@wraps.dev/cli 2.3.4 → 2.4.0

package/dist/cli.js

@@ -1023,7 +1023,7 @@ To remove: wraps destroy --stack ${stackName}`,
         "The Pulumi stack is locked from a previous run",
         "STACK_LOCKED",
         "This happens when a previous deployment was interrupted.\n\nTo unlock, run:\n  rm -rf ~/.wraps/pulumi/.pulumi/locks\n\nThen try your command again.",
-        "https://wraps.dev/docs/guides/aws-setup/troubleshooting"
+        "https://wraps.dev/docs/guides/aws-setup/permissions/troubleshooting"
       ),
       // SMS-specific errors
       smsNotConfigured: () => new WrapsError(
@@ -1080,7 +1080,7 @@ To remove: wraps destroy --stack ${stackName}`,
         `AWS SSO session has expired${profile ? ` for profile "${profile}"` : ""}`,
         "SSO_SESSION_EXPIRED",
         profile ? `Run: aws sso login --profile ${profile}` : "Run: aws sso login",
-        "https://wraps.dev/docs/guides/aws-setup"
+        "https://wraps.dev/docs/guides/aws-setup/permissions"
       ),
       profileNotFound: (profile, availableProfiles) => new WrapsError(
         `AWS profile "${profile}" not found`,
@@ -1092,25 +1092,25 @@ Set a valid profile:
 
 Or configure a new profile:
   aws configure --profile ${profile}` : "No AWS profiles configured.\n\nConfigure AWS credentials:\n  aws configure\n\nOr set up SSO:\n  aws configure sso",
-        "https://wraps.dev/docs/guides/aws-setup"
+        "https://wraps.dev/docs/guides/aws-setup/permissions"
       ),
       credentialsFileMissing: () => new WrapsError(
         "AWS credentials file not found",
         "CREDENTIALS_FILE_MISSING",
         "Configure AWS credentials:\n  aws configure\n\nOr set environment variables:\n  export AWS_ACCESS_KEY_ID=<your-key>\n  export AWS_SECRET_ACCESS_KEY=<your-secret>",
-        "https://wraps.dev/docs/guides/aws-setup"
+        "https://wraps.dev/docs/guides/aws-setup/permissions"
       ),
       accessKeyInvalid: () => new WrapsError(
         "AWS access key is invalid or has been deactivated",
         "ACCESS_KEY_INVALID",
         "Check your AWS access keys in the IAM console.\n\nReconfigure credentials:\n  aws configure\n\nOr generate new access keys in AWS IAM.",
-        "https://wraps.dev/docs/guides/aws-setup"
+        "https://wraps.dev/docs/guides/aws-setup/permissions"
       ),
       sessionTokenExpired: () => new WrapsError(
         "AWS session token has expired",
         "SESSION_TOKEN_EXPIRED",
         "Your temporary credentials have expired.\n\nFor SSO users:\n  aws sso login\n\nFor assumed roles:\n  Re-run your assume-role command",
-        "https://wraps.dev/docs/guides/aws-setup"
+        "https://wraps.dev/docs/guides/aws-setup/permissions"
       ),
       // IAM permission errors
       iamPermissionDenied: (action, resource, suggestion) => new WrapsError(
@@ -1989,9 +1989,11 @@ __export(prompts_exports, {
   getAvailableFeatures: () => getAvailableFeatures,
   promptConfigPreset: () => promptConfigPreset,
   promptConflictResolution: () => promptConflictResolution,
+  promptContinueManualDNS: () => promptContinueManualDNS,
   promptCustomConfig: () => promptCustomConfig,
   promptDNSConfirmation: () => promptDNSConfirmation,
   promptDNSManagement: () => promptDNSManagement,
+  promptDNSProvider: () => promptDNSProvider,
   promptDomain: () => promptDomain,
   promptEmailArchiving: () => promptEmailArchiving,
   promptEstimatedVolume: () => promptEstimatedVolume,
@@ -2713,6 +2715,58 @@ async function promptDNSManagement(domain) {
   }
   return manage;
 }
+async function promptDNSProvider(domain, availableProviders) {
+  const options = availableProviders.map((p) => {
+    let label;
+    let hint;
+    switch (p.provider) {
+      case "route53":
+        label = "AWS Route53";
+        hint = p.detected ? "Hosted zone detected" : "Requires Route53 hosted zone";
+        break;
+      case "vercel":
+        label = "Vercel DNS";
+        hint = p.detected ? "Token found" : "Requires VERCEL_TOKEN";
+        break;
+      case "cloudflare":
+        label = "Cloudflare";
+        hint = p.detected ? "Token found" : "Requires CLOUDFLARE_API_TOKEN";
+        break;
+      case "manual":
+        label = "Manual";
+        hint = "I'll add DNS records myself";
+        break;
+    }
+    if (p.detected && p.provider !== "manual") {
+      label = `${label} (Recommended)`;
+    }
+    return {
+      value: p.provider,
+      label,
+      hint: p.hint || hint
+    };
+  });
+  const provider = await clack3.select({
+    message: `Where do you manage DNS for ${pc4.cyan(domain)}?`,
+    options
+  });
+  if (clack3.isCancel(provider)) {
+    clack3.cancel("Operation cancelled.");
+    process.exit(0);
+  }
+  return provider;
+}
+async function promptContinueManualDNS() {
+  const continueManual = await clack3.confirm({
+    message: "Continue with manual DNS setup?",
+    initialValue: true
+  });
+  if (clack3.isCancel(continueManual)) {
+    clack3.cancel("Operation cancelled.");
+    process.exit(0);
+  }
+  return continueManual;
+}
 var DNS_CATEGORY_LABELS, DNS_STATUS_SYMBOLS;
 var init_prompts = __esm({
   "src/utils/shared/prompts.ts"() {
@@ -4407,29 +4461,952 @@ async function createMailManagerArchive(config2) {
     const accountId = identity.Account;
     archiveArn = `arn:aws:ses:${region}:${accountId}:mailmanager-archive/${archiveId}`;
   }
-  const configSetName = await new Promise((resolve) => {
-    config2.configSetName.apply((name) => {
-      resolve(name);
+  const configSetName = await new Promise((resolve) => {
+    config2.configSetName.apply((name) => {
+      resolve(name);
+    });
+  });
+  const putArchivingOptionsCommand = new PutConfigurationSetArchivingOptionsCommand({
+    ConfigurationSetName: configSetName,
+    ArchiveArn: archiveArn
+  });
+  await sesClient.send(putArchivingOptionsCommand);
+  if (!(archiveId && archiveArn)) {
+    throw new Error("Failed to get archive ID or ARN");
+  }
+  return {
+    archiveId,
+    archiveArn,
+    kmsKeyArn
+  };
+}
+var init_mail_manager = __esm({
+  "src/infrastructure/resources/mail-manager.ts"() {
+    "use strict";
+    init_esm_shims();
+  }
+});
+
+// src/utils/dns/cloudflare.ts
+var CLOUDFLARE_API_BASE, CloudflareDNSClient;
+var init_cloudflare = __esm({
+  "src/utils/dns/cloudflare.ts"() {
+    "use strict";
+    init_esm_shims();
+    CLOUDFLARE_API_BASE = "https://api.cloudflare.com/client/v4";
+    CloudflareDNSClient = class {
+      zoneId;
+      apiToken;
+      constructor(zoneId, apiToken) {
+        this.zoneId = zoneId;
+        this.apiToken = apiToken;
+      }
+      async request(endpoint, method = "GET", body) {
+        const response = await fetch(
+          `${CLOUDFLARE_API_BASE}/zones/${this.zoneId}${endpoint}`,
+          {
+            method,
+            headers: {
+              Authorization: `Bearer ${this.apiToken}`,
+              "Content-Type": "application/json"
+            },
+            body: body ? JSON.stringify(body) : void 0
+          }
+        );
+        return response.json();
+      }
+      async createRecord(name, type, content, priority) {
+        const body = {
+          name,
+          type,
+          content,
+          ttl: 1800,
+          proxied: false
+          // Must not be proxied for email records
+        };
+        if (priority !== void 0) {
+          body.priority = priority;
+        }
+        const result = await this.request(
+          "/dns_records",
+          "POST",
+          body
+        );
+        return result.success;
+      }
+      async findRecord(name, type) {
+        const result = await this.request(
+          `/dns_records?name=${encodeURIComponent(name)}&type=${type}`
+        );
+        if (result.success && result.result.length > 0) {
+          return result.result[0];
+        }
+        return null;
+      }
+      async deleteRecord(recordId) {
+        const result = await this.request(
+          `/dns_records/${recordId}`,
+          "DELETE"
+        );
+        return result.success;
+      }
+      async createEmailRecords(data) {
+        const { domain, dkimTokens, mailFromDomain, region } = data;
+        const errors2 = [];
+        let recordsCreated = 0;
+        try {
+          for (const token of dkimTokens) {
+            const name = `${token}._domainkey.${domain}`;
+            const success = await this.createRecord(
+              name,
+              "CNAME",
+              `${token}.dkim.amazonses.com`
+            );
+            if (success) {
+              recordsCreated++;
+            } else {
+              errors2.push(`Failed to create DKIM record: ${name}`);
+            }
+          }
+          const spfSuccess = await this.createRecord(
+            domain,
+            "TXT",
+            "v=spf1 include:amazonses.com ~all"
+          );
+          if (spfSuccess) {
+            recordsCreated++;
+          } else {
+            errors2.push(`Failed to create SPF record for ${domain}`);
+          }
+          const dmarcSuccess = await this.createRecord(
+            `_dmarc.${domain}`,
+            "TXT",
+            `v=DMARC1; p=quarantine; rua=mailto:postmaster@${mailFromDomain || domain}`
+          );
+          if (dmarcSuccess) {
+            recordsCreated++;
+          } else {
+            errors2.push(`Failed to create DMARC record for ${domain}`);
+          }
+          if (mailFromDomain) {
+            const mxSuccess = await this.createRecord(
+              mailFromDomain,
+              "MX",
+              `feedback-smtp.${region}.amazonses.com`,
+              10
+            );
+            if (mxSuccess) {
+              recordsCreated++;
+            } else {
+              errors2.push(`Failed to create MX record for ${mailFromDomain}`);
+            }
+            const mailFromSpfSuccess = await this.createRecord(
+              mailFromDomain,
+              "TXT",
+              "v=spf1 include:amazonses.com ~all"
+            );
+            if (mailFromSpfSuccess) {
