@wraps.dev/cli 2.7.0 → 2.8.0

package/dist/cli.js

@@ -831,6 +831,9 @@ function sanitizeErrorMessage(error) {
     /arn:aws:[^:]+:[^:]*:\d{12}:/g,
     "arn:aws:[SERVICE]:[REGION]:[ACCOUNT_ID]:"
   );
+  if (message.length > 500) {
+    message = `${message.slice(0, 500)}...`;
+  }
   return message;
 }
 function handleCLIError(error, command) {
@@ -2038,14 +2041,17 @@ __export(prompts_exports, {
   promptDNSManagement: () => promptDNSManagement,
   promptDNSProvider: () => promptDNSProvider,
   promptDomain: () => promptDomain,
+  promptDomainPurpose: () => promptDomainPurpose,
   promptEmailArchiving: () => promptEmailArchiving,
   promptEstimatedVolume: () => promptEstimatedVolume,
   promptFeatureSelection: () => promptFeatureSelection,
   promptInboundSubdomain: () => promptInboundSubdomain,
   promptIntegrationLevel: () => promptIntegrationLevel,
+  promptMailFromSubdomain: () => promptMailFromSubdomain,
   promptProvider: () => promptProvider,
   promptRegion: () => promptRegion,
   promptSelectIdentities: () => promptSelectIdentities,
+  promptSubdomainSuggestions: () => promptSubdomainSuggestions,
   promptVercelConfig: () => promptVercelConfig,
   promptWebhookUrl: () => promptWebhookUrl
 });
@@ -2870,6 +2876,112 @@ async function promptContinueManualDNS() {
   }
   return continueManual;
 }
+async function promptSubdomainSuggestions(primaryDomain) {
+  clack3.log.info(
+    pc4.dim(
+      "Using subdomains isolates sender reputation \u2014 a bounce spike on marketing won't affect transactional mail."
+    )
+  );
+  const choice = await clack3.select({
+    message: `Add a subdomain of ${pc4.cyan(primaryDomain)}?`,
+    options: [
+      {
+        value: `mail.${primaryDomain}`,
+        label: `mail.${primaryDomain}`,
+        hint: "Transactional emails"
+      },
+      {
+        value: `news.${primaryDomain}`,
+        label: `news.${primaryDomain}`,
+        hint: "Newsletters & marketing"
+      },
+      {
+        value: `notify.${primaryDomain}`,
+        label: `notify.${primaryDomain}`,
+        hint: "Notifications & alerts"
+      },
+      {
+        value: "__custom__",
+        label: "Enter a custom domain",
+        hint: "Any domain or subdomain"
+      }
+    ]
+  });
+  if (clack3.isCancel(choice)) {
+    clack3.cancel("Operation cancelled.");
+    process.exit(0);
+  }
+  if (choice === "__custom__") {
+    const custom = await clack3.text({
+      message: "Domain to add:",
+      placeholder: `billing.${primaryDomain}`,
+      validate: (value) => {
+        if (!value?.includes(".")) {
+          return "Please enter a valid domain (e.g., billing.myapp.com)";
+        }
+        return;
+      }
+    });
+    if (clack3.isCancel(custom)) {
+      clack3.cancel("Operation cancelled.");
+      process.exit(0);
+    }
+    return custom;
+  }
+  return choice;
+}
+async function promptDomainPurpose() {
+  const purpose = await clack3.select({
+    message: "What will this domain be used for?",
+    options: [
+      {
+        value: "transactional",
+        label: "Transactional",
+        hint: "Password resets, receipts, confirmations"
+      },
+      {
+        value: "marketing",
+        label: "Marketing",
+        hint: "Newsletters, promotions, campaigns"
+      },
+      {
+        value: "notifications",
+        label: "Notifications",
+        hint: "Alerts, digests, system updates"
+      },
+      {
+        value: "other",
+        label: "Other",
