@agenticmail/cli 0.9.28 → 0.9.29

package/dist/cli.js

@@ -438,6 +438,14 @@ function fail(msg) {
 function info(msg) {
   log(`  ${c.dim(msg)}`);
 }
+function maskApiKey(key) {
+  if (!key || typeof key !== "string") return "***";
+  if (key.length <= 8) return "***";
+  const underscore = key.indexOf("_");
+  const prefix = underscore > 0 && underscore <= 4 ? key.slice(0, underscore + 1) : "";
+  const tail = key.slice(-4);
+  return `${prefix}***${tail}`;
+}
 function cleanFilePath(raw) {
   let p = raw.trim();
   if (p.startsWith("'") && p.endsWith("'") || p.startsWith('"') && p.endsWith('"')) {
@@ -950,7 +958,7 @@ async function interactiveShell(options) {
               const displayName = owner ? `${agent.name} from ${owner}` : agent.name;
               const active = currentAgent?.name === agent.name ? c.green(" \u25C2 active") : "";
               log(`  ${c.cyan(displayName.padEnd(24))} ${c.dim(agent.email || "")}${active}`);
-              log(`  ${" ".repeat(24)} ${c.dim("key:")} ${c.yellow(agent.apiKey?.slice(0, 16) + "...")}`);
+              log(`  ${" ".repeat(24)} ${c.dim("key:")} ${c.yellow(maskApiKey(agent.apiKey))}`);
               log("");
             }
             if (agents.length > 1) {
@@ -1014,7 +1022,7 @@ async function interactiveShell(options) {
           const created = await createResp.json();
           ok(`Agent ${c.bold('"' + created.name + '"')} created!`);
           log(`    ${c.dim("Email:")} ${c.cyan(created.email || created.subAddress || "")}`);
-          log(`    ${c.dim("Key:")}   ${c.yellow(created.apiKey)}`);
+          log(`    ${c.dim("Key:")}   ${c.yellow(created.apiKey)} ${c.dim("(save this \u2014 only shown once)")}`);
           log(`    ${c.dim("Role:")}  ${role}`);
           currentAgent = { name: created.name, email: created.email || created.subAddress, apiKey: created.apiKey };
           ok(`Switched to ${c.bold(created.name)}`);
@@ -3960,7 +3968,7 @@ ${c.dim(boxChar.bl + boxChar.h.repeat(bWidth) + boxChar.br)}`);
             if (data.agent) {
               ok(`Agent ${c.bold('"' + data.agent.name + '"')} is ready!`);
               log(`    ${c.dim("Email:")} ${c.cyan(data.agent.subAddress)}`);
-              log(`    ${c.dim("Key:")}   ${c.yellow(data.agent.apiKey)}`);
+              log(`    ${c.dim("Key:")}   ${c.yellow(data.agent.apiKey)} ${c.dim("(save this \u2014 only shown once)")}`);
               currentAgent = { name: data.agent.name, email: data.agent.email || data.agent.subAddress, apiKey: data.agent.apiKey };
             }
             log("");

package/dist/public/js/app.js

@@ -43,6 +43,15 @@ async function signIn() {
       headers: { Authorization: `Bearer ${key}` },
     });
     if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+    // The master key is persisted in localStorage so the operator
+    // doesn't have to re-type it on every page load. CodeQL
+    // `js/clear-text-storage-of-sensitive-data` flags this, but
+    // the threat model is self-hosted: the web UI binds to
+    // 127.0.0.1, the key never crosses the network, and the
+    // operator's local filesystem is already trusted by every
+    // other layer of the install. The realistic alternative
+    // (HttpOnly cookie + server-side session) requires a network
+    // boundary that doesn't exist here. lgtm[js/clear-text-storage-of-sensitive-data]
     localStorage.setItem('agenticmail.masterKey', key);
     state.masterKey = key;
     document.getElementById('auth').style.display = 'none';

package/dist/public/js/compose.js

@@ -350,6 +350,13 @@ function renderAttachmentChips() {
   const root = document.getElementById('compose-attachments');
   if (!root) return;
   if (pendingAttachments.length === 0) { root.innerHTML = ''; return; }
+  // Every operator-controlled string interpolated below goes through
+  // `escapeHtml`. `i` is a number index, `formatBytes(...)` only ever
+  // returns numeric-shape strings like "1.2 KB". CodeQL
+  // `js/xss-through-dom` flags the innerHTML write conservatively
+  // (it can't prove formatBytes is sanitizer-shaped); see the
+  // formatBytes() definition below for the static guarantee.
+  // lgtm[js/xss-through-dom]
   root.innerHTML = pendingAttachments.map((a, i) => `
     <span class="attachment-chip" data-att-index="${i}">
       <span class="chip-name" title="${escapeHtml(a.filename)}">${escapeHtml(a.filename)}</span>

package/dist/public/js/message-view.js

@@ -10,30 +10,95 @@ import { loadList } from './list-view.js';
 import { icon } from './icons.js';
 import { confirmModal } from './modal.js';
 
