@wraps.dev/cli 2.5.1 → 2.6.0

package/dist/cli.js

@@ -737,7 +737,9 @@ var init_events = __esm({
 import * as clack from "@clack/prompts";
 import pc2 from "picocolors";
 function isAWSError(error) {
-  if (!(error instanceof Error)) return false;
+  if (!(error instanceof Error)) {
+    return false;
+  }
   const awsErrorNames = [
     "ExpiredTokenException",
     "InvalidClientTokenId",
@@ -754,7 +756,9 @@ function isAWSError(error) {
   return awsErrorNames.includes(error.name) || "$metadata" in error;
 }
 function isPulumiError(error) {
-  if (!(error instanceof Error)) return false;
+  if (!(error instanceof Error)) {
+    return false;
+  }
   return error.message?.includes("pulumi") || error.message?.includes("Pulumi") || error.message?.includes("resource") || error.message?.includes("creating") || error.message?.includes("AccessDenied");
 }
 function parseAWSError(error) {
@@ -805,7 +809,9 @@ function parsePulumiError(error) {
   return { code: "PULUMI_ERROR" };
 }
 function sanitizeErrorMessage(error) {
-  if (!error) return "Unknown error";
+  if (!error) {
+    return "Unknown error";
+  }
   let message = error instanceof Error ? error.message : String(error);
   message = message.replace(/\b\d{12}\b/g, "[ACCOUNT_ID]");
   message = message.replace(
@@ -1022,7 +1028,7 @@ To remove: wraps destroy --stack ${stackName}`,
       stackLocked: () => new WrapsError(
         "The Pulumi stack is locked from a previous run",
         "STACK_LOCKED",
-        "This happens when a previous deployment was interrupted.\n\nTo unlock, run:\n  rm -rf ~/.wraps/pulumi/.pulumi/locks\n\nThen try your command again.",
+        "This happens when a previous deployment was interrupted.\n\nFor local state, run:\n  rm -rf ~/.wraps/pulumi/.pulumi/locks\n\nFor S3 state, delete the lock object in your wraps-state-* bucket under .pulumi/locks/\n\nThen try your command again.",
         "https://wraps.dev/docs/guides/aws-setup/permissions/troubleshooting"
       ),
       // SMS-specific errors
@@ -1162,6 +1168,24 @@ View required SES permissions:
         "ROUTE53_PERMISSION_DENIED",
         "Your IAM user/role needs Route53 permissions for automatic DNS management.\nRequired actions: ChangeResourceRecordSets, ListHostedZones\n\nThis is optional - you can add DNS records manually instead.",
         "https://wraps.dev/docs/guides/aws-setup/permissions"
+      ),
+      s3StateBucketCreationFailed: (bucketName) => new WrapsError(
+        `Failed to create S3 state bucket: ${bucketName}`,
+        "S3_STATE_BUCKET_CREATION_FAILED",
+        "Ensure your IAM user/role has s3:CreateBucket, s3:PutBucketEncryption, s3:PutBucketVersioning permissions.\n\nTo use local-only state instead:\n  export WRAPS_LOCAL_ONLY=1",
+        "https://wraps.dev/docs/guides/aws-setup/permissions"
+      ),
+      s3StateAccessDenied: () => new WrapsError(
+        "Access denied to S3 state bucket",
+        "S3_STATE_ACCESS_DENIED",
+        "Ensure your IAM user/role has s3:GetObject, s3:PutObject, s3:ListBucket permissions on wraps-state-* buckets.\n\nTo use local-only state instead:\n  export WRAPS_LOCAL_ONLY=1",
+        "https://wraps.dev/docs/guides/aws-setup/permissions"
+      ),
+      stateMigrationFailed: () => new WrapsError(
+        "Failed to migrate Pulumi state to S3",
+        "STATE_MIGRATION_FAILED",
+        "The migration from local to S3 state storage failed.\nYour local state is still intact.\n\nTo skip migration and use local-only state:\n  export WRAPS_LOCAL_ONLY=1",
+        "https://wraps.dev/docs/guides/aws-setup/permissions"
       )
     };
   }
@@ -3308,31 +3332,285 @@ var init_route53 = __esm({
   }
 });
 
-// src/utils/shared/fs.ts
+// src/utils/shared/s3-state.ts
+var s3_state_exports = {};
+__export(s3_state_exports, {
+  downloadMetadata: () => downloadMetadata,
+  ensureStateBucket: () => ensureStateBucket,
+  getS3BackendUrl: () => getS3BackendUrl,
+  getStateBucketName: () => getStateBucketName,
+  migrateLocalPulumiState: () => migrateLocalPulumiState,
+  needsMigration: () => needsMigration,
+  stateBucketExists: () => stateBucketExists,
+  uploadMetadata: () => uploadMetadata
+});
 import { existsSync as existsSync2 } from "fs";
+import { readdir, writeFile } from "fs/promises";
+import { join as join2 } from "path";
+function getStateBucketName(accountId, region) {
+  return `wraps-state-${accountId}-${region}`;
+}
+function getS3BackendUrl(accountId, region) {
+  return `s3://${getStateBucketName(accountId, region)}`;
+}
+async function stateBucketExists(accountId, region) {
+  const { S3Client, HeadBucketCommand } = await import("@aws-sdk/client-s3");
+  const client = new S3Client({ region });
+  const bucketName = getStateBucketName(accountId, region);
+  try {
+    await client.send(new HeadBucketCommand({ Bucket: bucketName }));
+    return true;
+  } catch (error) {
+    if (error.name === "NotFound" || error.name === "NoSuchBucket" || error.$metadata?.httpStatusCode === 404) {
+      return false;
+    }
+    throw error;
+  }
+}
+async function ensureStateBucket(accountId, region) {
+  const {
+    S3Client,
+    HeadBucketCommand,
+    CreateBucketCommand,
+    PutBucketEncryptionCommand,
+    PutBucketVersioningCommand,
+    PutPublicAccessBlockCommand,
+    PutBucketTaggingCommand
+  } = await import("@aws-sdk/client-s3");
+  const client = new S3Client({ region });
+  const bucketName = getStateBucketName(accountId, region);
+  try {
+    await client.send(new HeadBucketCommand({ Bucket: bucketName }));
+    return bucketName;
+  } catch (error) {
+    if (error.name !== "NotFound" && error.name !== "NoSuchBucket" && error.$metadata?.httpStatusCode !== 404) {
+      throw error;
+    }
+  }