+        hint: "General purpose"
+      }
+    ]
+  });
+  if (clack3.isCancel(purpose)) {
+    clack3.cancel("Operation cancelled.");
+    process.exit(0);
+  }
+  return purpose;
+}
+async function promptMailFromSubdomain(domain) {
+  const subdomain = await clack3.text({
+    message: `MAIL FROM subdomain for ${pc4.cyan(domain)}:`,
+    placeholder: "mail",
+    defaultValue: "mail",
+    validate: (value) => {
+      const v = value || "mail";
+      if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/i.test(v)) {
+        return "Invalid subdomain format";
+      }
+      return;
+    }
+  });
+  if (clack3.isCancel(subdomain)) {
+    clack3.cancel("Operation cancelled.");
+    process.exit(0);
+  }
+  const sub = subdomain || "mail";
+  return `${sub}.${domain}`;
+}
 var DNS_CATEGORY_LABELS, DNS_STATUS_SYMBOLS;
 var init_prompts = __esm({
   "src/utils/shared/prompts.ts"() {
@@ -3708,6 +3820,7 @@ var init_fs = __esm({
 // src/utils/shared/metadata.ts
 var metadata_exports = {};
 __export(metadata_exports, {
+  addDomainToMetadata: () => addDomainToMetadata,
   addServiceToConnection: () => addServiceToConnection,
   applyConfigUpdates: () => applyConfigUpdates,
   buildEmailStackConfig: () => buildEmailStackConfig,
@@ -3717,10 +3830,13 @@ __export(metadata_exports, {
   findConnectionsForAccount: () => findConnectionsForAccount,
   findConnectionsWithService: () => findConnectionsWithService,
   generateWebhookSecret: () => generateWebhookSecret,
+  getAllTrackedDomains: () => getAllTrackedDomains,
   getConfiguredServices: () => getConfiguredServices,
+  getDomainFromMetadata: () => getDomainFromMetadata,
   hasService: () => hasService,
   listConnections: () => listConnections,
   loadConnectionMetadata: () => loadConnectionMetadata,
+  removeDomainFromMetadata: () => removeDomainFromMetadata,
   removeServiceFromConnection: () => removeServiceFromConnection,
   saveConnectionMetadata: () => saveConnectionMetadata,
   updateEmailConfig: () => updateEmailConfig,
@@ -4110,6 +4226,74 @@ function buildEmailStackConfig(metadata, region, overrides) {
 function generateWebhookSecret() {
   return randomBytes(32).toString("hex");
 }
+function addDomainToMetadata(metadata, entry) {
+  if (!metadata.services.email) {
+    throw new Error("Email service not configured in metadata");
+  }
+  const config2 = metadata.services.email.config;
+  const existing = config2.additionalDomains ?? [];
+  const idx = existing.findIndex((d) => d.domain === entry.domain);
+  if (idx >= 0) {
+    existing[idx] = entry;
+  } else {
+    existing.push(entry);
+  }
+  config2.additionalDomains = existing;
+  metadata.timestamp = (/* @__PURE__ */ new Date()).toISOString();
+}
+function removeDomainFromMetadata(metadata, domain) {
+  if (!metadata.services.email) {
+    return;
+  }
+  const config2 = metadata.services.email.config;
+  if (!config2.additionalDomains) {
+    return;
+  }
+  config2.additionalDomains = config2.additionalDomains.filter(
+    (d) => d.domain !== domain
+  );
+  metadata.timestamp = (/* @__PURE__ */ new Date()).toISOString();
+}
+function getDomainFromMetadata(metadata, domain) {
+  if (!metadata.services.email) {
+    return null;
+  }
+  const config2 = metadata.services.email.config;
+  if (config2.domain === domain) {
+    return { isPrimary: true };
+  }
+  const entry = config2.additionalDomains?.find((d) => d.domain === domain);
+  if (entry) {
+    return { isPrimary: false, entry };
+  }
+  return null;
+}
