@agenticmail/core 0.9.3 → 0.9.5

package/dist/index.js

@@ -78,7 +78,7 @@ var MailSender = class {
         const code = err?.responseCode ?? err?.code;
         const isTransient = typeof code === "number" && code >= 400 && code < 500 || code === "ECONNRESET" || code === "ETIMEDOUT" || code === "ESOCKET";
         if (!isTransient || attempt === MAX_RETRIES) throw err;
-        await new Promise((resolve) => setTimeout(resolve, 1e3 * (attempt + 1)));
+        await new Promise((resolve2) => setTimeout(resolve2, 1e3 * (attempt + 1)));
       }
     }
     throw lastError;
@@ -205,7 +205,13 @@ var MailReceiver = class {
   async fetchMessage(uid, mailbox = "INBOX") {
     const lock = await this.client.getMailboxLock(mailbox);
     try {
-      const { content } = await this.client.download(String(uid), void 0, { uid: true });
+      const result = await this.client.download(String(uid), void 0, { uid: true });
+      const content = result?.content;
+      if (!content) {
+        const err = new Error(`Message UID ${uid} not found in mailbox "${mailbox}"`);
+        err.code = "MESSAGE_NOT_FOUND";
+        throw err;
+      }
       const chunks = [];
       for await (const chunk of content) {
         chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
@@ -1004,20 +1010,20 @@ var StalwartAdmin = class {
     }
     try {
       const net = await import("net");
-      return await new Promise((resolve) => {
+      return await new Promise((resolve2) => {
         const smtpPort = parseInt(process.env.SMTP_PORT || "25", 10);
         const smtpHost = process.env.SMTP_HOST || "localhost";
         const socket = net.createConnection({ host: smtpHost, port: smtpPort, timeout: 3e3 }, () => {
           socket.destroy();
-          resolve(true);
+          resolve2(true);
         });
         socket.on("error", () => {
           socket.destroy();
-          resolve(false);
+          resolve2(false);
         });
         socket.on("timeout", () => {
           socket.destroy();
-          resolve(false);
+          resolve2(false);
         });
       });
     } catch {
@@ -1089,8 +1095,8 @@ var StalwartAdmin = class {
     }
     const { readFileSync: readFileSync7, writeFileSync: writeFileSync8 } = await import("fs");
     const { homedir: homedir11 } = await import("os");
-    const { join: join12 } = await import("path");
-    const configPath = join12(homedir11(), ".agenticmail", "stalwart.toml");
+    const { join: join13 } = await import("path");
+    const configPath = join13(homedir11(), ".agenticmail", "stalwart.toml");
     try {
       let config = readFileSync7(configPath, "utf-8");
       config = config.replace(/^hostname\s*=\s*"[^"]*"/m, `hostname = "${escapeTomlString(domain)}"`);
@@ -1104,14 +1110,14 @@ var StalwartAdmin = class {
   /** Path to the host-side stalwart.toml (mounted read-only into container) */
   get configPath() {
     const { homedir: homedir11 } = __require("os");
-    const { join: join12 } = __require("path");
-    return join12(homedir11(), ".agenticmail", "stalwart.toml");
+    const { join: join13 } = __require("path");
+    return join13(homedir11(), ".agenticmail", "stalwart.toml");
   }
   /** Path to host-side DKIM key directory */
   get dkimDir() {
     const { homedir: homedir11 } = __require("os");
-    const { join: join12 } = __require("path");
-    return join12(homedir11(), ".agenticmail");
+    const { join: join13 } = __require("path");
+    return join13(homedir11(), ".agenticmail");
   }
   /**
    * Create/reuse a DKIM signing key for a domain.
