@agenticmail/core 0.5.43 → 0.5.45

package/dist/index.cjs

@@ -30,6 +30,636 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
+// src/mail/spam-filter.ts
+var spam_filter_exports = {};
+__export(spam_filter_exports, {
+  SPAM_THRESHOLD: () => SPAM_THRESHOLD,
+  WARNING_THRESHOLD: () => WARNING_THRESHOLD,
+  isInternalEmail: () => isInternalEmail,
+  scoreEmail: () => scoreEmail
+});
+function isInternalEmail(email, localDomains) {
+  const fromDomain = email.from[0]?.address?.split("@")[1]?.toLowerCase();
+  if (!fromDomain) return false;
+  const internals = /* @__PURE__ */ new Set(["localhost", ...(localDomains ?? []).map((d) => d.toLowerCase())]);
+  if (internals.has(fromDomain) && email.replyTo?.length) {
+    const replyDomain = email.replyTo[0]?.address?.split("@")[1]?.toLowerCase();
+    if (replyDomain && !internals.has(replyDomain)) return false;
+  }
+  return internals.has(fromDomain);
+}
+function countSpamWords(text) {
+  const lower = text.toLowerCase();
+  let count = 0;
+  for (const word of SPAM_WORDS) {
+    if (lower.includes(word)) count++;
+  }
+  return count;
+}
+function hasHomographChars(domain) {
+  if (domain.startsWith("xn--")) return true;
+  const hasCyrillic = /[\u0400-\u04FF]/.test(domain);
+  const hasLatin = /[a-zA-Z]/.test(domain);
+  return hasCyrillic && hasLatin;
+}
+function scoreEmail(email) {
+  const bodyText = [email.subject, email.text ?? ""].join("\n");
+  const bodyHtml = email.html ?? "";
+  const matches = [];
+  for (const rule of RULES) {
+    try {
+      if (rule.test(email, bodyText, bodyHtml)) {
+        let score2 = rule.score;
+        if (rule.id === "cs_spam_word_density") {
+          const wordCount = countSpamWords(bodyText);
+          score2 = wordCount > 10 ? 20 : 10;
+        }
+        matches.push({
+          ruleId: rule.id,
+          category: rule.category,
+          score: score2,
+          description: rule.description
+        });
+      }
+    } catch {
+    }
+  }
+  const score = matches.reduce((sum, m) => sum + m.score, 0);
+  let topCategory = null;
+  if (matches.length > 0) {
+    const categoryScores = /* @__PURE__ */ new Map();
+    for (const m of matches) {
+      categoryScores.set(m.category, (categoryScores.get(m.category) ?? 0) + m.score);
+    }
+    let maxScore = 0;
+    for (const [cat, catScore] of categoryScores) {
+      if (catScore > maxScore) {
+        maxScore = catScore;
+        topCategory = cat;
+      }
+    }
+  }
+  return {
+    score,
+    isSpam: score >= SPAM_THRESHOLD,
+    isWarning: score >= WARNING_THRESHOLD && score < SPAM_THRESHOLD,
+    matches,
+    topCategory
+  };
+}
+var SPAM_THRESHOLD, WARNING_THRESHOLD, RE_IGNORE_INSTRUCTIONS, RE_YOU_ARE_NOW, RE_SYSTEM_DELIMITER, RE_NEW_INSTRUCTIONS, RE_ACT_AS, RE_DO_NOT_MENTION, RE_TAG_CHARS, RE_DENSE_ZWC, RE_JAILBREAK, RE_BASE64_BLOCK, RE_MARKDOWN_INJECTION, RE_OWNER_IMPERSONATION, RE_SECRET_REQUEST, RE_IMPERSONATE_SYSTEM, RE_URGENCY, RE_AUTHORITY, RE_MONEY_REQUEST, RE_GIFT_CARD, RE_CEO_FRAUD, RE_FORWARD_ALL, RE_SEARCH_CREDS, RE_SEND_TO_EXTERNAL, RE_DUMP_INSTRUCTIONS, RE_WEBHOOK_EXFIL, RE_CREDENTIAL_HARVEST, RE_LINK_TAG, RE_LINK_TAG_WITH_TEXT, RE_URL_IN_TEXT, RE_IP_URL, RE_URL_SHORTENER, RE_DATA_URI, RE_LOGIN_URGENCY, RE_PHARMACY_SPAM, RE_WEIGHT_LOSS, RE_LOTTERY_SCAM, RE_CRYPTO_SCAM, RE_EXECUTABLE_EXT, RE_DOUBLE_EXT, RE_ARCHIVE_EXT, RE_HTML_ATTACHMENT_EXT, BRAND_DOMAINS, SPAM_WORDS, RULES;
+var init_spam_filter = __esm({
+  "src/mail/spam-filter.ts"() {
+    "use strict";
+    SPAM_THRESHOLD = 40;
+    WARNING_THRESHOLD = 20;
+    RE_IGNORE_INSTRUCTIONS = /ignore\s+(all\s+)?(previous|prior|above)\s+(instructions|prompts|rules)/i;
+    RE_YOU_ARE_NOW = /you\s+are\s+now\s+(a|an|the|my)\b/i;
+    RE_SYSTEM_DELIMITER = /\[SYSTEM\]|\[INST\]|<<SYS>>|<\|im_start\|>/i;
+    RE_NEW_INSTRUCTIONS = /new\s+instructions?:|override\s+instructions?:/i;
+    RE_ACT_AS = /act\s+as\s+(a|an|if)|pretend\s+(to be|you\s+are)/i;
+    RE_DO_NOT_MENTION = /do\s+not\s+(mention|tell|reveal|disclose)\s+(that|this)/i;
+    RE_TAG_CHARS = /[\u{E0001}-\u{E007F}]/u;
+    RE_DENSE_ZWC = /[\u200B\u200C\u200D\uFEFF]{3,}/;
+    RE_JAILBREAK = /\b(DAN|jailbreak|bypass\s+(safety|filter|restriction)|unlimited\s+mode)\b/i;
+    RE_BASE64_BLOCK = /[A-Za-z0-9+/]{100,}={0,2}/;
+    RE_MARKDOWN_INJECTION = /```(?:system|python\s+exec|bash\s+exec)/i;
+    RE_OWNER_IMPERSONATION = /your\s+(owner|creator|admin|boss|master|human)\s+(asked|told|wants|said|instructed|needs)/i;
+    RE_SECRET_REQUEST = /share\s+(your|the)\s+(api.?key|password|secret|credential|token)/i;
+    RE_IMPERSONATE_SYSTEM = /this\s+is\s+(a|an)\s+(system|security|admin|automated)\s+(message|alert|notification)/i;
+    RE_URGENCY = /\b(urgent|immediately|right now|asap|deadline|expires?|last chance|act now|time.?sensitive)\b/i;
+    RE_AUTHORITY = /\b(suspend|terminate|deactivat|unauthori[zs]|locked|compromised|breach|violation|legal action)\b/i;
+    RE_MONEY_REQUEST = /send\s+(me|us)\s+\$?\d|wire\s+transfer|western\s+union|money\s*gram/i;
+    RE_GIFT_CARD = /buy\s+(me\s+)?gift\s*cards?|itunes\s+cards?|google\s+play\s+cards?/i;
+    RE_CEO_FRAUD = /\b(CEO|CFO|CTO|director|executive)\b.*\b(wire|transfer|payment|urgent)\b/i;
+    RE_FORWARD_ALL = /forward\s+(all|every)\s+(email|message)/i;
+    RE_SEARCH_CREDS = /search\s+(inbox|email|mailbox).*password|find.*credential/i;
+    RE_SEND_TO_EXTERNAL = /send\s+(the|all|every).*to\s+\S+@\S+/i;
+    RE_DUMP_INSTRUCTIONS = /reveal.*system\s+prompt|dump.*instructions|show.*system\s+prompt|print.*instructions/i;
+    RE_WEBHOOK_EXFIL = /https?:\/\/[^/]*(webhook|ngrok|pipedream|requestbin|hookbin)/i;
+    RE_CREDENTIAL_HARVEST = /verify\s+your\s+(account|identity|password|credentials?)/i;
+    RE_LINK_TAG = /<a\s[^>]*href\s*=\s*["']([^"']+)["']/gi;
+    RE_LINK_TAG_WITH_TEXT = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gi;
+    RE_URL_IN_TEXT = /https?:\/\/[^\s<>"]+/gi;
+    RE_IP_URL = /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i;
+    RE_URL_SHORTENER = /https?:\/\/(bit\.ly|t\.co|tinyurl\.com|goo\.gl|ow\.ly|is\.gd|buff\.ly|rebrand\.ly|shorturl\.at)\//i;
+    RE_DATA_URI = /(?:data:text\/html|javascript:)/i;
+    RE_LOGIN_URGENCY = /(click\s+here|sign\s+in|log\s*in).*\b(urgent|immediately|expire|suspend|locked)/i;
+    RE_PHARMACY_SPAM = /\b(viagra|cialis|pharmacy|prescription|cheap\s+meds|online\s+pharmacy)\b/i;
+    RE_WEIGHT_LOSS = /\b(weight\s+loss|diet\s+pill|lose\s+\d+\s+(lbs?|pounds|kg)|fat\s+burn)\b/i;
+    RE_LOTTERY_SCAM = /you\s+(have\s+)?(won|been\s+selected)|lottery|million\s+dollars|nigerian?\s+prince/i;
+    RE_CRYPTO_SCAM = /(bitcoin|crypto|ethereum).*invest(ment)?|guaranteed\s+returns|double\s+your\s+(money|bitcoin|crypto)/i;
+    RE_EXECUTABLE_EXT = /\.(exe|bat|cmd|ps1|sh|dll|scr|vbs|js|msi|com)$/i;
+    RE_DOUBLE_EXT = /\.\w{2,5}\.(exe|bat|cmd|ps1|sh|dll|scr|vbs|js|msi|com)$/i;
+    RE_ARCHIVE_EXT = /\.(zip|rar|7z|tar\.gz|tgz)$/i;
+    RE_HTML_ATTACHMENT_EXT = /\.(html?|svg)$/i;
+    BRAND_DOMAINS = {
+      google: ["google.com", "gmail.com", "googlemail.com"],
+      microsoft: ["microsoft.com", "outlook.com", "hotmail.com", "live.com"],
+      apple: ["apple.com", "icloud.com"],
+      amazon: ["amazon.com", "amazon.co.uk", "amazon.de"],
+      paypal: ["paypal.com"],
+      meta: ["facebook.com", "meta.com", "instagram.com"],
+      netflix: ["netflix.com"],
+      bank: ["chase.com", "wellsfargo.com", "bankofamerica.com", "citibank.com"]
+    };
+    SPAM_WORDS = [
+      "congratulations",
+      "winner",