+function getAllTrackedDomains(metadata) {
+  if (!metadata.services.email) {
+    return [];
+  }
+  const config2 = metadata.services.email.config;
+  const result = [];
+  if (config2.domain) {
+    result.push({
+      domain: config2.domain,
+      isPrimary: true,
+      managed: true,
+      mailFromDomain: config2.mailFromDomain
+    });
+  }
+  for (const d of config2.additionalDomains ?? []) {
+    result.push({
+      domain: d.domain,
+      isPrimary: false,
+      managed: true,
+      purpose: d.purpose,
+      mailFromDomain: d.mailFromDomain,
+      addedAt: d.addedAt
+    });
+  }
+  return result;
+}
 var init_metadata = __esm({
   "src/utils/shared/metadata.ts"() {
     "use strict";
@@ -7804,10 +7988,22 @@ function displayStatus(status2) {
     `${pc6.bold("Region:")} ${pc6.cyan(status2.region)}`
   ];
   if (status2.domains.length > 0) {
+    const PURPOSE_DISPLAY = {
+      transactional: "Transactional",
+      marketing: "Marketing",
+      notifications: "Notifications",
+      other: "General"
+    };
     const domainStrings = status2.domains.map((d) => {
       const statusIcon = d.status === "verified" ? "\u2713" : d.status === "pending" ? "\u23F1" : "\u2717";
       const statusColor = d.status === "verified" ? pc6.green : d.status === "pending" ? pc6.yellow : pc6.red;
-      let domainLine = `    ${d.domain} ${statusColor(`${statusIcon} ${d.status}`)}`;
+      let label = "";
+      if (d.isPrimary) {
+        label = pc6.dim(" (Primary)");
+      } else if (d.managed && d.purpose) {
+        label = pc6.dim(` (${PURPOSE_DISPLAY[d.purpose] || d.purpose})`);
+      }
+      let domainLine = `    ${d.domain}${label} ${statusColor(`${statusIcon} ${d.status}`)}`;
       if (d.mailFromDomain) {
         const mailFromStatusIcon = d.mailFromStatus === "SUCCESS" ? "\u2713" : "\u23F1";
         const mailFromColor = d.mailFromStatus === "SUCCESS" ? pc6.green : pc6.yellow;
@@ -16058,11 +16254,14 @@ Run ${pc16.cyan("wraps email init")} to deploy infrastructure again.
 init_esm_shims();
 init_client();
 init_events();
+init_dns();
 init_aws();
+init_metadata();
 import { Resolver as Resolver2 } from "dns/promises";
 import { GetEmailIdentityCommand as GetEmailIdentityCommand2, SESv2Client as SESv2Client3 } from "@aws-sdk/client-sesv2";
 import * as clack16 from "@clack/prompts";
 import pc17 from "picocolors";
+init_prompts();
 async function verifyDomain(options) {
   clack16.intro(pc17.bold(`Verifying ${options.domain}`));
   const progress = new DeploymentProgress();
@@ -16255,20 +16454,74 @@ Run ${pc17.cyan("wraps email status")} to see the correct DNS records.
   });
 }
 async function addDomain(options) {
-  clack16.intro(pc17.bold(`Adding domain ${options.domain} to SES`));
+  clack16.intro(pc17.bold("Add Email Domain"));
   const progress = new DeploymentProgress();
-  const region = await getAWSRegion();
-  const sesClient = new SESv2Client3({ region });
   try {
+    const identity = await progress.execute(
+      "Validating AWS credentials",
+      async () => validateAWSCredentials()
+    );
+    let region = options.region || await getAWSRegion();
+    const emailConnections = await findConnectionsWithService(
+      identity.accountId,
+      "email"
+    );
+    if (emailConnections.length === 0) {
+      progress.stop();
+      clack16.log.error("No email infrastructure found");
+      console.log(
+        `
+Run ${pc17.cyan("wraps email init")} first to deploy email infrastructure.
