {
+              ...config2.alerts,
+              enabled: true,
+              notificationEmail: notificationEmail || void 0
+            }
+          };
+        } else if (alertsAction === "change-thresholds") {
+          clack20.log.info(`
+${pc21.bold("Alert Thresholds")}`);
+          clack20.log.info(
+            pc21.dim("These thresholds warn you BEFORE AWS takes action:")
+          );
+          clack20.log.info(pc21.dim("  AWS warns at 5% bounce, 0.1% complaint"));
+          clack20.log.info(pc21.dim("  Gmail blocks at 0.3% complaint rate\n"));
+          const thresholdPreset = await clack20.select({
+            message: "Choose threshold sensitivity:",
+            options: [
+              {
+                value: "standard",
+                label: "Standard (recommended)",
+                hint: "Bounce: 2%/4%, Complaint: 0.05%/0.08%"
+              },
+              {
+                value: "strict",
+                label: "Strict (enterprise)",
+                hint: "Bounce: 1%/2%, Complaint: 0.03%/0.05%"
+              },
+              {
+                value: "relaxed",
+                label: "Relaxed",
+                hint: "Bounce: 3%/5%, Complaint: 0.08%/0.1%"
+              }
+            ]
+          });
+          if (clack20.isCancel(thresholdPreset)) {
+            clack20.cancel("Upgrade cancelled.");
+            process.exit(0);
+          }
+          const thresholdConfigs = {
+            standard: {
+              bounceRateWarning: 0.02,
+              bounceRateCritical: 0.04,
+              complaintRateWarning: 5e-4,
+              complaintRateCritical: 8e-4
+            },
+            strict: {
+              bounceRateWarning: 0.01,
+              bounceRateCritical: 0.02,
+              complaintRateWarning: 3e-4,
+              complaintRateCritical: 5e-4
+            },
+            relaxed: {
+              bounceRateWarning: 0.03,
+              bounceRateCritical: 0.05,
+              complaintRateWarning: 8e-4,
+              complaintRateCritical: 1e-3
+            }
+          };
+          updatedConfig = {
+            ...config2,
+            alerts: {
+              ...config2.alerts,
+              enabled: true,
+              thresholds: thresholdConfigs[thresholdPreset]
+            }
+          };
+        }
+      } else {
+        clack20.log.info(`
+${pc21.bold("Reputation Alerts")}
+`);
+        clack20.log.info(
+          pc21.dim("Get notified when your email reputation is at risk:")
+        );
+        clack20.log.info(pc21.dim("  - Bounce rate warnings (before AWS review)"));
+        clack20.log.info(
+          pc21.dim("  - Complaint rate warnings (before Gmail blocks you)")
+        );
+        clack20.log.info(pc21.dim("  - DLQ alerts (event processing failures)"));
+        clack20.log.info(pc21.dim("\nCost: ~$0.50/mo (5 CloudWatch alarms)\n"));
+        const enableAlerts = await clack20.confirm({
+          message: "Enable reputation alerts?",
+          initialValue: true
+        });
+        if (clack20.isCancel(enableAlerts) || !enableAlerts) {
+          clack20.log.info("Alerting not enabled.");
+          process.exit(0);
+        }
+        const notificationEmail = await clack20.text({
+          message: "Notification email address:",
+          placeholder: "alerts@yourcompany.com",
+          validate: (value) => {
+            if (!value) {
+              return "Email address is required for alerts";
+            }
+            if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)) {
+              return "Please enter a valid email address";
+            }
+          }
+        });
+        if (clack20.isCancel(notificationEmail)) {
+          clack20.cancel("Upgrade cancelled.");
+          process.exit(0);
+        }
+        clack20.log.info(
+          pc21.dim("\nYou'll receive an email to confirm your subscription.")
