@wraps.dev/cli 2.21.16 → 2.21.17

package/dist/cli.js

@@ -32520,9 +32520,9 @@ Run ${pc43.cyan("wraps email init")} or ${pc43.cyan("wraps sms init")} first.
     let webhookSecret;
     let needsDeployment = false;
     if (hasEmail) {
-      const emailConfig = metadata.services.email?.config;
+      const emailConfig2 = metadata.services.email?.config;
       const existingSecret = metadata.services.email?.webhookSecret;
-      if (!emailConfig?.eventTracking?.enabled) {
+      if (!emailConfig2?.eventTracking?.enabled) {
         progress.stop();
         log37.warn(
           "Event tracking must be enabled to connect to the Wraps Platform."
@@ -32539,7 +32539,7 @@ Run ${pc43.cyan("wraps email init")} or ${pc43.cyan("wraps sms init")} first.
           process.exit(0);
         }
         metadata.services.email.config = {
-          ...emailConfig,
+          ...emailConfig2,
           eventTracking: {
             enabled: true,
             eventBridge: true,
@@ -32551,8 +32551,8 @@ Run ${pc43.cyan("wraps email init")} or ${pc43.cyan("wraps sms init")} first.
               "BOUNCE",
               "COMPLAINT"
             ],
-            dynamoDBHistory: emailConfig?.eventTracking?.dynamoDBHistory ?? false,
-            archiveRetention: emailConfig?.eventTracking?.archiveRetention ?? "90days"
+            dynamoDBHistory: emailConfig2?.eventTracking?.dynamoDBHistory ?? false,
+            archiveRetention: emailConfig2?.eventTracking?.archiveRetention ?? "90days"
           }
         };
         needsDeployment = true;
@@ -32661,6 +32661,7 @@ Run ${pc43.cyan("wraps email init")} or ${pc43.cyan("wraps sms init")} first.
     }
     const roleName = "wraps-console-access-role";
     const iam11 = new IAMClient3({ region: "us-east-1" });
+    const trustedAccountId = metadata.services?.selfhost ? metadata.accountId : WRAPS_PLATFORM_ACCOUNT_ID;
     let roleExists2 = false;
     try {
       await iam11.send(new GetRoleCommand({ RoleName: roleName }));
@@ -32671,20 +32672,66 @@ Run ${pc43.cyan("wraps email init")} or ${pc43.cyan("wraps sms init")} first.
         throw error;
       }
     }
+    const emailConfig = metadata.services.email?.config;
+    const smsConfig = metadata.services.sms?.config;
+    const consolePolicy = buildConsolePolicyDocument(emailConfig, smsConfig);
     if (roleExists2) {
-      const emailConfig = metadata.services.email?.config;
-      const smsConfig = metadata.services.sms?.config;
-      const policy = buildConsolePolicyDocument(emailConfig, smsConfig);
       await progress.execute("Updating platform access role", async () => {
         await iam11.send(
           new PutRolePolicyCommand({
             RoleName: roleName,
             PolicyName: "wraps-console-access-policy",
-            PolicyDocument: JSON.stringify(policy, null, 2)
+            PolicyDocument: JSON.stringify(consolePolicy, null, 2)
           })
         );
+        if (metadata.services?.selfhost) {
+          const trustPolicy = {
+            Version: "2012-10-17",
+            Statement: [
+              {
+                Effect: "Allow",
+                Principal: { AWS: `arn:aws:iam::${trustedAccountId}:root` },
+                Action: "sts:AssumeRole"
+              }
+            ]
+          };
+          await iam11.send(
+            new UpdateAssumeRolePolicyCommand({
+              RoleName: roleName,
+              PolicyDocument: JSON.stringify(trustPolicy)
+            })
+          );
+        }
       });
       progress.succeed("Platform access role updated");
+    } else if (metadata.services?.selfhost) {
+      const trustPolicy = {
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Effect: "Allow",
+            Principal: { AWS: `arn:aws:iam::${trustedAccountId}:root` },
+            Action: "sts:AssumeRole"
+          }
+        ]
+      };
+      await progress.execute("Creating platform access role", async () => {
+        await iam11.send(
+          new CreateRoleCommand({
+            RoleName: roleName,
+            AssumeRolePolicyDocument: JSON.stringify(trustPolicy),
+            Description: "Wraps Platform console access role"
+          })
+        );
+        await iam11.send(
+          new PutRolePolicyCommand({
+            RoleName: roleName,
+            PolicyName: "wraps-console-access-policy",
+            PolicyDocument: JSON.stringify(consolePolicy, null, 2)
+          })
+        );
+      });
+      progress.succeed("Platform access role created");
     } else {
       progress.info(
         `IAM role ${pc43.cyan(roleName)} will be created when you add your AWS account in the dashboard`
@@ -33583,7 +33630,12 @@ async function selfhostDeploy(options) {
       if (dbChoice === "url") {
         const dbUrlAnswer = await clack43.text({
           message: "Postgres connection string:",
-          placeholder: "postgres://user:pass@host:5432/dbname"
+          placeholder: "postgres://user:pass@host:5432/dbname",
+          validate: (v) => {
+            if (!v.trim()) return "Connection string cannot be empty";
+            if (!v.startsWith("postgres://") && !v.startsWith("postgresql://"))
+              return "Must be a valid postgres:// or postgresql:// connection string";
+          }
         });
         if (clack43.isCancel(dbUrlAnswer)) {
           clack43.cancel("Operation cancelled.");
@@ -33895,6 +33947,16 @@ Run ${pc47.cyan("wraps selfhost deploy")} to deploy the self-hosted control plan
     return;
   }
   const { config: config2, apiUrl } = metadata.services.selfhost;
+  if (!apiUrl) {
+    clack44.log.error("Self-hosted deployment is incomplete \u2014 API URL is not available yet.");
+    console.log(
+      `
+The deployment may have failed partway through. Re-run ${pc47.cyan("wraps selfhost deploy")} to complete it.
+`
+    );
+    process.exit(1);
+    return;
+  }
   const env = {
     DATABASE_URL: config2.databaseUrl,
     NEXT_PUBLIC_APP_URL: config2.appUrl,