@agenticmail/api 0.2.26

package/dist/index.js

@@ -0,0 +1,3248 @@
+// src/index.ts
+import "dotenv/config";
+import { networkInterfaces } from "os";
+
+// src/app.ts
+import express from "express";
+import cors from "cors";
+import rateLimit from "express-rate-limit";
+import {
+  resolveConfig,
+  getDatabase,
+  StalwartAdmin,
+  AccountManager,
+  DomainManager,
+  GatewayManager as GatewayManager2
+} from "@agenticmail/core";
+
+// src/middleware/auth.ts
+import { createHash, timingSafeEqual } from "crypto";
+var lastActivityUpdate = /* @__PURE__ */ new Map();
+var ACTIVITY_THROTTLE_MS = 6e4;
+function touchActivity(db, agentId) {
+  const now = Date.now();
+  const last = lastActivityUpdate.get(agentId) ?? 0;
+  if (now - last > ACTIVITY_THROTTLE_MS) {
+    lastActivityUpdate.set(agentId, now);
+    try {
+      db.prepare("UPDATE agents SET last_activity_at = datetime('now') WHERE id = ?").run(agentId);
+    } catch {
+    }
+  }
+}
+function safeEqual(a, b) {
+  const ha = createHash("sha256").update(a).digest();
+  const hb = createHash("sha256").update(b).digest();
+  return timingSafeEqual(ha, hb);
+}
+function createAuthMiddleware(masterKey, accountManager, db) {
+  return async (req, res, next) => {
+    const authHeader = req.headers.authorization;
+    if (!authHeader?.startsWith("Bearer ")) {
+      res.status(401).json({ error: "Missing or invalid Authorization header" });
+      return;
+    }
+    const token = authHeader.slice(7);
+    if (!token) {
+      res.status(401).json({ error: "Invalid API key" });
+      return;
+    }
+    if (masterKey && safeEqual(token, masterKey)) {
+      req.isMaster = true;
+      next();
+      return;
+    }
+    try {
+      const agent = await accountManager.getByApiKey(token);
+      if (agent) {
+        req.agent = agent;
+        if (db) {
+          touchActivity(db, agent.id);
+        }
+        next();
+        return;
+      }
+    } catch (err) {
+      next(err);
+      return;
+    }
+    res.status(401).json({ error: "Invalid API key" });
+  };
+}
+function requireMaster(req, res, next) {
+  if (!req.isMaster) {
+    res.status(403).json({ error: "Master API key required" });
+    return;
+  }
+  next();
+}
+function requireAuth(req, res, next) {
+  if (!req.agent && !req.isMaster) {
+    res.status(403).json({ error: "Authentication required" });
+    return;
+  }
+  next();
+}
+function requireAgent(req, res, next) {
+  if (!req.agent) {
+    res.status(403).json({ error: "Agent API key required (master key alone is not sufficient)" });
+    return;
+  }
+  next();
+}
+
+// src/middleware/error-handler.ts
+function errorHandler(err, req, res, _next) {
+  const message = err instanceof Error ? err.message : String(err);
+  console.error(`[ERROR] ${req.method} ${req.path}:`, err instanceof Error ? err.stack || message : message);
+  if (res.headersSent) return;
+  if (err instanceof SyntaxError && err.status === 400) {
+    res.status(400).json({ error: "Invalid JSON in request body" });
+    return;
+  }
+  if (typeof err.statusCode === "number") {
+    res.status(err.statusCode).json({ error: message });
+    return;
+  }
+  const lowerMsg = message.toLowerCase();
+  if (lowerMsg.includes("not found") && !lowerMsg.includes("not found a")) {
+    res.status(404).json({ error: message });
+    return;
+  }
+  if (lowerMsg.includes("already exists") || lowerMsg.includes("unique constraint")) {
+    res.status(409).json({ error: "Resource already exists" });
+    return;
+  }
+  if (lowerMsg.includes("invalid") || lowerMsg.includes("required") || lowerMsg.includes("must ")) {
+    res.status(400).json({ error: message });
+    return;
+  }
+  res.status(500).json({ error: "Internal server error" });
+}
+
+// src/routes/health.ts
+import { Router } from "express";
+var ABOUT = {
+  name: "\u{1F380} AgenticMail",
+  version: "0.2.26",
+  description: "\u{1F380} AgenticMail \u2014 Email infrastructure for AI agents. Send, receive, coordinate, and automate email with full DKIM/SPF/DMARC authentication.",
+  author: {
+    name: "Ope Olatunji",
+    github: "https://github.com/agenticmail/agenticmail"
+  },
+  license: "MIT",
+  repository: "https://github.com/agenticmail/agenticmail",
+  contributing: "Contributions and feature requests welcome! Visit the GitHub repo to open issues, suggest features, or submit pull requests.",
+  tools: 54,
+  features: {
+    email: {
+      summary: "Full email lifecycle \u2014 send, receive, reply, forward, search, batch operations",
+      highlights: [
+        "DKIM/SPF/DMARC authentication out of the box",
+        "Custom domain support via Cloudflare (agent@yourdomain.com)",
+        "Gmail/Outlook relay mode for quick setup",
+        "Batch operations for token-efficient bulk processing",
+        "Server-side rules for auto-triage before the agent even sees the email"
+      ]
+    },
+    coordination: {
+      summary: "Structured multi-agent coordination that replaces fire-and-forget session spawning",
+      highlights: [
+        "Task queue with assign \u2192 claim \u2192 submit lifecycle (persistent, survives crashes)",
+        "Synchronous RPC \u2014 call another agent and wait for structured results",
+        "Push notifications via SSE \u2014 no wasted polling cycles",
+        "Agent discovery \u2014 agents find each other by name and role",
+        "Email threading \u2014 agents naturally build conversation history"
+      ],
+      comparison: {
+        without_agenticmail: {
+          method: "sessions_spawn + sessions_send + sessions_history",
+          problems: [
+            "No persistence \u2014 if a sub-agent crashes, all context is lost",
+            "No structured results \u2014 just text messages, no schemas or status tracking",
+            "No task lifecycle \u2014 no way to know if a task was claimed, in progress, or completed",
+            "No agent discovery \u2014 agents cannot find or learn about each other",
+            "Polling required \u2014 must repeatedly check sessions_history to see if work is done",
+            "No async handoff \u2014 parent must stay alive waiting for the child to finish"
+          ]
+        },
+        with_agenticmail: {
+          method: "assign_task \u2192 claim_task \u2192 submit_result (or call_agent for sync RPC)",
+          benefits: [
+            "Persistent task state \u2014 tasks survive agent crashes and restarts",
+            "Structured results \u2014 JSON payloads with status tracking (pending \u2192 claimed \u2192 completed)",
+            "Push-based \u2014 agents get notified instantly when tasks complete (SSE + email)",
+            "Agent discovery \u2014 list_agents shows all available agents by name and role",
+            "Async capable \u2014 assign a task and check results later, no blocking required",
+            "Audit trail \u2014 every coordination action is an email, naturally logged"
+          ]
+        }
+      }
+    },
+    security: {
+      summary: "Enterprise-grade email security for autonomous agents",
+      highlights: [
+        "Outbound PII/credential scanning (SSN, credit cards, API keys, passwords \u2014 including attachments)",
+        "Human-in-the-loop approval for blocked emails \u2014 owner gets notified, agent cannot self-approve",
+        "Inbound spam filtering with scoring (phishing, lottery scams, social engineering detection)",
+        "Agent cannot bypass security guardrails \u2014 architectural enforcement, not just prompt rules"
+      ]
+    }
+  },
+  impact: {
+    tokenSavings: {
+      estimate: "~60% fewer tokens on multi-agent coordination tasks",
+      explanation: 'Without \u{1F380} AgenticMail, agents poll sessions_history repeatedly to check if sub-agents finished \u2014 each poll costs 500-2000 tokens and most return "still working." With push notifications and structured task results, the coordinator gets notified exactly once when work completes. For a 5-agent team doing 10 tasks, that eliminates roughly 40-80 redundant polling calls.'
+    },
+    reliability: {
+      estimate: "Near-zero lost work from agent crashes",
+      explanation: "Session-based coordination loses all context when a sub-agent times out or crashes. \u{1F380} AgenticMail tasks persist in the database \u2014 a crashed agent can be restarted and pick up exactly where it left off. The task queue acts as a durable work ledger."
+    },
+    productivity: {
+      estimate: "3-5x more effective multi-agent workflows",
+      explanation: "Agents can discover teammates, delegate structured tasks, get push notifications on completion, and build on each other's results through email threads. This turns a collection of isolated agents into an actual coordinated team. The difference is like going from passing sticky notes under a door to having a proper project management system."
+    }
+  }
+};
+function createHealthRoutes(stalwart) {
+  const router = Router();
+  router.get("/health", async (_req, res) => {
+    try {
+      const stalwartOk = await stalwart.healthCheck();
+      res.status(stalwartOk ? 200 : 503).json({
+        status: stalwartOk ? "ok" : "degraded",
+        version: ABOUT.version,
+        services: {
+          api: "ok",
+          stalwart: stalwartOk ? "ok" : "unreachable"
+        },
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    } catch {
+      res.status(500).json({
+        status: "error",
+        version: ABOUT.version,
+        services: { api: "ok", stalwart: "unreachable" },
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  });
+  router.get("/about", (_req, res) => {
+    res.json(ABOUT);
+  });
+  return router;
+}
+
+// src/routes/accounts.ts
+import { Router as Router2 } from "express";
+import { AGENT_ROLES, AgentDeletionService } from "@agenticmail/core";
+function sanitizeAgent(agent) {
+  if (!agent) return agent;
+  const { metadata, ...rest } = agent;
+  if (metadata && typeof metadata === "object") {
+    const clean = {};
+    for (const [k, v] of Object.entries(metadata)) {
+      if (!k.startsWith("_")) clean[k] = v;
+    }
+    return { ...rest, metadata: clean };
+  }
+  return agent;
+}
+function createAccountRoutes(accountManager, db, config) {
+  const router = Router2();
+  const deletionService = new AgentDeletionService(db, accountManager, config);
+  router.post("/accounts", requireMaster, async (req, res, next) => {
+    try {
+      if (!req.body || typeof req.body !== "object") {
+        res.status(400).json({ error: "Request body must be JSON" });
+        return;
+      }
+      const { name: name2, domain, password, metadata, role, persistent } = req.body;
+      if (!name2 || typeof name2 !== "string") {
+        res.status(400).json({ error: "name is required and must be a string" });
+        return;
+      }
+      if (name2.length > 64) {
+        res.status(400).json({ error: "name must be 64 characters or fewer" });
+        return;
+      }
+      if (metadata !== void 0 && (typeof metadata !== "object" || Array.isArray(metadata) || metadata === null)) {
+        res.status(400).json({ error: "metadata must be an object" });
+        return;
+      }
+      if (password !== void 0 && typeof password !== "string") {
+        res.status(400).json({ error: "password must be a string" });
+        return;
+      }
+      if (role !== void 0 && !AGENT_ROLES.includes(role)) {
+        res.status(400).json({ error: `Invalid role. Must be one of: ${AGENT_ROLES.join(", ")}` });
+        return;
+      }
+      const cleanMeta = metadata ? Object.fromEntries(
+        Object.entries(metadata).filter(([k]) => !k.startsWith("_"))
+      ) : void 0;
+      const agent = await accountManager.create({ name: name2, domain, password: password || void 0, metadata: cleanMeta, role });
+      try {
+        db.prepare("UPDATE agents SET last_activity_at = datetime('now') WHERE id = ?").run(agent.id);
+      } catch {
+      }
+      const agentCount = db.prepare("SELECT COUNT(*) as cnt FROM agents").get()?.cnt ?? 0;
+      const shouldPersist = persistent || agentCount <= 1;
+      if (shouldPersist) {
+        try {
+          db.prepare("UPDATE agents SET persistent = 1 WHERE id = ?").run(agent.id);
+        } catch {
+        }
+      }
+      res.status(201).json(sanitizeAgent(agent));
+    } catch (err) {
+      const msg = err.message ?? "";
+      if (msg.includes("UNIQUE") || msg.includes("unique") || msg.includes("already exists") || msg.includes("duplicate")) {
+        res.status(409).json({ error: `Agent "${name}" already exists` });
+        return;
+      }
+      next(err);
+    }
+  });
+  router.get("/accounts", requireMaster, async (_req, res, next) => {
+    try {
+      const agents = await accountManager.list();
+      res.json({ agents: agents.map(sanitizeAgent) });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/accounts/directory", requireAuth, async (_req, res, next) => {
+    try {
+      const agents = await accountManager.list();
+      const directory = agents.map((a) => ({ name: a.name, email: a.email, role: a.role }));
+      res.json({ agents: directory });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/accounts/directory/:name", requireAuth, async (req, res, next) => {
+    try {
+      const agent = await accountManager.getByName(req.params.name);
+      if (!agent) {