@@ -1214,9 +1220,9 @@ var StalwartAdmin = class {
   async configureOutboundRelay(config) {
     const { readFileSync: readFileSync7, writeFileSync: writeFileSync8 } = await import("fs");
     const { homedir: homedir11 } = await import("os");
-    const { join: join12 } = await import("path");
+    const { join: join13 } = await import("path");
     const routeName = config.routeName ?? "gmail";
-    const tomlPath = join12(homedir11(), ".agenticmail", "stalwart.toml");
+    const tomlPath = join13(homedir11(), ".agenticmail", "stalwart.toml");
     let toml = readFileSync7(tomlPath, "utf-8");
     toml = toml.replace(/\n\[queue\.route\.gmail\][\s\S]*?(?=\n\[|$)/, "");
     toml = toml.replace(/\n\[queue\.strategy\][\s\S]*?(?=\n\[|$)/, "");
@@ -2321,7 +2327,8 @@ var OUTBOUND_TEXT_RULES = [
 var HIGH_RISK_EXTENSIONS = /* @__PURE__ */ new Set([".pem", ".key", ".p12", ".pfx", ".env", ".credentials", ".keystore", ".jks", ".p8"]);
 var MEDIUM_RISK_EXTENSIONS = /* @__PURE__ */ new Set([".db", ".sqlite", ".sqlite3", ".sql", ".csv", ".tsv", ".json", ".yml", ".yaml", ".conf", ".config", ".ini"]);
 function stripHtmlTags(html) {
-  return html.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "").replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "").replace(/<[^>]+>/g, "").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"').replace(/&#0?39;/g, "'").replace(/&nbsp;/g, " ").replace(/&#x([0-9a-fA-F]+);/g, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#(\d+);/g, (_, dec) => String.fromCharCode(parseInt(dec, 10)));
+  const bounded = html.length > 1048576 ? html.slice(0, 1048576) : html;
+  return bounded.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "").replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "").replace(/<[^>]+>/g, "").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"').replace(/&#0?39;/g, "'").replace(/&nbsp;/g, " ").replace(/&#x([0-9a-fA-F]+);/g, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#(\d+);/g, (_, dec) => String.fromCharCode(parseInt(dec, 10)));
 }
 var TEXT_SCANNABLE_TYPES = /* @__PURE__ */ new Set([
   "text/plain",
@@ -3853,7 +3860,7 @@ var CloudflareClient = class {
   // --- Workers methods ---
   /** Deploy an Email Worker script (ES module format) */
   async deployEmailWorker(scriptName, scriptContent, envVars = {}) {
-    const url = `${CF_API_BASE}/accounts/${this.accountId}/workers/scripts/${scriptName}`;
+    const url = `${CF_API_BASE}/accounts/${encodeURIComponent(this.accountId)}/workers/scripts/${encodeURIComponent(scriptName)}`;
     const bindings = Object.entries(envVars).map(([name, text2]) => ({
       type: "plain_text",
       name,
@@ -4271,7 +4278,7 @@ var TunnelManager = class {
       detached: false,
       env: { ...process.env, TUNNEL_TOKEN: tunnelToken }
     });
-    await new Promise((resolve, reject) => {
+    await new Promise((resolve2, reject) => {
       let resolved = false;
       const timeout = setTimeout(() => {
         if (!resolved) {
@@ -4285,7 +4292,7 @@ var TunnelManager = class {
           resolved = true;
           clearTimeout(timeout);
           this.running = true;
-          resolve();
+          resolve2();
         }
       };
       this.process.stderr?.on("data", onData);
@@ -4324,8 +4331,8 @@ var TunnelManager = class {
       this.process = null;
       p.kill("SIGTERM");
       await Promise.race([
-        new Promise((resolve) => p.on("exit", () => resolve())),
-        new Promise((resolve) => setTimeout(resolve, 5e3))
+        new Promise((resolve2) => p.on("exit", () => resolve2())),
+        new Promise((resolve2) => setTimeout(resolve2, 5e3))
       ]);
       this.running = false;
     }
@@ -4380,7 +4387,10 @@ function parseGoogleVoiceSms(emailBody, emailFrom) {
   if (!emailBody || typeof emailBody !== "string") return null;
   if (!emailFrom || typeof emailFrom !== "string") return null;
   const fromLower = emailFrom.toLowerCase();
-  const isGoogleVoice = fromLower.includes("voice-noreply@google.com") || fromLower.includes("@txt.voice.google.com") || fromLower.includes("voice.google.com") || fromLower.includes("google.com/voice") || fromLower.includes("google") && fromLower.includes("voice");
+  const atIdx = fromLower.lastIndexOf("@");
+  const domain = atIdx >= 0 ? fromLower.slice(atIdx + 1).replace(/[>"'\s].*$/, "") : "";
+  const isGoogleDomain = domain === "google.com" || domain.endsWith(".google.com");
+  const isGoogleVoice = isGoogleDomain && (fromLower.startsWith("voice-noreply@") || domain === "txt.voice.google.com" || domain === "voice.google.com" || domain.endsWith(".voice.google.com") || fromLower.includes("voice"));
   if (!isGoogleVoice) return null;
   let text = emailBody.replace(/<br\s*\/?>/gi, "\n").replace(/<\/p>/gi, "\n").replace(/<\/div>/gi, "\n").replace(/<[^>]+>/g, "").replace(/&nbsp;/gi, " ").replace(/&amp;/gi, "&").replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&quot;/gi, '"').replace(/&#39;/gi, "'").trim();
   let from = "";
@@ -5411,6 +5421,15 @@ var GatewayManager = class {
       bcc: mail.bcc ? Array.isArray(mail.bcc) ? mail.bcc.join(", ") : mail.bcc : void 0,
       subject: mail.subject,
       text: mail.text || void 0,
+      // The `html` field is the literal HTML body of the outbound
+      // mail — by design it is whatever the sender chose to compose.
+      // CodeQL `js/xss` flags this because the value flows from user
+      // input, but nodemailer is the SMTP serializer, not an HTML
+      // renderer; XSS would only occur if the recipient's MUA
+      // executed the body, which is outside our trust boundary.