+      "prize",
+      "claim",
+      "free",
+      "offer",
+      "limited time",
+      "act now",
+      "click here",
+      "no obligation",
+      "risk free",
+      "guaranteed",
+      "million",
+      "billion",
+      "inheritance",
+      "beneficiary",
+      "wire transfer",
+      "western union",
+      "dear friend",
+      "dear sir",
+      "kindly",
+      "revert back",
+      "do the needful",
+      "humbly",
+      "esteemed",
+      "investment opportunity",
+      "double your",
+      "earn money",
+      "work from home",
+      "make money",
+      "cash bonus",
+      "discount",
+      "lowest price"
+    ];
+    RULES = [
+      // === Prompt injection ===
+      {
+        id: "pi_ignore_instructions",
+        category: "prompt_injection",
+        score: 25,
+        description: 'Contains "ignore previous instructions" pattern',
+        test: (_e, text) => RE_IGNORE_INSTRUCTIONS.test(text)
+      },
+      {
+        id: "pi_you_are_now",
+        category: "prompt_injection",
+        score: 25,
+        description: 'Contains "you are now a..." roleplay injection',
+        test: (_e, text) => RE_YOU_ARE_NOW.test(text)
+      },
+      {
+        id: "pi_system_delimiter",
+        category: "prompt_injection",
+        score: 20,
+        description: "Contains LLM system delimiters ([SYSTEM], [INST], etc.)",
+        test: (_e, text, html) => RE_SYSTEM_DELIMITER.test(text) || RE_SYSTEM_DELIMITER.test(html)
+      },
+      {
+        id: "pi_new_instructions",
+        category: "prompt_injection",
+        score: 20,
+        description: 'Contains "new instructions:" or "override instructions:"',
+        test: (_e, text) => RE_NEW_INSTRUCTIONS.test(text)
+      },
+      {
+        id: "pi_act_as",
+        category: "prompt_injection",
+        score: 15,
+        description: 'Contains "act as" or "pretend to be" injection',
+        test: (_e, text) => RE_ACT_AS.test(text)
+      },
+      {
+        id: "pi_do_not_mention",
+        category: "prompt_injection",
+        score: 15,
+        description: 'Contains "do not mention/tell/reveal" suppression',
+        test: (_e, text) => RE_DO_NOT_MENTION.test(text)
+      },
+      {
+        id: "pi_invisible_unicode",
+        category: "prompt_injection",
+        score: 20,
+        description: "Contains invisible Unicode tag characters or dense zero-width chars",
+        test: (_e, text, html) => RE_TAG_CHARS.test(text) || RE_TAG_CHARS.test(html) || RE_DENSE_ZWC.test(text) || RE_DENSE_ZWC.test(html)
+      },
+      {
+        id: "pi_jailbreak",
+        category: "prompt_injection",
+        score: 20,
+        description: "Contains jailbreak/DAN/bypass safety language",
+        test: (_e, text) => RE_JAILBREAK.test(text)
+      },
+      {
+        id: "pi_base64_injection",
+        category: "prompt_injection",
+        score: 15,
+        description: "Contains long base64-encoded blocks (potential hidden instructions)",
+        test: (_e, text) => RE_BASE64_BLOCK.test(text)
+      },
+      {
+        id: "pi_markdown_injection",
+        category: "prompt_injection",
+        score: 10,
+        description: "Contains code block injection attempts (```system, ```python exec)",
+        test: (_e, text) => RE_MARKDOWN_INJECTION.test(text)
+      },
+      // === Social engineering ===
+      {
+        id: "se_owner_impersonation",
+        category: "social_engineering",
+        score: 20,
+        description: "Claims to speak on behalf of the agent's owner",
+        test: (_e, text) => RE_OWNER_IMPERSONATION.test(text)
+      },
+      {
+        id: "se_secret_request",
+        category: "social_engineering",
+        score: 15,
+        description: "Requests API keys, passwords, or credentials",
+        test: (_e, text) => RE_SECRET_REQUEST.test(text)
+      },
+      {
+        id: "se_impersonate_system",
+        category: "social_engineering",
+        score: 15,
+        description: "Impersonates a system/security message",
+        test: (_e, text) => RE_IMPERSONATE_SYSTEM.test(text)
+      },
+      {
+        id: "se_urgency_authority",
+        category: "social_engineering",
+        score: 10,
+        description: "Combines urgency language with authority/threat language",
+        test: (_e, text) => RE_URGENCY.test(text) && RE_AUTHORITY.test(text)
+      },
+      {
+        id: "se_money_request",
+        category: "social_engineering",
+        score: 15,
+        description: "Requests money transfer or wire",
+        test: (_e, text) => RE_MONEY_REQUEST.test(text)
+      },
+      {
+        id: "se_gift_card",
+        category: "social_engineering",
+        score: 20,
+        description: "Requests purchase of gift cards",
+        test: (_e, text) => RE_GIFT_CARD.test(text)
+      },
+      {
+        id: "se_ceo_fraud",
+        category: "social_engineering",
+        score: 15,
+        description: "BEC pattern: executive title + payment/wire/urgent",
+        test: (_e, text) => RE_CEO_FRAUD.test(text)
+      },
+      // === Data exfiltration ===
+      {
+        id: "de_forward_all",
+        category: "data_exfiltration",
+        score: 20,
+        description: "Requests forwarding all emails",
+        test: (_e, text) => RE_FORWARD_ALL.test(text)
+      },
+      {
+        id: "de_search_credentials",
+        category: "data_exfiltration",
+        score: 20,
+        description: "Requests searching inbox for passwords/credentials",
+        test: (_e, text) => RE_SEARCH_CREDS.test(text)
+      },
+      {
+        id: "de_send_to_external",
+        category: "data_exfiltration",
+        score: 15,
+        description: "Instructs sending data to an external email address",
+        test: (_e, text) => RE_SEND_TO_EXTERNAL.test(text)
+      },
+      {
+        id: "de_dump_instructions",
+        category: "data_exfiltration",
+        score: 15,
+        description: "Attempts to extract system prompt or instructions",
+        test: (_e, text) => RE_DUMP_INSTRUCTIONS.test(text)
+      },
+      {
+        id: "de_webhook_exfil",
+        category: "data_exfiltration",
+        score: 15,
+        description: "Contains webhook/ngrok/pipedream exfiltration URLs",
+        test: (_e, text) => RE_WEBHOOK_EXFIL.test(text)
+      },
+      // === Phishing ===
+      {
+        id: "ph_spoofed_sender",
+        category: "phishing",
+        score: 10,
+        description: "Sender name contains brand but domain doesn't match",
+        test: (email) => {
+          const from = email.from[0];
+          if (!from) return false;
+          const name = (from.name ?? "").toLowerCase();
+          const domain = (from.address ?? "").split("@")[1]?.toLowerCase() ?? "";
+          for (const [brand, domains] of Object.entries(BRAND_DOMAINS)) {
+            if (name.includes(brand) && !domains.some((d) => domain === d || domain.endsWith("." + d))) {
+              return true;
+            }
+          }
+          return false;
+        }
+      },
+      {
+        id: "ph_credential_harvest",
+        category: "phishing",
+        score: 15,
+        description: 'Asks to "verify your account/password" with links present',
+        test: (_e, text, html) => {
+          if (!RE_CREDENTIAL_HARVEST.test(text)) return false;
+          return RE_URL_IN_TEXT.test(text) || RE_LINK_TAG.test(html);
+        }
+      },
+      {
+        id: "ph_suspicious_links",
+        category: "phishing",
+        score: 10,