+              recordsCreated++;
+            } else {
+              errors2.push(`Failed to create SPF record for ${mailFromDomain}`);
+            }
+          }
+          return {
+            success: errors2.length === 0,
+            recordsCreated,
+            errors: errors2.length > 0 ? errors2 : void 0
+          };
+        } catch (error) {
+          return {
+            success: false,
+            recordsCreated,
+            errors: [
+              ...errors2,
+              error instanceof Error ? error.message : "Unknown error"
+            ]
+          };
+        }
+      }
+      async deleteEmailRecords(data) {
+        const { domain, dkimTokens, mailFromDomain } = data;
+        const errors2 = [];
+        let recordsCreated = 0;
+        try {
+          for (const token of dkimTokens) {
+            const name = `${token}._domainkey.${domain}`;
+            const record = await this.findRecord(name, "CNAME");
+            if (record) {
+              const success = await this.deleteRecord(record.id);
+              if (success) {
+                recordsCreated++;
+              } else {
+                errors2.push(`Failed to delete DKIM record: ${name}`);
+              }
+            }
+          }
+          const dmarcRecord = await this.findRecord(`_dmarc.${domain}`, "TXT");
+          if (dmarcRecord) {
+            const success = await this.deleteRecord(dmarcRecord.id);
+            if (success) {
+              recordsCreated++;
+            } else {
+              errors2.push("Failed to delete DMARC record");
+            }
+          }
+          if (mailFromDomain) {
+            const mxRecord = await this.findRecord(mailFromDomain, "MX");
+            if (mxRecord) {
+              const success = await this.deleteRecord(mxRecord.id);
+              if (success) {
+                recordsCreated++;
+              } else {
+                errors2.push(`Failed to delete MX record for ${mailFromDomain}`);
+              }
+            }
+            const spfRecord = await this.findRecord(mailFromDomain, "TXT");
+            if (spfRecord) {
+              const success = await this.deleteRecord(spfRecord.id);
+              if (success) {
+                recordsCreated++;
+              } else {
+                errors2.push(`Failed to delete SPF record for ${mailFromDomain}`);
+              }
+            }
+          }
+          return {
+            success: errors2.length === 0,
+            recordsCreated,
+            errors: errors2.length > 0 ? errors2 : void 0
+          };
+        } catch (error) {
+          return {
+            success: false,
+            recordsCreated,
+            errors: [
+              ...errors2,
+              error instanceof Error ? error.message : "Unknown error"
+            ]
+          };
+        }
+      }
+      async verifyRecords(data) {
+        const { domain, dkimTokens, mailFromDomain, region } = data;
+        const missing = [];
+        const incorrect = [];
+        for (const token of dkimTokens) {
+          const name = `${token}._domainkey.${domain}`;
+          const expectedValue = `${token}.dkim.amazonses.com`;
+          const record = await this.findRecord(name, "CNAME");
+          if (!record) {
+            missing.push(`DKIM: ${name}`);
+          } else if (record.content !== expectedValue) {
+            incorrect.push(`DKIM: ${name} (expected ${expectedValue})`);
+          }
+        }
+        const spfRecord = await this.findRecord(domain, "TXT");
+        if (!spfRecord) {
+          missing.push(`SPF: ${domain}`);
+        } else if (!spfRecord.content.includes("include:amazonses.com")) {
+          incorrect.push(`SPF: ${domain} (missing amazonses.com include)`);
+        }
+        const dmarcRecord = await this.findRecord(`_dmarc.${domain}`, "TXT");
+        if (!dmarcRecord) {
+          missing.push(`DMARC: _dmarc.${domain}`);
+        }
+        if (mailFromDomain) {
+          const mxRecord = await this.findRecord(mailFromDomain, "MX");
+          if (!mxRecord) {
+            missing.push(`MX: ${mailFromDomain}`);
+          } else if (!mxRecord.content.includes(`feedback-smtp.${region}.amazonses.com`)) {
+            incorrect.push(`MX: ${mailFromDomain}`);
+          }
+          const mailFromSpf = await this.findRecord(mailFromDomain, "TXT");
+          if (!mailFromSpf) {
+            missing.push(`SPF: ${mailFromDomain}`);
+          }
+        }
+        return {
+          verified: missing.length === 0 && incorrect.length === 0,
+          missing,
+          incorrect
+        };
+      }
+    };
+  }
+});
+
+// src/utils/dns/vercel.ts
+var VERCEL_API_BASE, VercelDNSClient;
+var init_vercel = __esm({
+  "src/utils/dns/vercel.ts"() {
+    "use strict";
+    init_esm_shims();
+    VERCEL_API_BASE = "https://api.vercel.com";
+    VercelDNSClient = class {
+      domain;
+      apiToken;
+      teamId;
+      constructor(domain, apiToken, teamId) {
+        this.domain = domain;
+        this.apiToken = apiToken;
+        this.teamId = teamId;
+      }
+      get teamParam() {
+        return this.teamId ? `&teamId=${this.teamId}` : "";
+      }
+      async request(endpoint, method = "GET", body) {
+        const url = `${VERCEL_API_BASE}${endpoint}${endpoint.includes("?") ? "&" : "?"}${this.teamParam.slice(1)}`;
+        const response = await fetch(url, {
+          method,
+          headers: {
+            Authorization: `Bearer ${this.apiToken}`,
+            "Content-Type": "application/json"
+          },
+          body: body ? JSON.stringify(body) : void 0
+        });
+        return response.json();
+      }
+      async createRecord(name, type, value, mxPriority) {
+        const relativeName = name === this.domain ? "@" : name.replace(`.${this.domain}`, "");
+        const body = {
+          name: relativeName,
+          type,
+          value,
+          ttl: 1800
+        };
+        if (mxPriority !== void 0) {
+          body.mxPriority = mxPriority;
+        }
+        const result = await this.request(
+          `/v2/domains/${this.domain}/records`,
+          "POST",
+          body
+        );
+        return !result.error;
+      }
+      async findRecord(name, type) {
+        const result = await this.request(
+          `/v4/domains/${this.domain}/records`
+        );
+        if (result.error || !result.records) {
+          return null;
+        }
+        const relativeName = name === this.domain ? "@" : name.replace(`.${this.domain}`, "");
+        return result.records.find(
+          (r) => (r.name === relativeName || r.name === name) && r.type === type
+        ) || null;
+      }
+      async deleteRecord(recordId) {
+        const result = await this.request(
+          `/v2/domains/${this.domain}/records/${recordId}`,
+          "DELETE"
+        );
+        return !result.error;
+      }
+      async createEmailRecords(data) {
+        const { domain, dkimTokens, mailFromDomain, region } = data;
+        const errors2 = [];
+        let recordsCreated = 0;
+        try {
+          for (const token of dkimTokens) {
+            const name = `${token}._domainkey.${domain}`;
+            const success = await this.createRecord(
+              name,
+              "CNAME",
+              `${token}.dkim.amazonses.com`
+            );
+            if (success) {
+              recordsCreated++;
+            } else {
+              errors2.push(`Failed to create DKIM record: ${name}`);
+            }
+          }
+          const spfSuccess = await this.createRecord(
+            domain,
+            "TXT",
+            "v=spf1 include:amazonses.com ~all"
+          );
+          if (spfSuccess) {
+            recordsCreated++;
+          } else {
+            errors2.push(`Failed to create SPF record for ${domain}`);
+          }
+          const dmarcSuccess = await this.createRecord(
+            `_dmarc.${domain}`,
+            "TXT",
+            `v=DMARC1; p=quarantine; rua=mailto:postmaster@${mailFromDomain || domain}`
+          );
+          if (dmarcSuccess) {
+            recordsCreated++;
+          } else {
+            errors2.push(`Failed to create DMARC record for ${domain}`);
+          }
+          if (mailFromDomain) {
+            const mxSuccess = await this.createRecord(
+              mailFromDomain,
+              "MX",
+              `feedback-smtp.${region}.amazonses.com`,
+              10
+            );
+            if (mxSuccess) {
+              recordsCreated++;
+            } else {
+              errors2.push(`Failed to create MX record for ${mailFromDomain}`);
+            }
+            const mailFromSpfSuccess = await this.createRecord(
+              mailFromDomain,
+              "TXT",
+              "v=spf1 include:amazonses.com ~all"
+            );
+            if (mailFromSpfSuccess) {
+              recordsCreated++;
+            } else {
+              errors2.push(`Failed to create SPF record for ${mailFromDomain}`);
+            }
+          }
+          return {
+            success: errors2.length === 0,
+            recordsCreated,
+            errors: errors2.length > 0 ? errors2 : void 0
+          };
+        } catch (error) {
+          return {
+            success: false,
+            recordsCreated,
+            errors: [
+              ...errors2,
+              error instanceof Error ? error.message : "Unknown error"
+            ]
+          };
+        }
+      }
+      async deleteEmailRecords(data) {
+        const { domain, dkimTokens, mailFromDomain } = data;
+        const errors2 = [];
+        let recordsCreated = 0;
+        try {
+          for (const token of dkimTokens) {
+            const name = `${token}._domainkey.${domain}`;
+            const record = await this.findRecord(name, "CNAME");
+            if (record) {
+              const success = await this.deleteRecord(record.id);
+              if (success) {
+                recordsCreated++;
