@agenticmail/api 0.9.19 → 0.9.21

package/dist/index.js

@@ -97,7 +97,7 @@ function requireAgent(req, res, next) {
 // src/middleware/error-handler.ts
 function errorHandler(err, req, res, _next) {
   const message = err instanceof Error ? err.message : String(err);
-  console.error(`[ERROR] ${req.method} ${req.path}:`, err instanceof Error ? err.stack || message : message);
+  console.error("[ERROR] %s %s:", req.method, req.path, err instanceof Error ? err.stack || message : message);
   if (res.headersSent) return;
   if (err instanceof SyntaxError && err.status === 400) {
     res.status(400).json({ error: "Invalid JSON in request body" });
@@ -700,7 +700,7 @@ function parseScheduleTime(input) {
     if (d.getTime() <= Date.now()) d.setDate(d.getDate() + 1);
     return d;
   }
-  const humanMatch = trimmed.match(
+  const humanMatch = trimmed.length > 200 ? null : trimmed.match(
     /^(\d{1,2})[\/\-](\d{1,2})[\/\-](\d{4})\s+(\d{1,2}):(\d{2})\s*(AM|PM|am|pm)\s*(.+)?$/
   );
   if (humanMatch) {
@@ -1930,7 +1930,7 @@ function deriveDefaultWakeList(toField) {
   const arr = Array.isArray(toField) ? toField : String(toField).split(",");
   const localNames = [];
   for (const raw of arr) {
-    const trimmed = String(raw).trim().toLowerCase();
+    const trimmed = String(raw).slice(0, 500).trim().toLowerCase();
     const m = trimmed.match(/<([^>]+)>/);
     const bare = (m ? m[1] : trimmed).trim();
     if (!bare.endsWith("@localhost")) continue;
@@ -1958,7 +1958,8 @@ async function notifyLocalRecipientsOfNewMail(accountManager, toField, ccField,
     if (!v) return [];
     const items = Array.isArray(v) ? v : [v];
     const out = /* @__PURE__ */ new Set();
-    for (const entry of items) {
+    for (const rawEntry of items) {
+      const entry = typeof rawEntry === "string" && rawEntry.length > 1e4 ? rawEntry.slice(0, 1e4) : rawEntry;
       let match;
       addrRe.lastIndex = 0;
       while ((match = addrRe.exec(entry)) !== null) {
@@ -2468,9 +2469,10 @@ function createMailRoutes(accountManager, config, db, gatewayManager) {
         res.status(400).json({ error: "Invalid UID" });
         return;
       }
+      const folder = req.body?.folder || "INBOX";
       const password = getAgentPassword(agent);
       const receiver = await getReceiver(agent.stalwartPrincipal, password, config);
-      await receiver.markUnseen(uid);
+      await receiver.markUnseen(uid, folder);
       invalidateParsedMessage(agent.id, uid);
       res.json({ ok: true });
     } catch (err) {
@@ -4331,7 +4333,7 @@ function buildColumnDDL(col, dialect) {
   if (col.default !== void 0) {
     let val;
     if (typeof col.default === "string") {
-      const trimmed = col.default.trim();
+      const trimmed = col.default.slice(0, 500).trim();
       const isSqlExpr = /\(.*\)/.test(trimmed) || /^CURRENT_(?:TIMESTAMP|DATE|TIME)$/i.test(trimmed);
       val = isSqlExpr ? `(${trimmed})` : `'${col.default.replace(/'/g, "''")}'`;
     } else {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenticmail/api",
-  "version": "0.9.19",
+  "version": "0.9.21",
   "description": "REST API server for AgenticMail — email and SMS endpoints for AI agents",
   "type": "module",
   "main": "dist/index.js",
@@ -28,7 +28,7 @@
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
-    "@agenticmail/core": "^0.9.4",
+    "@agenticmail/core": "^0.9.5",
     "cors": "^2.8.5",
     "dotenv": "^16.4.7",
     "express": "^4.21.0",