+        description: "Contains links with IP addresses, URL shorteners, or excessive subdomains",
+        test: (_e, text, html) => {
+          const allText = text + " " + html;
+          if (RE_IP_URL.test(allText)) return true;
+          if (RE_URL_SHORTENER.test(allText)) return true;
+          const urls = allText.match(RE_URL_IN_TEXT) ?? [];
+          for (const url of urls) {
+            try {
+              const hostname = new URL(url).hostname;
+              if (hostname.split(".").length > 4) return true;
+            } catch {
+            }
+          }
+          return false;
+        }
+      },
+      {
+        id: "ph_data_uri",
+        category: "phishing",
+        score: 15,
+        description: "Contains data: or javascript: URIs in links",
+        test: (_e, _text, html) => {
+          RE_LINK_TAG.lastIndex = 0;
+          let match;
+          while ((match = RE_LINK_TAG.exec(html)) !== null) {
+            if (RE_DATA_URI.test(match[1])) return true;
+          }
+          return false;
+        }
+      },
+      {
+        id: "ph_homograph",
+        category: "phishing",
+        score: 15,
+        description: "From domain contains mixed-script or punycode characters",
+        test: (email) => {
+          const domain = email.from[0]?.address?.split("@")[1] ?? "";
+          if (!domain) return false;
+          return hasHomographChars(domain);
+        }
+      },
+      {
+        id: "ph_mismatched_display_url",
+        category: "phishing",
+        score: 10,
+        description: "HTML link text shows one URL but href points to a different domain",
+        test: (_e, _text, html) => {
+          RE_LINK_TAG_WITH_TEXT.lastIndex = 0;
+          let match;
+          while ((match = RE_LINK_TAG_WITH_TEXT.exec(html)) !== null) {
+            const href = match[1];
+            const linkText = match[2].replace(/<[^>]*>/g, "").trim();
+            if (!/^https?:\/\//i.test(linkText)) continue;
+            try {
+              const hrefHost = new URL(href).hostname.replace(/^www\./, "");
+              const textHost = new URL(linkText).hostname.replace(/^www\./, "");
+              if (hrefHost !== textHost) return true;
+            } catch {
+            }
+          }
+          return false;
+        }
+      },
+      {
+        id: "ph_login_urgency",
+        category: "phishing",
+        score: 10,
+        description: "Combines login/click-here language with urgency",
+        test: (_e, text) => RE_LOGIN_URGENCY.test(text)
+      },
+      {
+        id: "ph_unsubscribe_missing",
+        category: "phishing",
+        score: 3,
+        description: "Marketing-like email with many links but no List-Unsubscribe header",
+        test: (email, text, html) => {
+          const allText = text + " " + html;
+          const urls = new Set(allText.match(RE_URL_IN_TEXT) ?? []);
+          if (urls.size < 5) return false;
+          return !email.headers.get("list-unsubscribe");
+        }
+      },
+      // === Authentication (SPF/DKIM/DMARC from headers) ===
+      {
+        id: "auth_spf_fail",
+        category: "authentication",
+        score: 15,
+        description: "SPF authentication failed",
+        test: (email) => {
+          const authResults = email.headers.get("authentication-results") ?? "";
+          return /spf=(fail|softfail)/i.test(authResults);
+        }
+      },
+      {
+        id: "auth_dkim_fail",
+        category: "authentication",
+        score: 15,
+        description: "DKIM authentication failed",
+        test: (email) => {
+          const authResults = email.headers.get("authentication-results") ?? "";
+          return /dkim=fail/i.test(authResults);
+        }
+      },
+      {
+        id: "auth_dmarc_fail",
+        category: "authentication",
+        score: 20,
+        description: "DMARC authentication failed",
+        test: (email) => {
+          const authResults = email.headers.get("authentication-results") ?? "";
+          return /dmarc=fail/i.test(authResults);
+        }
+      },
+      {
+        id: "auth_no_auth_results",
+        category: "authentication",
+        score: 3,
+        description: "No Authentication-Results header present",
+        test: (email) => {
+          return !email.headers.has("authentication-results");
+        }
+      },
+      // === Attachment risk ===
+      {
+        id: "at_executable",
+        category: "attachment_risk",
+        score: 25,
+        description: "Attachment has executable file extension",
+        test: (email) => {
+          return email.attachments.some((a) => RE_EXECUTABLE_EXT.test(a.filename));
+        }
+      },
+      {
+        id: "at_double_extension",
+        category: "attachment_risk",
+        score: 20,
+        description: "Attachment has double extension (e.g. document.pdf.exe)",
+        test: (email) => {
+          return email.attachments.some((a) => RE_DOUBLE_EXT.test(a.filename));
+        }
+      },
+      {
+        id: "at_archive_carrier",
+        category: "attachment_risk",
+        score: 15,
+        description: "Attachment is an archive (potential payload carrier)",
+        test: (email) => {
+          return email.attachments.some((a) => RE_ARCHIVE_EXT.test(a.filename));
+        }
+      },
+      {
+        id: "at_html_attachment",
+        category: "attachment_risk",
+        score: 10,
+        description: "HTML/SVG file attachment (phishing vector)",
+        test: (email) => {
+          return email.attachments.some((a) => RE_HTML_ATTACHMENT_EXT.test(a.filename));
+        }
+      },
+      // === Header anomalies ===
+      {
+        id: "ha_missing_message_id",
+        category: "header_anomaly",
+        score: 5,
+        description: "Missing Message-ID header",
+        test: (email) => !email.messageId
+      },
+      {
+        id: "ha_empty_from",
+        category: "header_anomaly",
+        score: 10,
+        description: "Missing or empty From address",
+        test: (email) => !email.from.length || !email.from[0].address
+      },
+      {
+        id: "ha_reply_to_mismatch",
+        category: "header_anomaly",
+        score: 5,
+        description: "Reply-To domain differs from From domain",
+        test: (email) => {
+          if (!email.replyTo?.length || !email.from.length) return false;
+          const fromDomain = email.from[0].address?.split("@")[1]?.toLowerCase();
+          const replyDomain = email.replyTo[0].address?.split("@")[1]?.toLowerCase();
+          return !!fromDomain && !!replyDomain && fromDomain !== replyDomain;
+        }
+      },
+      // === Content spam ===
+      {
+        id: "cs_all_caps_subject",
+        category: "content_spam",
+        score: 5,
+        description: "Subject is mostly uppercase",
+        test: (email) => {
+          const s = email.subject;
+          if (s.length < 10) return false;
+          const letters = s.replace(/[^a-zA-Z]/g, "");
+          if (letters.length < 5) return false;
+          const upper = letters.replace(/[^A-Z]/g, "").length;
+          return upper / letters.length > 0.8;
+        }
+      },
+      {
+        id: "cs_lottery_scam",
+        category: "content_spam",
+        score: 25,
+        description: "Contains lottery/prize scam language",
+        test: (_e, text) => RE_LOTTERY_SCAM.test(text)
+      },
+      {
+        id: "cs_crypto_scam",
+        category: "content_spam",
+        score: 10,
+        description: "Contains crypto/investment scam language",