+`
+      );
+      process.exit(1);
+      return;
+    }
+    if (emailConnections.length === 1) {
+      region = emailConnections[0].region;
+    }
+    const metadata = await loadConnectionMetadata(identity.accountId, region);
+    if (!metadata?.services.email) {
+      progress.stop();
+      clack16.log.error(`No email service found in ${region}`);
+      process.exit(1);
+      return;
+    }
+    const primaryDomain = metadata.services.email.config.domain;
+    let domain = options.domain;
+    if (!domain) {
+      progress.stop();
+      if (primaryDomain) {
+        domain = await promptSubdomainSuggestions(primaryDomain);
+      } else {
+        const entered = await clack16.text({
+          message: "Domain to add:",
+          placeholder: "myapp.com",
+          validate: (value) => {
+            if (!value?.includes(".")) {
+              return "Please enter a valid domain (e.g., myapp.com)";
+            }
+            return;
+          }
+        });
+        if (clack16.isCancel(entered)) {
+          clack16.cancel("Operation cancelled.");
+          process.exit(0);
+        }
+        domain = entered;
+      }
+    }
+    clack16.log.step(`Adding ${pc17.cyan(domain)}`);
+    const sesClient = new SESv2Client3({ region });
     try {
       await sesClient.send(
-        new GetEmailIdentityCommand2({ EmailIdentity: options.domain })
+        new GetEmailIdentityCommand2({ EmailIdentity: domain })
       );
       progress.stop();
-      clack16.log.warn(`Domain ${options.domain} already exists in SES`);
+      clack16.log.warn(`Domain ${domain} already exists in SES`);
       console.log(
         `
-Run ${pc17.cyan(`wraps email domains verify --domain ${options.domain}`)} to check verification status.
+Run ${pc17.cyan(`wraps email domains verify --domain ${domain}`)} to check verification status.
 `
       );
       return;
@@ -16277,51 +16530,168 @@ Run ${pc17.cyan(`wraps email domains verify --domain ${options.domain}`)} to che
         throw error;
       }
     }
+    let purpose = "other";
+    if (!options.yes) {
+      purpose = await promptDomainPurpose();
+    }
     const { CreateEmailIdentityCommand } = await import("@aws-sdk/client-sesv2");
-    await progress.execute("Adding domain to SES", async () => {
+    await progress.execute("Creating SES identity", async () => {
       await sesClient.send(
         new CreateEmailIdentityCommand({
-          EmailIdentity: options.domain,
+          EmailIdentity: domain,
+          ConfigurationSetName: "wraps-email-tracking",
           DkimSigningAttributes: {
             NextSigningKeyLength: "RSA_2048_BIT"
           }
         })
       );
     });
-    const identity = await sesClient.send(
-      new GetEmailIdentityCommand2({ EmailIdentity: options.domain })
+    const sesIdentity = await sesClient.send(
+      new GetEmailIdentityCommand2({ EmailIdentity: domain })
     );
-    const dkimTokens = identity.DkimAttributes?.Tokens || [];
+    const dkimTokens = sesIdentity.DkimAttributes?.Tokens || [];
+    let mailFromDomain;
+    if (options.yes) {
+      mailFromDomain = `mail.${domain}`;
+    } else {
+      const wantsMailFrom = await clack16.confirm({
+        message: `Configure MAIL FROM for ${pc17.cyan(domain)}? ${pc17.dim("(improves DMARC alignment)")}`,
+        initialValue: true
+      });
+      if (clack16.isCancel(wantsMailFrom)) {
+        clack16.cancel("Operation cancelled.");
+        process.exit(0);
+      }
+      if (wantsMailFrom) {
+        mailFromDomain = await promptMailFromSubdomain(domain);
+      }
+    }
+    if (mailFromDomain) {
+      const { PutEmailIdentityMailFromAttributesCommand } = await import("@aws-sdk/client-sesv2");
+      await progress.execute("Setting up MAIL FROM", async () => {
+        await sesClient.send(
+          new PutEmailIdentityMailFromAttributesCommand({
+            EmailIdentity: domain,
+            MailFromDomain: mailFromDomain,
+            BehaviorOnMxFailure: "USE_DEFAULT_VALUE"
+          })
+        );
+      });
+    }