+  const createParams = { Bucket: bucketName };
+  if (region !== "us-east-1") {
+    createParams.CreateBucketConfiguration = {
+      LocationConstraint: region
+    };
+  }
+  await client.send(new CreateBucketCommand(createParams));
+  await client.send(
+    new PutBucketEncryptionCommand({
+      Bucket: bucketName,
+      ServerSideEncryptionConfiguration: {
+        Rules: [
+          {
+            ApplyServerSideEncryptionByDefault: {
+              SSEAlgorithm: "AES256"
+            }
+          }
+        ]
+      }
+    })
+  );
+  await client.send(
+    new PutBucketVersioningCommand({
+      Bucket: bucketName,
+      VersioningConfiguration: {
+        Status: "Enabled"
+      }
+    })
+  );
+  await client.send(
+    new PutPublicAccessBlockCommand({
+      Bucket: bucketName,
+      PublicAccessBlockConfiguration: {
+        BlockPublicAcls: true,
+        BlockPublicPolicy: true,
+        IgnorePublicAcls: true,
+        RestrictPublicBuckets: true
+      }
+    })
+  );
+  await client.send(
+    new PutBucketTaggingCommand({
+      Bucket: bucketName,
+      Tagging: {
+        TagSet: [
+          { Key: "ManagedBy", Value: "wraps-cli" },
+          { Key: "Purpose", Value: "state" }
+        ]
+      }
+    })
+  );
+  return bucketName;
+}
+async function uploadMetadata(bucketName, metadata) {
+  const { S3Client, PutObjectCommand } = await import("@aws-sdk/client-s3");
+  const client = new S3Client({ region: metadata.region });
+  const key = `metadata/${metadata.accountId}-${metadata.region}.json`;
+  await client.send(
+    new PutObjectCommand({
+      Bucket: bucketName,
+      Key: key,
+      Body: JSON.stringify(metadata, null, 2),
+      ContentType: "application/json"
+    })
+  );
+}
+async function downloadMetadata(bucketName, accountId, region) {
+  const { S3Client, GetObjectCommand } = await import("@aws-sdk/client-s3");
+  const client = new S3Client({ region });
+  const key = `metadata/${accountId}-${region}.json`;
+  try {
+    const response = await client.send(
+      new GetObjectCommand({
+        Bucket: bucketName,
+        Key: key
+      })
+    );
+    const body = await response.Body?.transformToString();
+    if (!body) {
+      return null;
+    }
+    return JSON.parse(body);
+  } catch (error) {
+    if (error.name === "NoSuchKey" || error.$metadata?.httpStatusCode === 404) {
+      return null;
+    }
+    throw error;
+  }
+}
+async function needsMigration(localPulumiDir, accountId, region) {
+  const markerPath = join2(localPulumiDir, `.migrated-${accountId}-${region}`);
+  if (existsSync2(markerPath)) {
+    return false;
+  }
+  const stacksDir = join2(localPulumiDir, ".pulumi", "stacks");
+  if (!existsSync2(stacksDir)) {
+    return false;
+  }
+  try {
+    const files = await readdir(stacksDir);
+    const matchingStacks = files.filter(
+      (f) => f.includes(accountId) && f.includes(region) && f.endsWith(".json")
+    );
+    return matchingStacks.length > 0;
+  } catch {
+    return false;
+  }
+}
+async function migrateLocalPulumiState(localPulumiDir, bucketName, accountId, region) {
+  const pulumi28 = await import("@pulumi/pulumi/automation/index.js");
+  const stacksDir = join2(localPulumiDir, ".pulumi", "stacks");
+  const files = await readdir(stacksDir);
+  const stackFiles = files.filter(
+    (f) => f.includes(accountId) && f.includes(region) && f.endsWith(".json")
+  );
+  for (const stackFile of stackFiles) {
+    const stackName = stackFile.replace(".json", "");
+    let projectName = "wraps-email";
+    if (stackName.startsWith("wraps-sms-")) {
+      projectName = "wraps-sms";
+    } else if (stackName.startsWith("wraps-cdn-")) {
+      projectName = "wraps-cdn";
+    }
+    try {
+      const localStack = await pulumi28.LocalWorkspace.selectStack({
+        stackName,
+        workDir: localPulumiDir
+      });
+      const state = await localStack.exportStack();
+      const s3Stack = await pulumi28.LocalWorkspace.createOrSelectStack(
+        {
+          stackName,
+          projectName,
+          program: async () => ({})
+        },
+        {
+          workDir: localPulumiDir,
+          envVars: {
+            PULUMI_BACKEND_URL: `s3://${bucketName}`,
+            PULUMI_CONFIG_PASSPHRASE: ""
+          }
+        }
+      );
+      await s3Stack.importStack(state);
+    } catch (error) {
+      console.error(
+        `Warning: Failed to migrate stack ${stackName}: ${error.message}`
+      );
+    }
+  }
+  const markerPath = join2(localPulumiDir, `.migrated-${accountId}-${region}`);
+  await writeFile(markerPath, (/* @__PURE__ */ new Date()).toISOString(), "utf-8");
+}
+var init_s3_state = __esm({
+  "src/utils/shared/s3-state.ts"() {
+    "use strict";
+    init_esm_shims();
+  }
+});
+
+// src/utils/shared/fs.ts
+import { existsSync as existsSync3 } from "fs";
 import { mkdir } from "fs/promises";
 import { homedir as homedir2 } from "os";
-import { join as join2 } from "path";
+import { join as join3 } from "path";
 function getWrapsDir() {
-  return join2(homedir2(), ".wraps");
+  return join3(homedir2(), ".wraps");
 }
 function getPulumiWorkDir() {
-  return join2(getWrapsDir(), "pulumi");
+  return join3(getWrapsDir(), "pulumi");
 }
 async function ensureWrapsDir() {
   const wrapsDir = getWrapsDir();
-  if (!existsSync2(wrapsDir)) {
+  if (!existsSync3(wrapsDir)) {
     await mkdir(wrapsDir, { recursive: true });
   }
 }
-async function ensurePulumiWorkDir() {
+async function ensurePulumiWorkDir(options) {
   await ensureWrapsDir();
   const pulumiDir = getPulumiWorkDir();
-  if (!existsSync2(pulumiDir)) {
+  if (!existsSync3(pulumiDir)) {
     await mkdir(pulumiDir, { recursive: true });
   }
-  process.env.PULUMI_BACKEND_URL = `file://${pulumiDir}`;