+      // The outbound-guard (packages/core/src/mail/outbound-guard.ts)
+      // already scores HTML bodies for suspicious patterns at the
+      // pre-send step. lgtm[js/xss]
       html: mail.html || void 0,
       replyTo: mail.replyTo || from,
       inReplyTo: mail.inReplyTo || void 0,
@@ -5772,11 +5791,11 @@ var RelayBridge = class {
     this.options = options;
   }
   async start() {
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       this.server = createServer((req, res) => this.handleRequest(req, res));
       this.server.listen(this.options.port, "127.0.0.1", () => {
         console.log(`[RelayBridge] Listening on 127.0.0.1:${this.options.port}`);
-        resolve();
+        resolve2();
       });
       this.server.on("error", reject);
     });
@@ -5978,16 +5997,161 @@ try {
 } catch {
 }
 
+// src/util/safe-path.ts
+import { isAbsolute, join as join6, resolve, sep } from "path";
+var PathTraversalError = class extends Error {
+  constructor(baseDir, parts) {
+    super(
+      `path traversal attempt: ${JSON.stringify(parts)} resolves outside ${baseDir}`
+    );
+    this.baseDir = baseDir;
+    this.parts = parts;
+    this.name = "PathTraversalError";
+  }
+};
+function safeJoin(baseDir, ...partsAndOpts) {
+  let opts = {};
+  const parts = [];
+  for (const p of partsAndOpts) {
+    if (typeof p === "string") {
+      parts.push(p);
+    } else if (p && typeof p === "object") {
+      opts = p;
+    }
+  }
+  if (!opts.allowAbsolute) {
+    for (const part of parts) {
+      if (isAbsolute(part)) {
+        throw new PathTraversalError(baseDir, parts);
+      }
+    }
+  }
+  const resolvedBase = resolve(baseDir);
+  const resolved = resolve(resolvedBase, ...parts);
+  if (resolved !== resolvedBase && !resolved.startsWith(resolvedBase + sep)) {
+    throw new PathTraversalError(baseDir, parts);
+  }
+  return resolved;
+}
+function tryJoin(baseDir, ...parts) {
+  try {
+    return safeJoin(baseDir, ...parts);
+  } catch (err) {
+    if (err instanceof PathTraversalError) return null;
+    throw err;
+  }
+}
+function assertWithinBase(baseDir, candidate) {
+  const resolvedBase = resolve(baseDir);
+  const resolvedCandidate = resolve(candidate);
+  if (resolvedCandidate !== resolvedBase && !resolvedCandidate.startsWith(resolvedBase + sep)) {
+    throw new PathTraversalError(baseDir, [candidate]);
+  }
+  return resolvedCandidate;
+}
+
+// src/util/redact.ts
+var REDACTED = "***";
+function redactSecret(value) {
+  if (typeof value !== "string") return REDACTED;
+  if (value.length === 0) return REDACTED;
+  for (const prefix of ["mk_", "ak_", "sk-", "pk_", "tok_"]) {
+    if (value.startsWith(prefix)) return `${prefix}${REDACTED}`;
+  }
+  return REDACTED;
+}
+var SENSITIVE_KEY_PATTERNS = [
+  /key$/i,
+  /secret/i,
+  /password/i,
+  /passwd/i,
+  /token/i,
+  /authorization/i,
+  /bearer/i,
+  /\bapikey\b/i,
+  /\bapi_key\b/i,
+  /\bmasterkey\b/i,
+  /\bmaster_key\b/i
+];
+function looksSensitive(key) {
+  return SENSITIVE_KEY_PATTERNS.some((p) => p.test(key));
+}
+function redactObject(input, _depth = 0) {
+  if (_depth > 12) return input;
+  if (input === null || input === void 0) return input;
+  if (typeof input !== "object") return input;
+  if (Array.isArray(input)) {
+    return input.map((v) => redactObject(v, _depth + 1));
+  }
+  const proto = Object.getPrototypeOf(input);
+  if (proto !== Object.prototype && proto !== null) return input;
+  const out = {};
+  for (const [k, v] of Object.entries(input)) {
+    if (looksSensitive(k)) {
+      out[k] = typeof v === "string" ? redactSecret(v) : REDACTED;
+    } else {
+      out[k] = redactObject(v, _depth + 1);
+    }
+  }
+  return out;
+}
+
+// src/util/safe-url.ts
+var UnsafeApiUrlError = class extends Error {
+  constructor(raw, reason) {
+    super(`unsafe AgenticMail API URL ${JSON.stringify(raw)}: ${reason}`);
+    this.raw = raw;
+    this.reason = reason;
+    this.name = "UnsafeApiUrlError";
+  }
+};
+var BLOCKED_HOSTS = /* @__PURE__ */ new Set([
+  "169.254.169.254",
+  // AWS / Azure / GCP IPv4 metadata
+  "fd00:ec2::254",
+  // AWS IPv6 metadata
+  "metadata.google.internal",
+  // GCP DNS
+  "metadata.azure.internal"
+  // Azure DNS
+]);
+function validateApiUrl(raw) {
+  if (typeof raw !== "string" || raw.length === 0) {
+    throw new UnsafeApiUrlError(String(raw), "must be a non-empty string");
+  }
+  let parsed;
+  try {
+    parsed = new URL(raw);
+  } catch (err) {
+    throw new UnsafeApiUrlError(raw, `unparseable: ${err.message}`);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new UnsafeApiUrlError(raw, `unsupported protocol: ${parsed.protocol}`);
+  }
+  const host = parsed.hostname.toLowerCase().replace(/\.$/, "");
+  if (BLOCKED_HOSTS.has(host)) {