+    const cachedDnsProvider = metadata.services.email.dnsProvider;
+    let dnsAutoCreated = false;
+    const domainParts = domain.split(".");
+    const rootDomain = domainParts.length > 2 ? domainParts.slice(-2).join(".") : domain;
+    if (!options.yes || cachedDnsProvider) {
+      let dnsProvider = cachedDnsProvider;
+      if (!dnsProvider) {
+        progress.stop();
+        const availableProviders = await detectAvailableDNSProviders(
+          rootDomain,
+          region
+        );
+        dnsProvider = await promptDNSProvider(rootDomain, availableProviders);
+      }
+      if (dnsProvider && dnsProvider !== "manual") {
+        const credResult = await getDNSCredentials(
+          dnsProvider,
+          rootDomain,
+          region
+        );
+        if (credResult.valid && credResult.credentials) {
+          const dnsData = {
+            domain,
+            dkimTokens,
+            mailFromDomain,
+            region
+          };
+          const result = await progress.execute(
+            `Creating DNS records via ${getDNSProviderDisplayName(dnsProvider)}`,
+            async () => createDNSRecordsForProvider(credResult.credentials, dnsData)
+          );
+          if (result.success && result.recordsCreated > 0) {
+            dnsAutoCreated = true;
+            clack16.log.success(
+              `${result.recordsCreated} DNS records created via ${getDNSProviderDisplayName(dnsProvider)}`
+            );
+          } else if (!result.success) {
+            clack16.log.warn(
+              `DNS auto-creation failed: ${result.errors?.join(", ") || "unknown error"}`
+            );
+          }
+          if (!metadata.services.email.dnsProvider) {
+            metadata.services.email.dnsProvider = dnsProvider;
+          }
+        } else {
+          clack16.log.warn(`DNS credentials not available: ${credResult.error}`);
+        }
+      }
+    }
+    if (!dnsAutoCreated) {
+      const dnsRecords = buildEmailDNSRecords({
+        domain,
+        dkimTokens,
+        mailFromDomain,
+        region
+      });
+      const displayRecords = formatDNSRecordsForDisplay(dnsRecords);
+      progress.stop();
+      console.log();
+      clack16.log.info(pc17.bold("Add these DNS records:"));
+      console.log();
+      for (const record of displayRecords) {
+        console.log(`  ${pc17.cyan(record.name)}`);
+        console.log(
+          `    ${pc17.dim("Type:")} ${record.type}  ${pc17.dim("Value:")} ${record.value}`
+        );
+        console.log();
+      }
+    }
+    const entry = {
+      domain,
+      mailFromDomain,
+      purpose,
+      addedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    addDomainToMetadata(metadata, entry);
+    await saveConnectionMetadata(metadata);
     progress.stop();
-    clack16.outro(pc17.green(`\u2713 Domain ${options.domain} added successfully!`));
-    console.log(`
-${pc17.bold("Next steps:")}
-`);
-    console.log("1. Add the following DKIM records to your DNS:\n");
-    for (const token of dkimTokens) {
-      console.log(`   ${pc17.cyan(`${token}._domainkey.${options.domain}`)}`);
+    clack16.outro(pc17.green(`\u2713 Domain ${domain} added successfully!`));
+    if (dnsAutoCreated) {
       console.log(
-        `   ${pc17.dim("Type:")} CNAME  ${pc17.dim("Value:")} ${token}.dkim.amazonses.com
-`
+        `
+${pc17.dim("DNS records were created automatically. Verification should complete within a few minutes.")}`
       );
     }
+    console.log(`
+${pc17.bold("Next steps:")}`);
     console.log(
-      `2. Verify DNS propagation: ${pc17.cyan(`wraps email domains verify --domain ${options.domain}`)}`
+      `  Verify: ${pc17.cyan(`wraps email domains verify --domain ${domain}`)}`
     );
-    console.log(`3. Check status: ${pc17.cyan("wraps email status")}
+    console.log(`  Status: ${pc17.cyan("wraps email status")}
 `);
     trackCommand("email:domains:add", {
-      success: true
+      success: true,
+      dns_auto_created: dnsAutoCreated,
+      has_mail_from: !!mailFromDomain,
+      purpose