   process.env.PULUMI_CONFIG_PASSPHRASE = "";
+  const useS3 = options?.accountId && options?.region && process.env.WRAPS_LOCAL_ONLY !== "1";
+  if (useS3) {
+    try {
+      const {
+        ensureStateBucket: ensureStateBucket2,
+        getS3BackendUrl: getS3BackendUrl2,
+        needsMigration: needsMigration2,
+        migrateLocalPulumiState: migrateLocalPulumiState2
+      } = await Promise.resolve().then(() => (init_s3_state(), s3_state_exports));
+      const bucketName = await ensureStateBucket2(
+        options.accountId,
+        options.region
+      );
+      const shouldMigrate = await needsMigration2(
+        pulumiDir,
+        options.accountId,
+        options.region
+      );
+      if (shouldMigrate) {
+        process.env.PULUMI_BACKEND_URL = `file://${pulumiDir}`;
+        await migrateLocalPulumiState2(
+          pulumiDir,
+          bucketName,
+          options.accountId,
+          options.region
+        );
+      }
+      process.env.PULUMI_BACKEND_URL = getS3BackendUrl2(
+        options.accountId,
+        options.region
+      );
+      return;
+    } catch (error) {
+      const clack38 = await import("@clack/prompts");
+      clack38.log.warn(
+        `S3 state backend unavailable (${error.message}). Using local state.`
+      );
+    }
+  }
+  process.env.PULUMI_BACKEND_URL = `file://${pulumiDir}`;
 }
 var init_fs = __esm({
   "src/utils/shared/fs.ts"() {
@@ -3346,6 +3624,7 @@ var metadata_exports = {};
 __export(metadata_exports, {
   addServiceToConnection: () => addServiceToConnection,
   applyConfigUpdates: () => applyConfigUpdates,
+  buildEmailStackConfig: () => buildEmailStackConfig,
   connectionExists: () => connectionExists,
   createConnectionMetadata: () => createConnectionMetadata,
   deleteConnectionMetadata: () => deleteConnectionMetadata,
@@ -3362,19 +3641,19 @@ __export(metadata_exports, {
   updateServiceConfig: () => updateServiceConfig
 });
 import { randomBytes } from "crypto";
-import { existsSync as existsSync3 } from "fs";
-import { readFile, writeFile } from "fs/promises";
-import { join as join3 } from "path";
+import { existsSync as existsSync4 } from "fs";
+import { readFile, writeFile as writeFile2 } from "fs/promises";
+import { join as join4 } from "path";
 function getConnectionsDir() {
-  return join3(getWrapsDir(), "connections");
+  return join4(getWrapsDir(), "connections");
 }
 function getMetadataPath(accountId, region) {
-  return join3(getConnectionsDir(), `${accountId}-${region}.json`);
+  return join4(getConnectionsDir(), `${accountId}-${region}.json`);
 }
 async function ensureConnectionsDir() {
   await ensureWrapsDir();
   const connectionsDir = getConnectionsDir();
-  if (!existsSync3(connectionsDir)) {
+  if (!existsSync4(connectionsDir)) {
     const { mkdir: mkdir2 } = await import("fs/promises");
     await mkdir2(connectionsDir, { recursive: true });
   }
@@ -3402,57 +3681,121 @@ function isLegacyMetadata(data) {
 }
 async function loadConnectionMetadata(accountId, region) {
   const metadataPath = getMetadataPath(accountId, region);
-  if (!existsSync3(metadataPath)) {
-    return null;
+  let localData = null;
+  if (existsSync4(metadataPath)) {
+    try {
+      const content = await readFile(metadataPath, "utf-8");
+      const data = JSON.parse(content);
+      if (isLegacyMetadata(data)) {
+        const migrated = migrateLegacyMetadata(data);
+        await saveConnectionMetadataLocal(migrated);
+        localData = migrated;
+      } else {
+        if (!data.version) {
+          data.version = "1.0.0";
+          await saveConnectionMetadataLocal(data);
+        }
+        localData = data;
+      }
+    } catch (error) {
+      console.error("Error loading connection metadata:", error.message);
+    }
   }
-  try {
-    const content = await readFile(metadataPath, "utf-8");
-    const data = JSON.parse(content);
-    if (isLegacyMetadata(data)) {
-      const migrated = migrateLegacyMetadata(data);
-      await saveConnectionMetadata(migrated);
-      return migrated;
-    }
-    if (!data.version) {
-      data.version = "1.0.0";
-      await saveConnectionMetadata(data);
-    }
-    return data;
-  } catch (error) {
-    console.error("Error loading connection metadata:", error.message);
-    return null;
+  if (process.env.WRAPS_LOCAL_ONLY !== "1") {
+    try {
+      const {
+        stateBucketExists: stateBucketExists2,
+        downloadMetadata: downloadMetadata2,
+        uploadMetadata: uploadMetadata2,
+        getStateBucketName: getStateBucketName2
+      } = await Promise.resolve().then(() => (init_s3_state(), s3_state_exports));
+      const bucketExists = await stateBucketExists2(accountId, region);
+      if (bucketExists) {
+        const bucketName = getStateBucketName2(accountId, region);
+        const remoteData = await downloadMetadata2(
+          bucketName,
+          accountId,
+          region
+        );
+        if (remoteData && localData) {
+          if (remoteData.timestamp > localData.timestamp) {
+            await saveConnectionMetadataLocal(remoteData);
+            return remoteData;
+          }
+          if (localData.timestamp > remoteData.timestamp) {
+            await uploadMetadata2(bucketName, localData).catch(() => {
+            });
+            return localData;
+          }
+          return localData;
+        }
+        if (remoteData && !localData) {
+          await saveConnectionMetadataLocal(remoteData);
+          return remoteData;
+        }
+        if (localData && !remoteData) {
+          await uploadMetadata2(bucketName, localData).catch(() => {
+          });
+        }
+      }
+    } catch {
+    }
   }
+  return localData;