+    throw new UnsafeApiUrlError(raw, `blocked metadata host: ${host}`);
+  }
+  if (parsed.username || parsed.password) {
+    throw new UnsafeApiUrlError(raw, "embedded credentials are not supported");
+  }
+  return parsed.origin;
+}
+function buildApiUrl(baseOrigin, pathAndQuery) {
+  const path = pathAndQuery.startsWith("/") ? pathAndQuery : `/${pathAndQuery}`;
+  return new URL(path, baseOrigin + "/").toString();
+}
+
 // src/setup/index.ts
 import { randomBytes as randomBytes3 } from "crypto";
 import { existsSync as existsSync7, readFileSync as readFileSync4, writeFileSync as writeFileSync5, mkdirSync as mkdirSync6, chmodSync as chmodSync2 } from "fs";
-import { join as join9 } from "path";
+import { join as join10 } from "path";
 import { homedir as homedir8 } from "os";
 
 // src/setup/deps.ts
 import { execFileSync } from "child_process";
 import { existsSync as existsSync4 } from "fs";
-import { join as join6 } from "path";
+import { join as join7 } from "path";
 import { homedir as homedir5 } from "os";
 var DependencyChecker = class {
   async checkAll() {
@@ -6038,7 +6202,7 @@ var DependencyChecker = class {
     }
   }
   async checkCloudflared() {
-    const binPath = join6(homedir5(), ".agenticmail", "bin", "cloudflared");
+    const binPath = join7(homedir5(), ".agenticmail", "bin", "cloudflared");
     if (existsSync4(binPath)) {
       let version;
       try {
@@ -6063,12 +6227,12 @@ var DependencyChecker = class {
 import { execFileSync as execFileSync2, execSync, spawn as spawnChild } from "child_process";
 import { existsSync as existsSync5, mkdirSync as mkdirSync4, symlinkSync } from "fs";
 import { writeFile, rename, chmod as chmod2, mkdir as mkdir2, unlink } from "fs/promises";
-import { join as join7 } from "path";
+import { join as join8 } from "path";
 import { homedir as homedir6, platform as platform3, arch as arch2 } from "os";
 function runShellWithRollingOutput(cmd, opts = {}) {
   const maxLines = opts.maxLines ?? 20;
   const timeout = opts.timeout ?? 3e5;
-  return new Promise((resolve, reject) => {
+  return new Promise((resolve2, reject) => {
     const child = spawnChild("sh", ["-c", cmd], {
       stdio: ["ignore", "pipe", "pipe"],
       timeout
@@ -6110,7 +6274,7 @@ function runShellWithRollingOutput(cmd, opts = {}) {
         }
         process.stdout.write(`\x1B[${displayedCount}A`);
       }
-      resolve({ exitCode: code ?? 1, fullOutput });
+      resolve2({ exitCode: code ?? 1, fullOutput });
     });
     child.on("error", (err) => {
       if (displayedCount > 0) {
@@ -6126,7 +6290,7 @@ function runShellWithRollingOutput(cmd, opts = {}) {
 }
 function runSilent(command, args, opts = {}) {
   const timeout = opts.timeout ?? 3e5;
-  return new Promise((resolve, reject) => {
+  return new Promise((resolve2, reject) => {
     const child = spawnChild(command, args, {
       stdio: ["ignore", "pipe", "pipe"],
       timeout
@@ -6138,7 +6302,7 @@ function runSilent(command, args, opts = {}) {
     child.stderr?.on("data", (d) => {
       fullOutput += d.toString();
     });
-    child.on("close", (code) => resolve({ exitCode: code ?? 1, fullOutput }));
+    child.on("close", (code) => resolve2({ exitCode: code ?? 1, fullOutput }));
     child.on("error", reject);
   });
 }
@@ -6240,8 +6404,8 @@ var DependencyInstaller = class {
     try {
       const composeBin = execFileSync2("which", ["docker-compose"], { timeout: 5e3, stdio: ["ignore", "pipe", "ignore"] }).toString().trim();
       if (!composeBin) return;
-      const pluginDir = join7(homedir6(), ".docker", "cli-plugins");
-      const pluginPath = join7(pluginDir, "docker-compose");
+      const pluginDir = join8(homedir6(), ".docker", "cli-plugins");
+      const pluginPath = join8(pluginDir, "docker-compose");
       if (existsSync5(pluginPath)) return;
       try {
         mkdirSync4(pluginDir, { recursive: true });
@@ -6307,9 +6471,9 @@ var DependencyInstaller = class {
       return;
     }
     this.onProgress("__progress__:5:Installing Docker Engine...");
-    const tmpDir = join7(homedir6(), ".agenticmail", "tmp");
+    const tmpDir = join8(homedir6(), ".agenticmail", "tmp");
     await mkdir2(tmpDir, { recursive: true });
-    const scriptPath = join7(tmpDir, "install-docker.sh");
+    const scriptPath = join8(tmpDir, "install-docker.sh");
     const dlResult = await runShellWithRollingOutput(
       `curl -fsSL https://get.docker.com -o "${scriptPath}" && sudo sh "${scriptPath}"`,
       { timeout: 3e5 }
@@ -6377,7 +6541,7 @@ var DependencyInstaller = class {
       }
       try {
         const programFiles = process.env["ProgramFiles"] || "C:\\Program Files";
-        const dockerExe = join7(programFiles, "Docker", "Docker", "Docker Desktop.exe");