+    });
+    trackFeature("domain_added", {
+      purpose,
+      subdomain: domain !== primaryDomain
     });
-    trackFeature("domain_added", {});
   } catch (error) {
     progress.stop();
-    trackCommand("email:domains:add", {
-      success: false
-    });
+    trackCommand("email:domains:add", { success: false });
     throw error;
   }
 }
+var PURPOSE_LABELS = {
+  transactional: "Transactional",
+  marketing: "Marketing",
+  notifications: "Notifications",
+  other: "General"
+};
 async function listDomains() {
   clack16.intro(pc17.bold("SES Email Domains"));
   const progress = new DeploymentProgress();
@@ -16338,21 +16708,34 @@ async function listDomains() {
         return response.EmailIdentities || [];
       }
     );
-    const domains = identities.filter(
+    const sesDomains = identities.filter(
       (identity) => identity.IdentityType === "DOMAIN" || identity.IdentityName && !identity.IdentityName.includes("@")
     );
+    let trackedDomains = [];
+    try {
+      const awsIdentity = await validateAWSCredentials();
+      const metadata = await loadConnectionMetadata(
+        awsIdentity.accountId,
+        region
+      );
+      if (metadata) {
+        trackedDomains = getAllTrackedDomains(metadata);
+      }
+    } catch {
+    }
+    const trackedSet = new Map(trackedDomains.map((d) => [d.domain, d]));
     progress.stop();
-    if (domains.length === 0) {
+    if (sesDomains.length === 0) {
       clack16.outro("No domains found in SES");
       console.log(
         `
-Run ${pc17.cyan("wraps email domains add <domain>")} to add a domain.
+Run ${pc17.cyan("wraps email domains add")} to add a domain.
 `
       );
       return;
     }
     const domainDetails = await Promise.all(
-      domains.map(async (domain) => {
+      sesDomains.map(async (domain) => {
         try {
           const details = await sesClient.send(
             new GetEmailIdentityCommand2({
@@ -16373,15 +16756,26 @@ Run ${pc17.cyan("wraps email domains add <domain>")} to add a domain.
         }
       })
     );
-    const domainLines = domainDetails.map((domain) => {
-      const statusIcon = domain.verified ? pc17.green("\u2713") : pc17.yellow("\u23F1");
-      const dkimIcon = domain.dkimStatus === "SUCCESS" ? pc17.green("\u2713") : pc17.yellow("\u23F1");
-      return `  ${statusIcon} ${pc17.bold(domain.name)}  DKIM: ${dkimIcon} ${domain.dkimStatus}`;
-    });
-    clack16.note(
-      domainLines.join("\n"),
-      `${domains.length} domain(s) in ${region}`
-    );
+    const managed = domainDetails.filter((d) => trackedSet.has(d.name));
+    const unmanaged = domainDetails.filter((d) => !trackedSet.has(d.name));
+    if (managed.length > 0) {
+      const managedLines = managed.map((d) => {
+        const tracked = trackedSet.get(d.name);
+        const statusIcon = d.verified ? pc17.green("\u2713") : pc17.yellow("\u23F1");
+        const dkimIcon = d.dkimStatus === "SUCCESS" ? pc17.green("\u2713 SUCCESS") : pc17.yellow(`\u23F1 ${d.dkimStatus}`);
+        const label = tracked.isPrimary ? pc17.dim("Primary") : pc17.dim(PURPOSE_LABELS[tracked.purpose || "other"] || "General");
+        return `  ${statusIcon} ${pc17.bold(d.name.padEnd(30))} ${label.padEnd(24)} DKIM: ${dkimIcon}`;
+      });
+      clack16.note(managedLines.join("\n"), "Managed by Wraps");
+    }
+    if (unmanaged.length > 0) {
+      const unmanagedLines = unmanaged.map((d) => {
+        const statusIcon = d.verified ? pc17.green("\u2713") : pc17.yellow("\u23F1");
+        const dkimIcon = d.dkimStatus === "SUCCESS" ? pc17.green("\u2713 SUCCESS") : pc17.yellow(`\u23F1 ${d.dkimStatus}`);
+        return `  ${statusIcon} ${pc17.bold(d.name.padEnd(30))} ${pc17.dim("".padEnd(16))} DKIM: ${dkimIcon}`;
+      });
+      clack16.note(unmanagedLines.join("\n"), "Other SES domains");
+    }
     clack16.outro(
       pc17.dim(
         `Run ${pc17.cyan("wraps email domains verify --domain <domain>")} for details`
@@ -16389,7 +16783,8 @@ Run ${pc17.cyan("wraps email domains add <domain>")} to add a domain.