+}
+async function saveConnectionMetadataLocal(metadata) {
+  await ensureConnectionsDir();
+  const metadataPath = getMetadataPath(metadata.accountId, metadata.region);
+  const content = JSON.stringify(metadata, null, 2);
+  await writeFile2(metadataPath, content, "utf-8");
 }
 async function saveConnectionMetadata(metadata) {
   await ensureConnectionsDir();
   const metadataPath = getMetadataPath(metadata.accountId, metadata.region);
   try {
     const content = JSON.stringify(metadata, null, 2);
-    await writeFile(metadataPath, content, "utf-8");
+    await writeFile2(metadataPath, content, "utf-8");
   } catch (error) {
     console.error("Error saving connection metadata:", error.message);
     throw error;
   }
+  if (process.env.WRAPS_LOCAL_ONLY !== "1") {
+    try {
+      const { stateBucketExists: stateBucketExists2, uploadMetadata: uploadMetadata2, getStateBucketName: getStateBucketName2 } = await Promise.resolve().then(() => (init_s3_state(), s3_state_exports));
+      const bucketExists = await stateBucketExists2(
+        metadata.accountId,
+        metadata.region
+      );
+      if (bucketExists) {
+        const bucketName = getStateBucketName2(
+          metadata.accountId,
+          metadata.region
+        );
+        await uploadMetadata2(bucketName, metadata);
+      }
+    } catch {
+    }
+  }
 }
 async function deleteConnectionMetadata(accountId, region) {
   const metadataPath = getMetadataPath(accountId, region);
-  if (existsSync3(metadataPath)) {
+  if (existsSync4(metadataPath)) {
     const { unlink } = await import("fs/promises");
     await unlink(metadataPath);
   }
 }
 async function listConnections() {
   const connectionsDir = getConnectionsDir();
-  if (!existsSync3(connectionsDir)) {
+  if (!existsSync4(connectionsDir)) {
     return [];
   }
   try {
-    const { readdir } = await import("fs/promises");
-    const files = await readdir(connectionsDir);
+    const { readdir: readdir2 } = await import("fs/promises");
+    const files = await readdir2(connectionsDir);
     const connections = [];
     for (const file of files) {
       if (file.endsWith(".json")) {
-        const content = await readFile(join3(connectionsDir, file), "utf-8");
+        const content = await readFile(join4(connectionsDir, file), "utf-8");
         try {
           const metadata = JSON.parse(content);
           connections.push(metadata);
@@ -3469,7 +3812,7 @@ async function listConnections() {
 }
 async function connectionExists(accountId, region) {
   const metadataPath = getMetadataPath(accountId, region);
-  return existsSync3(metadataPath);
+  return existsSync4(metadataPath);
 }
 function createConnectionMetadata(accountId, region, provider, emailConfig, preset) {
   return {
@@ -3659,6 +4002,25 @@ async function findConnectionsWithService(accountId, service) {
   const accountConnections = await findConnectionsForAccount(accountId);
   return accountConnections.filter((conn) => hasService(conn, service));
 }
+function buildEmailStackConfig(metadata, region, overrides) {
+  const emailService = metadata.services.email;
+  let webhook;
+  if (overrides && "webhook" in overrides) {
+    webhook = overrides.webhook;
+  } else if (emailService?.webhookSecret) {
+    webhook = {
+      awsAccountNumber: metadata.accountId,
+      webhookSecret: emailService.webhookSecret
+    };
+  }
+  return {
+    provider: metadata.provider,
+    region,
+    vercel: metadata.vercel,
+    emailConfig: overrides?.emailConfig ?? emailService.config,
+    webhook
+  };
+}
 function generateWebhookSecret() {
   return randomBytes(32).toString("hex");
 }
@@ -3868,9 +4230,9 @@ __export(lambda_exports, {
   getLambdaCode: () => getLambdaCode
 });
 import { randomBytes as randomBytes2 } from "crypto";
-import { existsSync as existsSync4, mkdirSync } from "fs";
+import { existsSync as existsSync5, mkdirSync } from "fs";
 import { tmpdir } from "os";
-import { dirname, join as join4 } from "path";
+import { dirname, join as join5 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import * as aws8 from "@pulumi/aws";
 import * as pulumi11 from "@pulumi/pulumi";
@@ -3879,7 +4241,7 @@ function getPackageRoot() {
   const currentFile = fileURLToPath2(import.meta.url);
   let dir = dirname(currentFile);
   while (dir !== dirname(dir)) {
-    if (existsSync4(join4(dir, "package.json"))) {
+    if (existsSync5(join5(dir, "package.json"))) {
       return dir;
     }
     dir = dirname(dir);
@@ -3922,18 +4284,18 @@ async function findEventSourceMapping(functionName, queueArn) {
 }
 async function getLambdaCode(functionName) {
   const packageRoot = getPackageRoot();
-  const distLambdaPath = join4(packageRoot, "dist", "lambda", functionName);
-  const distBundleMarker = join4(distLambdaPath, ".bundled");
-  if (existsSync4(distBundleMarker)) {
+  const distLambdaPath = join5(packageRoot, "dist", "lambda", functionName);
+  const distBundleMarker = join5(distLambdaPath, ".bundled");
+  if (existsSync5(distBundleMarker)) {
     return distLambdaPath;
   }
-  const lambdaPath = join4(packageRoot, "lambda", functionName);
-  const lambdaBundleMarker = join4(lambdaPath, ".bundled");
-  if (existsSync4(lambdaBundleMarker)) {
+  const lambdaPath = join5(packageRoot, "lambda", functionName);
+  const lambdaBundleMarker = join5(lambdaPath, ".bundled");
+  if (existsSync5(lambdaBundleMarker)) {
     return lambdaPath;
   }
-  const sourcePath = join4(lambdaPath, "index.ts");
-  if (!existsSync4(sourcePath)) {
+  const sourcePath = join5(lambdaPath, "index.ts");
+  if (!existsSync5(sourcePath)) {
     throw new Error(
       `Lambda source not found: ${sourcePath}
 This usually means the build process didn't complete successfully.