+              } else {
+                errors2.push(`Failed to delete DKIM record: ${name}`);
+              }
+            }
+          }
+          const dmarcRecord = await this.findRecord(`_dmarc.${domain}`, "TXT");
+          if (dmarcRecord) {
+            const success = await this.deleteRecord(dmarcRecord.id);
+            if (success) {
+              recordsCreated++;
+            } else {
+              errors2.push("Failed to delete DMARC record");
+            }
+          }
+          if (mailFromDomain) {
+            const mxRecord = await this.findRecord(mailFromDomain, "MX");
+            if (mxRecord) {
+              const success = await this.deleteRecord(mxRecord.id);
+              if (success) {
+                recordsCreated++;
+              } else {
+                errors2.push(`Failed to delete MX record for ${mailFromDomain}`);
+              }
+            }
+            const spfRecord = await this.findRecord(mailFromDomain, "TXT");
+            if (spfRecord) {
+              const success = await this.deleteRecord(spfRecord.id);
+              if (success) {
+                recordsCreated++;
+              } else {
+                errors2.push(`Failed to delete SPF record for ${mailFromDomain}`);
+              }
+            }
+          }
+          return {
+            success: errors2.length === 0,
+            recordsCreated,
+            errors: errors2.length > 0 ? errors2 : void 0
+          };
+        } catch (error) {
+          return {
+            success: false,
+            recordsCreated,
+            errors: [
+              ...errors2,
+              error instanceof Error ? error.message : "Unknown error"
+            ]
+          };
+        }
+      }
+      async verifyRecords(data) {
+        const { domain, dkimTokens, mailFromDomain, region } = data;
+        const missing = [];
+        const incorrect = [];
+        for (const token of dkimTokens) {
+          const name = `${token}._domainkey.${domain}`;
+          const expectedValue = `${token}.dkim.amazonses.com`;
+          const record = await this.findRecord(name, "CNAME");
+          if (!record) {
+            missing.push(`DKIM: ${name}`);
+          } else if (record.value !== expectedValue) {
+            incorrect.push(`DKIM: ${name} (expected ${expectedValue})`);
+          }
+        }
+        const spfRecord = await this.findRecord(domain, "TXT");
+        if (!spfRecord) {
+          missing.push(`SPF: ${domain}`);
+        } else if (!spfRecord.value.includes("include:amazonses.com")) {
+          incorrect.push(`SPF: ${domain} (missing amazonses.com include)`);
+        }
+        const dmarcRecord = await this.findRecord(`_dmarc.${domain}`, "TXT");
+        if (!dmarcRecord) {
+          missing.push(`DMARC: _dmarc.${domain}`);
+        }
+        if (mailFromDomain) {
+          const mxRecord = await this.findRecord(mailFromDomain, "MX");
+          if (!mxRecord) {
+            missing.push(`MX: ${mailFromDomain}`);
+          } else if (!mxRecord.value.includes(`feedback-smtp.${region}.amazonses.com`)) {
+            incorrect.push(`MX: ${mailFromDomain}`);
+          }
+          const mailFromSpf = await this.findRecord(mailFromDomain, "TXT");
+          if (!mailFromSpf) {
+            missing.push(`SPF: ${mailFromDomain}`);
+          }
+        }
+        return {
+          verified: missing.length === 0 && incorrect.length === 0,
+          missing,
+          incorrect
+        };
+      }
+    };
+  }
+});
+
+// src/utils/dns/create-records.ts
+function buildEmailDNSRecords(data) {
+  const { domain, dkimTokens, mailFromDomain, region } = data;
+  const records = [];
+  for (const token of dkimTokens) {
+    records.push({
+      name: `${token}._domainkey.${domain}`,
+      type: "CNAME",
+      value: `${token}.dkim.amazonses.com`,
+      category: "dkim"
+    });
+  }
+  records.push({
+    name: domain,
+    type: "TXT",
+    value: "v=spf1 include:amazonses.com ~all",
+    category: "spf"
+  });
+  const dmarcRuaDomain = mailFromDomain || domain;
+  records.push({
+    name: `_dmarc.${domain}`,
+    type: "TXT",
+    value: `v=DMARC1; p=quarantine; rua=mailto:postmaster@${dmarcRuaDomain}`,
+    category: "dmarc"
+  });
+  if (mailFromDomain) {
+    records.push({
+      name: mailFromDomain,
+      type: "MX",
+      value: `feedback-smtp.${region}.amazonses.com`,
+      priority: 10,
+      category: "mailfrom_mx"
+    });
+    records.push({
+      name: mailFromDomain,
+      type: "TXT",
+      value: "v=spf1 include:amazonses.com ~all",
+      category: "mailfrom_spf"
+    });
+  }
+  return records;
+}
+function formatDNSRecordsForDisplay(records) {
+  return records.map((r) => ({
+    name: r.name,
+    type: r.type,
+    value: r.priority ? `${r.priority} ${r.value}` : r.value
+  }));
+}
+async function createDNSRecordsForProvider(credentials, data, selectedCategories) {
+  switch (credentials.provider) {
+    case "route53": {
+      const categories = selectedCategories || /* @__PURE__ */ new Set([
+        "dkim",
+        "spf",
+        "dmarc",
+        "mailfrom_mx",
+        "mailfrom_spf"
+      ]);
+      try {
+        await createSelectedDNSRecords(
+          credentials.hostedZoneId,
+          data.domain,
+          data.dkimTokens,
+          data.region,
+          categories,
+          void 0,
+          // customTrackingDomain - not used here
+          data.mailFromDomain
+        );
+        let recordsCreated = 0;
+        if (categories.has("dkim")) recordsCreated += data.dkimTokens.length;
+        if (categories.has("spf")) recordsCreated += 1;
+        if (categories.has("dmarc")) recordsCreated += 1;
+        if (data.mailFromDomain) {
+          if (categories.has("mailfrom_mx")) recordsCreated += 1;
+          if (categories.has("mailfrom_spf")) recordsCreated += 1;
+        }
+        return {
+          success: true,
+          recordsCreated
+        };
+      } catch (error) {
+        return {
+          success: false,
+          recordsCreated: 0,
+          errors: [error instanceof Error ? error.message : "Unknown error"]
+        };
+      }
+    }
+    case "vercel": {
+      const client = new VercelDNSClient(
+        data.domain,
+        credentials.token,
+        credentials.teamId
+      );
+      return client.createEmailRecords(data);
+    }
+    case "cloudflare": {
+      const client = new CloudflareDNSClient(
+        credentials.zoneId,
+        credentials.token
+      );
+      return client.createEmailRecords(data);
+    }
+    case "manual": {
+      return {
+        success: true,
+        recordsCreated: 0
+      };
+    }
+  }
+}
+function getDNSProviderDisplayName(provider) {
+  switch (provider) {
+    case "route53":
+      return "AWS Route53";
+    case "vercel":
+      return "Vercel DNS";
+    case "cloudflare":
+      return "Cloudflare";
+    case "manual":
+      return "Manual";
+  }
+}
+function getDNSProviderTokenUrl(provider) {
+  switch (provider) {
+    case "vercel":
+      return "https://vercel.com/account/tokens";
+    case "cloudflare":
+      return "https://dash.cloudflare.com/profile/api-tokens";
+  }
+}
+var init_create_records = __esm({
+  "src/utils/dns/create-records.ts"() {
+    "use strict";
+    init_esm_shims();
+    init_route53();
+    init_cloudflare();
+    init_vercel();
+  }
+});
+
+// src/utils/dns/credentials.ts
+function getDNSProviderEnvVars(provider) {
+  switch (provider) {
+    case "route53":
+      return [];
+    // Uses AWS credentials from environment/config
+    case "vercel":
+      return ["VERCEL_TOKEN"];
+    case "cloudflare":
+      return ["CLOUDFLARE_API_TOKEN"];
+    case "manual":
+      return [];
+  }
+}
+function getDNSProviderOptionalEnvVars(provider) {
+  switch (provider) {
+    case "vercel":
+      return ["VERCEL_TEAM_ID"];
+    case "cloudflare":
+      return ["CLOUDFLARE_ZONE_ID"];
+    default:
+      return [];
+  }
+}
+function hasVercelToken() {
+  return !!process.env.VERCEL_TOKEN;
+}
+function hasCloudflareToken() {
+  return !!process.env.CLOUDFLARE_API_TOKEN;
+}
+async function validateVercelCredentials(token) {
+  try {
+    const response = await fetch("https://api.vercel.com/v2/user", {
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    });
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+async function checkVercelDomain(token, domain, teamId) {
+  try {
+    const teamParam = teamId ? `&teamId=${teamId}` : "";
+    const response = await fetch(
+      `https://api.vercel.com/v5/domains/${domain}?${teamParam}`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`
+        }
+      }
+    );
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+async function validateCloudflareCredentials(token) {
+  try {
+    const response = await fetch(
+      "https://api.cloudflare.com/client/v4/user/tokens/verify",
+      {
+        headers: {
+          Authorization: `Bearer ${token}`
+        }
+      }
+    );
+    const data = await response.json();
+    return data.success === true;
+  } catch {
+    return false;
+  }
+}
+async function findCloudflareZoneId(token, domain) {
+  try {
+    const response = await fetch(
+      `https://api.cloudflare.com/client/v4/zones?name=${encodeURIComponent(domain)}`,
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "Content-Type": "application/json"
+        }
+      }
+    );
+    const data = await response.json();
+    if (data.success && data.result.length > 0) {
+      return data.result[0].id;
+    }
+    const parts = domain.split(".");
+    if (parts.length > 2) {
+      const parentDomain = parts.slice(-2).join(".");
+      const parentResponse = await fetch(
+        `https://api.cloudflare.com/client/v4/zones?name=${encodeURIComponent(parentDomain)}`,
+        {
+          headers: {
+            Authorization: `Bearer ${token}`,
+            "Content-Type": "application/json"
+          }
+        }
+      );
+      const parentData = await parentResponse.json();