+        test: (_e, text) => RE_CRYPTO_SCAM.test(text)
+      },
+      {
+        id: "cs_excessive_punctuation",
+        category: "content_spam",
+        score: 3,
+        description: "Subject has excessive punctuation (!!!!, ????)",
+        test: (email) => /[!]{4,}|[?]{4,}/.test(email.subject)
+      },
+      {
+        id: "cs_pharmacy_spam",
+        category: "content_spam",
+        score: 15,
+        description: "Contains pharmacy/prescription drug spam language",
+        test: (_e, text) => RE_PHARMACY_SPAM.test(text)
+      },
+      {
+        id: "cs_weight_loss",
+        category: "content_spam",
+        score: 10,
+        description: "Contains weight loss scam language",
+        test: (_e, text) => RE_WEIGHT_LOSS.test(text)
+      },
+      {
+        id: "cs_html_only_no_text",
+        category: "content_spam",
+        score: 5,
+        description: "Email has HTML body but empty/missing text body",
+        test: (email) => {
+          const hasHtml = !!email.html && email.html.trim().length > 0;
+          const hasText = !!email.text && email.text.trim().length > 0;
+          return hasHtml && !hasText;
+        }
+      },
+      {
+        id: "cs_spam_word_density",
+        category: "content_spam",
+        score: 0,
+        // Dynamic — calculated in test
+        description: "High density of common spam words",
+        test: (_e, text) => countSpamWords(text) > 5
+      },
+      // === Link analysis ===
+      {
+        id: "la_excessive_links",
+        category: "link_analysis",
+        score: 5,
+        description: "Contains more than 10 unique links",
+        test: (_e, text, html) => {
+          const allText = text + " " + html;
+          const urls = new Set(allText.match(RE_URL_IN_TEXT) ?? []);
+          return urls.size > 10;
+        }
+      }
+    ];
+  }
+});
+
 // src/gateway/email-worker-template.ts
 var email_worker_template_exports = {};
 __export(email_worker_template_exports, {
@@ -183,15 +813,28 @@ var MailSender = class {
     };
     const composer = new import_mail_composer.default(mailOpts);
     const raw = await composer.compile().build();
-    const result = await this.transporter.sendMail(mailOpts);
-    return {
-      messageId: result.messageId,
-      envelope: {
-        from: result.envelope.from || "",
-        to: Array.isArray(result.envelope.to) ? result.envelope.to : result.envelope.to ? [result.envelope.to] : []
-      },
-      raw
-    };
+    const MAX_RETRIES = 2;
+    let lastError = null;
+    for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+      try {
+        const result = await this.transporter.sendMail(mailOpts);
+        return {
+          messageId: result.messageId,
+          envelope: {
+            from: result.envelope.from || "",
+            to: Array.isArray(result.envelope.to) ? result.envelope.to : result.envelope.to ? [result.envelope.to] : []
+          },
+          raw
+        };
+      } catch (err) {
+        lastError = err;
+        const code = err?.responseCode ?? err?.code;
+        const isTransient = typeof code === "number" && code >= 400 && code < 500 || code === "ECONNRESET" || code === "ETIMEDOUT" || code === "ESOCKET";
+        if (!isTransient || attempt === MAX_RETRIES) throw err;
+        await new Promise((resolve) => setTimeout(resolve, 1e3 * (attempt + 1)));
+      }
+    }
+    throw lastError;
   }
   async verify() {
     try {
@@ -274,10 +917,13 @@ var MailReceiver = class {
       const limit = Math.min(Math.max(options?.limit ?? 20, 1), 1e3);
       const offset = Math.max(options?.offset ?? 0, 0);
       if (offset >= total) return envelopes;
-      const end = Math.max(total - offset, 1);
-      const start = Math.max(end - limit + 1, 1);
-      const range = `${start}:${end}`;
-      for await (const msg of this.client.fetch(range, {
+      const allUids = await this.client.search({ all: true }, { uid: true });
+      if (!allUids || allUids.length === 0) return envelopes;
+      const sortedUids = Array.from(allUids).sort((a, b) => b - a);
+      const pageUids = sortedUids.slice(offset, offset + limit);
+      if (pageUids.length === 0) return envelopes;
+      const uidRange = pageUids.join(",");
+      for await (const msg of this.client.fetch(uidRange, {
         uid: true,
         envelope: true,
         flags: true,
@@ -303,7 +949,8 @@ var MailReceiver = class {
           size: msg.size ?? 0
         });
       }
-      return envelopes.reverse();
+      envelopes.sort((a, b) => b.uid - a.uid);
+      return envelopes;
     } finally {
       lock.release();
     }
@@ -491,12 +1138,17 @@ async function parseEmail(raw) {
 }
 
 // src/inbox/watcher.ts
+var RECONNECT_INITIAL_MS = 2e3;
+var RECONNECT_MAX_MS = 6e4;
+var RECONNECT_FACTOR = 2;
 var InboxWatcher = class extends import_node_events.EventEmitter {
   constructor(options, watcherOptions) {
     super();
     this.options = options;
     this.mailbox = watcherOptions?.mailbox ?? "INBOX";
     this.autoFetch = watcherOptions?.autoFetch ?? true;
+    this._autoReconnect = options.autoReconnect ?? false;
+    this._maxReconnectAttempts = options.maxReconnectAttempts ?? Infinity;
     this.client = new import_imapflow2.ImapFlow({
       host: options.host,
       port: options.port,
@@ -516,8 +1168,15 @@ var InboxWatcher = class extends import_node_events.EventEmitter {
   mailbox;
   autoFetch;
   _lock = null;
+  _stopped = false;
+  _reconnectTimer = null;
+  _reconnectDelay = RECONNECT_INITIAL_MS;
+  _reconnectAttempts = 0;
+  _maxReconnectAttempts;
+  _autoReconnect;
   async start() {
     if (this.watching) return;
+    this._stopped = false;
     this.client = new import_imapflow2.ImapFlow({
       host: this.options.host,
       port: this.options.port,
@@ -535,6 +1194,8 @@ var InboxWatcher = class extends import_node_events.EventEmitter {
     const lock = await this.client.getMailboxLock(this.mailbox);
     try {
       this.watching = true;
+      this._reconnectDelay = RECONNECT_INITIAL_MS;
+      this._reconnectAttempts = 0;
       this.client.on("exists", async (data) => {
         try {
           if (data.count > data.prevCount) {
@@ -572,6 +1233,7 @@ var InboxWatcher = class extends import_node_events.EventEmitter {
       this.client.on("close", () => {
         this.watching = false;
         this.emit("close");
+        this._scheduleReconnect();
       });
       this._lock = lock;
     } catch (err) {
@@ -579,9 +1241,44 @@ var InboxWatcher = class extends import_node_events.EventEmitter {
       throw err;
     }
   }
+  /** Schedule a reconnect attempt with exponential backoff */
+  _scheduleReconnect() {
+    if (this._stopped || !this._autoReconnect) return;
+    if (this._reconnectAttempts >= this._maxReconnectAttempts) {
+      this.emit("reconnect_failed", { attempts: this._reconnectAttempts });
+      return;
+    }
+    const delay = this._reconnectDelay;
+    this._reconnectDelay = Math.min(this._reconnectDelay * RECONNECT_FACTOR, RECONNECT_MAX_MS);
+    this._reconnectAttempts++;
+    this.emit("reconnecting", { attempt: this._reconnectAttempts, delayMs: delay });
+    this._reconnectTimer = setTimeout(async () => {
+      if (this._stopped) return;
+      try {
+        this.client.removeAllListeners();
+        if (this._lock) {
+          try {
+            this._lock.release();
+          } catch {
+          }
+          this._lock = null;
+        }
+        await this.start();
+        this.emit("reconnected", { attempt: this._reconnectAttempts });