@@ -3941,8 +4303,8 @@ Try running: pnpm build`
     );
   }
   const buildId = randomBytes2(8).toString("hex");
-  const outdir = join4(tmpdir(), `wraps-lambda-${buildId}`);
-  if (!existsSync4(outdir)) {
+  const outdir = join5(tmpdir(), `wraps-lambda-${buildId}`);
+  if (!existsSync5(outdir)) {
     mkdirSync(outdir, { recursive: true });
   }
   await build({
@@ -3951,7 +4313,7 @@ Try running: pnpm build`
     platform: "node",
     target: "node24",
     format: "esm",
-    outfile: join4(outdir, "index.mjs"),
+    outfile: join5(outdir, "index.mjs"),
     external: ["@aws-sdk/*"],
     // AWS SDK v3 is included in Lambda runtime
     minify: true,
@@ -5059,12 +5421,22 @@ async function createDNSRecordsForProvider(credentials, data, selectedCategories
           data.mailFromDomain
         );
         let recordsCreated = 0;
-        if (categories.has("dkim")) recordsCreated += data.dkimTokens.length;
-        if (categories.has("spf")) recordsCreated += 1;
-        if (categories.has("dmarc")) recordsCreated += 1;
+        if (categories.has("dkim")) {
+          recordsCreated += data.dkimTokens.length;
+        }
+        if (categories.has("spf")) {
+          recordsCreated += 1;
+        }
+        if (categories.has("dmarc")) {
+          recordsCreated += 1;
+        }
         if (data.mailFromDomain) {
-          if (categories.has("mailfrom_mx")) recordsCreated += 1;
-          if (categories.has("mailfrom_spf")) recordsCreated += 1;
+          if (categories.has("mailfrom_mx")) {
+            recordsCreated += 1;
+          }
+          if (categories.has("mailfrom_spf")) {
+            recordsCreated += 1;
+          }
         }
         return {
           success: true,
@@ -5366,10 +5738,18 @@ async function detectAvailableDNSProviders(domain, region) {
     hint: "I'll add DNS records myself"
   });
   return providers.sort((a, b) => {
-    if (a.provider === "manual") return 1;
-    if (b.provider === "manual") return -1;
-    if (a.detected && !b.detected) return -1;
-    if (!a.detected && b.detected) return 1;
+    if (a.provider === "manual") {
+      return 1;
+    }
+    if (b.provider === "manual") {
+      return -1;
+    }
+    if (a.detected && !b.detected) {
+      return -1;
+    }
+    if (!a.detected && b.detected) {
+      return 1;
+    }
     return 0;
   });
 }
@@ -5731,7 +6111,7 @@ var init_dynamodb_metrics = __esm({
 // src/cli.ts
 init_esm_shims();
 import { readFileSync as readFileSync2 } from "fs";
-import { dirname as dirname2, join as join5 } from "path";
+import { dirname as dirname2, join as join6 } from "path";
 import { fileURLToPath as fileURLToPath4 } from "url";
 import * as clack37 from "@clack/prompts";
 import args from "args";
@@ -7316,7 +7696,7 @@ async function cdnDestroy(options) {
       const previewResult = await progress.execute(
         "Generating destruction preview",
         async () => {
-          await ensurePulumiWorkDir();
+          await ensurePulumiWorkDir({ accountId: identity.accountId, region });
           const stackName = storedStackName || `wraps-cdn-${identity.accountId}-${region}`;
           let stack;
           try {
@@ -7394,7 +7774,7 @@ async function cdnDestroy(options) {
     await progress.execute(
       "Destroying CDN infrastructure (this may take 2-3 minutes)",
       async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stackName = storedStackName || `wraps-cdn-${identity.accountId}-${region}`;
         let stack;
         try {
@@ -7591,6 +7971,8 @@ async function createCdnBucket(config2) {
     "https://*.wraps.dev",
     "http://localhost:3000",
     "http://localhost:3001",
+    "http://localhost:3002",
+    "http://localhost:3003",
     "http://localhost:4000",
     "http://localhost:5173",
     "http://localhost:5174",
@@ -8649,7 +9031,7 @@ ${pc8.yellow(pc8.bold("Configuration Notes:"))}`);
       const previewResult = await progress.execute(
         "Generating infrastructure preview",
         async () => {
-          await ensurePulumiWorkDir();
+          await ensurePulumiWorkDir({ accountId: identity.accountId, region });
           const stack = await pulumi4.automation.LocalWorkspace.createOrSelectStack(
             {
               stackName: `wraps-cdn-${identity.accountId}-${region}`,
@@ -8713,7 +9095,7 @@ ${pc8.yellow(pc8.bold("Configuration Notes:"))}`);
     outputs = await progress.execute(
       "Deploying CDN infrastructure (this may take 2-3 minutes)",
       async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stack = await pulumi4.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: `wraps-cdn-${identity.accountId}-${region}`,
@@ -9082,7 +9464,7 @@ async function cdnStatus(options) {
   }
   let stackOutputs = {};
   try {
-    await ensurePulumiWorkDir();
+    await ensurePulumiWorkDir({ accountId: identity.accountId, region });
     const stack = await pulumi5.automation.LocalWorkspace.selectStack({
       stackName: `wraps-cdn-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
@@ -9260,7 +9642,7 @@ async function cdnSync(options) {
   let existingCertArn;
   if (cdnConfig.cdn.customDomain) {
     try {
-      await ensurePulumiWorkDir();
+      await ensurePulumiWorkDir({ accountId: identity.accountId, region });
       const checkStack = await pulumi6.automation.LocalWorkspace.selectStack({
         stackName: `wraps-cdn-${identity.accountId}-${region}`,
         workDir: getPulumiWorkDir()
@@ -9297,7 +9679,7 @@ async function cdnSync(options) {