package/public/js/app.js

@@ -43,6 +43,15 @@ async function signIn() {
       headers: { Authorization: `Bearer ${key}` },
     });
     if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+    // The master key is persisted in localStorage so the operator
+    // doesn't have to re-type it on every page load. CodeQL
+    // `js/clear-text-storage-of-sensitive-data` flags this, but
+    // the threat model is self-hosted: the web UI binds to
+    // 127.0.0.1, the key never crosses the network, and the
+    // operator's local filesystem is already trusted by every
+    // other layer of the install. The realistic alternative
+    // (HttpOnly cookie + server-side session) requires a network
+    // boundary that doesn't exist here. lgtm[js/clear-text-storage-of-sensitive-data]
     localStorage.setItem('agenticmail.masterKey', key);
     state.masterKey = key;
     document.getElementById('auth').style.display = 'none';

package/public/js/compose.js

@@ -350,6 +350,13 @@ function renderAttachmentChips() {
   const root = document.getElementById('compose-attachments');
   if (!root) return;
   if (pendingAttachments.length === 0) { root.innerHTML = ''; return; }
+  // Every operator-controlled string interpolated below goes through
+  // `escapeHtml`. `i` is a number index, `formatBytes(...)` only ever
+  // returns numeric-shape strings like "1.2 KB". CodeQL
+  // `js/xss-through-dom` flags the innerHTML write conservatively
+  // (it can't prove formatBytes is sanitizer-shaped); see the
+  // formatBytes() definition below for the static guarantee.
+  // lgtm[js/xss-through-dom]
   root.innerHTML = pendingAttachments.map((a, i) => `
     <span class="attachment-chip" data-att-index="${i}">
       <span class="chip-name" title="${escapeHtml(a.filename)}">${escapeHtml(a.filename)}</span>

package/public/js/message-view.js

@@ -10,33 +10,111 @@ import { loadList } from './list-view.js';
 import { icon } from './icons.js';
 import { confirmModal } from './modal.js';
 