+      } catch (err) {
+        this.emit("error", err);
+        this._scheduleReconnect();
+      }
+    }, delay);
+  }
   async stop() {
-    if (!this.watching) return;
+    if (!this.watching && !this._reconnectTimer) return;
+    this._stopped = true;
     this.watching = false;
+    if (this._reconnectTimer) {
+      clearTimeout(this._reconnectTimer);
+      this._reconnectTimer = null;
+    }
     this.client.removeAllListeners();
     if (this._lock) {
       try {
@@ -1192,7 +1889,7 @@ var AccountManager = class {
     const apiKey = generateApiKey();
     const password = options.password ?? generatePassword();
     const domain = options.domain ?? "localhost";
-    if (domain !== "localhost" && !/^[a-zA-Z0-9][a-zA-Z0-9.-]*[a-zA-Z]{2,}$/.test(domain)) {
+    if (domain !== "localhost" && !/^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$/.test(domain)) {
       throw new Error(`Invalid domain "${domain}": must be a valid domain name`);
     }
     const principalName = options.name.toLowerCase();
@@ -1409,31 +2106,39 @@ var AgentDeletionService = class {
   }
   async archiveFolder(receiver, folder) {
     const archived = [];
+    const PAGE_SIZE = 100;
     try {
-      const envelopes = await receiver.listEnvelopes(folder, { limit: 1e4 });
-      for (const env of envelopes) {
-        try {
-          const raw = await receiver.fetchMessage(env.uid, folder);
-          const parsed = await parseEmail(raw);
-          archived.push({
-            uid: env.uid,
-            messageId: parsed.messageId || env.messageId,
-            from: parsed.from?.[0]?.address ?? "",
-            to: parsed.to?.map((a) => a.address) ?? [],
-            subject: parsed.subject || env.subject,
-            date: parsed.date?.toISOString() ?? env.date?.toISOString?.() ?? "",
-            text: parsed.text,
-            html: parsed.html
-          });
-        } catch {
-          archived.push({
-            uid: env.uid,
-            messageId: env.messageId,
-            from: env.from?.[0]?.address ?? "",
-            to: env.to?.map((a) => a.address) ?? [],
-            subject: env.subject,
-            date: env.date?.toISOString?.() ?? ""
-          });
+      let offset = 0;
+      let hasMore = true;
+      while (hasMore) {
+        const envelopes = await receiver.listEnvelopes(folder, { limit: PAGE_SIZE, offset });
+        if (envelopes.length === 0) break;
+        hasMore = envelopes.length === PAGE_SIZE;
+        offset += envelopes.length;
+        for (const env of envelopes) {
+          try {
+            const raw = await receiver.fetchMessage(env.uid, folder);
+            const parsed = await parseEmail(raw);
+            archived.push({
+              uid: env.uid,
+              messageId: parsed.messageId || env.messageId,
+              from: parsed.from?.[0]?.address ?? "",
+              to: parsed.to?.map((a) => a.address) ?? [],
+              subject: parsed.subject || env.subject,
+              date: parsed.date?.toISOString() ?? env.date?.toISOString?.() ?? "",
+              text: parsed.text,
+              html: parsed.html
+            });
+          } catch {
+            archived.push({
+              uid: env.uid,
+              messageId: env.messageId,
+              from: env.from?.[0]?.address ?? "",
+              to: env.to?.map((a) => a.address) ?? [],
+              subject: env.subject,
+              date: env.date?.toISOString?.() ?? ""
+            });
+          }
         }
       }
     } catch (err) {
@@ -1510,622 +2215,8 @@ var AgentDeletionService = class {
   }
 };
 
-// src/mail/spam-filter.ts
-var SPAM_THRESHOLD = 40;
-var WARNING_THRESHOLD = 20;
-function isInternalEmail(email, localDomains) {
-  const fromDomain = email.from[0]?.address?.split("@")[1]?.toLowerCase();
-  if (!fromDomain) return false;
-  const internals = /* @__PURE__ */ new Set(["localhost", ...(localDomains ?? []).map((d) => d.toLowerCase())]);
-  if (internals.has(fromDomain) && email.replyTo?.length) {
-    const replyDomain = email.replyTo[0]?.address?.split("@")[1]?.toLowerCase();
-    if (replyDomain && !internals.has(replyDomain)) return false;
-  }
-  return internals.has(fromDomain);
-}
-var RE_IGNORE_INSTRUCTIONS = /ignore\s+(all\s+)?(previous|prior|above)\s+(instructions|prompts|rules)/i;
-var RE_YOU_ARE_NOW = /you\s+are\s+now\s+(a|an|the|my)\b/i;
-var RE_SYSTEM_DELIMITER = /\[SYSTEM\]|\[INST\]|<<SYS>>|<\|im_start\|>/i;
-var RE_NEW_INSTRUCTIONS = /new\s+instructions?:|override\s+instructions?:/i;
-var RE_ACT_AS = /act\s+as\s+(a|an|if)|pretend\s+(to be|you\s+are)/i;
-var RE_DO_NOT_MENTION = /do\s+not\s+(mention|tell|reveal|disclose)\s+(that|this)/i;
-var RE_TAG_CHARS = /[\u{E0001}-\u{E007F}]/u;
-var RE_DENSE_ZWC = /[\u200B\u200C\u200D\uFEFF]{3,}/;
-var RE_JAILBREAK = /\b(DAN|jailbreak|bypass\s+(safety|filter|restriction)|unlimited\s+mode)\b/i;
-var RE_BASE64_BLOCK = /[A-Za-z0-9+/]{100,}={0,2}/;
-var RE_MARKDOWN_INJECTION = /```(?:system|python\s+exec|bash\s+exec)/i;
-var RE_OWNER_IMPERSONATION = /your\s+(owner|creator|admin|boss|master|human)\s+(asked|told|wants|said|instructed|needs)/i;
-var RE_SECRET_REQUEST = /share\s+(your|the)\s+(api.?key|password|secret|credential|token)/i;
-var RE_IMPERSONATE_SYSTEM = /this\s+is\s+(a|an)\s+(system|security|admin|automated)\s+(message|alert|notification)/i;
-var RE_URGENCY = /\b(urgent|immediately|right now|asap|deadline|expires?|last chance|act now|time.?sensitive)\b/i;
-var RE_AUTHORITY = /\b(suspend|terminate|deactivat|unauthori[zs]|locked|compromised|breach|violation|legal action)\b/i;
-var RE_MONEY_REQUEST = /send\s+(me|us)\s+\$?\d|wire\s+transfer|western\s+union|money\s*gram/i;
-var RE_GIFT_CARD = /buy\s+(me\s+)?gift\s*cards?|itunes\s+cards?|google\s+play\s+cards?/i;
-var RE_CEO_FRAUD = /\b(CEO|CFO|CTO|director|executive)\b.*\b(wire|transfer|payment|urgent)\b/i;
-var RE_FORWARD_ALL = /forward\s+(all|every)\s+(email|message)/i;
-var RE_SEARCH_CREDS = /search\s+(inbox|email|mailbox).*password|find.*credential/i;
-var RE_SEND_TO_EXTERNAL = /send\s+(the|all|every).*to\s+\S+@\S+/i;
-var RE_DUMP_INSTRUCTIONS = /reveal.*system\s+prompt|dump.*instructions|show.*system\s+prompt|print.*instructions/i;
-var RE_WEBHOOK_EXFIL = /https?:\/\/[^/]*(webhook|ngrok|pipedream|requestbin|hookbin)/i;
-var RE_CREDENTIAL_HARVEST = /verify\s+your\s+(account|identity|password|credentials?)/i;
-var RE_LINK_TAG = /<a\s[^>]*href\s*=\s*["']([^"']+)["']/gi;
-var RE_LINK_TAG_WITH_TEXT = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gi;
-var RE_URL_IN_TEXT = /https?:\/\/[^\s<>"]+/gi;
-var RE_IP_URL = /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i;
-var RE_URL_SHORTENER = /https?:\/\/(bit\.ly|t\.co|tinyurl\.com|goo\.gl|ow\.ly|is\.gd|buff\.ly|rebrand\.ly|shorturl\.at)\//i;
-var RE_DATA_URI = /(?:data:text\/html|javascript:)/i;
-var RE_LOGIN_URGENCY = /(click\s+here|sign\s+in|log\s*in).*\b(urgent|immediately|expire|suspend|locked)/i;
-var RE_PHARMACY_SPAM = /\b(viagra|cialis|pharmacy|prescription|cheap\s+meds|online\s+pharmacy)\b/i;
-var RE_WEIGHT_LOSS = /\b(weight\s+loss|diet\s+pill|lose\s+\d+\s+(lbs?|pounds|kg)|fat\s+burn)\b/i;
-var RE_LOTTERY_SCAM = /you\s+(have\s+)?(won|been\s+selected)|lottery|million\s+dollars|nigerian?\s+prince/i;
-var RE_CRYPTO_SCAM = /(bitcoin|crypto|ethereum).*invest(ment)?|guaranteed\s+returns|double\s+your\s+(money|bitcoin|crypto)/i;
-var RE_EXECUTABLE_EXT = /\.(exe|bat|cmd|ps1|sh|dll|scr|vbs|js|msi|com)$/i;
-var RE_DOUBLE_EXT = /\.\w{2,5}\.(exe|bat|cmd|ps1|sh|dll|scr|vbs|js|msi|com)$/i;