+      if (parentData.success && parentData.result.length > 0) {
+        return parentData.result[0].id;
+      }
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function getDNSCredentials(provider, domain, region) {
+  switch (provider) {
+    case "route53": {
+      const hostedZone = await findHostedZone(domain, region);
+      if (hostedZone) {
+        return {
+          valid: true,
+          credentials: { provider: "route53", hostedZoneId: hostedZone.id }
+        };
+      }
+      return {
+        valid: false,
+        error: `No Route53 hosted zone found for ${domain}`
+      };
+    }
+    case "vercel": {
+      const token = process.env.VERCEL_TOKEN;
+      if (!token) {
+        return {
+          valid: false,
+          error: "VERCEL_TOKEN environment variable is not set"
+        };
+      }
+      const isValid = await validateVercelCredentials(token);
+      if (!isValid) {
+        return {
+          valid: false,
+          error: "Invalid VERCEL_TOKEN - authentication failed"
+        };
+      }
+      const teamId = process.env.VERCEL_TEAM_ID;
+      const hasDomain = await checkVercelDomain(token, domain, teamId);
+      if (!hasDomain) {
+        return {
+          valid: false,
+          error: `Domain ${domain} not found in Vercel DNS`
+        };
+      }
+      return {
+        valid: true,
+        credentials: { provider: "vercel", token, teamId }
+      };
+    }
+    case "cloudflare": {
+      const token = process.env.CLOUDFLARE_API_TOKEN;
+      if (!token) {
+        return {
+          valid: false,
+          error: "CLOUDFLARE_API_TOKEN environment variable is not set"
+        };
+      }
+      const isValid = await validateCloudflareCredentials(token);
+      if (!isValid) {
+        return {
+          valid: false,
+          error: "Invalid CLOUDFLARE_API_TOKEN - authentication failed"
+        };
+      }
+      let zoneId = process.env.CLOUDFLARE_ZONE_ID;
+      if (!zoneId) {
+        const detectedZoneId = await findCloudflareZoneId(token, domain);
+        zoneId = detectedZoneId ?? void 0;
+      }
+      if (!zoneId) {
+        return {
+          valid: false,
+          error: `Could not find Cloudflare zone for ${domain}. Set CLOUDFLARE_ZONE_ID if the domain uses a different zone.`
+        };
+      }
+      return {
+        valid: true,
+        credentials: { provider: "cloudflare", token, zoneId }
+      };
+    }
+    case "manual":
+      return {
+        valid: true,
+        credentials: { provider: "manual" }
+      };
+  }
+}
+async function detectAvailableDNSProviders(domain, region) {
+  const providers = [];
+  const hostedZone = await findHostedZone(domain, region);
+  providers.push({
+    provider: "route53",
+    detected: !!hostedZone,
+    hint: hostedZone ? "Hosted zone detected" : void 0
+  });
+  const vercelToken = process.env.VERCEL_TOKEN;
+  if (vercelToken) {
+    const teamId = process.env.VERCEL_TEAM_ID;
+    const hasDomain = await checkVercelDomain(vercelToken, domain, teamId);
+    providers.push({
+      provider: "vercel",
+      detected: hasDomain,
+      hint: hasDomain ? "Domain found in Vercel DNS" : "Token found"
+    });
+  } else {
+    providers.push({
+      provider: "vercel",
+      detected: false
+    });
+  }
+  const cfToken = process.env.CLOUDFLARE_API_TOKEN;
+  if (cfToken) {
+    const zoneId = process.env.CLOUDFLARE_ZONE_ID || await findCloudflareZoneId(cfToken, domain);
+    providers.push({
+      provider: "cloudflare",
+      detected: !!zoneId,
+      hint: zoneId ? "Zone found" : "Token found"
+    });
+  } else {
+    providers.push({
+      provider: "cloudflare",
+      detected: false
     });
+  }
+  providers.push({
+    provider: "manual",
+    detected: true,
+    hint: "I'll add DNS records myself"
   });
-  const putArchivingOptionsCommand = new PutConfigurationSetArchivingOptionsCommand({
-    ConfigurationSetName: configSetName,
-    ArchiveArn: archiveArn
+  return providers.sort((a, b) => {
+    if (a.provider === "manual") return 1;
+    if (b.provider === "manual") return -1;
+    if (a.detected && !b.detected) return -1;
+    if (!a.detected && b.detected) return 1;
+    return 0;
   });
-  await sesClient.send(putArchivingOptionsCommand);
-  if (!(archiveId && archiveArn)) {
-    throw new Error("Failed to get archive ID or ARN");
-  }
-  return {
-    archiveId,
-    archiveArn,
-    kmsKeyArn
-  };
 }
-var init_mail_manager = __esm({
-  "src/infrastructure/resources/mail-manager.ts"() {
+var init_credentials = __esm({
+  "src/utils/dns/credentials.ts"() {
+    "use strict";
+    init_esm_shims();
+    init_route53();
+  }
+});
+
+// src/utils/dns/index.ts
+var dns_exports = {};
+__export(dns_exports, {
+  CloudflareDNSClient: () => CloudflareDNSClient,
+  VercelDNSClient: () => VercelDNSClient,
+  buildEmailDNSRecords: () => buildEmailDNSRecords,
+  createDNSRecordsForProvider: () => createDNSRecordsForProvider,
+  detectAvailableDNSProviders: () => detectAvailableDNSProviders,
+  findCloudflareZoneId: () => findCloudflareZoneId,
+  formatDNSRecordsForDisplay: () => formatDNSRecordsForDisplay,
+  getDNSCredentials: () => getDNSCredentials,
+  getDNSProviderDisplayName: () => getDNSProviderDisplayName,
+  getDNSProviderEnvVars: () => getDNSProviderEnvVars,
+  getDNSProviderOptionalEnvVars: () => getDNSProviderOptionalEnvVars,
+  getDNSProviderTokenUrl: () => getDNSProviderTokenUrl,
+  hasCloudflareToken: () => hasCloudflareToken,
+  hasVercelToken: () => hasVercelToken
+});
+var init_dns = __esm({
+  "src/utils/dns/index.ts"() {
     "use strict";
     init_esm_shims();
+    init_cloudflare();
+    init_create_records();
+    init_credentials();
+    init_vercel();
   }
 });
 
@@ -9210,7 +10187,7 @@ function createNodeDnsProvider(options = {}) {
   if (options.servers && options.servers.length > 0) {
     resolver.setServers(options.servers);
   }
-  async function withTimeout(promise, operation) {
+  async function withTimeout2(promise, operation) {
     const timeoutPromise = new Promise((_, reject) => {
       setTimeout(() => {
         reject(new Error(`DNS ${operation} timed out after ${timeout}ms`));
@@ -9220,7 +10197,7 @@ function createNodeDnsProvider(options = {}) {
   }
   async function resolveTxt(domain) {
     try {
-      const records = await withTimeout(
+      const records = await withTimeout2(
         dns.resolveTxt(domain),
         `TXT lookup for ${domain}`
       );
@@ -9234,7 +10211,7 @@ function createNodeDnsProvider(options = {}) {
   }
   async function resolveMx(domain) {
     try {
-      const records = await withTimeout(
+      const records = await withTimeout2(
         dns.resolveMx(domain),
         `MX lookup for ${domain}`
       );
@@ -9248,7 +10225,7 @@ function createNodeDnsProvider(options = {}) {
   }
   async function resolveA(domain) {
     try {
-      const records = await withTimeout(
+      const records = await withTimeout2(
         dns.resolve4(domain),
         `A lookup for ${domain}`
       );
@@ -9262,7 +10239,7 @@ function createNodeDnsProvider(options = {}) {
   }
   async function resolveAaaa(domain) {
     try {
-      const records = await withTimeout(
+      const records = await withTimeout2(
         dns.resolve6(domain),
         `AAAA lookup for ${domain}`
       );
@@ -9276,7 +10253,7 @@ function createNodeDnsProvider(options = {}) {
   }
   async function resolvePtr(ip) {
     try {
-      const records = await withTimeout(
+      const records = await withTimeout2(
         dns.reverse(ip),
         `PTR lookup for ${ip}`
       );
@@ -9290,7 +10267,7 @@ function createNodeDnsProvider(options = {}) {
   }
   async function resolveCaa(domain) {
     try {
-      const records = await withTimeout(
+      const records = await withTimeout2(
         dns.resolveCaa(domain),
         `CAA lookup for ${domain}`
       );
@@ -9322,7 +10299,7 @@ function createNodeDnsProvider(options = {}) {
   }
   async function resolveCname(domain) {
     try {
-      const records = await withTimeout(
+      const records = await withTimeout2(
         dns.resolveCname(domain),
         `CNAME lookup for ${domain}`
       );
@@ -11885,14 +12862,13 @@ async function tryGetSesDkimTokens(domain) {
 // src/commands/email/config.ts
 init_esm_shims();
 import * as clack13 from "@clack/prompts";
-import * as pulumi13 from "@pulumi/pulumi";
+import * as pulumi12 from "@pulumi/pulumi";
 import pc14 from "picocolors";
 
 // src/infrastructure/email-stack.ts
 init_esm_shims();
 init_dist();
 import * as aws14 from "@pulumi/aws";
-import * as pulumi12 from "@pulumi/pulumi";
 
 // src/infrastructure/resources/alerting.ts
 init_esm_shims();
@@ -13066,7 +14042,7 @@ ${pc14.bold("Current Configuration:")}
         "Generating update preview",
         async () => {
           await ensurePulumiWorkDir();
-          const stack = await pulumi13.automation.LocalWorkspace.createOrSelectStack(
+          const stack = await pulumi12.automation.LocalWorkspace.createOrSelectStack(
             {
               stackName: metadata.services.email?.pulumiStackName || `wraps-${identity.accountId}-${region}`,
               projectName: "wraps-email",
@@ -13130,7 +14106,7 @@ ${pc14.bold("Current Configuration:")}
       "Updating Wraps infrastructure (this may take 2-3 minutes)",
       async () => {
         await ensurePulumiWorkDir();
-        const stack = await pulumi13.automation.LocalWorkspace.createOrSelectStack(
+        const stack = await pulumi12.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: metadata.services.email?.pulumiStackName || `wraps-${identity.accountId}-${region}`,
             projectName: "wraps-email",
@@ -13227,7 +14203,7 @@ ${pc14.green("\u2713")} ${pc14.bold("Update complete!")}
 // src/commands/email/connect.ts
 init_esm_shims();
 import * as clack14 from "@clack/prompts";
-import * as pulumi14 from "@pulumi/pulumi";
+import * as pulumi13 from "@pulumi/pulumi";
 import pc15 from "picocolors";