+        res.status(404).json({ error: "Agent not found" });
+        return;
+      }
+      res.json({ name: agent.name, email: agent.email, role: agent.role });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/accounts/me", requireAgent, async (req, res) => {
+    if (req.agent) {
+      res.json(sanitizeAgent(req.agent));
+    } else {
+      res.status(404).json({ error: "Agent not found" });
+    }
+  });
+  router.get("/accounts/deletions", requireMaster, async (_req, res, next) => {
+    try {
+      const reports = deletionService.listReports();
+      res.json({ deletions: reports });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/accounts/deletions/:id", requireMaster, async (req, res, next) => {
+    try {
+      const report = deletionService.getReport(req.params.id);
+      if (!report) {
+        res.status(404).json({ error: "Deletion report not found" });
+        return;
+      }
+      res.json(report);
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/accounts/inactive", requireMaster, async (_req, res, next) => {
+    try {
+      const hours = Math.max(parseInt(_req.query.hours) || 24, 1);
+      const rows = db.prepare(
+        `SELECT id, name, email, role, last_activity_at, persistent, created_at FROM agents
+         WHERE persistent = 0 AND COALESCE(last_activity_at, created_at) < datetime('now', '-${hours} hours')
+         ORDER BY COALESCE(last_activity_at, created_at) ASC`
+      ).all();
+      res.json({ agents: rows, count: rows.length });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/accounts/cleanup", requireMaster, async (req, res, next) => {
+    try {
+      const hours = Math.max(parseInt(req.body?.hours) || 24, 1);
+      const dryRun = req.body?.dryRun === true;
+      const rows = db.prepare(
+        `SELECT id, name, email FROM agents
+         WHERE persistent = 0 AND COALESCE(last_activity_at, created_at) < datetime('now', '-${hours} hours')`
+      ).all();
+      if (dryRun) {
+        res.json({ wouldDelete: rows, count: rows.length, dryRun: true });
+        return;
+      }
+      const deleted = [];
+      for (const row of rows) {
+        try {
+          await accountManager.delete(row.id);
+          deleted.push(row.name);
+        } catch {
+        }
+      }
+      res.json({ deleted, count: deleted.length });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/accounts/:id", requireMaster, async (req, res, next) => {
+    try {
+      const agent = await accountManager.getById(req.params.id);
+      if (!agent) {
+        res.status(404).json({ error: "Agent not found" });
+        return;
+      }
+      res.json(sanitizeAgent(agent));
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.patch("/accounts/me", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const { metadata } = req.body || {};
+      if (!metadata || typeof metadata !== "object" || Array.isArray(metadata)) {
+        res.status(400).json({ error: "metadata must be an object" });
+        return;
+      }
+      const updated = await accountManager.updateMetadata(agent.id, metadata);
+      if (!updated) {
+        res.status(404).json({ error: "Agent not found" });
+        return;
+      }
+      res.json(sanitizeAgent(updated));
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.patch("/accounts/:id/persistent", requireMaster, async (req, res, next) => {
+    try {
+      const persistent = req.body?.persistent === true ? 1 : 0;
+      const result = db.prepare("UPDATE agents SET persistent = ? WHERE id = ?").run(persistent, req.params.id);
+      if (result.changes === 0) {
+        res.status(404).json({ error: "Agent not found" });
+        return;
+      }
+      res.json({ ok: true, persistent: persistent === 1 });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.delete("/accounts/:id", requireMaster, async (req, res, next) => {
+    try {
+      const allAgents = await accountManager.list();
+      if (allAgents.length <= 1) {
+        res.status(400).json({ error: "Cannot delete the last agent. At least one agent must remain." });
+        return;
+      }
+      const archive = req.query.archive !== "false";
+      const reason = req.query.reason || void 0;
+      const deletedBy = req.query.deletedBy || "api";
+      if (archive) {
+        const report = await deletionService.archiveAndDelete(req.params.id, { deletedBy, reason });
+        const { emails: _emails, ...summary } = report;
+        res.json(summary);
+      } else {
+        const deleted = await accountManager.delete(req.params.id);
+        if (!deleted) {
+          res.status(404).json({ error: "Agent not found" });
+          return;
+        }
+        res.status(204).send();
+      }
+    } catch (err) {
+      const msg = err.message ?? "";
+      if (msg.includes("not found")) {
+        res.status(404).json({ error: msg });
+        return;
+      }
+      next(err);
+    }
+  });
+  return router;
+}
+
+// src/routes/mail.ts
+import { Router as Router3 } from "express";
+import crypto from "crypto";
+import {
+  MailSender,
+  MailReceiver,
+  parseEmail,
+  scoreEmail,
+  sanitizeEmail,
+  isInternalEmail,
+  scanOutboundEmail
+} from "@agenticmail/core";
+var senderCache = /* @__PURE__ */ new Map();
+var receiverCache = /* @__PURE__ */ new Map();
+var receiverPending = /* @__PURE__ */ new Map();
+var CACHE_TTL_MS = 10 * 60 * 1e3;
+var MAX_CACHE_SIZE = 100;
+var draining = false;
+function getAgentPassword(agent) {
+  return agent.metadata?._password || agent.name;
+}
+var evictionTimer = null;
+function startEvictionTimer() {
+  if (evictionTimer) return;
+  evictionTimer = setInterval(evictStaleEntries, 6e4);
+}
+function evictStaleEntries() {
+  const now = Date.now();
+  for (const [key, entry] of senderCache) {
+    if (now - entry.createdAt > CACHE_TTL_MS) {
+      try {
+        entry.sender.close();
+      } catch {
+      }
+      senderCache.delete(key);
+    }
+  }
+  for (const [key, entry] of receiverCache) {
+    if (now - entry.createdAt > CACHE_TTL_MS) {
+      entry.receiver.disconnect().catch(() => {
+      });
+      receiverCache.delete(key);
+    }
+  }
+}
+function getSender(authUser, fromEmail, password, config) {
+  if (draining) throw new Error("Server is shutting down");
+  const cacheKey = `${authUser}:${fromEmail}`;
+  const cached = senderCache.get(cacheKey);
+  if (cached) return cached.sender;
+  if (senderCache.size >= MAX_CACHE_SIZE) {
+    const oldest = senderCache.keys().next().value;
+    if (oldest) {
+      try {
+        senderCache.get(oldest)?.sender.close();
+      } catch {
+      }
+      senderCache.delete(oldest);
+    }
+  }
+  const sender = new MailSender({
+    host: config.smtp.host,
+    port: config.smtp.port,
+    email: fromEmail,
+    password,
+    authUser
+  });
+  senderCache.set(cacheKey, { sender, createdAt: Date.now() });
+  startEvictionTimer();
+  return sender;
+}
+async function getReceiver(authUser, password, config) {
+  if (draining) throw new Error("Server is shutting down");
+  const cached = receiverCache.get(authUser);
+  if (cached) {
+    try {
+      const client = cached.receiver.getImapClient();
+      if (client.usable) return cached.receiver;
+    } catch {
+    }
+    try {
+      await cached.receiver.disconnect();
+    } catch {
+    }
+    receiverCache.delete(authUser);
+  }
+  const pending = receiverPending.get(authUser);
+  if (pending) return pending;
+  const promise = createReceiver(authUser, password, config);
+  receiverPending.set(authUser, promise);
+  try {
+    return await promise;
+  } finally {
+    receiverPending.delete(authUser);
+  }
+}
+async function createReceiver(authUser, password, config) {
+  if (receiverCache.size >= MAX_CACHE_SIZE) {
+    const oldest = receiverCache.keys().next().value;
+    if (oldest) {
+      receiverCache.get(oldest)?.receiver.disconnect().catch(() => {
+      });
+      receiverCache.delete(oldest);
+    }
+  }
+  const receiver = new MailReceiver({
+    host: config.imap.host,
+    port: config.imap.port,
+    email: authUser,
+    password
+  });
+  try {
+    await receiver.connect();
+  } catch (err) {
+    try {
+      await receiver.disconnect();
+    } catch {
+    }
+    throw err;
+  }
+  receiverCache.set(authUser, { receiver, createdAt: Date.now() });
+  startEvictionTimer();
+  return receiver;
+}
+async function closeCaches() {
+  draining = true;
+  if (evictionTimer) {
+    clearInterval(evictionTimer);
+    evictionTimer = null;
+  }
+  for (const [, entry] of senderCache) {
+    try {
+      entry.sender.close();
+    } catch {
+    }
+  }
+  senderCache.clear();
+  for (const [, entry] of receiverCache) {
+    try {
+      await entry.receiver.disconnect();
+    } catch {
+    }
+  }
+  receiverCache.clear();
+}
+function saveSentCopy(authUser, password, config, raw) {
+  (async () => {
+    try {
+      const receiver = await getReceiver(authUser, password, config);
+      await receiver.appendMessage(raw, "Sent Items", ["\\Seen"]);
+    } catch (err) {
+      console.warn(`[mail] Failed to save Sent copy for ${authUser}: ${err.message}`);
+    }
+  })();
+}
+function createMailRoutes(accountManager, config, db, gatewayManager) {
+  const router = Router3();
+  router.post("/mail/send", requireAgent, async (req, res, next) => {
+    try {
+      if (!req.body || typeof req.body !== "object") {
+        res.status(400).json({ error: "Request body must be JSON" });
+        return;
+      }
+      const agent = req.agent;
+      const { to, subject, text, html, cc, bcc, replyTo, inReplyTo, references, attachments, allowSensitive } = req.body;
+      if (!to || !subject) {
+        res.status(400).json({ error: "to and subject are required" });
+        return;
+      }
+      if (typeof to !== "string" && !Array.isArray(to)) {
+        res.status(400).json({ error: "to must be a string or array of strings" });
+        return;
+      }
+      let outboundWarnings;
+      let outboundSummary;
+      if (!(allowSensitive && req.isMaster)) {
+        const scanResult = scanOutboundEmail({
+          to: Array.isArray(to) ? to.join(", ") : to,
+          subject,
+          text,
+          html,
+          attachments: Array.isArray(attachments) ? attachments.map((a) => ({
+            filename: a.filename || "",
+            contentType: a.contentType,
+            content: a.content,
+            encoding: a.encoding
+          })) : void 0
+        });
+        if (scanResult.blocked) {
+          const pendingId = crypto.randomUUID();
+          const ownerName2 = agent.metadata?.ownerName;
+          const fromName2 = ownerName2 ? `${agent.name} from ${ownerName2}` : agent.name;
+          const mailOptions = { to, subject, text, html, cc, bcc, replyTo, inReplyTo, references, attachments, fromName: fromName2 };
+          db.prepare(
+            `INSERT INTO pending_outbound (id, agent_id, mail_options, warnings, summary) VALUES (?, ?, ?, ?, ?)`
+          ).run(pendingId, agent.id, JSON.stringify(mailOptions), JSON.stringify(scanResult.warnings), scanResult.summary);
+          if (gatewayManager) {
+            const ownerEmail = gatewayManager.getConfig()?.relay?.email;
+            if (ownerEmail) {
+              const warningList = scanResult.warnings.map((w) => `  - [${w.severity.toUpperCase()}] ${w.ruleId}: ${w.description}${w.match ? ` (matched: ${w.match})` : ""}`).join("\n");
+              const recipientLine = Array.isArray(to) ? to.join(", ") : to;
+              const emailPreview = [
+                "\u2500".repeat(50),
+                `From: ${fromName2} <${agent.email}>`,
+                `To: ${recipientLine}`
+              ];
+              if (cc) emailPreview.push(`CC: ${Array.isArray(cc) ? cc.join(", ") : cc}`);
+              if (bcc) emailPreview.push(`BCC: ${Array.isArray(bcc) ? bcc.join(", ") : bcc}`);
+              emailPreview.push(`Subject: ${subject}`);
+              if (Array.isArray(attachments) && attachments.length > 0) {
+                const attNames = attachments.map((a) => a.filename || "unnamed").join(", ");
+                emailPreview.push(`Attachments: ${attNames}`);
+              }
+              emailPreview.push("\u2500".repeat(50));
+              if (text) emailPreview.push("", text);
+              else if (html) emailPreview.push("", "[HTML content \u2014 see original for formatted version]");
+              else emailPreview.push("", "[No body content]");
+              emailPreview.push("\u2500".repeat(50));
+              gatewayManager.routeOutbound(agent.name, {
+                to: ownerEmail,
+                subject: `[Approval Required] Blocked email from "${agent.name}" \u2014 "${subject}"`,
+                text: [
+                  `Your agent "${agent.name}" attempted to send an email that was blocked by the outbound security guard.`,
+                  "",
+                  "SECURITY WARNINGS:",
+                  warningList,
+                  "",
+                  "FULL EMAIL FOR REVIEW:",
+                  ...emailPreview,
+                  "",
+                  `Pending ID: ${pendingId}`,
+                  "",
+                  "ACTION REQUIRED:",
+                  'Reply "approve" to this email to send it, or "reject" to discard it.',
+                  "If you do not respond, the agent will follow up with you."