+        );
+        updatedConfig = {
+          ...config2,
+          reputationMetrics: true,
+          // Required for alerts
+          alerts: {
+            enabled: true,
+            notificationEmail,
+            dlqAlerts: true
+            // Uses default thresholds
+          }
+        };
+      }
+      newPreset = void 0;
+      break;
+    }
     case "custom": {
       const { promptCustomConfig: promptCustomConfig2 } = await Promise.resolve().then(() => (init_prompts(), prompts_exports));
       const customConfig = await promptCustomConfig2(config2);
@@ -15905,6 +16367,9 @@ ${pc21.green("\u2713")} ${pc21.bold("Upgrade complete!")}
   if (updatedConfig.smtpCredentials?.enabled) {
     enabledFeatures.push("smtp_credentials");
   }
+  if (updatedConfig.alerts?.enabled) {
+    enabledFeatures.push("alerts");
+  }
   trackServiceUpgrade("email", {
     from_preset: metadata.services.email?.preset,
     to_preset: newPreset,
@@ -17261,7 +17726,7 @@ import {
 } from "@aws-sdk/client-cloudwatch";
 async function fetchSESMetrics(roleArn, region, timeRange, tableName) {
   const credentials = roleArn ? await assumeRole(roleArn, region) : void 0;
-  const cloudwatch3 = new CloudWatchClient({ region, credentials });
+  const cloudwatch4 = new CloudWatchClient({ region, credentials });
   const queries = [
     {
       Id: "sends",
@@ -17309,7 +17774,7 @@ async function fetchSESMetrics(roleArn, region, timeRange, tableName) {
       }
     }
   ];
-  const response = await cloudwatch3.send(
+  const response = await cloudwatch4.send(
     new GetMetricDataCommand({
       MetricDataQueries: queries,
       StartTime: timeRange.start,
@@ -18094,7 +18559,7 @@ import {
 import { unmarshall as unmarshall4 } from "@aws-sdk/util-dynamodb";
 async function fetchSMSSpendLimits(region) {
   const smsClient = new PinpointSMSVoiceV2Client({ region });
-  const cloudwatch3 = new CloudWatchClient2({ region });
+  const cloudwatch4 = new CloudWatchClient2({ region });
   try {
     const spendLimits = await smsClient.send(
       new DescribeSpendLimitsCommand({})
@@ -18108,7 +18573,7 @@ async function fetchSMSSpendLimits(region) {
     }
     const now = /* @__PURE__ */ new Date();
     const startOfMonth = new Date(now.getFullYear(), now.getMonth(), 1);
-    const metricsResponse = await cloudwatch3.send(
+    const metricsResponse = await cloudwatch4.send(
       new GetMetricDataCommand2({
         MetricDataQueries: [
           {
@@ -19095,7 +19560,7 @@ import pc28 from "picocolors";
 
 // src/infrastructure/sms-stack.ts
 init_esm_shims();
-import * as aws14 from "@pulumi/aws";
+import * as aws15 from "@pulumi/aws";
 import * as pulumi22 from "@pulumi/pulumi";
 async function roleExists3(roleName) {
   try {
@@ -19173,7 +19638,7 @@ async function createSMSIAMRole(config2) {
   }
   const roleName = "wraps-sms-role";
   const exists = await roleExists3(roleName);
-  const role = exists ? new aws14.iam.Role(
+  const role = exists ? new aws15.iam.Role(
     roleName,
     {
       name: roleName,
@@ -19188,7 +19653,7 @@ async function createSMSIAMRole(config2) {
       import: roleName,
       customTimeouts: { create: "2m", update: "2m", delete: "2m" }
     }
-  ) : new aws14.iam.Role(
+  ) : new aws15.iam.Role(
     roleName,
     {
       name: roleName,
@@ -19283,7 +19748,7 @@ async function createSMSIAMRole(config2) {
       Resource: "arn:aws:logs:*:*:log-group:/aws/lambda/wraps-sms-*"
     });
   }
-  new aws14.iam.RolePolicy("wraps-sms-policy", {