 init_events();
 init_presets();
@@ -13567,7 +14543,7 @@ async function connect2(options) {
         "Generating infrastructure preview",
         async () => {
           await ensurePulumiWorkDir();
-          const stack = await pulumi14.automation.LocalWorkspace.createOrSelectStack(
+          const stack = await pulumi13.automation.LocalWorkspace.createOrSelectStack(
             {
               stackName: `wraps-${identity.accountId}-${region}`,
               projectName: "wraps-email",
@@ -13631,7 +14607,7 @@ async function connect2(options) {
       "Deploying Wraps infrastructure (this may take 2-3 minutes)",
       async () => {
         await ensurePulumiWorkDir();
-        const stack = await pulumi14.automation.LocalWorkspace.createOrSelectStack(
+        const stack = await pulumi13.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: `wraps-${identity.accountId}-${region}`,
             projectName: "wraps-email",
@@ -13791,8 +14767,42 @@ init_errors();
 init_fs();
 init_metadata();
 import * as clack15 from "@clack/prompts";
-import * as pulumi15 from "@pulumi/pulumi";
+import * as pulumi14 from "@pulumi/pulumi";
 import pc16 from "picocolors";
+
+// src/utils/shared/timeout.ts
+init_esm_shims();
+init_errors();
+var DEFAULT_PULUMI_TIMEOUT_MS = 10 * 60 * 1e3;
+var TimeoutError = class extends WrapsError {
+  constructor(operation, timeoutMs) {
+    const timeoutMinutes = Math.round(timeoutMs / 6e4);
+    super(
+      `Operation "${operation}" timed out after ${timeoutMinutes} minute${timeoutMinutes === 1 ? "" : "s"}`,
+      "OPERATION_TIMEOUT",
+      "The operation took longer than expected. This can happen due to:\n  - Slow network connection\n  - AWS API throttling\n  - Large number of resources\n\nYou can try:\n  1. Check AWS CloudFormation/Pulumi state for partial deployments\n  2. Run the command again (it will resume where it left off)\n  3. Check your AWS console for any stuck resources",
+      "https://wraps.dev/docs/guides/aws-setup/troubleshooting"
+    );
+  }
+};
+async function withTimeout(promise, timeoutMs, operation) {
+  let timeoutId;
+  const timeoutPromise = new Promise((_, reject) => {
+    timeoutId = setTimeout(() => {
+      reject(new TimeoutError(operation, timeoutMs));
+    }, timeoutMs);
+  });
+  try {
+    const result = await Promise.race([promise, timeoutPromise]);
+    return result;
+  } finally {
+    if (timeoutId) {
+      clearTimeout(timeoutId);
+    }
+  }
+}
+
+// src/commands/email/destroy.ts
 async function getEmailIdentityInfo(domain, region) {
   try {
     const { SESv2Client: SESv2Client6, GetEmailIdentityCommand: GetEmailIdentityCommand5 } = await import("@aws-sdk/client-sesv2");
@@ -13893,10 +14903,10 @@ async function emailDestroy(options) {
         "Generating destruction preview",
         async () => {
           await ensurePulumiWorkDir();
-          const stackName = storedStackName || `wraps-email-${identity.accountId}-${region}`;
+          const stackName = storedStackName || `wraps-${identity.accountId}-${region}`;
           let stack;
           try {
-            stack = await pulumi15.automation.LocalWorkspace.selectStack({
+            stack = await pulumi14.automation.LocalWorkspace.selectStack({
               stackName,
               workDir: getPulumiWorkDir()
             });
@@ -13964,18 +14974,23 @@ async function emailDestroy(options) {
       "Destroying email infrastructure (this may take 2-3 minutes)",
       async () => {
         await ensurePulumiWorkDir();
-        const stackName = storedStackName || `wraps-email-${identity.accountId}-${region}`;
+        const stackName = storedStackName || `wraps-${identity.accountId}-${region}`;
         let stack;
         try {
-          stack = await pulumi15.automation.LocalWorkspace.selectStack({
+          stack = await pulumi14.automation.LocalWorkspace.selectStack({
             stackName,
             workDir: getPulumiWorkDir()
           });
         } catch (_error) {
           throw new Error("No email infrastructure found to destroy");
         }
-        await stack.destroy({ onOutput: () => {
-        } });
+        await withTimeout(
+          stack.destroy({ onOutput: () => {
+          } }),
+          // Suppress Pulumi output
+          DEFAULT_PULUMI_TIMEOUT_MS,
+          "Pulumi destroy"
+        );
         await stack.workspace.removeStack(stackName);
       }
     );
@@ -14479,7 +15494,7 @@ async function removeDomain(options) {
 // src/commands/email/init.ts
 init_esm_shims();
 import * as clack17 from "@clack/prompts";
-import * as pulumi16 from "@pulumi/pulumi";
+import * as pulumi15 from "@pulumi/pulumi";
 import pc18 from "picocolors";
 init_events();
 init_costs();
@@ -14487,6 +15502,141 @@ init_presets();
 init_aws();
 init_errors();
 init_fs();
+
+// src/utils/shared/iam-check.ts
+init_esm_shims();
+var CORE_IAM_ACTIONS = [
+  "iam:CreateRole",
+  "iam:GetRole",
+  "iam:PutRolePolicy",
+  "iam:DeleteRole",
+  "iam:DeleteRolePolicy",
+  "iam:TagRole",
+  "ses:CreateConfigurationSet",
+  "ses:DeleteConfigurationSet",
+  "ses:CreateEmailIdentity",
+  "ses:DeleteEmailIdentity",
+  "ses:GetEmailIdentity",
+  "ses:PutEmailIdentityDkimAttributes"
+];
+var EVENT_TRACKING_ACTIONS = [
+  "events:CreateEventBus",
+  "events:DeleteEventBus",
+  "events:PutRule",
+  "events:DeleteRule",
+  "events:PutTargets",
+  "events:RemoveTargets",
+  "sqs:CreateQueue",
+  "sqs:DeleteQueue",
+  "sqs:SetQueueAttributes",
+  "sqs:GetQueueAttributes"
+];
+var DYNAMODB_ACTIONS = [
+  "dynamodb:CreateTable",
+  "dynamodb:DeleteTable",
+  "dynamodb:DescribeTable",
+  "dynamodb:UpdateTable",
+  "dynamodb:TagResource"
+];
+var LAMBDA_ACTIONS = [
+  "lambda:CreateFunction",
+  "lambda:DeleteFunction",
+  "lambda:UpdateFunctionCode",
+  "lambda:UpdateFunctionConfiguration",
+  "lambda:GetFunction",
+  "lambda:AddPermission",
+  "lambda:RemovePermission",
+  "lambda:CreateEventSourceMapping",
+  "lambda:DeleteEventSourceMapping"
+];
+function getRequiredActions(config2) {
+  const actions = [...CORE_IAM_ACTIONS];
+  if (config2.eventTracking?.enabled) {
+    actions.push(...EVENT_TRACKING_ACTIONS);
+  }
+  if (config2.eventTracking?.dynamoDBHistory) {
+    actions.push(...DYNAMODB_ACTIONS);
+    actions.push(...LAMBDA_ACTIONS);
+  }
+  return [...new Set(actions)];
+}
+async function checkIAMPermissions(userArn, actions, region) {
+  try {
+    const { IAMClient: IAMClient3, SimulatePrincipalPolicyCommand } = await import("@aws-sdk/client-iam");
+    const client = new IAMClient3({ region });
+    const batchSize = 100;
+    const batches = [];
+    for (let i = 0; i < actions.length; i += batchSize) {
+      batches.push(actions.slice(i, i + batchSize));
+    }
+    const allowedActions = [];
+    const deniedActions = [];
+    for (const batch of batches) {
+      const command = new SimulatePrincipalPolicyCommand({
+        PolicySourceArn: userArn,
+        ActionNames: batch,
+        // Use a wildcard resource since we're checking general permissions
+        // More specific resource-level checks could be added later
+        ResourceArns: ["*"]
+      });
+      const response = await client.send(command);
+      for (const result of response.EvaluationResults || []) {
+        const actionName = result.EvalActionName;
+        const decision = result.EvalDecision;
+        if (decision === "allowed") {
+          if (actionName) allowedActions.push(actionName);
+        } else if (actionName) deniedActions.push(actionName);
+      }
+    }
+    return {
+      success: deniedActions.length === 0,
+      deniedActions,
+      allowedActions,
+      skipped: false
+    };
+  } catch (error) {
+    if (error instanceof Error && (error.name === "AccessDenied" || error.name === "AccessDeniedException" || error.message?.includes("AccessDenied") || error.message?.includes("iam:SimulatePrincipalPolicy"))) {
+      return {
+        success: true,
+        // Don't block on this
+        deniedActions: [],
+        allowedActions: [],
+        skipped: true,
+        skipReason: "Unable to verify permissions (iam:SimulatePrincipalPolicy not allowed). Deployment will proceed, but may fail if permissions are missing."
+      };
+    }
+    return {
+      success: true,
+      deniedActions: [],
+      allowedActions: [],
+      skipped: true,
+      skipReason: `Permission check failed: ${error instanceof Error ? error.message : "Unknown error"}. Proceeding with deployment.`
+    };
+  }
+}
+function formatDeniedActions(actions) {
+  if (actions.length === 0) return "";
+  const byService = {};
+  for (const action of actions) {
+    const [service, actionName] = action.split(":");
+    if (!byService[service]) {
+      byService[service] = [];
+    }
+    byService[service].push(actionName);
+  }
+  const lines = ["Missing permissions:"];
+  for (const [service, serviceActions] of Object.entries(byService)) {
+    lines.push(`  ${service.toUpperCase()}:`);
+    for (const action of serviceActions) {
+      lines.push(`    - ${service}:${action}`);
+    }
+  }
+  lines.push("");
+  lines.push("Run `wraps permissions --json` to see the full policy document.");
+  return lines.join("\n");
+}
+
+// src/commands/email/init.ts
 init_metadata();
 init_prompts();
 async function init2(options) {
@@ -14594,6 +15744,23 @@ ${pc18.yellow(pc18.bold("Configuration Warnings:"))}`);
       process.exit(0);
     }
   }
+  if (!options.preview) {
+    const iamCheckResult = await progress.execute(
+      "Checking IAM permissions",
+      async () => {
+        const requiredActions = getRequiredActions(emailConfig);
+        return checkIAMPermissions(identity.arn, requiredActions, region);
+      }
+    );
+    if (iamCheckResult.skipped && iamCheckResult.skipReason) {
+      progress.info(pc18.dim(iamCheckResult.skipReason));
+    } else if (!iamCheckResult.success) {
+      clack17.log.warn(
+        pc18.yellow("Some IAM permissions may be missing. Deployment may fail.")