+                ].join("\n"),
+                fromName: "Agentic Mail"
+              }).then((result2) => {
+                if (result2?.messageId) {
+                  db.prepare("UPDATE pending_outbound SET notification_message_id = ? WHERE id = ?").run(result2.messageId, pendingId);
+                }
+              }).catch(() => {
+              });
+            }
+          }
+          res.json({
+            sent: false,
+            blocked: true,
+            pendingId,
+            warnings: scanResult.warnings,
+            summary: scanResult.summary
+          });
+          return;
+        }
+        if (scanResult.warnings.length > 0) {
+          outboundWarnings = scanResult.warnings;
+          outboundSummary = scanResult.summary;
+        }
+      }
+      const ownerName = agent.metadata?.ownerName;
+      const fromName = ownerName ? `${agent.name} from ${ownerName}` : agent.name;
+      const mailOpts = { to, subject, text, html, cc, bcc, replyTo, inReplyTo, references, attachments, fromName };
+      const password = getAgentPassword(agent);
+      if (gatewayManager) {
+        const gatewayResult = await gatewayManager.routeOutbound(agent.name, mailOpts);
+        if (gatewayResult) {
+          if (gatewayResult.raw) {
+            saveSentCopy(agent.stalwartPrincipal, password, config, gatewayResult.raw);
+          }
+          const { raw: _raw2, ...response2 } = gatewayResult;
+          res.json({ ...response2, ...outboundWarnings ? { outboundWarnings, outboundSummary } : {} });
+          return;
+        }
+      }
+      const sender = getSender(agent.stalwartPrincipal, agent.email, password, config);
+      const result = await sender.send(mailOpts);
+      saveSentCopy(agent.stalwartPrincipal, password, config, result.raw);
+      const { raw: _raw, ...response } = result;
+      res.json({ ...response, ...outboundWarnings ? { outboundWarnings, outboundSummary } : {} });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/mail/inbox", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const limit = Math.min(Math.max(parseInt(req.query.limit) || 20, 1), 200);
+      const offset = Math.max(parseInt(req.query.offset) || 0, 0);
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      const mailboxInfo = await receiver.getMailboxInfo("INBOX");
+      const envelopes = await receiver.listEnvelopes("INBOX", { limit, offset });
+      res.json({ messages: envelopes, count: envelopes.length, total: mailboxInfo.exists });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/mail/messages/:uid", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const uid = parseInt(req.params.uid);
+      if (isNaN(uid) || uid < 1) {
+        res.status(400).json({ error: "Invalid UID" });
+        return;
+      }
+      const folder = req.query.folder || "INBOX";
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      const raw = await receiver.fetchMessage(uid, folder);
+      const parsed = await parseEmail(raw);
+      if (isInternalEmail(parsed)) {
+        res.json({
+          ...parsed,
+          security: { internal: true, spamScore: 0, isSpam: false, isWarning: false }
+        });
+        return;
+      }
+      const sanitized = sanitizeEmail(parsed);
+      const spamScore = scoreEmail(parsed);
+      res.json({
+        ...parsed,
+        text: sanitized.text,
+        html: sanitized.html,
+        security: {
+          spamScore: spamScore.score,
+          isSpam: spamScore.isSpam,
+          isWarning: spamScore.isWarning,
+          topCategory: spamScore.topCategory,
+          matches: spamScore.matches.map((m) => m.ruleId),
+          sanitized: sanitized.wasModified,
+          sanitizeDetections: sanitized.detections
+        }
+      });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/mail/messages/:uid/attachments/:index", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const uid = parseInt(req.params.uid);
+      const index = parseInt(req.params.index);
+      if (isNaN(uid) || uid < 1) {
+        res.status(400).json({ error: "Invalid UID" });
+        return;
+      }
+      if (isNaN(index) || index < 0) {
+        res.status(400).json({ error: "Invalid attachment index" });
+        return;
+      }
+      const folder = req.query.folder || "INBOX";
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      const raw = await receiver.fetchMessage(uid, folder);
+      const parsed = await parseEmail(raw);
+      if (!parsed.attachments || index >= parsed.attachments.length) {
+        res.status(404).json({ error: "Attachment not found" });
+        return;
+      }
+      const att = parsed.attachments[index];
+      res.setHeader("Content-Type", att.contentType || "application/octet-stream");
+      res.setHeader("Content-Disposition", `attachment; filename="${att.filename.replace(/"/g, '\\"')}"`);
+      res.setHeader("Content-Length", att.content.length);
+      res.send(att.content);
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/search", requireAgent, async (req, res, next) => {
+    try {
+      if (!req.body || typeof req.body !== "object") {
+        res.status(400).json({ error: "Request body must be JSON" });
+        return;
+      }
+      const agent = req.agent;
+      const { from, to, subject, since, before, seen, text, searchRelay } = req.body;
+      const password = getAgentPassword(agent);
+      const sinceDate = since ? new Date(since) : void 0;
+      const beforeDate = before ? new Date(before) : void 0;
+      if (sinceDate && isNaN(sinceDate.getTime())) {
+        res.status(400).json({ error: 'Invalid "since" date' });
+        return;
+      }
+      if (beforeDate && isNaN(beforeDate.getTime())) {
+        res.status(400).json({ error: 'Invalid "before" date' });
+        return;
+      }
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      const uids = await receiver.search({
+        from,
+        to,
+        subject,
+        since: sinceDate,
+        before: beforeDate,
+        seen,
+        text
+      });
+      let relayResults;
+      if (searchRelay === true && gatewayManager) {
+        try {
+          const relayHits = await gatewayManager.searchRelay({
+            from,
+            to,
+            subject,
+            text,
+            since: sinceDate,
+            before: beforeDate,
+            seen
+          });
+          if (relayHits.length > 0) {
+            relayResults = relayHits.map((r) => ({
+              uid: r.uid,
+              source: r.source,
+              account: r.account,
+              messageId: r.messageId,
+              subject: r.subject,
+              from: r.from,
+              to: r.to,
+              date: r.date,
+              flags: r.flags
+            }));
+          }
+        } catch {
+        }
+      }
+      res.json({ uids, ...relayResults ? { relayResults } : {} });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/import-relay", requireAgent, async (req, res, next) => {
+    try {
+      const { uid } = req.body || {};
+      if (!uid || typeof uid !== "number" || uid < 1) {
+        res.status(400).json({ error: "uid (number) is required" });
+        return;
+      }
+      if (!gatewayManager) {
+        res.status(400).json({ error: "No gateway configured" });
+        return;
+      }
+      const agent = req.agent;
+      const result = await gatewayManager.importRelayMessage(uid, agent.name);
+      if (!result.success) {
+        res.status(400).json({ error: result.error || "Import failed" });
+        return;
+      }
+      res.json({ ok: true, message: "Email imported to local inbox. Use /inbox or list_inbox to see it." });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/messages/:uid/seen", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const uid = parseInt(req.params.uid);
+      if (isNaN(uid) || uid < 1) {
+        res.status(400).json({ error: "Invalid UID" });
+        return;
+      }
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      await receiver.markSeen(uid);
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.delete("/mail/messages/:uid", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const uid = parseInt(req.params.uid);
+      if (isNaN(uid) || uid < 1) {
+        res.status(400).json({ error: "Invalid UID" });
+        return;
+      }
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      await receiver.deleteMessage(uid);
+      res.status(204).send();
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/messages/:uid/unseen", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const uid = parseInt(req.params.uid);
+      if (isNaN(uid) || uid < 1) {
+        res.status(400).json({ error: "Invalid UID" });
+        return;
+      }
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      await receiver.markUnseen(uid);
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/messages/:uid/move", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const uid = parseInt(req.params.uid);
+      if (isNaN(uid) || uid < 1) {
+        res.status(400).json({ error: "Invalid UID" });
+        return;
+      }
+      const { from: fromFolder, to: toFolder } = req.body || {};
+      if (!toFolder) {
+        res.status(400).json({ error: "to (destination folder) is required" });
+        return;
+      }
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      await receiver.moveMessage(uid, fromFolder || "INBOX", toFolder);
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/mail/folders", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      const folders = await receiver.listFolders();
+      res.json({ folders });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/folders", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const { name: name2 } = req.body || {};
+      if (!name2 || typeof name2 !== "string" || !name2.trim()) {
+        res.status(400).json({ error: "name is required" });
+        return;
+      }
+      if (name2.length > 200 || /[\\*%]/.test(name2)) {
+        res.status(400).json({ error: "Invalid folder name" });
+        return;
+      }
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      await receiver.createFolder(name2);
+      res.json({ ok: true, folder: name2 });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/mail/folders/:folder", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const folder = decodeURIComponent(req.params.folder);
+      const limit = Math.min(Math.max(parseInt(req.query.limit) || 20, 1), 200);
+      const offset = Math.max(parseInt(req.query.offset) || 0, 0);
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      let mailboxInfo;
+      try {
+        mailboxInfo = await receiver.getMailboxInfo(folder);
+      } catch {
+        res.json({ messages: [], count: 0, total: 0, folder });
+        return;
+      }
+      const envelopes = await receiver.listEnvelopes(folder, { limit, offset });
+      res.json({ messages: envelopes, count: envelopes.length, total: mailboxInfo.exists, folder });
+    } catch (err) {
+      next(err);
+    }
+  });
+  function validateUids(raw) {
+    if (!Array.isArray(raw) || raw.length === 0) return null;
+    if (raw.length > 1e3) return null;
+    const nums = raw.map(Number).filter((n) => Number.isInteger(n) && n > 0);
+    return nums.length > 0 ? nums : null;
+  }
+  router.post("/mail/batch/delete", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const { uids: rawUids, folder } = req.body || {};
+      const uids = validateUids(rawUids);
+      if (!uids) {
+        res.status(400).json({ error: "uids must be a non-empty array of positive integers (max 1000)" });
+        return;
+      }
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      await receiver.batchDelete(uids, folder || "INBOX");
+      res.json({ ok: true, deleted: uids.length });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/batch/seen", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const { uids: rawUids, folder } = req.body || {};
+      const uids = validateUids(rawUids);
+      if (!uids) {
+        res.status(400).json({ error: "uids must be a non-empty array of positive integers (max 1000)" });
+        return;
+      }
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      await receiver.batchMarkSeen(uids, folder || "INBOX");
+      res.json({ ok: true, marked: uids.length });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/batch/unseen", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const { uids: rawUids, folder } = req.body || {};
+      const uids = validateUids(rawUids);
+      if (!uids) {
+        res.status(400).json({ error: "uids must be a non-empty array of positive integers (max 1000)" });
+        return;
+      }
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      await receiver.batchMarkUnseen(uids, folder || "INBOX");
+      res.json({ ok: true, marked: uids.length });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/batch/move", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const { uids: rawUids, from: fromFolder, to: toFolder } = req.body || {};
+      const uids = validateUids(rawUids);
+      if (!uids) {
+        res.status(400).json({ error: "uids must be a non-empty array of positive integers (max 1000)" });
+        return;
+      }
+      if (!toFolder) {
+        res.status(400).json({ error: "to (destination folder) is required" });
+        return;
+      }
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      await receiver.batchMove(uids, fromFolder || "INBOX", toFolder);
+      res.json({ ok: true, moved: uids.length });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/batch/read", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const { uids: rawUids, folder } = req.body || {};
+      const uids = validateUids(rawUids);
+      if (!uids) {
+        res.status(400).json({ error: "uids must be a non-empty array of positive integers (max 1000)" });
+        return;
+      }
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      const rawMap = await receiver.batchFetch(uids, folder || "INBOX");
+      const messages = [];
+      for (const [uid, raw] of rawMap) {
+        const parsed = await parseEmail(raw);
+        messages.push({ uid, ...parsed });
+      }
+      res.json({ messages, count: messages.length });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/mail/spam", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const limit = Math.min(Math.max(parseInt(req.query.limit) || 20, 1), 200);
+      const offset = Math.max(parseInt(req.query.offset) || 0, 0);
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      let mailboxInfo;
+      try {
+        mailboxInfo = await receiver.getMailboxInfo("Spam");
+      } catch {
+        res.json({ messages: [], count: 0, total: 0, folder: "Spam" });
+        return;
+      }
+      const envelopes = await receiver.listEnvelopes("Spam", { limit, offset });
+      res.json({ messages: envelopes, count: envelopes.length, total: mailboxInfo.exists, folder: "Spam" });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/messages/:uid/spam", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const uid = parseInt(req.params.uid);
+      if (isNaN(uid) || uid < 1) {
+        res.status(400).json({ error: "Invalid UID" });
+        return;
+      }
+      const folder = req.body?.folder || "INBOX";
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      try {
+        await receiver.createFolder("Spam");
+      } catch {
+      }
+      await receiver.moveMessage(uid, folder, "Spam");
+      res.json({ ok: true, movedToSpam: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/messages/:uid/not-spam", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const uid = parseInt(req.params.uid);
+      if (isNaN(uid) || uid < 1) {
+        res.status(400).json({ error: "Invalid UID" });
+        return;
+      }
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      await receiver.moveMessage(uid, "Spam", "INBOX");
+      res.json({ ok: true, movedToInbox: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/mail/messages/:uid/spam-score", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const uid = parseInt(req.params.uid);
+      if (isNaN(uid) || uid < 1) {
+        res.status(400).json({ error: "Invalid UID" });