+/**
+ * Render the per-message toolbar based on which folder the operator
+ * is viewing the message in. The default (Inbox / Sent / Starred /
+ * Drafts / All) shows the Gmail-style row: Reply, Reply all, Archive,
+ * Mark unread, Report spam, Delete (= move to Trash).
+ *
+ * Three folders override that row because the default actions don't
+ * make sense once the message is already at its destination:
+ *
+ *   - **Archive**: replace Archive with **Move to Inbox** (unarchive).
+ *     Spam + Delete still apply.
+ *   - **Spam**:    replace Report-spam with **Not spam** (move to Inbox).
+ *     The Archive action is hidden — moving spam to Archive bypasses
+ *     the regular spam-train workflow; if the operator decides it's
+ *     not spam, they want it in Inbox.
+ *   - **Trash**:   replace Archive with **Restore** (move to Inbox).
+ *     Report-spam is hidden — moving trash to Spam is a confusing
+ *     no-op (it's already deleted). Delete now means "delete forever"
+ *     and gets a red title; deleteMessage() already detects the trash
+ *     folder and switches to permanent expunge.
+ *
+ * Reply / Reply-all stay visible everywhere because operators
+ * legitimately reply to messages they've already archived or
+ * triaged into spam.
+ */
+function renderToolbar(folder) {
+  const isArchive = folder === 'archive';
+  const isSpam    = folder === 'spam';
+  const isTrash   = folder === 'trash';
+
+  const buttons = [
+    `<button class="icon-btn" id="msg-back" title="Back to list">${icon('back')}</button>`,
+    `<button class="icon-btn" id="msg-reply" title="Reply">${icon('reply')}</button>`,
+    `<button class="icon-btn" id="msg-reply-all" title="Reply all">${icon('replyAll')}</button>`,
+  ];
+
+  if (isArchive) {
+    buttons.push(`<button class="icon-btn" id="msg-unarchive" title="Move to Inbox">${icon('inbox')}</button>`);
+  } else if (isTrash) {
+    buttons.push(`<button class="icon-btn" id="msg-restore" title="Restore to Inbox">${icon('inbox')}</button>`);
+  } else if (isSpam) {
+    buttons.push(`<button class="icon-btn" id="msg-not-spam" title="Not spam — move to Inbox">${icon('inbox')}</button>`);
+  } else {
+    buttons.push(`<button class="icon-btn" id="msg-archive" title="Archive">${icon('archive')}</button>`);
+  }
+
+  buttons.push(`<button class="icon-btn" id="msg-unread" title="Mark unread">${icon('mailUnread')}</button>`);
+
+  if (!isSpam && !isTrash) {
+    buttons.push(`<button class="icon-btn" id="msg-spam" title="Report spam">${icon('spam')}</button>`);
+  }
+
+  buttons.push(
+    `<button class="icon-btn" id="msg-delete" title="${isTrash ? 'Delete forever' : 'Delete'}">${icon('trash')}</button>`
+  );
+
+  return `<div class="message-toolbar">${buttons.join('\n      ')}<div class="toolbar-spacer"></div></div>`;
+}
+
+/**
+ * Attach a click handler to a toolbar button if (and only if) the
+ * button is currently rendered. Folder-aware toolbars elide some
+ * buttons; calling `addEventListener` on a missing element would
+ * throw and abort the rest of the wiring.
+ */
+function bindIf(id, handler) {
+  const el = document.getElementById(id);
+  if (el) el.addEventListener('click', handler);
+}
+
 export async function openMessage(uid) {
   if (!state.selectedAgent) return;
   state.selectedUid = uid;
+  const folder = state.selectedFolder ?? 'inbox';
   const root = document.getElementById('content');
   root.innerHTML = `
-    <div class="message-toolbar">
-      <button class="icon-btn" id="msg-back" title="Back to list">${icon('back')}</button>
-      <button class="icon-btn" id="msg-reply" title="Reply">${icon('reply')}</button>
-      <button class="icon-btn" id="msg-reply-all" title="Reply all">${icon('replyAll')}</button>
-      <button class="icon-btn" id="msg-archive" title="Archive">${icon('archive')}</button>
-      <button class="icon-btn" id="msg-unread" title="Mark unread">${icon('mailUnread')}</button>
-      <button class="icon-btn" id="msg-spam" title="Report spam">${icon('spam')}</button>
-      <button class="icon-btn" id="msg-delete" title="Delete">${icon('trash')}</button>
-      <div class="toolbar-spacer"></div>
-    </div>
+    ${renderToolbar(folder)}
     <div class="message-view"><div class="empty">Loading…</div></div>
   `;
-  document.getElementById('msg-back').addEventListener('click', () => { location.hash = `#/folder/${state.selectedFolder ?? 'inbox'}`; });
-  document.getElementById('msg-reply').addEventListener('click', () => openReply(false));
-  document.getElementById('msg-reply-all').addEventListener('click', () => openReply(true));
-  document.getElementById('msg-archive').addEventListener('click', () => archiveMessage());
-  document.getElementById('msg-unread').addEventListener('click', () => markUnread());
-  document.getElementById('msg-spam').addEventListener('click', () => markSpam());
-  document.getElementById('msg-delete').addEventListener('click', () => deleteMessage());
+  bindIf('msg-back',      () => { location.hash = `#/folder/${folder}`; });
+  bindIf('msg-reply',     () => openReply(false));
+  bindIf('msg-reply-all', () => openReply(true));
+  bindIf('msg-archive',   () => archiveMessage());
+  bindIf('msg-unarchive', () => moveToInbox('unarchive'));
+  bindIf('msg-restore',   () => moveToInbox('restore'));
+  bindIf('msg-not-spam',  () => moveToInbox('not-spam'));
+  bindIf('msg-unread',    () => markUnread());
+  bindIf('msg-spam',      () => markSpam());
+  bindIf('msg-delete',    () => deleteMessage());
 