+/**
+ * Render the per-message toolbar based on which folder the operator
+ * is viewing the message in. The default (Inbox / Sent / Starred /
+ * Drafts / All) shows the Gmail-style row: Reply, Reply all, Archive,
+ * Mark unread, Report spam, Delete (= move to Trash).
+ *
+ * Three folders override that row because the default actions don't
+ * make sense once the message is already at its destination:
+ *
+ *   - **Archive**: replace Archive with **Move to Inbox** (unarchive).
+ *     Spam + Delete still apply.
+ *   - **Spam**:    replace Report-spam with **Not spam** (move to Inbox).
+ *     The Archive action is hidden — moving spam to Archive bypasses
+ *     the regular spam-train workflow; if the operator decides it's
+ *     not spam, they want it in Inbox.
+ *   - **Trash**:   replace Archive with **Restore** (move to Inbox).
+ *     Report-spam is hidden — moving trash to Spam is a confusing
+ *     no-op (it's already deleted). Delete now means "delete forever"
+ *     and gets a red title; deleteMessage() already detects the trash
+ *     folder and switches to permanent expunge.
+ *
+ * Reply / Reply-all stay visible everywhere because operators
+ * legitimately reply to messages they've already archived or
+ * triaged into spam.
+ */
+function renderToolbar(folder) {
+  const isArchive = folder === 'archive';
+  const isSpam    = folder === 'spam';
+  const isTrash   = folder === 'trash';
+
+  const buttons = [
+    `<button class="icon-btn" id="msg-back" title="Back to list">${icon('back')}</button>`,
+    `<button class="icon-btn" id="msg-reply" title="Reply">${icon('reply')}</button>`,
+    `<button class="icon-btn" id="msg-reply-all" title="Reply all">${icon('replyAll')}</button>`,
+  ];
+
+  if (isArchive) {
+    buttons.push(`<button class="icon-btn" id="msg-unarchive" title="Move to Inbox">${icon('inbox')}</button>`);
+  } else if (isTrash) {
+    buttons.push(`<button class="icon-btn" id="msg-restore" title="Restore to Inbox">${icon('inbox')}</button>`);
+  } else if (isSpam) {
+    buttons.push(`<button class="icon-btn" id="msg-not-spam" title="Not spam — move to Inbox">${icon('inbox')}</button>`);
+  } else {
+    buttons.push(`<button class="icon-btn" id="msg-archive" title="Archive">${icon('archive')}</button>`);
+  }
+
+  buttons.push(`<button class="icon-btn" id="msg-unread" title="Mark unread">${icon('mailUnread')}</button>`);
+
+  if (!isSpam && !isTrash) {
+    buttons.push(`<button class="icon-btn" id="msg-spam" title="Report spam">${icon('spam')}</button>`);
+  }
+
+  buttons.push(
+    `<button class="icon-btn" id="msg-delete" title="${isTrash ? 'Delete forever' : 'Delete'}">${icon('trash')}</button>`
+  );
+
+  return `<div class="message-toolbar">${buttons.join('\n      ')}<div class="toolbar-spacer"></div></div>`;
+}
+
+/**
+ * Attach a click handler to a toolbar button if (and only if) the
+ * button is currently rendered. Folder-aware toolbars elide some
+ * buttons; calling `addEventListener` on a missing element would
+ * throw and abort the rest of the wiring.
+ */
+function bindIf(id, handler) {
+  const el = document.getElementById(id);
+  if (el) el.addEventListener('click', handler);
+}
+
 export async function openMessage(uid) {
   if (!state.selectedAgent) return;
   state.selectedUid = uid;
+  const folder = state.selectedFolder ?? 'inbox';
   const root = document.getElementById('content');
   root.innerHTML = `
-    <div class="message-toolbar">
-      <button class="icon-btn" id="msg-back" title="Back to list">${icon('back')}</button>
-      <button class="icon-btn" id="msg-reply" title="Reply">${icon('reply')}</button>
-      <button class="icon-btn" id="msg-reply-all" title="Reply all">${icon('replyAll')}</button>
-      <button class="icon-btn" id="msg-archive" title="Archive">${icon('archive')}</button>
-      <button class="icon-btn" id="msg-unread" title="Mark unread">${icon('mailUnread')}</button>
-      <button class="icon-btn" id="msg-spam" title="Report spam">${icon('spam')}</button>
-      <button class="icon-btn" id="msg-delete" title="Delete">${icon('trash')}</button>
-      <div class="toolbar-spacer"></div>
-    </div>
+    ${renderToolbar(folder)}
     <div class="message-view"><div class="empty">Loading…</div></div>
   `;
-  document.getElementById('msg-back').addEventListener('click', () => { location.hash = `#/folder/${state.selectedFolder ?? 'inbox'}`; });
-  document.getElementById('msg-reply').addEventListener('click', () => openReply(false));
-  document.getElementById('msg-reply-all').addEventListener('click', () => openReply(true));
-  document.getElementById('msg-archive').addEventListener('click', () => archiveMessage());
-  document.getElementById('msg-unread').addEventListener('click', () => markUnread());
-  document.getElementById('msg-spam').addEventListener('click', () => markSpam());
-  document.getElementById('msg-delete').addEventListener('click', () => deleteMessage());
+  bindIf('msg-back',      () => { location.hash = `#/folder/${folder}`; });
+  bindIf('msg-reply',     () => openReply(false));
+  bindIf('msg-reply-all', () => openReply(true));
+  bindIf('msg-archive',   () => archiveMessage());
+  bindIf('msg-unarchive', () => moveToInbox('unarchive'));
+  bindIf('msg-restore',   () => moveToInbox('restore'));
+  bindIf('msg-not-spam',  () => moveToInbox('not-spam'));
+  bindIf('msg-unread',    () => markUnread());
+  bindIf('msg-spam',      () => markSpam());
+  bindIf('msg-delete',    () => deleteMessage());
 