+        return;
+      }
+      const folder = req.query.folder || "INBOX";
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      const raw = await receiver.fetchMessage(uid, folder);
+      const parsed = await parseEmail(raw);
+      if (isInternalEmail(parsed)) {
+        res.json({ score: 0, isSpam: false, isWarning: false, matches: [], topCategory: null, internal: true });
+        return;
+      }
+      const result = scoreEmail(parsed);
+      res.json(result);
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/mail/digest", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const limit = Math.min(Math.max(parseInt(req.query.limit) || 20, 1), 50);
+      const offset = Math.max(parseInt(req.query.offset) || 0, 0);
+      const previewLen = Math.min(Math.max(parseInt(req.query.previewLength) || 200, 50), 500);
+      const folder = req.query.folder || "INBOX";
+      const password = getAgentPassword(agent);
+      const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
+      const mailboxInfo = await receiver.getMailboxInfo(folder);
+      const envelopes = await receiver.listEnvelopes(folder, { limit, offset });
+      const uids = envelopes.map((e) => e.uid);
+      const rawMap = uids.length > 0 ? await receiver.batchFetch(uids, folder) : /* @__PURE__ */ new Map();
+      const messages = [];
+      for (const env of envelopes) {
+        let preview = "";
+        const raw = rawMap.get(env.uid);
+        if (raw) {
+          const parsed = await parseEmail(raw);
+          preview = (parsed.text || "").slice(0, previewLen);
+        }
+        messages.push({
+          uid: env.uid,
+          subject: env.subject,
+          from: env.from,
+          to: env.to,
+          date: env.date,
+          flags: [...env.flags],
+          size: env.size,
+          preview
+        });
+      }
+      res.json({ messages, count: messages.length, total: mailboxInfo.exists });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/mail/pending", requireAuth, async (req, res) => {
+    const rows = req.isMaster ? db.prepare(
+      `SELECT id, agent_id, mail_options, warnings, summary, status, created_at, resolved_at, resolved_by
+           FROM pending_outbound ORDER BY created_at DESC LIMIT 50`
+    ).all() : db.prepare(
+      `SELECT id, agent_id, mail_options, warnings, summary, status, created_at, resolved_at, resolved_by
+           FROM pending_outbound WHERE agent_id = ? ORDER BY created_at DESC LIMIT 50`
+    ).all(req.agent.id);
+    const pending = rows.map((r) => {
+      const opts = JSON.parse(r.mail_options);
+      return {
+        id: r.id,
+        agentId: r.agent_id,
+        to: opts.to,
+        subject: opts.subject,
+        warnings: JSON.parse(r.warnings),
+        summary: r.summary,
+        status: r.status,
+        createdAt: r.created_at,
+        resolvedAt: r.resolved_at,
+        resolvedBy: r.resolved_by
+      };
+    });
+    res.json({ pending, count: pending.length });
+  });
+  router.get("/mail/pending/:id", requireAuth, async (req, res) => {
+    const row = req.isMaster ? db.prepare(`SELECT * FROM pending_outbound WHERE id = ?`).get(req.params.id) : db.prepare(`SELECT * FROM pending_outbound WHERE id = ? AND agent_id = ?`).get(req.params.id, req.agent.id);
+    if (!row) {
+      res.status(404).json({ error: "Pending email not found" });
+      return;
+    }
+    res.json({
+      id: row.id,
+      mailOptions: JSON.parse(row.mail_options),
+      warnings: JSON.parse(row.warnings),
+      summary: row.summary,
+      status: row.status,
+      createdAt: row.created_at,
+      resolvedAt: row.resolved_at,
+      resolvedBy: row.resolved_by
+    });
+  });
+  router.post("/mail/pending/:id/approve", requireMaster, async (req, res, next) => {
+    try {
+      const row = db.prepare(
+        `SELECT * FROM pending_outbound WHERE id = ?`
+      ).get(req.params.id);
+      if (!row) {
+        res.status(404).json({ error: "Pending email not found" });
+        return;
+      }
+      if (row.status !== "pending") {
+        res.status(400).json({ error: `Email already ${row.status}` });
+        return;
+      }
+      const agent = await accountManager.getById(row.agent_id);
+      if (!agent) {
+        res.status(404).json({ error: "Agent account no longer exists" });
+        return;
+      }
+      const mailOpts = JSON.parse(row.mail_options);
+      const ownerName = agent.metadata?.ownerName;
+      mailOpts.fromName = ownerName ? `${agent.name} from ${ownerName}` : agent.name;
+      if (Array.isArray(mailOpts.attachments)) {
+        for (const att of mailOpts.attachments) {
+          if (att.content && typeof att.content === "object" && att.content.type === "Buffer" && Array.isArray(att.content.data)) {
+            att.content = Buffer.from(att.content.data);
+          }
+        }
+      }
+      const password = getAgentPassword(agent);
+      let response;
+      if (gatewayManager) {
+        const gatewayResult = await gatewayManager.routeOutbound(agent.name, mailOpts);
+        if (gatewayResult) {
+          if (gatewayResult.raw) {
+            saveSentCopy(agent.stalwartPrincipal, password, config, gatewayResult.raw);
+          }
+          const { raw: _raw, ...rest } = gatewayResult;
+          response = rest;
+        }
+      }
+      if (!response) {
+        const sender = getSender(agent.stalwartPrincipal, agent.email, password, config);
+        const result = await sender.send(mailOpts);
+        saveSentCopy(agent.stalwartPrincipal, password, config, result.raw);
+        const { raw: _raw, ...rest } = result;
+        response = rest;
+      }
+      db.prepare(
+        `UPDATE pending_outbound SET status = 'approved', resolved_at = datetime('now'), resolved_by = ? WHERE id = ?`
+      ).run("master", row.id);
+      res.json({ ...response, approved: true, pendingId: row.id });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/mail/pending/:id/reject", requireMaster, async (req, res) => {
+    const row = db.prepare(
+      `SELECT * FROM pending_outbound WHERE id = ?`
+    ).get(req.params.id);
+    if (!row) {
+      res.status(404).json({ error: "Pending email not found" });
+      return;
+    }
+    if (row.status !== "pending") {
+      res.status(400).json({ error: `Email already ${row.status}` });
+      return;
+    }
+    db.prepare(
+      `UPDATE pending_outbound SET status = 'rejected', resolved_at = datetime('now'), resolved_by = ? WHERE id = ?`
+    ).run("master", row.id);
+    res.json({ ok: true, rejected: true, pendingId: row.id });
+  });
+  return router;
+}
+
+// src/routes/inbound.ts
+import { Router as Router4 } from "express";
+import {
+  parseEmail as parseEmail2,
+  MailSender as MailSender2
+} from "@agenticmail/core";
+var INBOUND_SECRET = process.env.AGENTICMAIL_INBOUND_SECRET || "inbound_2sabi_secret_key";
+var DEBUG = () => !!process.env.AGENTICMAIL_DEBUG;
+function createInboundRoutes(accountManager, config, gatewayManager) {
+  const router = Router4();
+  router.post("/mail/inbound", async (req, res, next) => {
+    try {
+      const secret = req.headers["x-inbound-secret"];
+      if (secret !== INBOUND_SECRET) {
+        res.status(401).json({ error: "Invalid inbound secret" });
+        return;
+      }
+      const { from, to, subject, rawEmail } = req.body;
+      if (!to || !rawEmail) {
+        res.status(400).json({ error: "to and rawEmail are required" });
+        return;
+      }
+      const recipientEmail = typeof to === "string" ? to : to[0];
+      const localPart = recipientEmail.split("@")[0];
+      const agent = await accountManager.getByName(localPart);
+      if (!agent) {
+        console.warn(`[Inbound] No agent found for "${localPart}" (${recipientEmail})`);
+        res.status(404).json({ error: `No agent found for ${recipientEmail}` });
+        return;
+      }
+      const agentPassword = agent.metadata?._password;
+      if (!agentPassword) {
+        console.warn(`[Inbound] No password for agent "${agent.name}"`);
+        res.status(500).json({ error: "Agent has no password configured" });
+        return;
+      }
+      const rawBuffer = Buffer.from(rawEmail, "base64");
+      const parsed = await parseEmail2(rawBuffer);
+      const originalMessageId = parsed.messageId;
+      if (originalMessageId && gatewayManager?.isAlreadyDelivered(originalMessageId, agent.name)) {
+        if (DEBUG()) console.log(`[Inbound] Skipping duplicate: ${originalMessageId} \u2192 ${agent.name}`);
+        res.json({ ok: true, delivered: agent.email, duplicate: true });
+        return;
+      }
+      if (DEBUG()) console.log(`[Inbound] Delivering email to ${agent.email} from ${from} (subject: ${subject || parsed.subject})`);
+      const sender = new MailSender2({
+        host: config.smtp.host,
+        port: config.smtp.port,
+        email: agent.email,
+        password: agentPassword,
+        authUser: agent.stalwartPrincipal
+      });
+      try {
+        await sender.send({
+          to: agent.email,
+          subject: parsed.subject || subject || "(no subject)",
+          text: parsed.text || void 0,
+          html: parsed.html || void 0,
+          replyTo: from || parsed.from?.[0]?.address,
+          inReplyTo: parsed.inReplyTo,
+          references: parsed.references,
+          headers: {
+            "X-AgenticMail-Inbound": "cloudflare-worker",
+            "X-Original-From": from || parsed.from?.[0]?.address || "",
+            ...parsed.messageId ? { "X-Original-Message-Id": parsed.messageId } : {}
+          },
+          attachments: parsed.attachments?.map((a) => ({
+            filename: a.filename,
+            content: a.content,
+            contentType: a.contentType
+          }))
+        });
+        if (originalMessageId) gatewayManager?.recordDelivery(originalMessageId, agent.name);
+        if (DEBUG()) console.log(`[Inbound] Delivered to ${agent.email}`);
+        res.json({ ok: true, delivered: agent.email });
+      } finally {
+        sender.close();
+      }
+    } catch (err) {
+      next(err);
+    }
+  });
+  return router;
+}
+
+// src/routes/events.ts
+import { Router as Router6 } from "express";
+import {
+  InboxWatcher,
+  MailReceiver as MailReceiver2,
+  parseEmail as parseEmail3,
+  scoreEmail as scoreEmail2,
+  isInternalEmail as isInternalEmail2
+} from "@agenticmail/core";
+import { v4 as uuidv42 } from "uuid";
+
+// src/routes/features.ts
+import { Router as Router5 } from "express";
+import { v4 as uuidv4 } from "uuid";
+import {
+  MailSender as MailSender3
+} from "@agenticmail/core";
+function parseScheduleTime(input) {
+  const trimmed = input.trim();
+  if (/^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}/.test(trimmed)) {
+    const d = new Date(trimmed);
+    return isNaN(d.getTime()) ? null : d;
+  }
+  const lower = trimmed.toLowerCase();
+  const relativeMatch = lower.match(/^in\s+(\d+)\s+(minute|minutes|min|mins|hour|hours|hr|hrs|day|days)$/);
+  if (relativeMatch) {
+    const amount = parseInt(relativeMatch[1], 10);
+    const unit = relativeMatch[2];
+    const now = Date.now();
+    if (unit.startsWith("min")) return new Date(now + amount * 6e4);
+    if (unit.startsWith("h")) return new Date(now + amount * 36e5);
+    if (unit.startsWith("d")) return new Date(now + amount * 864e5);
+  }
+  const tomorrowMatch = lower.match(/^tomorrow\s+(?:at\s+)?(\d{1,2})(?::(\d{2}))?\s*(am|pm)?$/);
+  if (tomorrowMatch) {
+    const tomorrow = /* @__PURE__ */ new Date();
+    tomorrow.setDate(tomorrow.getDate() + 1);
+    let hour = parseInt(tomorrowMatch[1], 10);
+    const min = tomorrowMatch[2] ? parseInt(tomorrowMatch[2], 10) : 0;
+    const ampm = tomorrowMatch[3];
+    if (ampm === "pm" && hour !== 12) hour += 12;
+    if (ampm === "am" && hour === 12) hour = 0;
+    tomorrow.setHours(hour, min, 0, 0);
+    return tomorrow;
+  }
+  const dayNames = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"];
+  const nextDayMatch = lower.match(/^next\s+(sunday|monday|tuesday|wednesday|thursday|friday|saturday)\s+(?:at\s+)?(\d{1,2})(?::(\d{2}))?\s*(am|pm)?$/);
+  if (nextDayMatch) {
+    const targetDay = dayNames.indexOf(nextDayMatch[1]);
+    let hour = parseInt(nextDayMatch[2], 10);
+    const min = nextDayMatch[3] ? parseInt(nextDayMatch[3], 10) : 0;
+    const ampm = nextDayMatch[4];
+    if (ampm === "pm" && hour !== 12) hour += 12;
+    if (ampm === "am" && hour === 12) hour = 0;
+    const result = /* @__PURE__ */ new Date();
+    const currentDay = result.getDay();
+    let daysUntil = targetDay - currentDay;
+    if (daysUntil <= 0) daysUntil += 7;
+    result.setDate(result.getDate() + daysUntil);
+    result.setHours(hour, min, 0, 0);
+    return result;
+  }
+  if (lower === "tonight" || lower === "this evening") {
+    const d = /* @__PURE__ */ new Date();
+    d.setHours(20, 0, 0, 0);
+    if (d.getTime() <= Date.now()) d.setDate(d.getDate() + 1);
+    return d;
+  }
+  const humanMatch = trimmed.match(
+    /^(\d{1,2})[\/\-](\d{1,2})[\/\-](\d{4})\s+(\d{1,2}):(\d{2})\s*(AM|PM|am|pm)\s*(.+)?$/
+  );
+  if (humanMatch) {
+    const [, mStr, dStr, yStr, hStr, minStr, ampmRaw, tzRaw] = humanMatch;
+    const month = parseInt(mStr, 10);
+    const day = parseInt(dStr, 10);
+    const year = parseInt(yStr, 10);
+    let hour = parseInt(hStr, 10);
+    const min = parseInt(minStr, 10);
+    const ampm = ampmRaw.toUpperCase();
+    if (month < 1 || month > 12 || day < 1 || day > 31 || hour < 1 || hour > 12) return null;
+    if (ampm === "PM" && hour !== 12) hour += 12;
+    if (ampm === "AM" && hour === 12) hour = 0;
+    const result = new Date(year, month - 1, day, hour, min, 0, 0);
+    if (tzRaw?.trim()) {
+      const TZ_OFFSETS = {
+        EST: -5,
+        EDT: -4,
+        CST: -6,
+        CDT: -5,
+        MST: -7,
+        MDT: -6,
+        PST: -8,
+        PDT: -7,
+        GMT: 0,
+        UTC: 0,
+        BST: 1,
+        CET: 1,
+        CEST: 2,
+        IST: 5.5,
+        JST: 9,
+        AEST: 10,
+        AEDT: 11,
+        NZST: 12,
+        NZDT: 13,
+        WAT: 1,
+        EAT: 3,
+        SAST: 2,
+        HKT: 8,
+        SGT: 8,
+        KST: 9,
+        HST: -10,
+        AKST: -9,
+        AKDT: -8,
+        AST: -4,
+        ADT: -3,
+        NST: -3.5,
+        NDT: -2.5
+      };
+      const tz = tzRaw.trim().toUpperCase();
+      if (TZ_OFFSETS[tz] !== void 0) {
+        const tzOffsetMs = TZ_OFFSETS[tz] * 36e5;
+        const serverOffsetMs = result.getTimezoneOffset() * -6e4;
+        const diff = serverOffsetMs - tzOffsetMs;
+        result.setTime(result.getTime() + diff);
+      }
+    }
+    return isNaN(result.getTime()) ? null : result;
+  }
+  const fallback = new Date(trimmed);
+  return isNaN(fallback.getTime()) ? null : fallback;
+}
+function createFeatureRoutes(db, _accountManager, config, gatewayManager) {
+  const router = Router5();
+  router.get("/contacts", requireAgent, async (req, res, next) => {
+    try {
+      const rows = db.prepare("SELECT * FROM contacts WHERE agent_id = ? ORDER BY name, email").all(req.agent.id);
+      res.json({ contacts: rows });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/contacts", requireAgent, async (req, res, next) => {
+    try {
+      const { name: name2, email, notes } = req.body || {};
+      if (!email) {
+        res.status(400).json({ error: "email is required" });
+        return;
+      }
+      const id = uuidv4();
+      db.prepare("INSERT OR REPLACE INTO contacts (id, agent_id, name, email, notes) VALUES (?, ?, ?, ?, ?)").run(id, req.agent.id, name2 || null, email, notes || null);
+      res.json({ ok: true, id, email });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.delete("/contacts/:id", requireAgent, async (req, res, next) => {
+    try {
+      const result = db.prepare("DELETE FROM contacts WHERE id = ? AND agent_id = ?").run(req.params.id, req.agent.id);
+      if (result.changes === 0) {
+        res.status(404).json({ error: "Contact not found" });
+        return;
+      }
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/drafts", requireAgent, async (req, res, next) => {
+    try {
+      const rows = db.prepare("SELECT * FROM drafts WHERE agent_id = ? ORDER BY updated_at DESC").all(req.agent.id);