     );
     trackCommand("email:domains:list", {
       success: true,
-      domain_count: domains.length
+      domain_count: sesDomains.length,
+      managed_count: managed.length
     });
     getTelemetryClient().showFooterOnce();
   } catch (error) {
@@ -16468,6 +16863,31 @@ async function removeDomain(options) {
         new GetEmailIdentityCommand2({ EmailIdentity: options.domain })
       );
     });
+    let metadata = null;
+    try {
+      const awsIdentity = await validateAWSCredentials();
+      metadata = await loadConnectionMetadata(awsIdentity.accountId, region);
+    } catch {
+    }
+    if (metadata) {
+      const domainInfo = getDomainFromMetadata(metadata, options.domain);
+      if (domainInfo?.isPrimary && !options.force) {
+        progress.stop();
+        clack16.log.error(
+          `${options.domain} is the primary domain (managed by Pulumi).`
+        );
+        console.log(
+          `
+Use ${pc17.cyan(`wraps email domains remove --domain ${options.domain} --force`)} to remove it,`
+        );
+        console.log(
+          `or ${pc17.cyan("wraps email destroy")} to remove all email infrastructure.
+`
+        );
+        process.exit(1);
+        return;
+      }
+    }
     progress.stop();
     if (!options.force) {
       const shouldContinue = await clack16.confirm({
@@ -16487,6 +16907,10 @@ async function removeDomain(options) {
         })
       );
     });
+    if (metadata) {
+      removeDomainFromMetadata(metadata, options.domain);
+      await saveConnectionMetadata(metadata);
+    }
     progress.stop();
     clack16.outro(pc17.green(`\u2713 Domain ${options.domain} removed successfully`));
     trackCommand("email:domains:remove", {
@@ -18158,18 +18582,25 @@ Run ${pc21.cyan("wraps email init")} to deploy email infrastructure.
   const domains = await listSESDomains(region);
   const { SESv2Client: SESv2Client6, GetEmailIdentityCommand: GetEmailIdentityCommand5 } = await import("@aws-sdk/client-sesv2");
   const sesv2Client = new SESv2Client6({ region });
+  const metadata = await loadConnectionMetadata(identity.accountId, region);
+  const trackedDomains = metadata ? getAllTrackedDomains(metadata) : [];
+  const trackedMap = new Map(trackedDomains.map((d) => [d.domain, d]));
   const domainsWithTokens = await Promise.all(
     domains.map(async (d) => {
+      const tracked = trackedMap.get(d.domain);
       try {
-        const identity2 = await sesv2Client.send(
+        const sesIdentity = await sesv2Client.send(
           new GetEmailIdentityCommand5({ EmailIdentity: d.domain })
         );
         return {
           domain: d.domain,
           status: d.verified ? "verified" : "pending",
-          dkimTokens: identity2.DkimAttributes?.Tokens || [],
-          mailFromDomain: identity2.MailFromAttributes?.MailFromDomain,
-          mailFromStatus: identity2.MailFromAttributes?.MailFromDomainStatus
+          dkimTokens: sesIdentity.DkimAttributes?.Tokens || [],
+          mailFromDomain: sesIdentity.MailFromAttributes?.MailFromDomain,
+          mailFromStatus: sesIdentity.MailFromAttributes?.MailFromDomainStatus,
+          managed: tracked?.managed,
+          isPrimary: tracked?.isPrimary,
+          purpose: tracked?.purpose
         };
       } catch (_error) {
         return {
@@ -18177,7 +18608,10 @@ Run ${pc21.cyan("wraps email init")} to deploy email infrastructure.