   };
   try {
     await progress.execute("Syncing CDN infrastructure", async () => {
-      await ensurePulumiWorkDir();
+      await ensurePulumiWorkDir({ accountId: identity.accountId, region });
       const stack = await pulumi6.automation.LocalWorkspace.createOrSelectStack(
         {
           stackName: `wraps-cdn-${identity.accountId}-${region}`,
@@ -9414,7 +9796,7 @@ async function cdnUpgrade(options) {
   const cdnConfig = cdnService.config;
   let stackOutputs = {};
   try {
-    await ensurePulumiWorkDir();
+    await ensurePulumiWorkDir({ accountId: identity.accountId, region });
     const stack = await pulumi7.automation.LocalWorkspace.selectStack({
       stackName: `wraps-cdn-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
@@ -9551,7 +9933,7 @@ Ready to add custom domain: ${pc11.cyan(pendingDomain)}`);
     await progress.execute(
       "Updating CloudFront distribution (this may take 2-3 minutes)",
       async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stack = await pulumi7.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: `wraps-cdn-${identity.accountId}-${region}`,
@@ -9721,7 +10103,7 @@ async function cdnVerify(options) {
   }
   let stackOutputs = {};
   try {
-    await ensurePulumiWorkDir();
+    await ensurePulumiWorkDir({ accountId: identity.accountId, region });
     const stack = await pulumi8.automation.LocalWorkspace.selectStack({
       stackName: `wraps-cdn-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
@@ -14026,22 +14408,13 @@ ${pc14.bold("Current Configuration:")}
       process.exit(0);
     }
   }
-  let vercelConfig;
-  if (metadata.provider === "vercel" && metadata.vercel) {
-    vercelConfig = metadata.vercel;
-  }
-  const stackConfig = {
-    provider: metadata.provider,
-    region,
-    vercel: vercelConfig,
-    emailConfig: config2
-  };
+  const stackConfig = buildEmailStackConfig(metadata, region);
   if (options.preview) {
     try {
       const previewResult = await progress.execute(
         "Generating update preview",
         async () => {
-          await ensurePulumiWorkDir();
+          await ensurePulumiWorkDir({ accountId: identity.accountId, region });
           const stack = await pulumi12.automation.LocalWorkspace.createOrSelectStack(
             {
               stackName: metadata.services.email?.pulumiStackName || `wraps-${identity.accountId}-${region}`,
@@ -14105,7 +14478,7 @@ ${pc14.bold("Current Configuration:")}
     outputs = await progress.execute(
       "Updating Wraps infrastructure (this may take 2-3 minutes)",
       async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stack = await pulumi12.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: metadata.services.email?.pulumiStackName || `wraps-${identity.accountId}-${region}`,
@@ -14542,7 +14915,7 @@ async function connect2(options) {
       const previewResult = await progress.execute(
         "Generating infrastructure preview",
         async () => {
-          await ensurePulumiWorkDir();
+          await ensurePulumiWorkDir({ accountId: identity.accountId, region });
           const stack = await pulumi13.automation.LocalWorkspace.createOrSelectStack(
             {
               stackName: `wraps-${identity.accountId}-${region}`,
@@ -14606,7 +14979,7 @@ async function connect2(options) {
     outputs = await progress.execute(
       "Deploying Wraps infrastructure (this may take 2-3 minutes)",
       async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stack = await pulumi13.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: `wraps-${identity.accountId}-${region}`,
@@ -14902,7 +15275,7 @@ async function emailDestroy(options) {
       const previewResult = await progress.execute(
         "Generating destruction preview",
         async () => {
-          await ensurePulumiWorkDir();
+          await ensurePulumiWorkDir({ accountId: identity.accountId, region });
           const stackName = storedStackName || `wraps-${identity.accountId}-${region}`;
           let stack;
           try {
@@ -14973,7 +15346,7 @@ async function emailDestroy(options) {
     await progress.execute(
       "Destroying email infrastructure (this may take 2-3 minutes)",
       async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stackName = storedStackName || `wraps-${identity.accountId}-${region}`;
         let stack;
         try {
@@ -15517,7 +15890,11 @@ var CORE_IAM_ACTIONS = [
   "ses:CreateEmailIdentity",
   "ses:DeleteEmailIdentity",
   "ses:GetEmailIdentity",
-  "ses:PutEmailIdentityDkimAttributes"
+  "ses:PutEmailIdentityDkimAttributes",
+  "s3:HeadBucket",
+  "s3:CreateBucket",
+  "s3:GetObject",
+  "s3:PutObject"
 ];
 var EVENT_TRACKING_ACTIONS = [
   "events:CreateEventBus",
@@ -15584,8 +15961,12 @@ async function checkIAMPermissions(userArn, actions, region) {
         const actionName = result.EvalActionName;
         const decision = result.EvalDecision;
         if (decision === "allowed") {
-          if (actionName) allowedActions.push(actionName);
-        } else if (actionName) deniedActions.push(actionName);
+          if (actionName) {
+            allowedActions.push(actionName);
+          }
+        } else if (actionName) {
+          deniedActions.push(actionName);
+        }
       }
     }
     return {
@@ -15615,7 +15996,9 @@ async function checkIAMPermissions(userArn, actions, region) {
   }
 }
 function formatDeniedActions(actions) {