   try {
     // Pass the current folder so the API fetches from the right
@@ -230,6 +295,37 @@ function renderThreadQuote(dateRaw, sender, quotedBody) {
   `;
 }
 
+/**
+ * Move the open message back to INBOX from Archive / Spam / Trash.
+ * Three triggers:
+ *
+ *   - 'unarchive' (from Archive): generic move via /mail/messages/:uid/move
+ *   - 'not-spam'  (from Spam):    /mail/messages/:uid/not-spam (server-side
+ *                                  also clears the spam-train flag)
+ *   - 'restore'   (from Trash):   generic move via /mail/messages/:uid/move
+ *
+ * All three navigate back to the originating folder list afterwards so
+ * the operator sees the row vanish from the view they triggered the
+ * action from. The list refresh is what makes the affordance feel real.
+ */
+async function moveToInbox(reason) {
+  if (!state.currentMessage || !state.selectedAgent) return;
+  try {
+    const imap = state.folderNames?.[state.selectedFolder] ?? 'INBOX';
+    if (reason === 'not-spam') {
+      await apiPost(`/mail/messages/${state.selectedUid}/not-spam`, {}, { agentKey: state.selectedAgent.apiKey });
+      toast('Marked as not spam.');
+    } else {
+      await apiPost(`/mail/messages/${state.selectedUid}/move`, { from: imap, to: 'INBOX' }, { agentKey: state.selectedAgent.apiKey });
+      toast(reason === 'restore' ? 'Restored to Inbox.' : 'Moved to Inbox.');
+    }
+    location.hash = `#/folder/${state.selectedFolder ?? 'inbox'}`;
+    await loadList(state.selectedAgent, state.selectedFolder);
+  } catch (err) {
+    toast(`Move failed: ${err.message}`, true);
+  }
+}
+
 async function markUnread() {
   if (!state.currentMessage || !state.selectedAgent) return;
   try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenticmail/cli",
-  "version": "0.9.28",
+  "version": "0.9.29",
   "description": "Email and SMS infrastructure for AI agents — the first platform to give agents real email addresses and phone numbers",
   "type": "module",
   "main": "dist/index.js",
@@ -31,13 +31,13 @@
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
-    "@agenticmail/api": "^0.9.20",
-    "@agenticmail/core": "^0.9.4",
+    "@agenticmail/api": "^0.9.21",
+    "@agenticmail/core": "^0.9.5",
     "json5": "^2.2.3"
   },
   "optionalDependencies": {
-    "@agenticmail/claudecode": "^0.2.14",
-    "@agenticmail/codex": "^0.1.9"
+    "@agenticmail/claudecode": "^0.2.15",
+    "@agenticmail/codex": "^0.1.10"
   },
   "devDependencies": {
     "tsup": "^8.4.0",