+        const dockerExe = join8(programFiles, "Docker", "Docker", "Docker Desktop.exe");
         if (existsSync5(dockerExe)) {
           execSync(`start "" "${dockerExe}"`, { timeout: 1e4, stdio: "ignore", shell: "cmd.exe" });
         }
@@ -6428,7 +6592,7 @@ var DependencyInstaller = class {
         this.onProgress("__progress__:70:Docker Desktop installed. Starting...");
         try {
           const programFiles = process.env["ProgramFiles"] || "C:\\Program Files";
-          const dockerExe = join7(programFiles, "Docker", "Docker", "Docker Desktop.exe");
+          const dockerExe = join8(programFiles, "Docker", "Docker", "Docker Desktop.exe");
           if (existsSync5(dockerExe)) {
             execSync(`start "" "${dockerExe}"`, { timeout: 1e4, stdio: "ignore", shell: "cmd.exe" });
           }
@@ -6525,9 +6689,9 @@ var DependencyInstaller = class {
    */
   async installCloudflared() {
     const os = platform3();
-    const binDir = join7(homedir6(), ".agenticmail", "bin");
+    const binDir = join8(homedir6(), ".agenticmail", "bin");
     const binName = os === "win32" ? "cloudflared.exe" : "cloudflared";
-    const binPath = join7(binDir, binName);
+    const binPath = join8(binDir, binName);
     if (existsSync5(binPath)) {
       return binPath;
     }
@@ -6557,7 +6721,7 @@ var DependencyInstaller = class {
     }
     const buffer = Buffer.from(await response.arrayBuffer());
     if (os === "darwin") {
-      const tgzPath = join7(binDir, "cloudflared.tgz");
+      const tgzPath = join8(binDir, "cloudflared.tgz");
       await writeFile(tgzPath, buffer);
       try {
         execFileSync2("tar", ["-xzf", tgzPath, "-C", binDir, "cloudflared"], { timeout: 15e3, stdio: "ignore" });
@@ -6593,7 +6757,7 @@ var DependencyInstaller = class {
 // src/setup/service.ts
 import { execFileSync as execFileSync3, execSync as execSync2 } from "child_process";
 import { existsSync as existsSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync4, unlinkSync, mkdirSync as mkdirSync5, chmodSync } from "fs";
-import { join as join8 } from "path";
+import { join as join9 } from "path";
 import { homedir as homedir7, platform as platform4 } from "os";
 import { createRequire as createRequire2 } from "module";
 var PLIST_LABEL = "com.agenticmail.server";
@@ -6605,9 +6769,9 @@ var ServiceManager = class {
    */
   getServicePath() {
     if (this.os === "darwin") {
-      return join8(homedir7(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
+      return join9(homedir7(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`);
     } else {
-      return join8(homedir7(), ".config", "systemd", "user", SYSTEMD_UNIT);
+      return join9(homedir7(), ".config", "systemd", "user", SYSTEMD_UNIT);
     }
   }
   /**
@@ -6645,33 +6809,33 @@ var ServiceManager = class {
     } catch {
     }
     const parentPackages = [
-      join8("@agenticmail", "cli"),
+      join9("@agenticmail", "cli"),
       // current scoped package
       "agenticmail"
       // legacy unscoped package
     ];
     const baseDirs = [
       // user-local install
-      join8(homedir7(), "node_modules")
+      join9(homedir7(), "node_modules")
     ];
     try {
       const prefix = execSync2("npm prefix -g", { timeout: 5e3, stdio: ["ignore", "pipe", "ignore"] }).toString().trim();
-      baseDirs.push(join8(prefix, "lib", "node_modules"));
-      baseDirs.push(join8(prefix, "node_modules"));
+      baseDirs.push(join9(prefix, "lib", "node_modules"));
+      baseDirs.push(join9(prefix, "node_modules"));
     } catch {
     }
     baseDirs.push("/opt/homebrew/lib/node_modules");
     baseDirs.push("/usr/local/lib/node_modules");
     for (const base of baseDirs) {
-      const sibling = join8(base, "@agenticmail", "api", "dist", "index.js");
+      const sibling = join9(base, "@agenticmail", "api", "dist", "index.js");
       if (existsSync6(sibling)) return sibling;
       for (const parent of parentPackages) {
-        const nested = join8(base, parent, "node_modules", "@agenticmail", "api", "dist", "index.js");
+        const nested = join9(base, parent, "node_modules", "@agenticmail", "api", "dist", "index.js");
         if (existsSync6(nested)) return nested;
       }
     }
-    const dataDir = join8(homedir7(), ".agenticmail");
-    const entryCache = join8(dataDir, "api-entry.path");
+    const dataDir = join9(homedir7(), ".agenticmail");
+    const entryCache = join9(dataDir, "api-entry.path");
     if (existsSync6(entryCache)) {
       const cached = readFileSync3(entryCache, "utf-8").trim();
       if (cached && existsSync6(cached)) return cached;
@@ -6682,9 +6846,9 @@ var ServiceManager = class {
    * Cache the API entry path so the service can find it later.