-  if (actions.length === 0) return "";
+  if (actions.length === 0) {
+    return "";
+  }
   const byService = {};
   for (const action of actions) {
     const [service, actionName] = action.split(":");
@@ -15772,7 +16155,7 @@ ${pc18.yellow(pc18.bold("Configuration Warnings:"))}`);
       const previewResult = await progress.execute(
         "Generating infrastructure preview",
         async () => {
-          await ensurePulumiWorkDir();
+          await ensurePulumiWorkDir({ accountId: identity.accountId, region });
           const stack = await pulumi15.automation.LocalWorkspace.createOrSelectStack(
             {
               stackName: `wraps-${identity.accountId}-${region}`,
@@ -15841,7 +16224,7 @@ ${pc18.yellow(pc18.bold("Configuration Warnings:"))}`);
     outputs = await progress.execute(
       "Deploying infrastructure (this may take 2-3 minutes)",
       async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stack = await pulumi15.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: `wraps-${identity.accountId}-${region}`,
@@ -16374,7 +16757,7 @@ async function emailStatus(options) {
   }
   let stackOutputs = {};
   try {
-    await ensurePulumiWorkDir();
+    await ensurePulumiWorkDir({ accountId: identity.accountId, region });
     const stack = await pulumi17.automation.LocalWorkspace.selectStack({
       stackName: `wraps-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
@@ -17570,30 +17953,18 @@ ${pc21.bold("Cost Impact:")}`);
       process.exit(0);
     }
   }
-  let vercelConfig;
   if (metadata.provider === "vercel" && !metadata.vercel) {
-    vercelConfig = await promptVercelConfig();
-  } else if (metadata.provider === "vercel") {
-    vercelConfig = metadata.vercel;
+    metadata.vercel = await promptVercelConfig();
   }
-  const stackConfig = {
-    provider: metadata.provider,
-    region,
-    vercel: vercelConfig,
-    emailConfig: updatedConfig,
-    // Include webhook config if Wraps Dashboard is connected
-    webhook: metadata.services.email?.webhookSecret ? {
-      awsAccountNumber: metadata.accountId,
-      // User's 12-digit AWS account ID
-      webhookSecret: metadata.services.email.webhookSecret
-    } : void 0
-  };
+  const stackConfig = buildEmailStackConfig(metadata, region, {
+    emailConfig: updatedConfig
+  });
   if (options.preview) {
     try {
       const previewResult = await progress.execute(
         "Generating upgrade preview",
         async () => {
-          await ensurePulumiWorkDir();
+          await ensurePulumiWorkDir({ accountId: identity.accountId, region });
           const stack = await pulumi18.automation.LocalWorkspace.createOrSelectStack(
             {
               stackName: metadata.services.email?.pulumiStackName || `wraps-${identity.accountId}-${region}`,
@@ -17671,7 +18042,7 @@ ${pc21.bold("Cost Impact:")}`);
     outputs = await progress.execute(
       "Updating Wraps infrastructure (this may take 2-3 minutes)",
       async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stack = await pulumi18.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: metadata.services.email?.pulumiStackName || `wraps-${identity.accountId}-${region}`,
@@ -18290,6 +18661,26 @@ function getS3Statements() {
     }
   ];
 }
+function getS3StateStatements() {
+  return [
+    {
+      Sid: "S3StateManagement",
+      Effect: "Allow",
+      Action: [
+        "s3:CreateBucket",
+        "s3:HeadBucket",
+        "s3:PutBucketEncryption",
+        "s3:PutBucketVersioning",
+        "s3:PutPublicAccessBlock",
+        "s3:PutBucketTagging",
+        "s3:GetObject",
+        "s3:PutObject",
+        "s3:ListBucket"
+      ],
+      Resource: ["arn:aws:s3:::wraps-state-*", "arn:aws:s3:::wraps-state-*/*"]
+    }
+  ];
+}
 function getCloudFrontStatements() {
   return [
     {
@@ -18364,7 +18755,10 @@ function getSMSStatements() {
   ];
 }
 function buildPolicy(service, preset) {
-  const statements = [...getBaseStatements()];
+  const statements = [
+    ...getBaseStatements(),
+    ...getS3StateStatements()
+  ];
   if (!service || service === "email") {
     statements.push(...getSESStatements());
     if (!preset || preset === "production" || preset === "enterprise") {
@@ -18413,6 +18807,9 @@ ${pc23.dim("Service:")} ${pc23.cyan(serviceLabel)}`);
   console.log(`  ${pc23.green("+")} ${pc23.bold("IAM")} - Role management`);
   console.log(`  ${pc23.green("+")} ${pc23.bold("STS")} - Credential validation`);
   console.log(`  ${pc23.green("+")} ${pc23.bold("CloudWatch")} - Metrics access`);
+  console.log(
+    `  ${pc23.green("+")} ${pc23.bold("S3")} - State management ${pc23.dim("(wraps-state-* buckets)")}`
+  );
   if (!service || service === "email") {
     console.log(
       `  ${pc23.green("+")} ${pc23.bold("SES")} - Email sending & configuration`
@@ -18725,9 +19122,9 @@ Run ${pc24.cyan("wraps email init")} or ${pc24.cyan("wraps sms init")} first.
     let webhookSecret;
     let needsDeployment = false;
     if (hasEmail) {
-      const emailConfig = metadata.services.email.config;
-      const existingSecret = metadata.services.email.webhookSecret;
-      if (!emailConfig.eventTracking?.enabled) {
+      const emailConfig = metadata.services.email?.config;
+      const existingSecret = metadata.services.email?.webhookSecret;
+      if (!emailConfig?.eventTracking?.enabled) {
         progress.stop();
         log21.warn(
           "Event tracking must be enabled to connect to the Wraps Platform."