+      res.json({ drafts: rows });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/drafts", requireAgent, async (req, res, next) => {
+    try {
+      const { to, subject, text, html, cc, bcc, inReplyTo, references } = req.body || {};
+      const id = uuidv4();
+      db.prepare(`INSERT INTO drafts (id, agent_id, to_addr, subject, text_body, html_body, cc, bcc, in_reply_to, refs)
+        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(
+        id,
+        req.agent.id,
+        to || null,
+        subject || null,
+        text || null,
+        html || null,
+        cc || null,
+        bcc || null,
+        inReplyTo || null,
+        references ? JSON.stringify(references) : null
+      );
+      res.json({ ok: true, id });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.put("/drafts/:id", requireAgent, async (req, res, next) => {
+    try {
+      const { to, subject, text, html, cc, bcc, inReplyTo, references } = req.body || {};
+      const result = db.prepare(`UPDATE drafts SET to_addr=?, subject=?, text_body=?, html_body=?,
+        cc=?, bcc=?, in_reply_to=?, refs=?, updated_at=datetime('now')
+        WHERE id=? AND agent_id=?`).run(
+        to || null,
+        subject || null,
+        text || null,
+        html || null,
+        cc || null,
+        bcc || null,
+        inReplyTo || null,
+        references ? JSON.stringify(references) : null,
+        req.params.id,
+        req.agent.id
+      );
+      if (result.changes === 0) {
+        res.status(404).json({ error: "Draft not found" });
+        return;
+      }
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.delete("/drafts/:id", requireAgent, async (req, res, next) => {
+    try {
+      const result = db.prepare("DELETE FROM drafts WHERE id = ? AND agent_id = ?").run(req.params.id, req.agent.id);
+      if (result.changes === 0) {
+        res.status(404).json({ error: "Draft not found" });
+        return;
+      }
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/drafts/:id/send", requireAgent, async (req, res, next) => {
+    try {
+      const draft = db.prepare("SELECT * FROM drafts WHERE id = ? AND agent_id = ?").get(req.params.id, req.agent.id);
+      if (!draft) {
+        res.status(404).json({ error: "Draft not found" });
+        return;
+      }
+      if (!draft.to_addr) {
+        res.status(400).json({ error: "Draft has no recipient" });
+        return;
+      }
+      const agent = req.agent;
+      const mailOpts = {
+        to: draft.to_addr,
+        subject: draft.subject || "(no subject)",
+        text: draft.text_body || void 0,
+        html: draft.html_body || void 0,
+        cc: draft.cc || void 0,
+        bcc: draft.bcc || void 0,
+        inReplyTo: draft.in_reply_to || void 0,
+        references: draft.refs ? JSON.parse(draft.refs) : void 0
+      };
+      if (gatewayManager) {
+        const gatewayResult = await gatewayManager.routeOutbound(agent.name, mailOpts);
+        if (gatewayResult) {
+          db.prepare("DELETE FROM drafts WHERE id = ?").run(draft.id);
+          res.json(gatewayResult);
+          return;
+        }
+      }
+      const password = getAgentPassword(agent);
+      const sender = new MailSender3({
+        host: config.smtp.host,
+        port: config.smtp.port,
+        email: agent.email,
+        password,
+        authUser: agent.stalwartPrincipal
+      });
+      try {
+        const result = await sender.send(mailOpts);
+        db.prepare("DELETE FROM drafts WHERE id = ?").run(draft.id);
+        res.json(result);
+      } finally {
+        sender.close();
+      }
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/signatures", requireAgent, async (req, res, next) => {
+    try {
+      const rows = db.prepare("SELECT * FROM signatures WHERE agent_id = ? ORDER BY is_default DESC, name").all(req.agent.id);
+      res.json({ signatures: rows });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/signatures", requireAgent, async (req, res, next) => {
+    try {
+      const { name: name2, text, html, isDefault } = req.body || {};
+      if (!name2) {
+        res.status(400).json({ error: "name is required" });
+        return;
+      }
+      const id = uuidv4();
+      if (isDefault) {
+        db.prepare("UPDATE signatures SET is_default = 0 WHERE agent_id = ?").run(req.agent.id);
+      }
+      db.prepare("INSERT OR REPLACE INTO signatures (id, agent_id, name, text_content, html_content, is_default) VALUES (?, ?, ?, ?, ?, ?)").run(id, req.agent.id, name2, text || null, html || null, isDefault ? 1 : 0);
+      res.json({ ok: true, id });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.delete("/signatures/:id", requireAgent, async (req, res, next) => {
+    try {
+      const result = db.prepare("DELETE FROM signatures WHERE id = ? AND agent_id = ?").run(req.params.id, req.agent.id);
+      if (result.changes === 0) {
+        res.status(404).json({ error: "Signature not found" });
+        return;
+      }
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/templates", requireAgent, async (req, res, next) => {
+    try {
+      const rows = db.prepare("SELECT * FROM templates WHERE agent_id = ? ORDER BY name").all(req.agent.id);
+      res.json({ templates: rows });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/templates", requireAgent, async (req, res, next) => {
+    try {
+      const { name: name2, subject, text, html } = req.body || {};
+      if (!name2) {
+        res.status(400).json({ error: "name is required" });
+        return;
+      }
+      const id = uuidv4();
+      db.prepare("INSERT OR REPLACE INTO templates (id, agent_id, name, subject, text_body, html_body) VALUES (?, ?, ?, ?, ?, ?)").run(id, req.agent.id, name2, subject || null, text || null, html || null);
+      res.json({ ok: true, id });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.delete("/templates/:id", requireAgent, async (req, res, next) => {
+    try {
+      const result = db.prepare("DELETE FROM templates WHERE id = ? AND agent_id = ?").run(req.params.id, req.agent.id);
+      if (result.changes === 0) {
+        res.status(404).json({ error: "Template not found" });
+        return;
+      }
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/scheduled", requireAgent, async (req, res, next) => {
+    try {
+      const rows = db.prepare("SELECT * FROM scheduled_emails WHERE agent_id = ? ORDER BY send_at ASC").all(req.agent.id);
+      res.json({ scheduled: rows });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/scheduled", requireAgent, async (req, res, next) => {
+    try {
+      const { to, subject, text, html, cc, bcc, sendAt } = req.body || {};
+      if (!to || !subject || !sendAt) {
+        res.status(400).json({ error: "to, subject, and sendAt are required" });
+        return;
+      }
+      const sendDate = parseScheduleTime(String(sendAt));
+      if (!sendDate || isNaN(sendDate.getTime())) {
+        res.status(400).json({
+          error: "Invalid sendAt date. Accepted formats: ISO 8601 (2026-02-14T10:00:00), presets (in 30 minutes, in 1 hour, in 3 hours, tomorrow 8am, tomorrow 9am, next monday 9am), or MM-DD-YYYY H:MM AM/PM TZ"
+        });
+        return;
+      }
+      if (sendDate.getTime() <= Date.now()) {
+        res.status(400).json({ error: "sendAt must be in the future" });
+        return;
+      }
+      const id = uuidv4();
+      db.prepare(`INSERT INTO scheduled_emails (id, agent_id, to_addr, subject, text_body, html_body, cc, bcc, send_at)
+        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(id, req.agent.id, to, subject, text || null, html || null, cc || null, bcc || null, sendDate.toISOString());
+      res.json({ ok: true, id, sendAt: sendDate.toISOString() });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.delete("/scheduled/:id", requireAgent, async (req, res, next) => {
+    try {
+      const result = db.prepare("DELETE FROM scheduled_emails WHERE id = ? AND agent_id = ? AND status = 'pending'").run(req.params.id, req.agent.id);
+      if (result.changes === 0) {
+        res.status(404).json({ error: "Scheduled email not found or already sent" });
+        return;
+      }
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/tags", requireAgent, async (req, res, next) => {
+    try {
+      const rows = db.prepare("SELECT * FROM tags WHERE agent_id = ? ORDER BY name").all(req.agent.id);
+      res.json({ tags: rows });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/tags", requireAgent, async (req, res, next) => {
+    try {
+      const { name: name2, color } = req.body || {};
+      if (!name2) {
+        res.status(400).json({ error: "name is required" });
+        return;
+      }
+      const id = uuidv4();
+      db.prepare("INSERT OR IGNORE INTO tags (id, agent_id, name, color) VALUES (?, ?, ?, ?)").run(id, req.agent.id, name2.trim(), color || "#888888");
+      res.json({ ok: true, id, name: name2.trim(), color: color || "#888888" });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.delete("/tags/:id", requireAgent, async (req, res, next) => {
+    try {
+      const result = db.prepare("DELETE FROM tags WHERE id = ? AND agent_id = ?").run(req.params.id, req.agent.id);
+      if (result.changes === 0) {
+        res.status(404).json({ error: "Tag not found" });
+        return;
+      }
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/tags/:id/messages", requireAgent, async (req, res, next) => {
+    try {
+      const { uid, folder } = req.body || {};
+      if (!uid) {
+        res.status(400).json({ error: "uid is required" });
+        return;
+      }
+      const tag = db.prepare("SELECT * FROM tags WHERE id = ? AND agent_id = ?").get(req.params.id, req.agent.id);
+      if (!tag) {
+        res.status(404).json({ error: "Tag not found" });
+        return;
+      }
+      db.prepare("INSERT OR IGNORE INTO message_tags (agent_id, message_uid, tag_id, folder) VALUES (?, ?, ?, ?)").run(req.agent.id, uid, req.params.id, folder || "INBOX");
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.delete("/tags/:id/messages/:uid", requireAgent, async (req, res, next) => {
+    try {
+      const folder = req.query.folder || "INBOX";
+      db.prepare("DELETE FROM message_tags WHERE agent_id = ? AND message_uid = ? AND tag_id = ? AND folder = ?").run(req.agent.id, parseInt(String(req.params.uid)), req.params.id, folder);
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/tags/:id/messages", requireAgent, async (req, res, next) => {
+    try {
+      const tag = db.prepare("SELECT * FROM tags WHERE id = ? AND agent_id = ?").get(req.params.id, req.agent.id);
+      if (!tag) {
+        res.status(404).json({ error: "Tag not found" });
+        return;
+      }
+      const rows = db.prepare(
+        "SELECT message_uid, folder FROM message_tags WHERE agent_id = ? AND tag_id = ? ORDER BY created_at DESC"
+      ).all(req.agent.id, req.params.id);
+      res.json({ tag, messages: rows.map((r) => ({ uid: r.message_uid, folder: r.folder })) });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/messages/:uid/tags", requireAgent, async (req, res, next) => {
+    try {
+      const rows = db.prepare(`
+        SELECT t.* FROM tags t
+        JOIN message_tags mt ON mt.tag_id = t.id
+        WHERE mt.agent_id = ? AND mt.message_uid = ?
+        ORDER BY t.name
+      `).all(req.agent.id, parseInt(String(req.params.uid)));
+      res.json({ tags: rows });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/templates/:id/send", requireAgent, async (req, res, next) => {
+    try {
+      const template = db.prepare("SELECT * FROM templates WHERE id = ? AND agent_id = ?").get(req.params.id, req.agent.id);
+      if (!template) {
+        res.status(404).json({ error: "Template not found" });
+        return;
+      }
+      const { to, variables, cc, bcc } = req.body || {};
+      if (!to) {
+        res.status(400).json({ error: "to is required" });
+        return;
+      }
+      const applyVars = (text, vars2) => text.replace(/\{\{(\w+)\}\}/g, (m, key) => vars2[key] ?? m);
+      const vars = variables && typeof variables === "object" ? variables : {};
+      const mailOpts = {
+        to,
+        subject: applyVars(template.subject || "(no subject)", vars),
+        text: template.text_body ? applyVars(template.text_body, vars) : void 0,
+        html: template.html_body ? applyVars(template.html_body, vars) : void 0,
+        cc: cc || void 0,
+        bcc: bcc || void 0
+      };
+      const agent = req.agent;
+      if (gatewayManager) {
+        const gatewayResult = await gatewayManager.routeOutbound(agent.name, mailOpts);
+        if (gatewayResult) {
+          res.json(gatewayResult);
+          return;
+        }
+      }
+      const password = getAgentPassword(agent);
+      const sender = new MailSender3({
+        host: config.smtp.host,
+        port: config.smtp.port,
+        email: agent.email,
+        password,
+        authUser: agent.stalwartPrincipal
+      });
+      try {
+        const result = await sender.send(mailOpts);
+        res.json(result);
+      } finally {
+        sender.close();
+      }
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/rules", requireAgent, async (req, res, next) => {
+    try {
+      const rows = db.prepare("SELECT * FROM email_rules WHERE agent_id = ? ORDER BY priority DESC, created_at").all(req.agent.id);
+      res.json({ rules: rows.map((r) => ({ ...r, conditions: JSON.parse(r.conditions), actions: JSON.parse(r.actions) })) });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/rules", requireAgent, async (req, res, next) => {
+    try {
+      const { name: name2, conditions, actions, priority, enabled } = req.body || {};
+      if (!name2) {
+        res.status(400).json({ error: "name is required" });
+        return;
+      }
+      const id = uuidv4();
+      db.prepare(
+        "INSERT INTO email_rules (id, agent_id, name, priority, enabled, conditions, actions) VALUES (?, ?, ?, ?, ?, ?, ?)"
+      ).run(id, req.agent.id, name2, priority ?? 0, enabled !== false ? 1 : 0, JSON.stringify(conditions || {}), JSON.stringify(actions || {}));
+      res.status(201).json({ id, name: name2, conditions: conditions || {}, actions: actions || {}, priority: priority ?? 0, enabled: enabled !== false });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.delete("/rules/:id", requireAgent, async (req, res, next) => {
+    try {
+      const result = db.prepare("DELETE FROM email_rules WHERE id = ? AND agent_id = ?").run(req.params.id, req.agent.id);
+      if (result.changes === 0) {
+        res.status(404).json({ error: "Rule not found" });
+        return;
+      }
+      res.json({ ok: true });
+    } catch (err) {
+      next(err);
+    }
+  });
+  return router;
+}
+function evaluateRules(db, agentId, email) {
+  const rules = db.prepare("SELECT * FROM email_rules WHERE agent_id = ? AND enabled = 1 ORDER BY priority DESC").all(agentId);
+  for (const rule of rules) {
+    const cond = JSON.parse(rule.conditions);
+    let match = true;
+    const fromAddr = (email.from?.[0]?.address ?? "").toLowerCase();
+    const toAddr = (email.to?.[0]?.address ?? "").toLowerCase();
+    const subject = (email.subject ?? "").toLowerCase();
+    if (cond.from_contains && !fromAddr.includes(cond.from_contains.toLowerCase())) match = false;
+    if (cond.from_exact && fromAddr !== cond.from_exact.toLowerCase()) match = false;
+    if (cond.subject_contains && !subject.includes(cond.subject_contains.toLowerCase())) match = false;
+    if (cond.subject_regex) {
+      try {
+        if (!new RegExp(cond.subject_regex, "i").test(email.subject ?? "")) match = false;
+      } catch {
+        match = false;
+      }
+    }
+    if (cond.to_contains && !toAddr.includes(cond.to_contains.toLowerCase())) match = false;
+    if (cond.has_attachment === true && (!email.attachments || email.attachments.length === 0)) match = false;
+    if (match) return { ruleId: rule.id, actions: JSON.parse(rule.actions) };
+  }
+  return null;
+}
+function startScheduledSender(db, accountManager, config, gatewayManager) {
+  return setInterval(async () => {
+    try {
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      const pending = db.prepare(
+        "SELECT * FROM scheduled_emails WHERE status = 'pending' AND send_at <= ?"