-var RE_ARCHIVE_EXT = /\.(zip|rar|7z|tar\.gz|tgz)$/i;
-var RE_HTML_ATTACHMENT_EXT = /\.(html?|svg)$/i;
-var BRAND_DOMAINS = {
-  google: ["google.com", "gmail.com", "googlemail.com"],
-  microsoft: ["microsoft.com", "outlook.com", "hotmail.com", "live.com"],
-  apple: ["apple.com", "icloud.com"],
-  amazon: ["amazon.com", "amazon.co.uk", "amazon.de"],
-  paypal: ["paypal.com"],
-  meta: ["facebook.com", "meta.com", "instagram.com"],
-  netflix: ["netflix.com"],
-  bank: ["chase.com", "wellsfargo.com", "bankofamerica.com", "citibank.com"]
-};
-var SPAM_WORDS = [
-  "congratulations",
-  "winner",
-  "prize",
-  "claim",
-  "free",
-  "offer",
-  "limited time",
-  "act now",
-  "click here",
-  "no obligation",
-  "risk free",
-  "guaranteed",
-  "million",
-  "billion",
-  "inheritance",
-  "beneficiary",
-  "wire transfer",
-  "western union",
-  "dear friend",
-  "dear sir",
-  "kindly",
-  "revert back",
-  "do the needful",
-  "humbly",
-  "esteemed",
-  "investment opportunity",
-  "double your",
-  "earn money",
-  "work from home",
-  "make money",
-  "cash bonus",
-  "discount",
-  "lowest price"
-];
-function countSpamWords(text) {
-  const lower = text.toLowerCase();
-  let count = 0;
-  for (const word of SPAM_WORDS) {
-    if (lower.includes(word)) count++;
-  }
-  return count;
-}
-function hasHomographChars(domain) {
-  if (domain.startsWith("xn--")) return true;
-  const hasCyrillic = /[\u0400-\u04FF]/.test(domain);
-  const hasLatin = /[a-zA-Z]/.test(domain);
-  return hasCyrillic && hasLatin;
-}
-var RULES = [
-  // === Prompt injection ===
-  {
-    id: "pi_ignore_instructions",
-    category: "prompt_injection",
-    score: 25,
-    description: 'Contains "ignore previous instructions" pattern',
-    test: (_e, text) => RE_IGNORE_INSTRUCTIONS.test(text)
-  },
-  {
-    id: "pi_you_are_now",
-    category: "prompt_injection",
-    score: 25,
-    description: 'Contains "you are now a..." roleplay injection',
-    test: (_e, text) => RE_YOU_ARE_NOW.test(text)
-  },
-  {
-    id: "pi_system_delimiter",
-    category: "prompt_injection",
-    score: 20,
-    description: "Contains LLM system delimiters ([SYSTEM], [INST], etc.)",
-    test: (_e, text, html) => RE_SYSTEM_DELIMITER.test(text) || RE_SYSTEM_DELIMITER.test(html)
-  },
-  {
-    id: "pi_new_instructions",
-    category: "prompt_injection",
-    score: 20,
-    description: 'Contains "new instructions:" or "override instructions:"',
-    test: (_e, text) => RE_NEW_INSTRUCTIONS.test(text)
-  },
-  {
-    id: "pi_act_as",
-    category: "prompt_injection",
-    score: 15,
-    description: 'Contains "act as" or "pretend to be" injection',
-    test: (_e, text) => RE_ACT_AS.test(text)
-  },
-  {
-    id: "pi_do_not_mention",
-    category: "prompt_injection",
-    score: 15,
-    description: 'Contains "do not mention/tell/reveal" suppression',
-    test: (_e, text) => RE_DO_NOT_MENTION.test(text)
-  },
-  {
-    id: "pi_invisible_unicode",
-    category: "prompt_injection",
-    score: 20,
-    description: "Contains invisible Unicode tag characters or dense zero-width chars",
-    test: (_e, text, html) => RE_TAG_CHARS.test(text) || RE_TAG_CHARS.test(html) || RE_DENSE_ZWC.test(text) || RE_DENSE_ZWC.test(html)
-  },
-  {
-    id: "pi_jailbreak",
-    category: "prompt_injection",
-    score: 20,
-    description: "Contains jailbreak/DAN/bypass safety language",
-    test: (_e, text) => RE_JAILBREAK.test(text)
-  },
-  {
-    id: "pi_base64_injection",
-    category: "prompt_injection",
-    score: 15,
-    description: "Contains long base64-encoded blocks (potential hidden instructions)",
-    test: (_e, text) => RE_BASE64_BLOCK.test(text)
-  },
-  {
-    id: "pi_markdown_injection",
-    category: "prompt_injection",
-    score: 10,
-    description: "Contains code block injection attempts (```system, ```python exec)",
-    test: (_e, text) => RE_MARKDOWN_INJECTION.test(text)
-  },
-  // === Social engineering ===
-  {
-    id: "se_owner_impersonation",
-    category: "social_engineering",
-    score: 20,
-    description: "Claims to speak on behalf of the agent's owner",
-    test: (_e, text) => RE_OWNER_IMPERSONATION.test(text)
-  },
-  {
-    id: "se_secret_request",
-    category: "social_engineering",
-    score: 15,
-    description: "Requests API keys, passwords, or credentials",
-    test: (_e, text) => RE_SECRET_REQUEST.test(text)
-  },
-  {
-    id: "se_impersonate_system",
-    category: "social_engineering",
-    score: 15,
-    description: "Impersonates a system/security message",
-    test: (_e, text) => RE_IMPERSONATE_SYSTEM.test(text)
-  },
-  {
-    id: "se_urgency_authority",
-    category: "social_engineering",
-    score: 10,
-    description: "Combines urgency language with authority/threat language",
-    test: (_e, text) => RE_URGENCY.test(text) && RE_AUTHORITY.test(text)
-  },
-  {
-    id: "se_money_request",
-    category: "social_engineering",
-    score: 15,
-    description: "Requests money transfer or wire",
-    test: (_e, text) => RE_MONEY_REQUEST.test(text)
-  },
-  {
-    id: "se_gift_card",
-    category: "social_engineering",
-    score: 20,
-    description: "Requests purchase of gift cards",
-    test: (_e, text) => RE_GIFT_CARD.test(text)
-  },
-  {
-    id: "se_ceo_fraud",
-    category: "social_engineering",
-    score: 15,
-    description: "BEC pattern: executive title + payment/wire/urgent",
-    test: (_e, text) => RE_CEO_FRAUD.test(text)
-  },
-  // === Data exfiltration ===
-  {
-    id: "de_forward_all",
-    category: "data_exfiltration",
-    score: 20,
-    description: "Requests forwarding all emails",
-    test: (_e, text) => RE_FORWARD_ALL.test(text)
-  },
-  {
-    id: "de_search_credentials",
-    category: "data_exfiltration",
-    score: 20,
-    description: "Requests searching inbox for passwords/credentials",
-    test: (_e, text) => RE_SEARCH_CREDS.test(text)
-  },
-  {
-    id: "de_send_to_external",
-    category: "data_exfiltration",
-    score: 15,
-    description: "Instructs sending data to an external email address",
-    test: (_e, text) => RE_SEND_TO_EXTERNAL.test(text)
-  },
-  {
-    id: "de_dump_instructions",
-    category: "data_exfiltration",
-    score: 15,
-    description: "Attempts to extract system prompt or instructions",
-    test: (_e, text) => RE_DUMP_INSTRUCTIONS.test(text)
-  },
-  {
-    id: "de_webhook_exfil",
-    category: "data_exfiltration",
-    score: 15,
-    description: "Contains webhook/ngrok/pipedream exfiltration URLs",
-    test: (_e, text) => RE_WEBHOOK_EXFIL.test(text)
-  },
-  // === Phishing ===
-  {
-    id: "ph_spoofed_sender",
-    category: "phishing",
-    score: 10,
-    description: "Sender name contains brand but domain doesn't match",
-    test: (email) => {
-      const from = email.from[0];
-      if (!from) return false;
-      const name = (from.name ?? "").toLowerCase();
-      const domain = (from.address ?? "").split("@")[1]?.toLowerCase() ?? "";
-      for (const [brand, domains] of Object.entries(BRAND_DOMAINS)) {
-        if (name.includes(brand) && !domains.some((d) => domain === d || domain.endsWith("." + d))) {
-          return true;
-        }
-      }
-      return false;
-    }
-  },
-  {
-    id: "ph_credential_harvest",
-    category: "phishing",
-    score: 15,
-    description: 'Asks to "verify your account/password" with links present',
-    test: (_e, text, html) => {
-      if (!RE_CREDENTIAL_HARVEST.test(text)) return false;