@@ -18756,8 +19153,8 @@ Run ${pc24.cyan("wraps email init")} or ${pc24.cyan("wraps sms init")} first.
               "BOUNCE",
               "COMPLAINT"
             ],
-            dynamoDBHistory: emailConfig.eventTracking?.dynamoDBHistory ?? false,
-            archiveRetention: emailConfig.eventTracking?.archiveRetention ?? "90days"
+            dynamoDBHistory: emailConfig?.eventTracking?.dynamoDBHistory ?? false,
+            archiveRetention: emailConfig?.eventTracking?.archiveRetention ?? "90days"
           }
         };
         needsDeployment = true;
@@ -18817,25 +19214,15 @@ Run ${pc24.cyan("wraps email init")} or ${pc24.cyan("wraps sms init")} first.
       }
     }
     if (needsDeployment && hasEmail) {
-      let vercelConfig;
       if (metadata.provider === "vercel" && !metadata.vercel) {
         progress.stop();
-        vercelConfig = await promptVercelConfig();
-      } else if (metadata.provider === "vercel") {
-        vercelConfig = metadata.vercel;
+        metadata.vercel = await promptVercelConfig();
       }
-      const stackConfig = {
-        provider: metadata.provider,
-        region,
-        vercel: vercelConfig,
-        emailConfig: metadata.services.email.config,
-        webhook: webhookSecret ? {
-          awsAccountNumber: metadata.accountId,
-          webhookSecret
-        } : void 0
-      };
+      const stackConfig = buildEmailStackConfig(metadata, region, {
+        webhook: webhookSecret ? { awsAccountNumber: metadata.accountId, webhookSecret } : void 0
+      });
       await progress.execute("Configuring event streaming", async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stack = await pulumi19.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: metadata.services.email?.pulumiStackName || `wraps-${identity.accountId}-${region}`,
@@ -21827,7 +22214,7 @@ async function dashboard(options) {
   let smsStackOutputs = {};
   let storageStackOutputs = {};
   try {
-    await ensurePulumiWorkDir();
+    await ensurePulumiWorkDir({ accountId: identity.accountId, region });
     try {
       const emailStack = await pulumi20.automation.LocalWorkspace.selectStack({
         stackName: `wraps-${identity.accountId}-${region}`,
@@ -22037,7 +22424,7 @@ async function status(_options) {
   progress.info(`Region: ${pc29.cyan(region)}`);
   const services = [];
   try {
-    await ensurePulumiWorkDir();
+    await ensurePulumiWorkDir({ accountId: identity.accountId, region });
     const emailStack = await pulumi21.automation.LocalWorkspace.selectStack({
       stackName: `wraps-${identity.accountId}-${region}`,
       workDir: getPulumiWorkDir()
@@ -23083,7 +23470,7 @@ async function smsDestroy(options) {
       const previewResult = await progress.execute(
         "Generating destruction preview",
         async () => {
-          await ensurePulumiWorkDir();
+          await ensurePulumiWorkDir({ accountId: identity.accountId, region });
           const stackName = storedStackName || `wraps-sms-${identity.accountId}-${region}`;
           let stack;
           try {
@@ -23140,7 +23527,7 @@ async function smsDestroy(options) {
     await progress.execute(
       "Destroying SMS infrastructure (this may take 2-3 minutes)",
       async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stackName = storedStackName || `wraps-sms-${identity.accountId}-${region}`;
         let stack;
         try {
@@ -23847,7 +24234,7 @@ ${pc31.yellow(pc31.bold("Important Notes:"))}`);
     outputs = await progress.execute(
       "Deploying SMS infrastructure (this may take 2-3 minutes)",
       async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stack = await pulumi24.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: `wraps-sms-${identity.accountId}-${region}`,
@@ -24257,7 +24644,7 @@ Run ${pc33.cyan("wraps sms init")} to deploy SMS infrastructure.
   }
   let stackOutputs = {};
   try {
-    await ensurePulumiWorkDir();
+    await ensurePulumiWorkDir({ accountId: identity.accountId, region });
     const stackName = metadata.services.sms.pulumiStackName || `wraps-sms-${identity.accountId}-${region}`;
     const stack = await pulumi25.automation.LocalWorkspace.selectStack({
       stackName,
@@ -24354,7 +24741,7 @@ Run ${pc34.cyan("wraps sms init")} to deploy SMS infrastructure first.
   let outputs;
   try {
     outputs = await progress.execute("Syncing SMS infrastructure", async () => {
-      await ensurePulumiWorkDir();
+      await ensurePulumiWorkDir({ accountId: identity.accountId, region });
       const stackName = storedStackName || `wraps-sms-${identity.accountId}-${region}`;
       const stack = await pulumi26.automation.LocalWorkspace.createOrSelectStack(
         {
@@ -25419,7 +25806,7 @@ ${pc36.bold("Cost Impact:")}`);
     outputs = await progress.execute(
       "Updating SMS infrastructure (this may take 2-3 minutes)",
       async () => {
-        await ensurePulumiWorkDir();
+        await ensurePulumiWorkDir({ accountId: identity.accountId, region });
         const stack = await pulumi27.automation.LocalWorkspace.createOrSelectStack(
           {
             stackName: metadata.services.sms?.pulumiStackName || `wraps-sms-${identity.accountId}-${region}`,
@@ -26102,7 +26489,7 @@ if (nodeMajorVersion < 20) {
 var __filename2 = fileURLToPath4(import.meta.url);
 var __dirname3 = dirname2(__filename2);
 var packageJson = JSON.parse(
-  readFileSync2(join5(__dirname3, "../package.json"), "utf-8")
+  readFileSync2(join6(__dirname3, "../package.json"), "utf-8")
 );
 var VERSION = packageJson.version;
 setupTabCompletion();