+      ).all(now);
+      for (const row of pending) {
+        try {
+          const agent = await accountManager.getById(row.agent_id);
+          if (!agent) {
+            db.prepare("UPDATE scheduled_emails SET status = 'failed', error = ? WHERE id = ?").run("Agent not found", row.id);
+            continue;
+          }
+          const mailOpts = {
+            to: row.to_addr,
+            subject: row.subject,
+            text: row.text_body || void 0,
+            html: row.html_body || void 0,
+            cc: row.cc || void 0,
+            bcc: row.bcc || void 0
+          };
+          if (gatewayManager) {
+            const gResult = await gatewayManager.routeOutbound(agent.name, mailOpts);
+            if (gResult) {
+              db.prepare("UPDATE scheduled_emails SET status = 'sent', sent_at = datetime('now') WHERE id = ?").run(row.id);
+              continue;
+            }
+          }
+          const password = agent.metadata?._password || agent.name;
+          const sender = new MailSender3({
+            host: config.smtp.host,
+            port: config.smtp.port,
+            email: agent.email,
+            password,
+            authUser: agent.stalwartPrincipal
+          });
+          try {
+            await sender.send(mailOpts);
+            db.prepare("UPDATE scheduled_emails SET status = 'sent', sent_at = datetime('now') WHERE id = ?").run(row.id);
+          } finally {
+            sender.close();
+          }
+        } catch (err) {
+          db.prepare("UPDATE scheduled_emails SET status = 'failed', error = ? WHERE id = ?").run(err.message, row.id);
+        }
+      }
+      try {
+        db.prepare("DELETE FROM delivered_messages WHERE delivered_at < datetime('now', '-30 days')").run();
+      } catch {
+      }
+      try {
+        db.prepare("DELETE FROM spam_log WHERE created_at < datetime('now', '-30 days')").run();
+      } catch {
+      }
+    } catch {
+    }
+  }, 3e4);
+}
+
+// src/routes/events.ts
+var MAX_SSE_PER_AGENT = 5;
+var activeWatchers = /* @__PURE__ */ new Map();
+function pushEventToAgent(agentId, event) {
+  const watchers = activeWatchers.get(agentId);
+  if (!watchers || watchers.size === 0) return false;
+  const data = `data: ${JSON.stringify(event)}
+
+`;
+  for (const entry of watchers) {
+    try {
+      entry.res.write(data);
+    } catch {
+    }
+  }
+  return true;
+}
+function broadcastEvent(event) {
+  const data = `data: ${JSON.stringify(event)}
+
+`;
+  let count = 0;
+  for (const [, watchers] of activeWatchers) {
+    for (const entry of watchers) {
+      try {
+        entry.res.write(data);
+        count++;
+      } catch {
+      }
+    }
+  }
+  return count;
+}
+async function closeAllWatchers() {
+  for (const [, watchers] of activeWatchers) {
+    for (const entry of watchers) {
+      try {
+        await entry.watcher.stop();
+      } catch {
+      }
+      try {
+        entry.res.end();
+      } catch {
+      }
+    }
+  }
+  activeWatchers.clear();
+}
+function createEventRoutes(accountManager, config, db) {
+  const router = Router6();
+  router.get("/events", requireAgent, async (req, res, next) => {
+    try {
+      const agent = req.agent;
+      const password = getAgentPassword(agent);
+      const agentWatchers = activeWatchers.get(agent.id) ?? /* @__PURE__ */ new Set();
+      if (agentWatchers.size >= MAX_SSE_PER_AGENT) {
+        res.status(429).json({ error: `Maximum ${MAX_SSE_PER_AGENT} concurrent SSE connections per agent` });
+        return;
+      }
+      const watcher = new InboxWatcher({
+        host: config.imap.host,
+        port: config.imap.port,
+        email: agent.stalwartPrincipal,
+        password
+      });
+      try {
+        await watcher.start();
+      } catch (err) {
+        res.status(500).json({ error: "Failed to start event stream: " + (err instanceof Error ? err.message : String(err)) });
+        return;
+      }
+      res.setHeader("Content-Type", "text/event-stream");
+      res.setHeader("Cache-Control", "no-cache");
+      res.setHeader("Connection", "keep-alive");
+      res.setHeader("X-Accel-Buffering", "no");
+      res.flushHeaders();
+      let closed = false;
+      const entry = { watcher, res };
+      activeWatchers.set(agent.id, agentWatchers);
+      agentWatchers.add(entry);
+      const safeWrite = (data) => {
+        if (!closed) {
+          try {
+            res.write(data);
+          } catch {
+          }
+        }
+      };
+      safeWrite(`data: ${JSON.stringify({ type: "connected", agentId: agent.id })}
+
+`);
+      watcher.on("new", async (event) => {
+        if (db) touchActivity(db, agent.id);
+        if (db && event.uid) {
+          try {
+            const receiver = new MailReceiver2({
+              host: config.imap.host,
+              port: config.imap.port,
+              email: agent.stalwartPrincipal,
+              password,
+              secure: false
+            });
+            await receiver.connect();
+            try {
+              const raw = await receiver.fetchMessage(event.uid);
+              const parsed = await parseEmail3(raw);
+              const isRelay = !!parsed.headers.get("x-agenticmail-relay");
+              const internal = !isRelay && isInternalEmail2(parsed);
+              if (internal) {
+                const ruleResult2 = evaluateRules(db, agent.id, parsed);
+                if (ruleResult2) {
+                  const actions = ruleResult2.actions;
+                  if (actions.mark_read) await receiver.markSeen(event.uid);
+                  if (actions.delete) {
+                    await receiver.deleteMessage(event.uid);
+                    return;
+                  }
+                  if (actions.move_to) await receiver.moveMessage(event.uid, "INBOX", actions.move_to);
+                  event.ruleApplied = { ruleId: ruleResult2.ruleId, actions };
+                }
+                safeWrite(`data: ${JSON.stringify(event)}
+
+`);
+                return;
+              }
+              const spamResult = scoreEmail2(parsed);
+              try {
+                db.prepare(
+                  "INSERT INTO spam_log (id, agent_id, message_uid, score, flags, category, is_spam) VALUES (?, ?, ?, ?, ?, ?, ?)"
+                ).run(
+                  uuidv42(),
+                  agent.id,
+                  event.uid,
+                  spamResult.score,
+                  JSON.stringify(spamResult.matches.map((m) => m.ruleId)),
+                  spamResult.topCategory,
+                  spamResult.isSpam ? 1 : 0
+                );
+              } catch {
+              }
+              if (spamResult.isSpam) {
+                try {
+                  await receiver.createFolder("Spam");
+                } catch {
+                }
+                await receiver.moveMessage(event.uid, "INBOX", "Spam");
+                event.spam = { score: spamResult.score, category: spamResult.topCategory, movedToSpam: true };
+                safeWrite(`data: ${JSON.stringify(event)}
+
+`);
+                return;
+              }
+              if (spamResult.isWarning) {
+                event.spamWarning = { score: spamResult.score, category: spamResult.topCategory, matches: spamResult.matches.map((m) => m.ruleId) };
+              }
+              const ruleResult = evaluateRules(db, agent.id, parsed);
+              if (ruleResult) {
+                const actions = ruleResult.actions;
+                if (actions.mark_read) await receiver.markSeen(event.uid);
+                if (actions.delete) {
+                  await receiver.deleteMessage(event.uid);
+                  return;
+                }
+                if (actions.move_to) await receiver.moveMessage(event.uid, "INBOX", actions.move_to);
+                event.ruleApplied = { ruleId: ruleResult.ruleId, actions };
+              }
+            } finally {
+              await receiver.disconnect();
+            }
+          } catch (err) {
+            console.error("[SSE] Spam/rule evaluation error:", err.message);
+          }
+        }
+        safeWrite(`data: ${JSON.stringify(event)}
+
+`);
+      });
+      watcher.on("expunge", (event) => {
+        safeWrite(`data: ${JSON.stringify(event)}
+
+`);
+      });
+      watcher.on("flags", (event) => {
+        safeWrite(`data: ${JSON.stringify(event)}
+
+`);
+      });
+      watcher.on("error", (err) => {
+        safeWrite(`data: ${JSON.stringify({ type: "error", message: err.message })}
+
+`);
+      });
+      const pingInterval = setInterval(() => {
+        safeWrite(`: ping
+
+`);
+      }, 3e4);
+      req.on("close", () => {
+        closed = true;
+        clearInterval(pingInterval);
+        agentWatchers.delete(entry);
+        if (agentWatchers.size === 0) activeWatchers.delete(agent.id);
+        watcher.removeAllListeners();
+        watcher.stop().catch((err) => {
+          console.error("[SSE] Watcher cleanup error:", err);
+        });
+      });
+    } catch (err) {
+      next(err);
+    }
+  });
+  return router;
+}
+
+// src/routes/domains.ts
+import { Router as Router7 } from "express";
+function createDomainRoutes(domainManager) {
+  const router = Router7();
+  router.post("/domains", requireMaster, async (req, res, next) => {
+    try {
+      const { domain } = req.body;
+      if (!domain) {
+        res.status(400).json({ error: "domain is required" });
+        return;
+      }
+      const result = await domainManager.setup(domain);
+      res.status(201).json(result);
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/domains", requireMaster, async (_req, res, next) => {
+    try {
+      const domains = await domainManager.list();
+      res.json({ domains });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/domains/:domain/dns", requireMaster, async (req, res, next) => {
+    try {
+      const records = await domainManager.getDnsRecords(req.params.domain);
+      res.json({ records });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/domains/:domain/verify", requireMaster, async (req, res, next) => {
+    try {
+      const verified = await domainManager.verify(req.params.domain);
+      res.json({ domain: req.params.domain, verified });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.delete("/domains/:domain", requireMaster, async (req, res, next) => {
+    try {
+      const deleted = await domainManager.delete(req.params.domain);
+      if (!deleted) {
+        res.status(404).json({ error: "Domain not found" });
+        return;
+      }
+      res.status(204).send();
+    } catch (err) {
+      next(err);
+    }
+  });
+  return router;
+}
+
+// src/routes/gateway.ts
+import { Router as Router8 } from "express";
+import {
+  RELAY_PRESETS,
+  AGENT_ROLES as AGENT_ROLES2
+} from "@agenticmail/core";
+function createGatewayRoutes(gatewayManager) {
+  const router = Router8();
+  router.get("/gateway/setup-guide", requireMaster, async (_req, res) => {
+    res.json({
+      modes: [
+        {
+          mode: "relay",
+          difficulty: "Beginner",
+          description: "Use your existing Gmail or Outlook account to send/receive emails. No domain needed.",
+          fromAddress: "yourname+agentname@gmail.com",
+          requirements: [
+            "A Gmail or Outlook email account",
+            "An app password (not your regular password)"
+          ],
+          setup: {
+            tool: "agenticmail_setup_relay",
+            params: { provider: "gmail", email: "you@gmail.com", password: "xxxx xxxx xxxx xxxx" }
+          },
+          howToGetAppPassword: {
+            gmail: "https://myaccount.google.com/apppasswords (requires 2FA enabled)",
+            outlook: "https://account.live.com/proofs/AppPassword"
+          },
+          pros: ["Quick setup (< 2 min)", "No domain purchase needed", "Free"],
+          cons: ["Emails show as yourname+agent@gmail.com", "Less professional", "Tied to personal email"]
+        },
+        {
+          mode: "domain",
+          difficulty: "Advanced",
+          description: "Use your own domain for professional agent emails (agent@yourdomain.com). Full DKIM/SPF/DMARC authentication.",
+          fromAddress: "agentname@yourdomain.com",
+          requirements: [
+            "A Cloudflare account (free tier works)",
+            "A Cloudflare API token (see tokenPermissions below for exact settings)",
+            "A domain name (can purchase during setup, ~$10/yr for .com)",
+            "A Gmail account + app password for outbound relay (recommended)"
+          ],
+          setup: {
+            tool: "agenticmail_setup_domain",
+            params: {
+              cloudflareToken: "your-api-token",
+              cloudflareAccountId: "your-account-id",
+              domain: "yourdomain.com",
+              gmailRelay: { email: "you@gmail.com", appPassword: "xxxx xxxx xxxx xxxx" }
+            }
+          },
+          postSetup: [
+            'Add each agent email as a Gmail "Send mail as" alias (use agenticmail_setup_gmail_alias tool for instructions)',
+            "DNS propagation takes 5-30 minutes",
+            "DKIM signing is automatic"
+          ],
+          howToGetCloudflareToken: "https://dash.cloudflare.com/profile/api-tokens \u2192 Create Token \u2192 Custom Token",
+          howToGetAccountId: "https://dash.cloudflare.com \u2192 click any site \u2192 right sidebar shows Account ID",
+          tokenPermissions: {
+            instructions: "Go to https://dash.cloudflare.com/profile/api-tokens \u2192 Create Token \u2192 Custom Token (Get started)",
+            zone: [
+              { permission: "Zone > Zone > Read", reason: "Look up zone ID for your domain" },
+              { permission: "Zone > DNS > Edit", reason: "Create/manage DNS records (SPF, DKIM, DMARC, CNAME)" },
+              { permission: "Zone > Email Routing Rules > Edit", reason: "Set catch-all rule to route emails to worker" }
+            ],
+            account: [
+              { permission: "Account > Cloudflare Tunnel > Edit", reason: "Create and configure tunnel for inbound SMTP" },
+              { permission: "Account > Workers Scripts > Edit", reason: "Deploy the inbound email worker" },
+              { permission: "Account > Email Routing Addresses > Edit", reason: "Enable/disable Email Routing on zones" },