    */
   cacheApiEntryPath(entryPath) {
-    const dataDir = join8(homedir7(), ".agenticmail");
+    const dataDir = join9(homedir7(), ".agenticmail");
     if (!existsSync6(dataDir)) mkdirSync5(dataDir, { recursive: true });
-    writeFileSync4(join8(dataDir, "api-entry.path"), entryPath);
+    writeFileSync4(join9(dataDir, "api-entry.path"), entryPath);
   }
   /**
    * Get the current package version.
@@ -6705,7 +6869,7 @@ var ServiceManager = class {
     }
     try {
       const apiEntry = this.getApiEntryPath();
-      const apiPkg = join8(apiEntry, "..", "..", "package.json");
+      const apiPkg = join9(apiEntry, "..", "..", "package.json");
       if (existsSync6(apiPkg)) {
         const pkg = JSON.parse(readFileSync3(apiPkg, "utf-8"));
         if (pkg.version) return pkg.version;
@@ -6713,14 +6877,14 @@ var ServiceManager = class {
     } catch {
     }
     const candidates = [
-      join8(homedir7(), "node_modules", "@agenticmail", "cli", "package.json"),
-      join8(homedir7(), "node_modules", "agenticmail", "package.json"),
-      join8(homedir7(), ".agenticmail", "package-version.json")
+      join9(homedir7(), "node_modules", "@agenticmail", "cli", "package.json"),
+      join9(homedir7(), "node_modules", "agenticmail", "package.json"),
+      join9(homedir7(), ".agenticmail", "package-version.json")
     ];
     try {
       const prefix = execSync2("npm prefix -g", { timeout: 5e3, stdio: ["ignore", "pipe", "ignore"] }).toString().trim();
-      candidates.push(join8(prefix, "lib", "node_modules", "@agenticmail", "cli", "package.json"));
-      candidates.push(join8(prefix, "lib", "node_modules", "agenticmail", "package.json"));
+      candidates.push(join9(prefix, "lib", "node_modules", "@agenticmail", "cli", "package.json"));
+      candidates.push(join9(prefix, "lib", "node_modules", "agenticmail", "package.json"));
     } catch {
     }
     for (const p of candidates) {
@@ -6739,8 +6903,8 @@ var ServiceManager = class {
    * This ensures AgenticMail doesn't fail on boot when Docker is still loading.
    */
   generateStartScript(nodePath, apiEntry) {
-    const scriptPath = join8(homedir7(), ".agenticmail", "bin", "start-server.sh");
-    const scriptDir = join8(homedir7(), ".agenticmail", "bin");
+    const scriptPath = join9(homedir7(), ".agenticmail", "bin", "start-server.sh");
+    const scriptDir = join9(homedir7(), ".agenticmail", "bin");
     if (!existsSync6(scriptDir)) mkdirSync5(scriptDir, { recursive: true });
     const script = [
       "#!/bin/bash",
@@ -6806,7 +6970,7 @@ var ServiceManager = class {
    */
   generatePlist(nodePath, apiEntry, configPath) {
     const config = JSON.parse(readFileSync3(configPath, "utf-8"));
-    const logDir = join8(homedir7(), ".agenticmail", "logs");
+    const logDir = join9(homedir7(), ".agenticmail", "logs");
     if (!existsSync6(logDir)) mkdirSync5(logDir, { recursive: true });
     const version = this.getVersion();
     const startScript = this.generateStartScript(nodePath, apiEntry);
@@ -6830,7 +6994,7 @@ var ServiceManager = class {
     <key>HOME</key>
     <string>${homedir7()}</string>
     <key>AGENTICMAIL_DATA_DIR</key>
-    <string>${config.dataDir || join8(homedir7(), ".agenticmail")}</string>
+    <string>${config.dataDir || join9(homedir7(), ".agenticmail")}</string>
     <key>PATH</key>
     <string>/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
     <key>AGENTICMAIL_SERVICE_VERSION</key>
@@ -6884,7 +7048,7 @@ var ServiceManager = class {
    */
   generateSystemdUnit(nodePath, apiEntry, configPath) {
     const config = JSON.parse(readFileSync3(configPath, "utf-8"));
-    const dataDir = config.dataDir || join8(homedir7(), ".agenticmail");
+    const dataDir = config.dataDir || join9(homedir7(), ".agenticmail");
     const version = this.getVersion();
     const startScript = this.generateStartScript(nodePath, apiEntry);
     return `[Unit]
@@ -6914,7 +7078,7 @@ WantedBy=default.target
    * Install the auto-start service.