   try {
-    const msg = await apiGet(`/mail/messages/${uid}`, { agentKey: state.selectedAgent.apiKey });
+    // Pass the current folder so the API fetches from the right
+    // mailbox — Spam / Archive / Trash UIDs don't exist in INBOX,
+    // and the API defaults `folder` to INBOX when omitted. Without
+    // this, opening a message from any non-Inbox folder 404'd
+    // with `MESSAGE_NOT_FOUND` because UID N existed in (say) Junk
+    // Mail but the API looked in INBOX.
+    //
+    // We resolve the IMAP folder name via state.folderNames (the
+    // map populated by /mail/folders auto-discovery) so renames
+    // like Stalwart's "Junk Mail" vs "Spam" are handled in one
+    // place. "inbox" maps to "INBOX" by convention.
+    const imap = state.folderNames?.[state.selectedFolder] ?? 'INBOX';
+    const qs = imap && imap !== 'INBOX' ? `?folder=${encodeURIComponent(imap)}` : '';
+    const msg = await apiGet(`/mail/messages/${uid}${qs}`, { agentKey: state.selectedAgent.apiKey });
     state.currentMessage = msg;
     renderMessage(msg);
   } catch (err) {
@@ -217,10 +295,42 @@ function renderThreadQuote(dateRaw, sender, quotedBody) {
   `;
 }
 
+/**
+ * Move the open message back to INBOX from Archive / Spam / Trash.
+ * Three triggers:
+ *
+ *   - 'unarchive' (from Archive): generic move via /mail/messages/:uid/move
+ *   - 'not-spam'  (from Spam):    /mail/messages/:uid/not-spam (server-side
+ *                                  also clears the spam-train flag)
+ *   - 'restore'   (from Trash):   generic move via /mail/messages/:uid/move
+ *
+ * All three navigate back to the originating folder list afterwards so
+ * the operator sees the row vanish from the view they triggered the
+ * action from. The list refresh is what makes the affordance feel real.
+ */
+async function moveToInbox(reason) {
+  if (!state.currentMessage || !state.selectedAgent) return;
+  try {
+    const imap = state.folderNames?.[state.selectedFolder] ?? 'INBOX';
+    if (reason === 'not-spam') {
+      await apiPost(`/mail/messages/${state.selectedUid}/not-spam`, {}, { agentKey: state.selectedAgent.apiKey });
+      toast('Marked as not spam.');
+    } else {
+      await apiPost(`/mail/messages/${state.selectedUid}/move`, { from: imap, to: 'INBOX' }, { agentKey: state.selectedAgent.apiKey });
+      toast(reason === 'restore' ? 'Restored to Inbox.' : 'Moved to Inbox.');
+    }
+    location.hash = `#/folder/${state.selectedFolder ?? 'inbox'}`;
+    await loadList(state.selectedAgent, state.selectedFolder);
+  } catch (err) {
+    toast(`Move failed: ${err.message}`, true);
+  }
+}
+
 async function markUnread() {
   if (!state.currentMessage || !state.selectedAgent) return;
   try {
-    await apiPost(`/mail/messages/${state.selectedUid}/unseen`, {}, { agentKey: state.selectedAgent.apiKey });
+    const imap = state.folderNames?.[state.selectedFolder] ?? 'INBOX';
+    await apiPost(`/mail/messages/${state.selectedUid}/unseen`, { folder: imap }, { agentKey: state.selectedAgent.apiKey });
     toast('Marked unread.');
     location.hash = `#/folder/${state.selectedFolder ?? 'inbox'}`;
     await loadList(state.selectedAgent, state.selectedFolder);
@@ -262,7 +372,8 @@ async function markSpam() {
   });
   if (!ok) return;
   try {
-    await apiPost(`/mail/messages/${state.selectedUid}/spam`, {}, { agentKey: state.selectedAgent.apiKey });
+    const imap = state.folderNames?.[state.selectedFolder] ?? 'INBOX';
+    await apiPost(`/mail/messages/${state.selectedUid}/spam`, { folder: imap }, { agentKey: state.selectedAgent.apiKey });
     toast('Reported as spam.');
     location.hash = `#/folder/${state.selectedFolder ?? 'inbox'}`;
     await loadList(state.selectedAgent, state.selectedFolder);