-      return RE_URL_IN_TEXT.test(text) || RE_LINK_TAG.test(html);
-    }
-  },
-  {
-    id: "ph_suspicious_links",
-    category: "phishing",
-    score: 10,
-    description: "Contains links with IP addresses, URL shorteners, or excessive subdomains",
-    test: (_e, text, html) => {
-      const allText = text + " " + html;
-      if (RE_IP_URL.test(allText)) return true;
-      if (RE_URL_SHORTENER.test(allText)) return true;
-      const urls = allText.match(RE_URL_IN_TEXT) ?? [];
-      for (const url of urls) {
-        try {
-          const hostname = new URL(url).hostname;
-          if (hostname.split(".").length > 4) return true;
-        } catch {
-        }
-      }
-      return false;
-    }
-  },
-  {
-    id: "ph_data_uri",
-    category: "phishing",
-    score: 15,
-    description: "Contains data: or javascript: URIs in links",
-    test: (_e, _text, html) => {
-      RE_LINK_TAG.lastIndex = 0;
-      let match;
-      while ((match = RE_LINK_TAG.exec(html)) !== null) {
-        if (RE_DATA_URI.test(match[1])) return true;
-      }
-      return false;
-    }
-  },
-  {
-    id: "ph_homograph",
-    category: "phishing",
-    score: 15,
-    description: "From domain contains mixed-script or punycode characters",
-    test: (email) => {
-      const domain = email.from[0]?.address?.split("@")[1] ?? "";
-      if (!domain) return false;
-      return hasHomographChars(domain);
-    }
-  },
-  {
-    id: "ph_mismatched_display_url",
-    category: "phishing",
-    score: 10,
-    description: "HTML link text shows one URL but href points to a different domain",
-    test: (_e, _text, html) => {
-      RE_LINK_TAG_WITH_TEXT.lastIndex = 0;
-      let match;
-      while ((match = RE_LINK_TAG_WITH_TEXT.exec(html)) !== null) {
-        const href = match[1];
-        const linkText = match[2].replace(/<[^>]*>/g, "").trim();
-        if (!/^https?:\/\//i.test(linkText)) continue;
-        try {
-          const hrefHost = new URL(href).hostname.replace(/^www\./, "");
-          const textHost = new URL(linkText).hostname.replace(/^www\./, "");
-          if (hrefHost !== textHost) return true;
-        } catch {
-        }
-      }
-      return false;
-    }
-  },
-  {
-    id: "ph_login_urgency",
-    category: "phishing",
-    score: 10,
-    description: "Combines login/click-here language with urgency",
-    test: (_e, text) => RE_LOGIN_URGENCY.test(text)
-  },
-  {
-    id: "ph_unsubscribe_missing",
-    category: "phishing",
-    score: 3,
-    description: "Marketing-like email with many links but no List-Unsubscribe header",
-    test: (email, text, html) => {
-      const allText = text + " " + html;
-      const urls = new Set(allText.match(RE_URL_IN_TEXT) ?? []);
-      if (urls.size < 5) return false;
-      return !email.headers.get("list-unsubscribe");
-    }
-  },
-  // === Authentication (SPF/DKIM/DMARC from headers) ===
-  {
-    id: "auth_spf_fail",
-    category: "authentication",
-    score: 15,
-    description: "SPF authentication failed",
-    test: (email) => {
-      const authResults = email.headers.get("authentication-results") ?? "";
-      return /spf=(fail|softfail)/i.test(authResults);
-    }
-  },
-  {
-    id: "auth_dkim_fail",
-    category: "authentication",
-    score: 15,
-    description: "DKIM authentication failed",
-    test: (email) => {
-      const authResults = email.headers.get("authentication-results") ?? "";
-      return /dkim=fail/i.test(authResults);
-    }
-  },
-  {
-    id: "auth_dmarc_fail",
-    category: "authentication",
-    score: 20,
-    description: "DMARC authentication failed",
-    test: (email) => {
-      const authResults = email.headers.get("authentication-results") ?? "";
-      return /dmarc=fail/i.test(authResults);
-    }
-  },
-  {
-    id: "auth_no_auth_results",
-    category: "authentication",
-    score: 3,
-    description: "No Authentication-Results header present",
-    test: (email) => {
-      return !email.headers.has("authentication-results");
-    }
-  },
-  // === Attachment risk ===
-  {
-    id: "at_executable",
-    category: "attachment_risk",
-    score: 25,
-    description: "Attachment has executable file extension",
-    test: (email) => {
-      return email.attachments.some((a) => RE_EXECUTABLE_EXT.test(a.filename));
-    }
-  },
-  {
-    id: "at_double_extension",
-    category: "attachment_risk",
-    score: 20,
-    description: "Attachment has double extension (e.g. document.pdf.exe)",
-    test: (email) => {
-      return email.attachments.some((a) => RE_DOUBLE_EXT.test(a.filename));
-    }
-  },
-  {
-    id: "at_archive_carrier",
-    category: "attachment_risk",
-    score: 15,
-    description: "Attachment is an archive (potential payload carrier)",
-    test: (email) => {
-      return email.attachments.some((a) => RE_ARCHIVE_EXT.test(a.filename));
-    }
-  },
-  {
-    id: "at_html_attachment",
-    category: "attachment_risk",
-    score: 10,
-    description: "HTML/SVG file attachment (phishing vector)",
-    test: (email) => {
-      return email.attachments.some((a) => RE_HTML_ATTACHMENT_EXT.test(a.filename));
-    }
-  },
-  // === Header anomalies ===
-  {
-    id: "ha_missing_message_id",
-    category: "header_anomaly",
-    score: 5,
-    description: "Missing Message-ID header",
-    test: (email) => !email.messageId
-  },
-  {
-    id: "ha_empty_from",
-    category: "header_anomaly",
-    score: 10,
-    description: "Missing or empty From address",
-    test: (email) => !email.from.length || !email.from[0].address
-  },
-  {
-    id: "ha_reply_to_mismatch",
-    category: "header_anomaly",
-    score: 5,
-    description: "Reply-To domain differs from From domain",
-    test: (email) => {
-      if (!email.replyTo?.length || !email.from.length) return false;
-      const fromDomain = email.from[0].address?.split("@")[1]?.toLowerCase();
-      const replyDomain = email.replyTo[0].address?.split("@")[1]?.toLowerCase();
-      return !!fromDomain && !!replyDomain && fromDomain !== replyDomain;
-    }
-  },
-  // === Content spam ===
-  {
-    id: "cs_all_caps_subject",
-    category: "content_spam",
-    score: 5,
-    description: "Subject is mostly uppercase",
-    test: (email) => {
-      const s = email.subject;
-      if (s.length < 10) return false;
-      const letters = s.replace(/[^a-zA-Z]/g, "");
-      if (letters.length < 5) return false;
-      const upper = letters.replace(/[^A-Z]/g, "").length;
-      return upper / letters.length > 0.8;
-    }
-  },
-  {
-    id: "cs_lottery_scam",
-    category: "content_spam",
-    score: 25,
-    description: "Contains lottery/prize scam language",
-    test: (_e, text) => RE_LOTTERY_SCAM.test(text)
-  },
-  {
-    id: "cs_crypto_scam",
-    category: "content_spam",
-    score: 10,
-    description: "Contains crypto/investment scam language",
-    test: (_e, text) => RE_CRYPTO_SCAM.test(text)
-  },
-  {
-    id: "cs_excessive_punctuation",
-    category: "content_spam",
-    score: 3,
-    description: "Subject has excessive punctuation (!!!!, ????)",
-    test: (email) => /[!]{4,}|[?]{4,}/.test(email.subject)
-  },
-  {
-    id: "cs_pharmacy_spam",
-    category: "content_spam",
-    score: 15,
-    description: "Contains pharmacy/prescription drug spam language",
-    test: (_e, text) => RE_PHARMACY_SPAM.test(text)
-  },
-  {
-    id: "cs_weight_loss",
-    category: "content_spam",
-    score: 10,
-    description: "Contains weight loss scam language",
-    test: (_e, text) => RE_WEIGHT_LOSS.test(text)
-  },
-  {