+              { permission: "Account > Account Settings > Read", reason: "Verify account access" }
+            ],
+            optional: [
+              { permission: "Account > Registrar: Domains > Edit", reason: "Only needed if purchasing a domain via the tool (optional)" }
+            ],
+            zoneResources: "Include > All zones (or specific zone if you prefer)",
+            accountResources: "Include > your account"
+          },
+          domainPurchase: {
+            note: "Cloudflare API only supports READ access for registrar \u2014 domains must be purchased manually.",
+            options: [
+              {
+                option: "A",
+                label: "Buy from Cloudflare Registrar (recommended \u2014 at-cost pricing, no markup)",
+                url: "https://dash.cloudflare.com/?to=/:account/domain-registration",
+                steps: [
+                  "Open the link above",
+                  "Search for your desired domain",
+                  "Add a payment method if needed (Billing page)",
+                  "Complete the purchase \u2014 domain is automatically in your Cloudflare account"
+                ]
+              },
+              {
+                option: "B",
+                label: "Buy from another registrar (Namecheap, GoDaddy, etc.) then point to Cloudflare",
+                steps: [
+                  "Purchase your domain from any registrar",
+                  "Add the domain to Cloudflare: https://dash.cloudflare.com/?to=/:account/add-site",
+                  "Cloudflare will show you 2 nameservers to set",
+                  "Update nameservers at your registrar",
+                  "Wait for DNS propagation (5-30 min)"
+                ]
+              }
+            ]
+          },
+          pros: ["Professional emails (agent@yourdomain.com)", "Full DKIM/SPF/DMARC", "Multiple agents with unique addresses", "Better deliverability"],
+          cons: ["Requires Cloudflare account", "Domain costs ~$10/yr", "More setup steps", "Gmail alias step needed for outbound"]
+        }
+      ]
+    });
+  });
+  router.post("/gateway/relay", requireMaster, async (req, res, next) => {
+    try {
+      const { provider, email, password, smtpHost, smtpPort, imapHost, imapPort, agentName, agentRole, skipDefaultAgent } = req.body;
+      if (!email || !password) {
+        res.status(400).json({ error: "email and password are required" });
+        return;
+      }
+      if (agentRole && !AGENT_ROLES2.includes(agentRole)) {
+        res.status(400).json({ error: `Invalid agentRole. Must be one of: ${AGENT_ROLES2.join(", ")}` });
+        return;
+      }
+      const prov = provider ?? "custom";
+      const preset = prov === "gmail" || prov === "outlook" ? RELAY_PRESETS[prov] : null;
+      const config = {
+        provider: prov,
+        email,
+        password,
+        smtpHost: smtpHost ?? preset?.smtpHost ?? "localhost",
+        smtpPort: smtpPort ?? preset?.smtpPort ?? 587,
+        imapHost: imapHost ?? preset?.imapHost ?? "localhost",
+        imapPort: imapPort ?? preset?.imapPort ?? 993
+      };
+      const result = await gatewayManager.setupRelay(config, {
+        defaultAgentName: agentName,
+        defaultAgentRole: agentRole,
+        skipDefaultAgent
+      });
+      const response = {
+        status: "ok",
+        mode: "relay",
+        email: config.email,
+        provider: config.provider
+      };
+      if (result.agent) {
+        response.agent = {
+          id: result.agent.id,
+          name: result.agent.name,
+          email: result.agent.email,
+          apiKey: result.agent.apiKey,
+          role: result.agent.role,
+          subAddress: `${email.split("@")[0]}+${result.agent.name}@${email.split("@")[1]}`
+        };
+      }
+      res.json(response);
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/gateway/domain", requireMaster, async (req, res, next) => {
+    try {
+      const { cloudflareToken, cloudflareAccountId, domain, purchase, gmailRelay } = req.body;
+      if (!cloudflareToken || !cloudflareAccountId) {
+        res.status(400).json({ error: "cloudflareToken and cloudflareAccountId are required" });
+        return;
+      }
+      const result = await gatewayManager.setupDomain({
+        cloudflareToken,
+        cloudflareAccountId,
+        domain,
+        purchase,
+        gmailRelay
+      });
+      res.json({ status: "ok", mode: "domain", ...result });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/gateway/domain/alias-setup", requireMaster, async (req, res, next) => {
+    try {
+      const config = gatewayManager.getConfig();
+      if (config.mode !== "domain" || !config.domain) {
+        res.status(400).json({ error: "Domain mode not configured" });
+        return;
+      }
+      const { agentEmail, agentDisplayName } = req.body;
+      if (!agentEmail) {
+        res.status(400).json({ error: "agentEmail is required (e.g. secretary@yourdomain.com)" });
+        return;
+      }
+      const stalwart = gatewayManager.getStalwart();
+      const gmailUsername = await stalwart.getSettings("queue.route.gmail.auth");
+      const relayEmail = gmailUsername?.["username"];
+      if (!relayEmail) {
+        res.status(400).json({ error: "Gmail relay not configured. Set up domain with gmailRelay first." });
+        return;
+      }
+      const domain = config.domain.domain;
+      const displayName = agentDisplayName || agentEmail.split("@")[0];
+      res.json({
+        status: "ok",
+        instructions: {
+          summary: `Add "${agentEmail}" as a "Send mail as" alias in Gmail`,
+          gmailSettingsUrl: "https://mail.google.com/mail/u/0/#settings/accounts",
+          steps: [
+            { step: 1, action: "Navigate to Gmail settings", url: "https://mail.google.com/mail/u/0/#settings/accounts" },
+            { step: 2, action: 'Click "Add another email address" under "Send mail as"' },
+            { step: 3, action: "Fill name and email", fields: { name: displayName, email: agentEmail, treatAsAlias: false } },
+            { step: 4, action: 'Click "Next Step"' },
+            {
+              step: 5,
+              action: "IMPORTANT: Gmail auto-fills wrong SMTP values. Change ALL fields to:",
+              fields: {
+                smtpServer: "smtp.gmail.com",
+                port: 465,
+                username: relayEmail,
+                password: "[app password - same one used during domain setup]",
+                security: "SSL"
+              }
+            },
+            { step: 6, action: 'Click "Add Account"' },
+            { step: 7, action: `Check AgenticMail inbox for verification email from gmail-noreply@google.com, extract the confirmation link or code` },
+            { step: 8, action: "Open the confirmation link or enter the code to complete verification" }
+          ]
+        },
+        domain,
+        agentEmail
+      });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/gateway/domain/payment-setup", requireMaster, async (_req, res) => {
+    const config = gatewayManager.getConfig();
+    const accountId = config.mode === "domain" && config.domain ? config.domain.cloudflareAccountId : void 0;
+    res.json({
+      status: "ok",
+      instructions: {
+        summary: "Add a payment method to your Cloudflare account (required for domain purchases)",
+        options: [
+          {
+            option: "A",
+            label: "Add it yourself (2 minutes)",
+            steps: [
+              { step: 1, action: "Open Cloudflare billing page", url: accountId ? `https://dash.cloudflare.com/${accountId}/billing` : "https://dash.cloudflare.com/?to=/:account/billing" },
+              { step: 2, action: 'Click "Payment Info" tab or "Manage" next to Payment Method' },
+              { step: 3, action: 'Click "Add payment method"' },
+              { step: 4, action: "Enter card details (prepaid debit cards with spending limits work fine)" },
+              { step: 5, action: 'Click "Save" or "Add"' }
+            ]
+          },
+          {
+            option: "B",
+            label: "Let your AI agent do it via browser automation",
+            requirements: ["Agent must have browser tool access", "You must be logged into Cloudflare in your browser"],
+            steps: [
+              { step: 1, action: "Agent navigates to Cloudflare billing page", url: accountId ? `https://dash.cloudflare.com/${accountId}/billing` : "https://dash.cloudflare.com/?to=/:account/billing" },
+              { step: 2, action: 'Agent clicks "Payment Info" or "Manage" next to Payment Method' },
+              { step: 3, action: 'Agent clicks "Add payment method"' },
+              { step: 4, action: "Agent fills in card number, expiry, CVC, and billing info", note: "User provides card details via chat. Agent types them into the form. Details are NOT stored anywhere." },
+              { step: 5, action: 'Agent clicks "Save" \u2014 user should verify the details on screen before confirming' }
+            ],
+            securityNote: "Card details go directly to Cloudflare via their secure form. AgenticMail never stores or sees your card information."
+          }
+        ]
+      }
+    });
+  });
+  router.get("/gateway/status", requireMaster, async (_req, res, next) => {
+    try {
+      const status = gatewayManager.getStatus();
+      res.json(status);
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/gateway/domain/purchase", requireMaster, async (req, res, next) => {
+    try {
+      const { keywords, tld } = req.body;
+      if (!keywords?.length) {
+        res.status(400).json({ error: "keywords array is required" });
+        return;
+      }
+      const purchaser = gatewayManager.getDomainPurchaser();
+      if (!purchaser) {
+        res.status(400).json({ error: "Domain mode not configured. Set up Cloudflare credentials first." });
+        return;
+      }
+      const results = await purchaser.searchAvailable(keywords, tld ? [tld] : void 0);
+      res.json({ domains: results });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/gateway/domain/dns", requireMaster, async (_req, res, next) => {
+    try {
+      const config = gatewayManager.getConfig();
+      if (config.mode !== "domain" || !config.domain) {
+        res.status(400).json({ error: "Domain mode not configured" });
+        return;
+      }
+      const dnsConfig = gatewayManager.getDNSConfigurator();
+      if (!dnsConfig) {
+        res.status(400).json({ error: "DNS configurator not available" });
+        return;
+      }
+      const verification = await dnsConfig.verify(config.domain.domain);
+      res.json({ domain: config.domain.domain, dns: verification });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/gateway/tunnel/start", requireMaster, async (_req, res, next) => {
+    try {
+      const config = gatewayManager.getConfig();
+      if (config.mode !== "domain" || !config.domain?.tunnelToken) {
+        res.status(400).json({ error: "Domain mode with tunnel not configured" });
+        return;
+      }
+      const tunnel = gatewayManager.getTunnelManager();
+      if (!tunnel) {
+        res.status(400).json({ error: "Tunnel manager not available" });
+        return;
+      }
+      await tunnel.start(config.domain.tunnelToken);
+      res.json({ status: "ok", tunnel: tunnel.status() });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/gateway/tunnel/stop", requireMaster, async (_req, res, next) => {
+    try {
+      const tunnel = gatewayManager.getTunnelManager();
+      if (!tunnel) {
+        res.status(400).json({ error: "Tunnel manager not available" });
+        return;
+      }
+      await tunnel.stop();
+      res.json({ status: "ok", tunnel: tunnel.status() });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/gateway/test", requireMaster, async (req, res, next) => {
+    try {
+      const { to } = req.body;
+      if (!to) {
+        res.status(400).json({ error: "to email address is required" });
+        return;
+      }
+      const result = await gatewayManager.sendTestEmail(to);
+      if (result) {
+        res.json({ status: "ok", messageId: result.messageId });
+      } else {
+        res.status(400).json({ error: "No gateway configured or destination is local" });
+      }
+    } catch (err) {
+      next(err);
+    }
+  });
+  return router;
+}
+
+// src/routes/tasks.ts
+import { Router as Router9 } from "express";
+import { v4 as uuidv43 } from "uuid";
+import { MailSender as MailSender4 } from "@agenticmail/core";
+var rpcResolvers = /* @__PURE__ */ new Map();
+function createTaskRoutes(db, accountManager, config) {
+  const router = Router9();
+  router.post("/tasks/assign", requireAuth, async (req, res, next) => {
+    try {
+      const { assignee, taskType, payload, expiresInSeconds } = req.body || {};
+      if (!assignee) {
+        res.status(400).json({ error: "assignee (agent name) is required" });
+        return;
+      }
+      const target = await accountManager.getByName(assignee);
+      if (!target) {
+        res.status(404).json({ error: `Agent "${assignee}" not found` });
+        return;
+      }
+      const assignerId = req.agent?.id ?? "master";
+      const id = uuidv43();
+      const expiresAt = expiresInSeconds ? new Date(Date.now() + expiresInSeconds * 1e3).toISOString() : null;
+      db.prepare(
+        "INSERT INTO agent_tasks (id, assigner_id, assignee_id, task_type, payload, expires_at) VALUES (?, ?, ?, ?, ?, ?)"
+      ).run(id, assignerId, target.id, taskType || "generic", JSON.stringify(payload || {}), expiresAt);
+      const taskEvent = {
+        type: "task",
+        taskId: id,
+        taskType: taskType || "generic",
+        assignee: target.name,
+        from: req.agent?.name ?? "system"
+      };
+      if (!pushEventToAgent(target.id, taskEvent)) {
+        broadcastEvent(taskEvent);
+      }
+      if (req.agent) {
+        const notifSender = new MailSender4({
+          host: config.smtp.host,
+          port: config.smtp.port,
+          email: req.agent.email,
+          password: getAgentPassword(req.agent),
+          authUser: req.agent.stalwartPrincipal
+        });
+        notifSender.send({
+          to: target.email,
+          subject: `[Task] ${taskType || "generic"} from ${req.agent.name}`,
+          text: `You have a new task assigned to you (ID: ${id}).