+      );
+      clack17.log.info(formatDeniedActions(iamCheckResult.deniedActions));
+    }
+  }
   const stackConfig = {
     provider,
     region,
@@ -14606,7 +15773,7 @@ ${pc18.yellow(pc18.bold("Configuration Warnings:"))}`);
         "Generating infrastructure preview",
         async () => {
           await ensurePulumiWorkDir();
-          const stack = await pulumi16.automation.LocalWorkspace.createOrSelectStack(
+          const stack = await pulumi15.automation.LocalWorkspace.createOrSelectStack(
             {
               stackName: `wraps-${identity.accountId}-${region}`,
               projectName: "wraps-email",
@@ -14675,7 +15842,7 @@ ${pc18.yellow(pc18.bold("Configuration Warnings:"))}`);
       "Deploying infrastructure (this may take 2-3 minutes)",
       async () => {
         await ensurePulumiWorkDir();
-        const stack = await pulumi16.automation.LocalWorkspace.createOrSelectStack(
+        const stack = await pulumi15.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: `wraps-${identity.accountId}-${region}`,
             projectName: "wraps-email",
@@ -14712,8 +15879,13 @@ ${pc18.yellow(pc18.bold("Configuration Warnings:"))}`);
           `wraps-${identity.accountId}-${region}`
         );
         await stack.setConfig("aws:region", { value: region });
-        const upResult = await stack.up({ onOutput: () => {
-        } });
+        const upResult = await withTimeout(
+          stack.up({ onOutput: () => {
+          } }),
+          // Suppress Pulumi output
+          DEFAULT_PULUMI_TIMEOUT_MS,
+          "Pulumi deployment"
+        );
         const pulumiOutputs = upResult.outputs;
         return {
           roleArn: pulumiOutputs.roleArn?.value,
@@ -14783,51 +15955,149 @@ ${pc18.yellow(pc18.bold("Configuration Warnings:"))}`);
   await saveConnectionMetadata(metadata);
   progress.info("Connection metadata saved for upgrade and restore capability");
   let dnsAutoCreated = false;
+  let dnsProvider;
   if (outputs.domain && outputs.dkimTokens && outputs.dkimTokens.length > 0) {
-    const { findHostedZone: findHostedZone2, previewDNSChanges: previewDNSChanges2, createSelectedDNSRecords: createSelectedDNSRecords2 } = await Promise.resolve().then(() => (init_route53(), route53_exports));
-    const { promptDNSManagement: promptDNSManagement2, promptDNSConfirmation: promptDNSConfirmation2 } = await Promise.resolve().then(() => (init_prompts(), prompts_exports));
-    const hostedZone = await findHostedZone2(outputs.domain, region);
-    if (hostedZone) {
-      const manageDNS = await promptDNSManagement2(outputs.domain);
-      if (manageDNS) {
-        try {
-          progress.start("Checking existing DNS records");
-          const dnsPreview = await previewDNSChanges2(
-            hostedZone.id,
-            outputs.domain,
-            outputs.dkimTokens,
-            region,
-            outputs.customTrackingDomain,
-            outputs.mailFromDomain
-          );
-          progress.stop();
-          const { shouldCreate, selectedCategories } = await promptDNSConfirmation2(dnsPreview);
-          if (shouldCreate && selectedCategories.size > 0) {
-            progress.start("Creating selected DNS records in Route53");
-            await createSelectedDNSRecords2(
-              hostedZone.id,
+    const {
+      detectAvailableDNSProviders: detectAvailableDNSProviders2,
+      getDNSCredentials: getDNSCredentials2,
+      createDNSRecordsForProvider: createDNSRecordsForProvider2,
+      getDNSProviderDisplayName: getDNSProviderDisplayName2,
+      getDNSProviderTokenUrl: getDNSProviderTokenUrl2,
+      buildEmailDNSRecords: buildEmailDNSRecords2
+    } = await Promise.resolve().then(() => (init_dns(), dns_exports));
+    const {
+      promptDNSProvider: promptDNSProvider2,
+      promptDNSConfirmation: promptDNSConfirmation2,
+      promptContinueManualDNS: promptContinueManualDNS2
+    } = await Promise.resolve().then(() => (init_prompts(), prompts_exports));
+    const { previewDNSChanges: previewDNSChanges2 } = await Promise.resolve().then(() => (init_route53(), route53_exports));
+    progress.start("Detecting DNS providers");
+    const availableProviders = await detectAvailableDNSProviders2(
+      outputs.domain,
+      region
+    );
+    progress.stop();
+    const selectedProvider = await promptDNSProvider2(
+      outputs.domain,
+      availableProviders
+    );
+    dnsProvider = selectedProvider;
+    if (selectedProvider !== "manual") {
+      progress.start(
+        `Validating ${getDNSProviderDisplayName2(selectedProvider)} credentials`
+      );
+      const credentialResult2 = await getDNSCredentials2(
+        selectedProvider,
+        outputs.domain,
+        region
+      );
+      progress.stop();
+      if (credentialResult2.valid && credentialResult2.credentials) {
+        const credentials = credentialResult2.credentials;
+        if (credentials.provider === "route53") {
+          try {
+            progress.start("Checking existing DNS records");
+            const dnsPreview = await previewDNSChanges2(
+              credentials.hostedZoneId,
               outputs.domain,
               outputs.dkimTokens,
               region,
-              selectedCategories,
               outputs.customTrackingDomain,
               outputs.mailFromDomain
             );
+            progress.stop();
+            const { shouldCreate, selectedCategories } = await promptDNSConfirmation2(dnsPreview);
+            if (shouldCreate && selectedCategories.size > 0) {
+              progress.start("Creating selected DNS records in Route53");
+              const result = await createDNSRecordsForProvider2(
+                credentials,
+                {
+                  domain: outputs.domain,
+                  dkimTokens: outputs.dkimTokens,
+                  mailFromDomain: outputs.mailFromDomain,
+                  region
+                },
+                selectedCategories
+              );
+              if (result.success) {
+                progress.succeed(
+                  `Created ${selectedCategories.size} DNS record group(s) in Route53`
+                );
+                dnsAutoCreated = true;
+              } else {
+                progress.fail("Failed to create some DNS records");
+                if (result.errors) {
+                  for (const error of result.errors) {
+                    clack17.log.warn(error);
+                  }
+                }
+              }
+            } else {
+              clack17.log.info(
+                "Skipping DNS record creation. You can add them manually."
+              );
+            }
+          } catch (error) {
+            progress.stop();
+            clack17.log.warn(`Could not manage DNS records: ${error.message}`);
+          }
+        } else {
+          const recordData = {
+            domain: outputs.domain,
+            dkimTokens: outputs.dkimTokens,
+            mailFromDomain: outputs.mailFromDomain,
+            region
+          };
+          const records = buildEmailDNSRecords2(recordData);
+          clack17.log.info(pc18.bold("DNS records to create:"));
+          for (const record of records) {
+            clack17.log.info(
+              pc18.dim(`  ${record.type} ${record.name} \u2192 ${record.value}`)
+            );
+          }
+          progress.start(
+            `Creating DNS records in ${getDNSProviderDisplayName2(credentials.provider)}`
+          );
+          const result = await createDNSRecordsForProvider2(
+            credentials,
+            recordData
+          );
+          if (result.success) {
             progress.succeed(
-              `Created ${selectedCategories.size} DNS record group(s) in Route53`
+              `Created ${result.recordsCreated} DNS records in ${getDNSProviderDisplayName2(credentials.provider)}`
             );
             dnsAutoCreated = true;
           } else {
-            clack17.log.info(
-              "Skipping DNS record creation. You can add them manually."
-            );
+            progress.fail("Failed to create some DNS records");
+            if (result.errors) {
+              for (const error of result.errors) {
+                clack17.log.warn(error);
+              }
+            }
           }
-        } catch (error) {
-          progress.stop();
-          clack17.log.warn(`Could not manage DNS records: ${error.message}`);
+        }
+      } else {
+        clack17.log.warn(
+          credentialResult2.error || "Could not validate credentials"
+        );
+        if (selectedProvider === "vercel" || selectedProvider === "cloudflare") {
+          clack17.log.info(
+            `Set the ${selectedProvider === "vercel" ? "VERCEL_TOKEN" : "CLOUDFLARE_API_TOKEN"} environment variable to enable automatic DNS management.`
+          );
+          clack17.log.info(
+            `You can create a token at: ${pc18.cyan(getDNSProviderTokenUrl2(selectedProvider))}`
+          );
+        }
+        const continueManual = await promptContinueManualDNS2();
+        if (continueManual) {
+          dnsProvider = "manual";
         }
       }
     }
+    if (dnsProvider && metadata.services.email) {
+      metadata.services.email.dnsProvider = dnsProvider;
+      await saveConnectionMetadata(metadata);
+    }
   }
   const dnsRecords = [];
   if (outputs.domain && outputs.dkimTokens && outputs.dkimTokens.length > 0 && !dnsAutoCreated) {
@@ -14891,7 +16161,7 @@ init_aws();
 init_fs();
 init_metadata();
 import * as clack18 from "@clack/prompts";
-import * as pulumi17 from "@pulumi/pulumi";
+import * as pulumi16 from "@pulumi/pulumi";
 import pc19 from "picocolors";
 async function restore(options) {
   const startTime = Date.now();
@@ -14963,7 +16233,7 @@ ${pc19.bold("The following Wraps resources will be removed:")}
         const previewResult = await progress.execute(
           "Generating removal preview",
           async () => {
-            const stack = await pulumi17.automation.LocalWorkspace.selectStack(
+            const stack = await pulumi16.automation.LocalWorkspace.selectStack(
               {
                 stackName: pulumiStackName,
                 projectName: "wraps-email",
@@ -15015,7 +16285,7 @@ ${pc19.bold("The following Wraps resources will be removed:")}
         if (!metadata.services.email?.pulumiStackName) {
           throw new Error("No Pulumi stack name found in metadata");
         }
-        const stack = await pulumi17.automation.LocalWorkspace.selectStack(
+        const stack = await pulumi16.automation.LocalWorkspace.selectStack(
           {
             stackName: metadata.services.email.pulumiStackName,
             projectName: "wraps-email",
@@ -15069,7 +16339,7 @@ init_aws();
 init_fs();
 init_metadata();
 import * as clack19 from "@clack/prompts";
-import * as pulumi18 from "@pulumi/pulumi";
+import * as pulumi17 from "@pulumi/pulumi";
 import pc20 from "picocolors";
 async function emailStatus(options) {
   const startTime = Date.now();
@@ -15105,7 +16375,7 @@ async function emailStatus(options) {
   let stackOutputs = {};
   try {
     await ensurePulumiWorkDir();
-    const stack = await pulumi18.automation.LocalWorkspace.selectStack({
+    const stack = await pulumi17.automation.LocalWorkspace.selectStack({
       stackName: `wraps-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
     });
@@ -15182,9 +16452,11 @@ Run ${pc20.cyan("wraps email init")} to deploy email infrastructure.