    */
   install() {
-    const configPath = join8(homedir7(), ".agenticmail", "config.json");
+    const configPath = join9(homedir7(), ".agenticmail", "config.json");
     if (!existsSync6(configPath)) {
       return { installed: false, message: "Config not found. Run agenticmail setup first." };
     }
@@ -6927,7 +7091,7 @@ WantedBy=default.target
     }
     const servicePath = this.getServicePath();
     if (this.os === "darwin") {
-      const dir = join8(homedir7(), "Library", "LaunchAgents");
+      const dir = join9(homedir7(), "Library", "LaunchAgents");
       if (!existsSync6(dir)) mkdirSync5(dir, { recursive: true });
       if (existsSync6(servicePath)) {
         try {
@@ -6945,7 +7109,7 @@ WantedBy=default.target
       }
       return { installed: true, message: `Service installed at ${servicePath}` };
     } else if (this.os === "linux") {
-      const dir = join8(homedir7(), ".config", "systemd", "user");
+      const dir = join9(homedir7(), ".config", "systemd", "user");
       if (!existsSync6(dir)) mkdirSync5(dir, { recursive: true });
       const unit = this.generateSystemdUnit(nodePath, apiEntry, configPath);
       writeFileSync4(servicePath, unit);
@@ -7071,7 +7235,7 @@ WantedBy=default.target
     } catch {
       return { reason: "Service file unreadable" };
     }
-    const startScript = join8(homedir7(), ".agenticmail", "bin", "start-server.sh");
+    const startScript = join9(homedir7(), ".agenticmail", "bin", "start-server.sh");
     if (serviceContent.includes(startScript)) {
       if (!existsSync6(startScript)) {
         return { reason: "start-server.sh is missing" };
@@ -7104,7 +7268,7 @@ WantedBy=default.target
         return { reason: `Service version drift (current CLI is v${currentVersion})` };
       }
     }
-    const entryCache = join8(homedir7(), ".agenticmail", "api-entry.path");
+    const entryCache = join9(homedir7(), ".agenticmail", "api-entry.path");
     if (existsSync6(entryCache)) {
       try {
         const cached = readFileSync3(entryCache, "utf-8").trim();
@@ -7159,12 +7323,12 @@ var SetupManager = class {
    * falls back to monorepo location.
    */
   getComposePath() {
-    const standalonePath = join9(homedir8(), ".agenticmail", "docker-compose.yml");
+    const standalonePath = join10(homedir8(), ".agenticmail", "docker-compose.yml");
     if (existsSync7(standalonePath)) return standalonePath;
     const cwd = process.cwd();
-    const candidates = [cwd, join9(cwd, "..")];
+    const candidates = [cwd, join10(cwd, "..")];
     for (const dir of candidates) {
-      const p = join9(dir, "docker-compose.yml");
+      const p = join10(dir, "docker-compose.yml");
       if (existsSync7(p)) return p;
     }
     return standalonePath;
@@ -7175,9 +7339,9 @@ var SetupManager = class {
    * Always regenerates Docker files to keep passwords in sync.
    */
   initConfig() {
-    const dataDir = join9(homedir8(), ".agenticmail");
-    const configPath = join9(dataDir, "config.json");
-    const envPath = join9(dataDir, ".env");
+    const dataDir = join10(homedir8(), ".agenticmail");
+    const configPath = join10(dataDir, "config.json");
+    const envPath = join10(dataDir, ".env");
     if (existsSync7(configPath)) {
       try {
         const existing = JSON.parse(readFileSync4(configPath, "utf-8"));
@@ -7229,12 +7393,12 @@ IMAP_PORT=143
    * with the correct admin password from config.
    */
   generateDockerFiles(config) {
-    const dataDir = config.dataDir || join9(homedir8(), ".agenticmail");
+    const dataDir = config.dataDir || join10(homedir8(), ".agenticmail");
     if (!existsSync7(dataDir)) {
       mkdirSync6(dataDir, { recursive: true });
     }
     const password = config.stalwart?.adminPassword || "changeme";
-    const composePath = join9(dataDir, "docker-compose.yml");
+    const composePath = join10(dataDir, "docker-compose.yml");
     writeFileSync5(composePath, `services:
   stalwart:
     # Pinned to v0.15.5 \u2014 Stalwart 0.16+ moved its config to JSON
@@ -7265,7 +7429,7 @@ volumes:
   stalwart-data:
 `);
     chmodSync2(composePath, 384);
-    const tomlPath = join9(dataDir, "stalwart.toml");
+    const tomlPath = join10(dataDir, "stalwart.toml");
     writeFileSync5(tomlPath, `# Stalwart Mail Server \u2014 AgenticMail Configuration
 
 [server]
@@ -7322,7 +7486,7 @@ secret = "${password}"
    * Check if config has already been initialized.