+
+Type: ${taskType || "generic"}
+${payload ? `Payload: ${JSON.stringify(payload)}
+` : ""}
+Please check your pending tasks.`
+        }).catch((err) => {
+          console.warn(`[Tasks] Failed to notify ${target.name}:`, err.message);
+        }).finally(() => {
+          notifSender.close();
+        });
+      }
+      res.status(201).json({ id, assignee: target.name, assigneeId: target.id, status: "pending" });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/tasks/pending", requireAgent, async (req, res, next) => {
+    try {
+      let assigneeId = req.agent.id;
+      const assigneeName = req.query.assignee;
+      if (assigneeName) {
+        const target = await accountManager.getByName(assigneeName);
+        if (target) assigneeId = target.id;
+      }
+      const rows = db.prepare(
+        "SELECT * FROM agent_tasks WHERE assignee_id = ? AND status IN ('pending', 'claimed') ORDER BY created_at ASC"
+      ).all(assigneeId);
+      res.json({ tasks: rows.map(parseTask), count: rows.length });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/tasks/assigned", requireAuth, async (req, res, next) => {
+    try {
+      const id = req.agent?.id ?? "master";
+      const rows = db.prepare(
+        "SELECT * FROM agent_tasks WHERE assigner_id = ? ORDER BY created_at DESC LIMIT 50"
+      ).all(id);
+      res.json({ tasks: rows.map(parseTask), count: rows.length });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/tasks/:id/claim", requireAgent, async (req, res, next) => {
+    try {
+      const result = db.prepare(
+        "UPDATE agent_tasks SET status = 'claimed', claimed_at = datetime('now') WHERE id = ? AND status = 'pending'"
+      ).run(req.params.id);
+      if (result.changes === 0) {
+        res.status(404).json({ error: "Task not found or already claimed" });
+        return;
+      }
+      touchActivity(db, req.agent.id);
+      const task = db.prepare("SELECT * FROM agent_tasks WHERE id = ?").get(req.params.id);
+      res.json(parseTask(task));
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/tasks/:id/result", requireAgent, async (req, res, next) => {
+    try {
+      const { result } = req.body || {};
+      const resultJson = JSON.stringify(result ?? null);
+      const dbResult = db.prepare(
+        "UPDATE agent_tasks SET status = 'completed', result = ?, completed_at = datetime('now') WHERE id = ? AND status = 'claimed'"
+      ).run(resultJson, req.params.id);
+      if (dbResult.changes === 0) {
+        res.status(404).json({ error: "Task not found or not in claimed status" });
+        return;
+      }
+      touchActivity(db, req.agent.id);
+      const resolver = rpcResolvers.get(req.params.id);
+      if (resolver) {
+        rpcResolvers.delete(req.params.id);
+        resolver({ status: "completed", result: resultJson });
+      }
+      res.json({ ok: true, taskId: req.params.id, status: "completed" });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/tasks/:id/complete", requireAgent, async (req, res, next) => {
+    try {
+      const { result } = req.body || {};
+      const resultJson = JSON.stringify(result ?? null);
+      const dbResult = db.prepare(
+        "UPDATE agent_tasks SET status = 'completed', result = ?, claimed_at = datetime('now'), completed_at = datetime('now') WHERE id = ? AND status = 'pending'"
+      ).run(resultJson, req.params.id);
+      if (dbResult.changes === 0) {
+        const retry = db.prepare(
+          "UPDATE agent_tasks SET status = 'completed', result = ?, completed_at = datetime('now') WHERE id = ? AND status = 'claimed'"
+        ).run(resultJson, req.params.id);
+        if (retry.changes === 0) {
+          res.status(404).json({ error: "Task not found or already completed" });
+          return;
+        }
+      }
+      touchActivity(db, req.agent.id);
+      const resolver = rpcResolvers.get(req.params.id);
+      if (resolver) {
+        rpcResolvers.delete(req.params.id);
+        resolver({ status: "completed", result: resultJson });
+      }
+      res.json({ ok: true, taskId: req.params.id, status: "completed" });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/tasks/:id/fail", requireAgent, async (req, res, next) => {
+    try {
+      const { error } = req.body || {};
+      const errorMsg = error || "Unknown error";
+      const dbResult = db.prepare(
+        "UPDATE agent_tasks SET status = 'failed', error = ?, completed_at = datetime('now') WHERE id = ? AND status = 'claimed'"
+      ).run(errorMsg, req.params.id);
+      if (dbResult.changes === 0) {
+        res.status(404).json({ error: "Task not found or not in claimed status" });
+        return;
+      }
+      touchActivity(db, req.agent.id);
+      const resolver = rpcResolvers.get(req.params.id);
+      if (resolver) {
+        rpcResolvers.delete(req.params.id);
+        resolver({ status: "failed", error: errorMsg });
+      }
+      res.json({ ok: true, taskId: req.params.id, status: "failed" });
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.get("/tasks/:id", requireAuth, async (req, res, next) => {
+    try {
+      const task = db.prepare("SELECT * FROM agent_tasks WHERE id = ?").get(req.params.id);
+      if (!task) {
+        res.status(404).json({ error: "Task not found" });
+        return;
+      }
+      res.json(parseTask(task));
+    } catch (err) {
+      next(err);
+    }
+  });
+  router.post("/tasks/rpc", requireAuth, async (req, res, next) => {
+    try {
+      const { target, task, payload, timeout } = req.body || {};
+      if (!target || !task) {
+        res.status(400).json({ error: "target (agent name) and task are required" });
+        return;
+      }
+      const targetAgent = await accountManager.getByName(target);
+      if (!targetAgent) {
+        res.status(404).json({ error: `Agent "${target}" not found` });
+        return;
+      }
+      const assignerId = req.agent?.id ?? "master";
+      const taskId = uuidv43();
+      const timeoutMs = Math.min(Math.max((timeout || 180) * 1e3, 5e3), 3e5);
+      req.socket.setTimeout(0);
+      res.setHeader("Connection", "keep-alive");
+      db.prepare(
+        "INSERT INTO agent_tasks (id, assigner_id, assignee_id, task_type, payload) VALUES (?, ?, ?, ?, ?)"
+      ).run(taskId, assignerId, targetAgent.id, "rpc", JSON.stringify({ task, ...payload || {} }));
+      const rpcEvent = {
+        type: "task",
+        taskId,
+        taskType: "rpc",
+        task,
+        assignee: targetAgent.name,
+        from: req.agent?.name ?? "system"
+      };
+      if (!pushEventToAgent(targetAgent.id, rpcEvent)) {
+        broadcastEvent(rpcEvent);
+      }
+      if (req.agent) {
+        const notifSender = new MailSender4({
+          host: config.smtp.host,
+          port: config.smtp.port,
+          email: req.agent.email,
+          password: getAgentPassword(req.agent),
+          authUser: req.agent.stalwartPrincipal
+        });
+        notifSender.send({
+          to: targetAgent.email,
+          subject: `[RPC] Task from ${req.agent.name}: ${task}`,
+          text: `You have a pending RPC task (ID: ${taskId}).
+
+Task: ${task}
+${payload ? `Payload: ${JSON.stringify(payload)}
+` : ""}
+Please check your pending tasks, claim this task, process it, and submit the result.`
+        }).catch((err) => {
+          console.warn(`[RPC] Failed to notify ${targetAgent.name}:`, err.message);
+        }).finally(() => {
+          notifSender.close();
+        });
+      }
+      const completionPromise = new Promise((resolve) => {
+        rpcResolvers.set(taskId, resolve);
+        const pollStmt = db.prepare("SELECT status, result, error FROM agent_tasks WHERE id = ?");
+        let pollCount = 0;
+        const pollInterval = setInterval(() => {
+          pollCount++;
+          if (req.destroyed || res.destroyed) {
+            clearInterval(pollInterval);
+            rpcResolvers.delete(taskId);
+            resolve({ status: "disconnected" });
+            return;
+          }
+          const row = pollStmt.get(taskId);
+          if (row?.status === "completed" || row?.status === "failed") {
+            clearInterval(pollInterval);
+            rpcResolvers.delete(taskId);
+            resolve({ status: row.status, result: row.result, error: row.error });
+          }
+        }, 2e3);
+        setTimeout(() => {
+          clearInterval(pollInterval);
+          rpcResolvers.delete(taskId);
+          resolve({ status: "timeout" });
+        }, timeoutMs);
+      });
+      const outcome = await completionPromise;
+      if (outcome.status === "disconnected") return;
+      if (outcome.status === "completed") {
+        let result = null;
+        try {
+          result = JSON.parse(outcome.result);
+        } catch {
+          result = outcome.result;
+        }
+        res.json({ taskId, status: "completed", result });
+        return;
+      }
+      if (outcome.status === "failed") {
+        res.json({ taskId, status: "failed", error: outcome.error });
+        return;
+      }
+      res.json({ taskId, status: "timeout", message: `Task not completed within ${timeout || 180}s. Check with GET /tasks/${taskId}` });
+    } catch (err) {
+      next(err);
+    }
+  });
+  return router;
+}
+function parseTask(row) {
+  if (!row) return null;
+  let payload = {};
+  let result = null;
+  try {
+    payload = JSON.parse(row.payload);
+  } catch {
+    payload = row.payload;
+  }
+  try {
+    result = row.result ? JSON.parse(row.result) : null;
+  } catch {
+    result = row.result;
+  }
+  return {
+    id: row.id,
+    assignerId: row.assigner_id,
+    assigneeId: row.assignee_id,
+    taskType: row.task_type,
+    payload,
+    status: row.status,
+    result,
+    error: row.error,
+    createdAt: row.created_at,
+    claimedAt: row.claimed_at,
+    completedAt: row.completed_at,
+    expiresAt: row.expires_at
+  };
+}
+
+// src/app.ts
+function createApp(configOverrides) {
+  const config = resolveConfig(configOverrides);
+  const db = getDatabase(config);
+  const stalwart = new StalwartAdmin({
+    url: config.stalwart.url,
+    adminUser: config.stalwart.adminUser,
+    adminPassword: config.stalwart.adminPassword
+  });
+  const accountManager = new AccountManager(db, stalwart);
+  const domainManager = new DomainManager(db, stalwart);
+  const gatewayManager = new GatewayManager2({
+    db,
+    stalwart,
+    accountManager,
+    localSmtp: {
+      host: config.smtp.host,
+      port: config.smtp.port,
+      user: config.stalwart.adminUser,
+      pass: config.stalwart.adminPassword
+    }
+  });
+  const app2 = express();
+  app2.disable("x-powered-by");
+  app2.use((_req, res, next) => {
+    res.setHeader("X-Powered-By", "AgenticMail");
+    next();
+  });
+  app2.use(cors());
+  app2.use(express.json({ limit: "10mb" }));
+  app2.use(
+    rateLimit({
+      windowMs: 60 * 1e3,
+      max: 100,
+      standardHeaders: true,
+      legacyHeaders: false,
+      message: { error: "Too many requests, please try again later" }
+    })
+  );
+  app2.use("/api/agenticmail", createHealthRoutes(stalwart));
+  app2.use("/api/agenticmail", createInboundRoutes(accountManager, config, gatewayManager));
+  app2.use("/api/agenticmail", createAuthMiddleware(config.masterKey, accountManager, db));
+  app2.use("/api/agenticmail", createAccountRoutes(accountManager, db, config));
+  app2.use("/api/agenticmail", createMailRoutes(accountManager, config, db, gatewayManager));
+  app2.use("/api/agenticmail", createEventRoutes(accountManager, config, db));
+  app2.use("/api/agenticmail", createDomainRoutes(domainManager));
+  app2.use("/api/agenticmail", createGatewayRoutes(gatewayManager));
+  app2.use("/api/agenticmail", createFeatureRoutes(db, accountManager, config, gatewayManager));
+  app2.use("/api/agenticmail", createTaskRoutes(db, accountManager, config));
+  app2.use("/api/agenticmail", (_req, res) => {
+    res.status(404).json({ error: "Not found" });
+  });
+  app2.use(errorHandler);
+  const context2 = { config, db, stalwart, accountManager, domainManager, gatewayManager };
+  return { app: app2, context: context2 };
+}
+
+// src/index.ts
+function getLocalIp() {
+  const nets = networkInterfaces();
+  for (const iface of Object.values(nets)) {
+    if (!iface) continue;
+    for (const info of iface) {
+      if (info.family === "IPv4" && !info.internal) return info.address;
+    }
+  }
+  return "127.0.0.1";
+}
+var VERSION = "0.2.26";
+var { app, context } = createApp();
+var { port, host } = context.config.api;
+var scheduledTimer = null;
+var server = app.listen(port, host, async () => {
+  const displayHost = host === "127.0.0.1" || host === "0.0.0.0" ? getLocalIp() : host;
+  console.log("");
+  console.log("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557");
+  console.log("  \u2551                 \u{1F380} AgenticMail v" + VERSION.padEnd(29) + "\u2551");
+  console.log("  \u2551              Built by Ope Olatunji                           \u2551");
+  console.log("  \u2551       github.com/agenticmail/agenticmail                     \u2551");
+  console.log("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563");
+  console.log("  \u2551                                                             \u2551");
+  console.log("  \u2551  What \u{1F380} AgenticMail gives your agents:                     \u2551");
+  console.log("  \u2551                                                             \u2551");
+  console.log("  \u2551  \u{1F4E7} Real Email        Send, receive, reply, forward with    \u2551");
+  console.log("  \u2551                       full DKIM/SPF/DMARC authentication    \u2551");
+  console.log("  \u2551                                                             \u2551");
+  console.log("  \u2551  \u{1F91D} Agent Coordination  Task queues, synchronous RPC,       \u2551");
+  console.log("  \u2551                         push notifications, structured      \u2551");
+  console.log("  \u2551                         results \u2014 replaces fire-and-forget  \u2551");
+  console.log("  \u2551                         session spawning                    \u2551");
+  console.log("  \u2551                                                             \u2551");
+  console.log("  \u2551  \u{1F512} Security           Outbound PII/credential scanning,   \u2551");
+  console.log("  \u2551                        inbound spam filtering, human-in-   \u2551");
+  console.log("  \u2551                        the-loop approval for sensitive      \u2551");
+  console.log("  \u2551                        content                              \u2551");
+  console.log("  \u2551                                                             \u2551");
+  console.log("  \u2551  \u26A1 Efficiency         ~60% fewer tokens on multi-agent    \u2551");
+  console.log("  \u2551                        tasks vs session polling. Persistent \u2551");
+  console.log("  \u2551                        task state survives crashes.         \u2551");
+  console.log("  \u2551                        Push-based \u2014 no wasted poll cycles.  \u2551");
+  console.log("  \u2551                                                             \u2551");
+  console.log("  \u2551  54 tools \u2022 MIT license \u2022 Contributions welcome             \u2551");
+  console.log("  \u2551                                                             \u2551");
+  console.log("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D");
+  console.log("");
+  console.log(`  \u{1F680} API: http://${displayHost}:${port}`);
+  console.log(`  \u2764\uFE0F  Health: http://${displayHost}:${port}/api/agenticmail/health`);
+  console.log(`  \u{1F4D6} About: http://${displayHost}:${port}/api/agenticmail/about`);
+  scheduledTimer = startScheduledSender(context.db, context.accountManager, context.config, context.gatewayManager);
+  try {
+    await context.gatewayManager.resume();
+    const status = context.gatewayManager.getStatus();
+    if (status.mode !== "none") {
+      console.log(`   Gateway: ${status.mode} mode resumed${status.relay?.polling ? " (polling)" : ""}`);
+    }
+  } catch (err) {
+    console.error("   Gateway resume failed:", err);
+  }
+});
+server.on("error", (err) => {
+  if (err.code === "EADDRINUSE") {
+    console.error(`Port ${port} is already in use`);
+  } else {
+    console.error("Failed to start server:", err);
+  }
+  process.exit(1);
+});
+var shuttingDown = false;
+async function shutdown() {
+  if (shuttingDown) return;
+  shuttingDown = true;
+  console.log("\nShutting down...");
+  if (scheduledTimer) {
+    try {
+      clearInterval(scheduledTimer);
+    } catch {
+    }
+  }
+  try {
+    await closeAllWatchers();
+  } catch {
+  }
+  try {
+    await closeCaches();
+  } catch {
+  }
+  try {
+    await context.gatewayManager.shutdown();
+  } catch {
+  }
+  server.close(() => process.exit(0));
+  setTimeout(() => process.exit(1), 5e3);
+}
+process.on("SIGTERM", () => shutdown().catch(() => process.exit(1)));
+process.on("SIGINT", () => shutdown().catch(() => process.exit(1)));
+process.on("uncaughtException", (err) => {
+  console.error("[AgenticMail] Uncaught exception (server will continue):", err.message);
+  console.error(err.stack);
+});
+process.on("unhandledRejection", (reason) => {
+  const msg = reason instanceof Error ? reason.message : String(reason);
+  console.error("[AgenticMail] Unhandled promise rejection (server will continue):", msg);
+  if (reason instanceof Error && reason.stack) {
+    console.error(reason.stack);
+  }
+});