 // src/commands/email/upgrade.ts
 init_esm_shims();
 import * as clack20 from "@clack/prompts";
-import * as pulumi19 from "@pulumi/pulumi";
+import * as pulumi18 from "@pulumi/pulumi";
 import pc21 from "picocolors";
 init_events();
+init_create_records();
+init_credentials();
 init_costs();
 init_presets();
 init_aws();
@@ -15625,35 +16897,54 @@ ${pc21.bold("Current Configuration:")}
             "This ensures all tracking links use secure HTTPS connections."
           )
         );
-        const { findHostedZone: findHostedZone2 } = await Promise.resolve().then(() => (init_route53(), route53_exports));
-        const hostedZone = await progress.execute(
-          "Checking for Route53 hosted zone",
-          async () => await findHostedZone2(trackingDomain || config2.domain, region)
-        );
-        if (hostedZone) {
-          progress.info(
-            `Found Route53 hosted zone: ${pc21.cyan(hostedZone.name)} ${pc21.green("\u2713")}`
-          );
-          clack20.log.info(
-            pc21.dim(
-              "DNS records (SSL certificate validation + CloudFront) will be created automatically."
-            )
-          );
+        let trackingDnsProvider = metadata.services.email?.dnsProvider;
+        let canAutomateDNS = false;
+        if (trackingDnsProvider) {
+          canAutomateDNS = trackingDnsProvider !== "manual";
+          if (canAutomateDNS) {
+            progress.info(
+              `Will use ${pc21.cyan(getDNSProviderDisplayName(trackingDnsProvider))} for DNS records ${pc21.green("\u2713")}`
+            );
+          }
         } else {
-          clack20.log.warn(
-            `No Route53 hosted zone found for ${pc21.cyan(trackingDomain || config2.domain)}`
-          );
-          clack20.log.info(
-            pc21.dim(
-              "You'll need to manually create DNS records for SSL certificate validation and CloudFront."
+          const availableProviders = await progress.execute(
+            "Detecting available DNS providers",
+            async () => await detectAvailableDNSProviders(
+              trackingDomain || config2.domain,
+              region
             )
           );
-          clack20.log.info(
-            pc21.dim("DNS record details will be shown after deployment.")
+          const detectedProvider = availableProviders.find(
+            (p) => p.detected && p.provider !== "manual"
           );
+          if (detectedProvider) {
+            trackingDnsProvider = detectedProvider.provider;
+            canAutomateDNS = true;
+            progress.info(
+              `Found ${pc21.cyan(getDNSProviderDisplayName(detectedProvider.provider))} ${pc21.green("\u2713")}`
+            );
+            clack20.log.info(
+              pc21.dim(
+                "DNS records (SSL certificate validation + CloudFront) will be created automatically."
+              )
+            );
+          } else {
+            canAutomateDNS = false;
+            clack20.log.warn(
+              `No automatic DNS provider detected for ${pc21.cyan(trackingDomain || config2.domain)}`
+            );
+            clack20.log.info(
+              pc21.dim(
+                "You'll need to manually create DNS records for SSL certificate validation and CloudFront."
+              )
+            );
+            clack20.log.info(
+              pc21.dim("DNS record details will be shown after deployment.")
+            );
+          }
         }
         const confirmHttps = await clack20.confirm({
-          message: hostedZone ? "Proceed with automatic HTTPS setup?" : "Proceed with manual HTTPS setup (requires DNS configuration)?",
+          message: canAutomateDNS ? "Proceed with automatic HTTPS setup?" : "Proceed with manual HTTPS setup (requires DNS configuration)?",
           initialValue: true
         });
         if (clack20.isCancel(confirmHttps) || !confirmHttps) {
@@ -16303,7 +17594,7 @@ ${pc21.bold("Cost Impact:")}`);
         "Generating upgrade preview",
         async () => {
           await ensurePulumiWorkDir();
-          const stack = await pulumi19.automation.LocalWorkspace.createOrSelectStack(
+          const stack = await pulumi18.automation.LocalWorkspace.createOrSelectStack(
             {
               stackName: metadata.services.email?.pulumiStackName || `wraps-${identity.accountId}-${region}`,
               projectName: "wraps-email",
@@ -16381,7 +17672,7 @@ ${pc21.bold("Cost Impact:")}`);
       "Updating Wraps infrastructure (this may take 2-3 minutes)",
       async () => {
         await ensurePulumiWorkDir();
-        const stack = await pulumi19.automation.LocalWorkspace.createOrSelectStack(
+        const stack = await pulumi18.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: metadata.services.email?.pulumiStackName || `wraps-${identity.accountId}-${region}`,
             projectName: "wraps-email",
@@ -16465,31 +17756,103 @@ ${pc21.bold("Cost Impact:")}`);
     trackError("UPGRADE_FAILED", "email:upgrade", { step: "deploy" });
     throw new Error(`Pulumi upgrade failed: ${error.message}`);
   }
+  let dnsAutoCreated = false;
   if (outputs.domain && outputs.dkimTokens && outputs.dkimTokens.length > 0) {
-    const { findHostedZone: findHostedZone2, createDNSRecords: createDNSRecords2 } = await Promise.resolve().then(() => (init_route53(), route53_exports));
-    const hostedZone = await findHostedZone2(outputs.domain, region);
-    if (hostedZone) {
-      try {
-        progress.start("Creating DNS records in Route53");
-        const mailFromDomain = updatedConfig.mailFromDomain || `mail.${outputs.domain}`;
-        await createDNSRecords2(
-          hostedZone.id,
+    let dnsProvider = metadata.services.email?.dnsProvider;
+    if (!dnsProvider) {
+      const availableProviders = await progress.execute(
+        "Detecting available DNS providers",
+        async () => await detectAvailableDNSProviders(outputs.domain, region)
+      );
+      const detectedProvider = availableProviders.find(
+        (p) => p.detected && p.provider !== "manual"
+      );
+      if (detectedProvider) {
+        dnsProvider = await promptDNSProvider(
           outputs.domain,
-          outputs.dkimTokens,
-          region,
-          outputs.customTrackingDomain,
-          mailFromDomain,
-          outputs.cloudFrontDomain
-        );
-        progress.succeed("DNS records created in Route53");
-      } catch (error) {
-        progress.fail(
-          `Failed to create DNS records automatically: ${error.message}`
+          availableProviders
         );
-        progress.info(
-          "You can manually add the required DNS records shown below"
+        if (dnsProvider && dnsProvider !== "manual" && metadata.services.email) {
+          metadata.services.email.dnsProvider = dnsProvider;
+        }
+      }
+    }
+    if (dnsProvider && dnsProvider !== "manual") {
+      const credResult = await progress.execute(
+        `Validating ${getDNSProviderDisplayName(dnsProvider)} credentials`,
+        async () => await getDNSCredentials(dnsProvider, outputs.domain, region)
+      );
+      if (credResult.valid && credResult.credentials) {
+        const mailFromDomain = updatedConfig.mailFromDomain || `mail.${outputs.domain}`;
+        const dnsData = {
+          domain: outputs.domain,
+          dkimTokens: outputs.dkimTokens,
+          mailFromDomain,
+          region
+        };
+        try {
+          progress.start(
+            `Creating DNS records in ${getDNSProviderDisplayName(dnsProvider)}`
+          );
+          const result = await createDNSRecordsForProvider(
+            credResult.credentials,
+            dnsData
+          );
+          if (result.success) {
+            progress.succeed(
+              `Created ${result.recordsCreated} DNS records in ${getDNSProviderDisplayName(dnsProvider)}`
+            );
+            dnsAutoCreated = true;
+          } else {
+            progress.fail(
+              `Failed to create some DNS records: ${result.errors?.join(", ")}`
+            );
+            progress.info(
+              "You can manually add the required DNS records shown below"
+            );
+          }
+        } catch (error) {
+          progress.fail(
+            `Failed to create DNS records automatically: ${error.message}`
+          );
+          progress.info(
+            "You can manually add the required DNS records shown below"
+          );
+        }
+      } else {
+        clack20.log.warn(
+          credResult.error || `Unable to validate ${getDNSProviderDisplayName(dnsProvider)} credentials`
         );
+        if (dnsProvider === "vercel" || dnsProvider === "cloudflare") {
+          clack20.log.info(
+            `Set ${dnsProvider === "vercel" ? "VERCEL_TOKEN" : "CLOUDFLARE_API_TOKEN"} to enable automatic DNS management.`
+          );
+          clack20.log.info(
+            `You can create a token at: ${pc21.cyan(getDNSProviderTokenUrl(dnsProvider))}`
+          );
+        }
+      }
+    }
+    if (!dnsAutoCreated) {
+      const mailFromDomain = updatedConfig.mailFromDomain || `mail.${outputs.domain}`;
+      const dnsData = {
+        domain: outputs.domain,
+        dkimTokens: outputs.dkimTokens,
+        mailFromDomain,
+        region
+      };
+      const dnsRecords = buildEmailDNSRecords(dnsData);
+      const displayRecords = formatDNSRecordsForDisplay(dnsRecords);
+      console.log(
+        `
+${pc21.bold("Add these DNS records to your DNS provider:")}
+`
+      );
+      for (const record of displayRecords) {
+        console.log(`  ${pc21.cyan(record.type)} ${record.name}`);
+        console.log(`       ${pc21.dim(record.value)}`);
       }
+      console.log("");
     }
   }
   updateEmailConfig(metadata, updatedConfig);
@@ -17478,7 +18841,7 @@ function buildConsolePolicyDocument(emailConfig, smsConfig) {