    */
   isInitialized() {
-    const configPath = join9(homedir8(), ".agenticmail", "config.json");
+    const configPath = join10(homedir8(), ".agenticmail", "config.json");
     return existsSync7(configPath);
   }
 };
@@ -7330,7 +7494,7 @@ secret = "${password}"
 // src/threading/thread-id.ts
 import { createHash as createHash2 } from "crypto";
 function stripReplyPrefixes(subject) {
-  let s = subject;
+  let s = subject.length > 1e3 ? subject.slice(0, 1e3) : subject;
   for (; ; ) {
     const next = s.replace(/^\s*(?:re|fwd?|fw)\s*(?:\[\d+\])?\s*:\s*/i, "");
     if (next === s) break;
@@ -7350,8 +7514,9 @@ function normalizeSubject(subject) {
 }
 function normalizeAddress(addr) {
   if (!addr) return "(unknown)";
-  const m = addr.match(/<([^>]+)>/);
-  const raw = m ? m[1] : addr;
+  const bounded = addr.length > 500 ? addr.slice(0, 500) : addr;
+  const m = bounded.match(/<([^>]+)>/);
+  const raw = m ? m[1] : bounded;
   return raw.trim().toLowerCase();
 }
 function threadIdFor(input) {
@@ -7371,8 +7536,8 @@ import {
   renameSync
 } from "fs";
 import { homedir as homedir9 } from "os";
-import { join as join10 } from "path";
-var CACHE_DIR_DEFAULT = join10(homedir9(), ".agenticmail", "thread-cache");
+import { join as join11 } from "path";
+var CACHE_DIR_DEFAULT = join11(homedir9(), ".agenticmail", "thread-cache");
 var DEFAULT_K_MESSAGES = 10;
 var DEFAULT_LRU_CAP = 5e3;
 var PREVIEW_MAX_CHARS = 240;
@@ -7390,7 +7555,7 @@ var ThreadCache = class {
     }
   }
   pathFor(threadId) {
-    return join10(this.dir, `${threadId}.json`);
+    return join11(this.dir, `${threadId}.json`);
   }
   read(threadId) {
     const p = this.pathFor(threadId);
@@ -7480,7 +7645,7 @@ var ThreadCache = class {
     }
     if (files.length <= this.lruCap) return;
     const stats = files.map((f) => {
-      const p = join10(this.dir, f);
+      const p = join11(this.dir, f);
       try {
         return { p, mtime: statSync(p).mtimeMs };
       } catch {
@@ -7519,8 +7684,8 @@ import {
   renameSync as renameSync2
 } from "fs";
 import { homedir as homedir10 } from "os";
-import { join as join11 } from "path";
-var MEMORY_DIR_DEFAULT = join11(homedir10(), ".agenticmail", "agent-memory");
+import { join as join12 } from "path";
+var MEMORY_DIR_DEFAULT = join12(homedir10(), ".agenticmail", "agent-memory");
 var AgentMemoryStore = class {
   dir;
   constructor(opts = {}) {
@@ -7531,10 +7696,10 @@ var AgentMemoryStore = class {
     }
   }
   dirFor(agentId) {
-    return join11(this.dir, sanitizeId(agentId));
+    return join12(this.dir, sanitizeId(agentId));
   }
   pathFor(agentId, threadId) {
-    return join11(this.dirFor(agentId), `${sanitizeId(threadId)}.md`);
+    return join12(this.dirFor(agentId), `${sanitizeId(threadId)}.md`);
   }
   read(agentId, threadId) {
     const p = this.pathFor(agentId, threadId);
@@ -7635,6 +7800,8 @@ export {
   InboxWatcher,
   MailReceiver,
   MailSender,
+  PathTraversalError,
+  REDACTED,
   RELAY_PRESETS,
   RelayBridge,
   RelayGateway,
@@ -7646,7 +7813,10 @@ export {
   StalwartAdmin,
   ThreadCache,
   TunnelManager,
+  UnsafeApiUrlError,
   WARNING_THRESHOLD,
+  assertWithinBase,
+  buildApiUrl,
   buildInboundSecurityAdvisory,
   classifyEmailRoute,
   closeDatabase,
@@ -7665,12 +7835,17 @@ export {
   parseEmail,
   parseGoogleVoiceSms,
   recordToolCall,
+  redactObject,
+  redactSecret,
   resolveConfig,
+  safeJoin,
   sanitizeEmail,
   saveConfig,
   scanOutboundEmail,
   scoreEmail,
   setTelemetryVersion,
   startRelayBridge,
-  threadIdFor
+  threadIdFor,
+  tryJoin,
+  validateApiUrl
 };