-    id: "cs_html_only_no_text",
-    category: "content_spam",
-    score: 5,
-    description: "Email has HTML body but empty/missing text body",
-    test: (email) => {
-      const hasHtml = !!email.html && email.html.trim().length > 0;
-      const hasText = !!email.text && email.text.trim().length > 0;
-      return hasHtml && !hasText;
-    }
-  },
-  {
-    id: "cs_spam_word_density",
-    category: "content_spam",
-    score: 0,
-    // Dynamic — calculated in test
-    description: "High density of common spam words",
-    test: (_e, text) => countSpamWords(text) > 5
-  },
-  // === Link analysis ===
-  {
-    id: "la_excessive_links",
-    category: "link_analysis",
-    score: 5,
-    description: "Contains more than 10 unique links",
-    test: (_e, text, html) => {
-      const allText = text + " " + html;
-      const urls = new Set(allText.match(RE_URL_IN_TEXT) ?? []);
-      return urls.size > 10;
-    }
-  }
-];
-function scoreEmail(email) {
-  const bodyText = [email.subject, email.text ?? ""].join("\n");
-  const bodyHtml = email.html ?? "";
-  const matches = [];
-  for (const rule of RULES) {
-    try {
-      if (rule.test(email, bodyText, bodyHtml)) {
-        let score2 = rule.score;
-        if (rule.id === "cs_spam_word_density") {
-          const wordCount = countSpamWords(bodyText);
-          score2 = wordCount > 10 ? 20 : 10;
-        }
-        matches.push({
-          ruleId: rule.id,
-          category: rule.category,
-          score: score2,
-          description: rule.description
-        });
-      }
-    } catch {
-    }
-  }
-  const score = matches.reduce((sum, m) => sum + m.score, 0);
-  let topCategory = null;
-  if (matches.length > 0) {
-    const categoryScores = /* @__PURE__ */ new Map();
-    for (const m of matches) {
-      categoryScores.set(m.category, (categoryScores.get(m.category) ?? 0) + m.score);
-    }
-    let maxScore = 0;
-    for (const [cat, catScore] of categoryScores) {
-      if (catScore > maxScore) {
-        maxScore = catScore;
-        topCategory = cat;
-      }
-    }
-  }
-  return {
-    score,
-    isSpam: score >= SPAM_THRESHOLD,
-    isWarning: score >= WARNING_THRESHOLD && score < SPAM_THRESHOLD,
-    matches,
-    topCategory
-  };
-}
+// src/index.ts
+init_spam_filter();
 
 // src/mail/sanitizer.ts
 var RE_TAG_BLOCK = /[\u{E0001}-\u{E007F}]/gu;
@@ -2693,7 +2784,10 @@ function getAttachmentText(content, encoding) {
 }
 function scanOutboundEmail(input) {
   const recipients = Array.isArray(input.to) ? input.to : [input.to];
-  const allInternal = recipients.every((r) => r.endsWith("@localhost"));
+  const allInternal = recipients.every((r) => {
+    const domain = r.split("@").pop()?.toLowerCase();
+    return domain === "localhost";
+  });
   if (allInternal) {
     return { warnings: [], hasHighSeverity: false, hasMediumSeverity: false, blocked: false, summary: "" };
   }
@@ -3186,6 +3280,12 @@ var EmailSearchIndex = class {
     this.db = db2;
   }
   index(email) {
+    if (email.messageId) {
+      const existing = this.db.prepare(
+        "SELECT rowid FROM email_search WHERE agent_id = ? AND message_id = ?"
+      ).get(email.agentId, email.messageId);
+      if (existing) return;
+    }
     const stmt = this.db.prepare(`
       INSERT INTO email_search (agent_id, message_id, subject, from_address, to_address, body_text, received_at)
       VALUES (?, ?, ?, ?, ?, ?, ?)
@@ -4573,6 +4673,7 @@ var TunnelManager = class {
 
 // src/gateway/manager.ts
 var import_mail_composer3 = __toESM(require("nodemailer/lib/mail-composer/index.js"), 1);
+init_spam_filter();
 
 // src/sms/manager.ts
 function normalizePhoneNumber(raw) {
@@ -4973,23 +5074,38 @@ var SmsPoller = class {
 };
 
 // src/gateway/manager.ts
+function deriveKey(key, salt) {
+  return (0, import_node_crypto2.scryptSync)(key, salt, 32, { N: 16384, r: 8, p: 1 });
+}
 function encryptSecret(plaintext, key) {
-  const keyHash = (0, import_node_crypto2.createHash)("sha256").update(key).digest();
+  const salt = (0, import_node_crypto2.randomBytes)(16);
+  const derivedKey = deriveKey(key, salt);
   const iv = (0, import_node_crypto2.randomBytes)(12);
-  const cipher = (0, import_node_crypto2.createCipheriv)("aes-256-gcm", keyHash, iv);
+  const cipher = (0, import_node_crypto2.createCipheriv)("aes-256-gcm", derivedKey, iv);
   const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
   const authTag = cipher.getAuthTag();
-  return `enc:${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+  return `enc2:${salt.toString("hex")}:${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
 }
 function decryptSecret(value, key) {
-  if (!value.startsWith("enc:")) return value;
-  const parts = value.split(":");
-  if (parts.length !== 4) return value;
-  const [, ivHex, authTagHex, ciphertextHex] = parts;
-  const keyHash = (0, import_node_crypto2.createHash)("sha256").update(key).digest();
-  const decipher = (0, import_node_crypto2.createDecipheriv)("aes-256-gcm", keyHash, Buffer.from(ivHex, "hex"));
-  decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
-  return Buffer.concat([decipher.update(Buffer.from(ciphertextHex, "hex")), decipher.final()]).toString("utf8");
+  if (value.startsWith("enc2:")) {
+    const parts = value.split(":");
+    if (parts.length !== 5) return value;
+    const [, saltHex, ivHex, authTagHex, ciphertextHex] = parts;
+    const derivedKey = deriveKey(key, Buffer.from(saltHex, "hex"));
+    const decipher = (0, import_node_crypto2.createDecipheriv)("aes-256-gcm", derivedKey, Buffer.from(ivHex, "hex"));
+    decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
+    return Buffer.concat([decipher.update(Buffer.from(ciphertextHex, "hex")), decipher.final()]).toString("utf8");
+  }
+  if (value.startsWith("enc:")) {
+    const parts = value.split(":");
+    if (parts.length !== 4) return value;
+    const [, ivHex, authTagHex, ciphertextHex] = parts;
+    const keyHash = (0, import_node_crypto2.createHash)("sha256").update(key).digest();
+    const decipher = (0, import_node_crypto2.createDecipheriv)("aes-256-gcm", keyHash, Buffer.from(ivHex, "hex"));
+    decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
+    return Buffer.concat([decipher.update(Buffer.from(ciphertextHex, "hex")), decipher.final()]).toString("utf8");
+  }
+  return value;
 }
 var GatewayManager = class {
   constructor(options) {
@@ -5079,11 +5195,14 @@ var GatewayManager = class {
       console.warn(`[GatewayManager] Approval reply check failed: ${err.message}`);
     }
     const parsed = inboundToParsedEmail(mail);
-    const spamResult = scoreEmail(parsed);
-    if (spamResult.isSpam) {
-      console.warn(`[GatewayManager] Spam blocked (score=${spamResult.score}, category=${spamResult.topCategory}): "${mail.subject}" from ${mail.from}`);
-      if (mail.messageId) this.recordDelivery(mail.messageId, agentName);
-      return;
+    const { isInternalEmail: isInternalEmail2 } = await Promise.resolve().then(() => (init_spam_filter(), spam_filter_exports));
+    if (!isInternalEmail2(parsed)) {
+      const spamResult = scoreEmail(parsed);
+      if (spamResult.isSpam) {
+        console.warn(`[GatewayManager] Spam blocked (score=${spamResult.score}, category=${spamResult.topCategory}): "${mail.subject}" from ${mail.from}`);
+        if (mail.messageId) this.recordDelivery(mail.messageId, agentName);
+        return;
+      }
     }
     let agent = await this.accountManager.getByName(agentName);
     if (!agent && agentName !== DEFAULT_AGENT_NAME) {