 // src/commands/shared/dashboard.ts
 init_esm_shims();
 import * as clack24 from "@clack/prompts";
-import * as pulumi20 from "@pulumi/pulumi";
+import * as pulumi19 from "@pulumi/pulumi";
 import getPort from "get-port";
 import open from "open";
 import pc26 from "picocolors";
@@ -20014,7 +21377,7 @@ async function dashboard(options) {
   try {
     await ensurePulumiWorkDir();
     try {
-      const emailStack = await pulumi20.automation.LocalWorkspace.selectStack({
+      const emailStack = await pulumi19.automation.LocalWorkspace.selectStack({
         stackName: `wraps-${identity.accountId}-${region}`,
         workDir: getPulumiWorkDir()
       });
@@ -20022,7 +21385,7 @@ async function dashboard(options) {
     } catch (_emailError) {
     }
     try {
-      const smsStack = await pulumi20.automation.LocalWorkspace.selectStack({
+      const smsStack = await pulumi19.automation.LocalWorkspace.selectStack({
         stackName: `wraps-sms-${identity.accountId}-${region}`,
         workDir: getPulumiWorkDir()
       });
@@ -20030,7 +21393,7 @@ async function dashboard(options) {
     } catch (_smsError) {
     }
     try {
-      const cdnStack = await pulumi20.automation.LocalWorkspace.selectStack({
+      const cdnStack = await pulumi19.automation.LocalWorkspace.selectStack({
         stackName: `wraps-cdn-${identity.accountId}-${region}`,
         workDir: getPulumiWorkDir()
       });
@@ -20207,7 +21570,7 @@ init_events();
 init_aws();
 init_fs();
 import * as clack26 from "@clack/prompts";
-import * as pulumi21 from "@pulumi/pulumi";
+import * as pulumi20 from "@pulumi/pulumi";
 import pc28 from "picocolors";
 async function status(_options) {
   const startTime = Date.now();
@@ -20223,7 +21586,7 @@ async function status(_options) {
   const services = [];
   try {
     await ensurePulumiWorkDir();
-    const emailStack = await pulumi21.automation.LocalWorkspace.selectStack({
+    const emailStack = await pulumi20.automation.LocalWorkspace.selectStack({
       stackName: `wraps-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
     });
@@ -20242,7 +21605,7 @@ async function status(_options) {
     services.push({ name: "Email", status: "not_deployed" });
   }
   try {
-    const smsStack = await pulumi21.automation.LocalWorkspace.selectStack({
+    const smsStack = await pulumi20.automation.LocalWorkspace.selectStack({
       stackName: `wraps-sms-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
     });
@@ -20302,13 +21665,13 @@ ${pc28.bold("Dashboard:")} ${pc28.blue("https://app.wraps.dev")}`);
 // src/commands/sms/destroy.ts
 init_esm_shims();
 import * as clack27 from "@clack/prompts";
-import * as pulumi23 from "@pulumi/pulumi";
+import * as pulumi22 from "@pulumi/pulumi";
 import pc29 from "picocolors";
 
 // src/infrastructure/sms-stack.ts
 init_esm_shims();
 import * as aws15 from "@pulumi/aws";
-import * as pulumi22 from "@pulumi/pulumi";
+import * as pulumi21 from "@pulumi/pulumi";
 async function roleExists3(roleName) {
   try {
     const { IAMClient: IAMClient3, GetRoleCommand: GetRoleCommand2 } = await import("@aws-sdk/client-iam");
@@ -20342,7 +21705,7 @@ async function tableExists2(tableName) {
 async function createSMSIAMRole(config2) {
   let assumeRolePolicy;
   if (config2.provider === "vercel" && config2.oidcProvider) {
-    assumeRolePolicy = pulumi22.interpolate`{
+    assumeRolePolicy = pulumi21.interpolate`{
       "Version": "2012-10-17",
       "Statement": [
         {
@@ -20370,7 +21733,7 @@ async function createSMSIAMRole(config2) {
       ]
     }`;
   } else if (config2.provider === "aws") {
-    assumeRolePolicy = pulumi22.output(`{
+    assumeRolePolicy = pulumi21.output(`{
       "Version": "2012-10-17",
       "Statement": [{
         "Effect": "Allow",
@@ -20725,7 +22088,7 @@ async function createSMSSNSResources(config2) {
   });
   new aws15.sqs.QueuePolicy("wraps-sms-events-queue-policy", {
     queueUrl: config2.queueUrl,
-    policy: pulumi22.all([config2.queueArn, topic.arn]).apply(
+    policy: pulumi21.all([config2.queueArn, topic.arn]).apply(
       ([queueArn, topicArn2]) => JSON.stringify({
         Version: "2012-10-17",
         Statement: [
@@ -20824,7 +22187,7 @@ async function deploySMSLambdaFunction(config2) {
   });
   new aws15.iam.RolePolicy("wraps-sms-lambda-policy", {
     role: lambdaRole.name,
-    policy: pulumi22.all([config2.tableName, config2.queueArn]).apply(
+    policy: pulumi21.all([config2.tableName, config2.queueArn]).apply(
       ([tableName, queueArn]) => JSON.stringify({
         Version: "2012-10-17",
         Statement: [
@@ -20861,7 +22224,7 @@ async function deploySMSLambdaFunction(config2) {
       runtime: "nodejs20.x",
       handler: "index.handler",
       role: lambdaRole.arn,
-      code: new pulumi22.asset.FileArchive(codeDir),
+      code: new pulumi21.asset.FileArchive(codeDir),
       timeout: 300,
       // 5 minutes
       memorySize: 512,
@@ -21272,7 +22635,7 @@ async function smsDestroy(options) {
           const stackName = storedStackName || `wraps-sms-${identity.accountId}-${region}`;
           let stack;
           try {
-            stack = await pulumi23.automation.LocalWorkspace.selectStack({
+            stack = await pulumi22.automation.LocalWorkspace.selectStack({
               stackName,
               workDir: getPulumiWorkDir()
             });
@@ -21329,7 +22692,7 @@ async function smsDestroy(options) {
         const stackName = storedStackName || `wraps-sms-${identity.accountId}-${region}`;
         let stack;
         try {
-          stack = await pulumi23.automation.LocalWorkspace.selectStack({
+          stack = await pulumi22.automation.LocalWorkspace.selectStack({
             stackName,
             workDir: getPulumiWorkDir()
           });
@@ -21386,7 +22749,7 @@ Run ${pc29.cyan("wraps sms init")} to deploy infrastructure again.
 // src/commands/sms/init.ts
 init_esm_shims();
 import * as clack28 from "@clack/prompts";
-import * as pulumi24 from "@pulumi/pulumi";
+import * as pulumi23 from "@pulumi/pulumi";
 import pc30 from "picocolors";
 init_events();
 init_aws();
@@ -22033,7 +23396,7 @@ ${pc30.yellow(pc30.bold("Important Notes:"))}`);
       "Deploying SMS infrastructure (this may take 2-3 minutes)",
       async () => {
         await ensurePulumiWorkDir();
-        const stack = await pulumi24.automation.LocalWorkspace.createOrSelectStack(
+        const stack = await pulumi23.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: `wraps-sms-${identity.accountId}-${region}`,
             projectName: "wraps-sms",
@@ -22379,7 +23742,7 @@ init_aws();
 init_fs();
 init_metadata();
 import * as clack30 from "@clack/prompts";
-import * as pulumi25 from "@pulumi/pulumi";
+import * as pulumi24 from "@pulumi/pulumi";
 import pc32 from "picocolors";
 function displaySMSStatus(options) {
   const lines = [];
@@ -22444,7 +23807,7 @@ Run ${pc32.cyan("wraps sms init")} to deploy SMS infrastructure.
   try {
     await ensurePulumiWorkDir();
     const stackName = metadata.services.sms.pulumiStackName || `wraps-sms-${identity.accountId}-${region}`;
-    const stack = await pulumi25.automation.LocalWorkspace.selectStack({
+    const stack = await pulumi24.automation.LocalWorkspace.selectStack({
       stackName,
       workDir: getPulumiWorkDir()
     });
@@ -22483,7 +23846,7 @@ Run ${pc32.cyan("wraps sms init")} to deploy SMS infrastructure.
 // src/commands/sms/sync.ts
 init_esm_shims();
 import * as clack31 from "@clack/prompts";
-import * as pulumi26 from "@pulumi/pulumi";
+import * as pulumi25 from "@pulumi/pulumi";
 import pc33 from "picocolors";
 init_events();
 init_aws();
@@ -22541,7 +23904,7 @@ Run ${pc33.cyan("wraps sms init")} to deploy SMS infrastructure first.
     outputs = await progress.execute("Syncing SMS infrastructure", async () => {
       await ensurePulumiWorkDir();
       const stackName = storedStackName || `wraps-sms-${identity.accountId}-${region}`;
-      const stack = await pulumi26.automation.LocalWorkspace.createOrSelectStack(
+      const stack = await pulumi25.automation.LocalWorkspace.createOrSelectStack(
         {
           stackName,
           projectName: "wraps-sms",
@@ -22862,7 +24225,7 @@ Run ${pc34.cyan("wraps sms register")} to complete registration.
 // src/commands/sms/upgrade.ts
 init_esm_shims();
 import * as clack33 from "@clack/prompts";
-import * as pulumi27 from "@pulumi/pulumi";
+import * as pulumi26 from "@pulumi/pulumi";
 import pc35 from "picocolors";
 init_events();
 init_aws();
@@ -23605,7 +24968,7 @@ ${pc35.bold("Cost Impact:")}`);
       "Updating SMS infrastructure (this may take 2-3 minutes)",
       async () => {
         await ensurePulumiWorkDir();
-        const stack = await pulumi27.automation.LocalWorkspace.createOrSelectStack(
+        const stack = await pulumi26.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: metadata.services.sms?.pulumiStackName || `wraps-sms-${identity.accountId}-${region}`,
             projectName: "wraps-sms",
@@ -24270,6 +25633,20 @@ function printCompletionScript() {
 
 // src/cli.ts
 init_errors();
+var [nodeMajorVersion] = process.versions.node.split(".").map(Number);
+if (nodeMajorVersion < 20) {
+  console.error(
+    "\x1B[31mError: Wraps CLI requires Node.js 20 or higher.\x1B[0m"
+  );
+  console.error(`Current version: ${process.versions.node}`);
+  console.error("");
+  console.error("To upgrade Node.js:");
+  console.error("  macOS/Linux (nvm): nvm install 20 && nvm use 20");
+  console.error("  macOS (Homebrew):  brew install node@20");
+  console.error("  Windows:           Download from https://nodejs.org/");
+  console.error("");
+  process.exit(1);
+}
 var __filename2 = fileURLToPath4(import.meta.url);
 var __dirname3 = dirname2(__filename2);
 var packageJson = JSON.parse(