+  new aws15.iam.RolePolicy("wraps-sms-policy", {
     role: role.name,
     policy: JSON.stringify({
       Version: "2012-10-17",
@@ -19293,7 +19758,7 @@ async function createSMSIAMRole(config2) {
   return role;
 }
 function createSMSConfigurationSet() {
-  return new aws14.pinpoint.Smsvoicev2ConfigurationSet("wraps-sms-config", {
+  return new aws15.pinpoint.Smsvoicev2ConfigurationSet("wraps-sms-config", {
     name: "wraps-sms-config",
     defaultMessageType: "TRANSACTIONAL",
     tags: {
@@ -19303,7 +19768,7 @@ function createSMSConfigurationSet() {
   });
 }
 function createSMSOptOutList() {
-  return new aws14.pinpoint.Smsvoicev2OptOutList("wraps-sms-optouts", {
+  return new aws15.pinpoint.Smsvoicev2OptOutList("wraps-sms-optouts", {
     name: "wraps-sms-optouts",
     tags: {
       ManagedBy: "wraps-cli",
@@ -19367,7 +19832,7 @@ async function createSMSPhoneNumber(phoneNumberType, optOutList) {
     }
   };
   if (existingArn) {
-    return new aws14.pinpoint.Smsvoicev2PhoneNumber(
+    return new aws15.pinpoint.Smsvoicev2PhoneNumber(
       "wraps-sms-number",
       phoneConfig,
       {
@@ -19376,7 +19841,7 @@ async function createSMSPhoneNumber(phoneNumberType, optOutList) {
       }
     );
   }
-  return new aws14.pinpoint.Smsvoicev2PhoneNumber(
+  return new aws15.pinpoint.Smsvoicev2PhoneNumber(
     "wraps-sms-number",
     phoneConfig,
     {
@@ -19419,10 +19884,10 @@ async function createSMSSQSResources() {
       Description: "Dead letter queue for failed SMS event processing"
     }
   };
-  const dlq = dlqUrl ? new aws14.sqs.Queue(dlqName, dlqConfig, {
+  const dlq = dlqUrl ? new aws15.sqs.Queue(dlqName, dlqConfig, {
     import: dlqUrl,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws14.sqs.Queue(dlqName, dlqConfig, {
+  }) : new aws15.sqs.Queue(dlqName, dlqConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
   const queueConfig = {
@@ -19445,10 +19910,10 @@ async function createSMSSQSResources() {
       Description: "Queue for SMS events from SNS"
     }
   };
-  const queue = queueUrl ? new aws14.sqs.Queue(queueName, queueConfig, {
+  const queue = queueUrl ? new aws15.sqs.Queue(queueName, queueConfig, {
     import: queueUrl,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws14.sqs.Queue(queueName, queueConfig, {
+  }) : new aws15.sqs.Queue(queueName, queueConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
   return { queue, dlq };
@@ -19456,12 +19921,12 @@ async function createSMSSQSResources() {
 async function snsTopicExists(topicName) {
   try {
     const { SNSClient: SNSClient2, ListTopicsCommand: ListTopicsCommand2 } = await import("@aws-sdk/client-sns");
-    const sns2 = new SNSClient2({
+    const sns3 = new SNSClient2({
       region: process.env.AWS_REGION || "us-east-1"
     });
     let nextToken;
     do {
-      const response = await sns2.send(
+      const response = await sns3.send(
         new ListTopicsCommand2({ NextToken: nextToken })
       );
       const found = response.Topics?.find(
@@ -19488,13 +19953,13 @@ async function createSMSSNSResources(config2) {
       Description: "SNS topic for SMS delivery events"
     }
   };
-  const topic = topicArn ? new aws14.sns.Topic("wraps-sms-events-topic", topicConfig, {
+  const topic = topicArn ? new aws15.sns.Topic("wraps-sms-events-topic", topicConfig, {
     import: topicArn,
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
-  }) : new aws14.sns.Topic("wraps-sms-events-topic", topicConfig, {
+  }) : new aws15.sns.Topic("wraps-sms-events-topic", topicConfig, {