           status: d.verified ? "verified" : "pending",
           dkimTokens: void 0,
           mailFromDomain: void 0,
-          mailFromStatus: void 0
+          mailFromStatus: void 0,
+          managed: tracked?.managed,
+          isPrimary: tracked?.isPrimary,
+          purpose: tracked?.purpose
         };
       }
     })
@@ -20861,6 +21295,7 @@ ${pc27.bold("Updated Permissions:")}`);
     `  ${pc27.green("\u2713")} SES metrics and identity verification (always enabled)`
   );
   console.log(`  ${pc27.green("\u2713")} SES template management (always enabled)`);
+  console.log(`  ${pc27.green("\u2713")} Inbound bucket detection (always enabled)`);
   if (sendingEnabled) {
     console.log(`  ${pc27.green("\u2713")} Email sending via SES`);
   }
@@ -20875,6 +21310,10 @@ ${pc27.bold("Updated Permissions:")}`);
   if (emailArchiving?.enabled) {
     console.log(`  ${pc27.green("\u2713")} Mail Manager Archive access`);
   }
+  const inbound = emailConfig?.inbound;
+  if (inbound?.enabled) {
+    console.log(`  ${pc27.green("\u2713")} S3 access for inbound email`);
+  }
   if (smsEnabled) {
     console.log(`
   ${pc27.bold(pc27.cyan("SMS:"))}`);
@@ -20914,10 +21353,17 @@ function buildConsolePolicyDocument2(emailConfig, smsConfig) {
       "ses:GetConfigurationSet",
       "ses:GetConfigurationSetEventDestinations",
       "cloudwatch:GetMetricData",
-      "cloudwatch:GetMetricStatistics"
+      "cloudwatch:GetMetricStatistics",
+      // SES dedicated IP scanning
+      "ses:GetDedicatedIps"
     ],
     Resource: "*"
   });
+  statements.push({
+    Effect: "Allow",
+    Action: ["s3:HeadBucket"],
+    Resource: "arn:aws:s3:::wraps-inbound-*"
+  });
   statements.push({
     Effect: "Allow",
     Action: [
@@ -20999,6 +21445,22 @@ function buildConsolePolicyDocument2(emailConfig, smsConfig) {
       Resource: "arn:aws:ses:*:*:mailmanager-archive/*"
     });
   }
+  const inbound = emailConfig?.inbound;
+  if (inbound?.enabled) {
+    statements.push({
+      Effect: "Allow",
+      Action: [
+        "s3:HeadBucket",
+        "s3:ListBucket",
+        "s3:GetObject",
+        "s3:GetObjectTagging"
+      ],
+      Resource: [
+        "arn:aws:s3:::wraps-inbound-*",
+        "arn:aws:s3:::wraps-inbound-*/*"
+      ]
+    });
+  }
   if (smsConfig) {
     statements.push({
       Effect: "Allow",
@@ -27942,10 +28404,8 @@ function printCompletionScript() {
   console.log("#   wraps console [--port <port>] [--no-open]");
   console.log("#   wraps completion");
   console.log("#   wraps telemetry [enable|disable|status]\n");
-  console.log("# Dashboard Commands:");
-  console.log(
-    "#   wraps dashboard update-role [--region <region>] [--force]\n"
-  );
+  console.log("# Platform Commands:");
+  console.log("#   wraps platform update-role [--region <region>] [--force]\n");
   console.log("# Flags:");
   console.log("#   -p, --provider  : vercel, aws, railway, other");
   console.log(
@@ -28532,16 +28992,11 @@ Available commands: ${pc41.cyan("init")}, ${pc41.cyan("destroy")}, ${pc41.cyan("
           const domainsSubCommand = args.sub[2];
           switch (domainsSubCommand) {
             case "add": {
-              if (!flags.domain) {
-                clack38.log.error("--domain flag is required");
-                console.log(
-                  `
-Usage: ${pc41.cyan("wraps email domains add --domain yourapp.com")}
-`
-                );
-                process.exit(1);
-              }
-              await addDomain({ domain: flags.domain });
+              await addDomain({
+                domain: flags.domain,
+                region: flags.region,
+                yes: flags.yes
+              });
               break;
             }
             case "list":