     customTimeouts: { create: "2m", update: "2m", delete: "2m" }
   });
-  new aws14.sns.TopicPolicy("wraps-sms-events-topic-policy", {
+  new aws15.sns.TopicPolicy("wraps-sms-events-topic-policy", {
     arn: topic.arn,
     policy: topic.arn.apply(
       (topicArn2) => JSON.stringify({
@@ -19511,7 +19976,7 @@ async function createSMSSNSResources(config2) {
       })
     )
   });
-  new aws14.sqs.QueuePolicy("wraps-sms-events-queue-policy", {
+  new aws15.sqs.QueuePolicy("wraps-sms-events-queue-policy", {
     queueUrl: config2.queueUrl,
     policy: pulumi22.all([config2.queueArn, topic.arn]).apply(
       ([queueArn, topicArn2]) => JSON.stringify({
@@ -19530,7 +19995,7 @@ async function createSMSSNSResources(config2) {
       })
     )
   });
-  const subscription = new aws14.sns.TopicSubscription(
+  const subscription = new aws15.sns.TopicSubscription(
     "wraps-sms-events-subscription",
     {
       topic: topic.arn,
@@ -19579,17 +20044,17 @@ async function createSMSDynamoDBTable() {
       Service: "sms"
     }
   };
-  return exists ? new aws14.dynamodb.Table(tableName, tableConfig, {
+  return exists ? new aws15.dynamodb.Table(tableName, tableConfig, {
     import: tableName,
     customTimeouts: { create: "5m", update: "5m", delete: "5m" }
-  }) : new aws14.dynamodb.Table(tableName, tableConfig, {
+  }) : new aws15.dynamodb.Table(tableName, tableConfig, {
     customTimeouts: { create: "5m", update: "5m", delete: "5m" }
   });
 }
 async function deploySMSLambdaFunction(config2) {
   const { getLambdaCode: getLambdaCode2 } = await Promise.resolve().then(() => (init_lambda(), lambda_exports));
   const codeDir = await getLambdaCode2("sms-event-processor");
-  const lambdaRole = new aws14.iam.Role("wraps-sms-lambda-role", {
+  const lambdaRole = new aws15.iam.Role("wraps-sms-lambda-role", {
     name: "wraps-sms-lambda-role",
     assumeRolePolicy: JSON.stringify({
       Version: "2012-10-17",
@@ -19606,11 +20071,11 @@ async function deploySMSLambdaFunction(config2) {
       Service: "sms"
     }
   });
-  new aws14.iam.RolePolicyAttachment("wraps-sms-lambda-basic-execution", {
+  new aws15.iam.RolePolicyAttachment("wraps-sms-lambda-basic-execution", {
     role: lambdaRole.name,
     policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
   });
-  new aws14.iam.RolePolicy("wraps-sms-lambda-policy", {
+  new aws15.iam.RolePolicy("wraps-sms-lambda-policy", {
     role: lambdaRole.name,
     policy: pulumi22.all([config2.tableName, config2.queueArn]).apply(
       ([tableName, queueArn]) => JSON.stringify({
@@ -19642,7 +20107,7 @@ async function deploySMSLambdaFunction(config2) {
       })
     )
   });
-  const eventProcessor = new aws14.lambda.Function(
+  const eventProcessor = new aws15.lambda.Function(
     "wraps-sms-event-processor",
     {
       name: "wraps-sms-event-processor",
@@ -19670,7 +20135,7 @@ async function deploySMSLambdaFunction(config2) {
       customTimeouts: { create: "5m", update: "5m", delete: "2m" }
     }
   );
-  new aws14.lambda.EventSourceMapping(
+  new aws15.lambda.EventSourceMapping(
     "wraps-sms-event-source-mapping",
     {
       eventSourceArn: config2.queueArn,
@@ -19686,7 +20151,7 @@ async function deploySMSLambdaFunction(config2) {
   return eventProcessor;
 }
 async function deploySMSStack(config2) {
-  const identity = await aws14.getCallerIdentity();
+  const identity = await aws15.getCallerIdentity();
   const accountId = identity.accountId;
   let oidcProvider;
   if (config2.provider === "vercel" && config2.vercel) {