@agenticmail/enterprise 0.5.310 → 0.5.312

package/dist/runtime-KFD322X5.js

@@ -0,0 +1,45 @@
+import {
+  AgentRuntime,
+  EmailChannel,
+  FollowUpScheduler,
+  SessionManager,
+  SubAgentManager,
+  ToolRegistry,
+  callLLM,
+  createAgentRuntime,
+  createNoopHooks,
+  createRuntimeHooks,
+  estimateMessageTokens,
+  estimateTokens,
+  executeTool,
+  runAgentLoop,
+  toolsToDefinitions
+} from "./chunk-FNUFLQJ3.js";
+import {
+  PROVIDER_REGISTRY,
+  listAllProviders,
+  resolveApiKeyForProvider,
+  resolveProvider
+} from "./chunk-UF3ZJMJO.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  AgentRuntime,
+  EmailChannel,
+  FollowUpScheduler,
+  PROVIDER_REGISTRY,
+  SessionManager,
+  SubAgentManager,
+  ToolRegistry,
+  callLLM,
+  createAgentRuntime,
+  createNoopHooks,
+  createRuntimeHooks,
+  estimateMessageTokens,
+  estimateTokens,
+  executeTool,
+  listAllProviders,
+  resolveApiKeyForProvider,
+  resolveProvider,
+  runAgentLoop,
+  toolsToDefinitions
+};

package/dist/runtime-UCP46CVY.js

@@ -0,0 +1,45 @@
+import {
+  AgentRuntime,
+  EmailChannel,
+  FollowUpScheduler,
+  SessionManager,
+  SubAgentManager,
+  ToolRegistry,
+  callLLM,
+  createAgentRuntime,
+  createNoopHooks,
+  createRuntimeHooks,
+  estimateMessageTokens,
+  estimateTokens,
+  executeTool,
+  runAgentLoop,
+  toolsToDefinitions
+} from "./chunk-HP42WFMQ.js";
+import {
+  PROVIDER_REGISTRY,
+  listAllProviders,
+  resolveApiKeyForProvider,
+  resolveProvider
+} from "./chunk-UF3ZJMJO.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  AgentRuntime,
+  EmailChannel,
+  FollowUpScheduler,
+  PROVIDER_REGISTRY,
+  SessionManager,
+  SubAgentManager,
+  ToolRegistry,
+  callLLM,
+  createAgentRuntime,
+  createNoopHooks,
+  createRuntimeHooks,
+  estimateMessageTokens,
+  estimateTokens,
+  executeTool,
+  listAllProviders,
+  resolveApiKeyForProvider,
+  resolveProvider,
+  runAgentLoop,
+  toolsToDefinitions
+};

package/dist/server-6JMYVJVM.js

@@ -0,0 +1,28 @@
+import {
+  createServer
+} from "./chunk-VKSOKBVG.js";
+import "./chunk-DJBCRQTD.js";
+import "./chunk-UF3ZJMJO.js";
+import "./chunk-EKMS2KSE.js";
+import "./chunk-VSBC4SWO.js";
+import "./chunk-AF3WSNVX.js";
+import "./chunk-74ZCQKYU.js";
+import "./chunk-MOGIJA6K.js";
+import "./chunk-C6JP5NR6.js";
+import "./chunk-M6ZIC5H3.js";
+import "./chunk-PWWV2U5P.js";
+import "./chunk-MXK7RLTF.js";
+import "./chunk-3FMK32KQ.js";
+import "./chunk-Z7NVD3OQ.js";
+import "./chunk-YDD5TC5Q.js";
+import "./chunk-37ABTUFU.js";
+import "./chunk-NU657BBQ.js";
+import "./chunk-PGAU3W3M.js";
+import "./chunk-JGEVQZDR.js";
+import "./chunk-WUAWWKTN.js";
+import "./chunk-HS5YWSGM.js";
+import "./chunk-22U7TZPN.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  createServer
+};

package/dist/server-CA2I3LJY.js

@@ -0,0 +1,28 @@
+import {
+  createServer
+} from "./chunk-Y2KIY4BA.js";
+import "./chunk-DJBCRQTD.js";
+import "./chunk-UF3ZJMJO.js";
+import "./chunk-EKMS2KSE.js";
+import "./chunk-VSBC4SWO.js";
+import "./chunk-AF3WSNVX.js";
+import "./chunk-74ZCQKYU.js";
+import "./chunk-MOGIJA6K.js";
+import "./chunk-C6JP5NR6.js";
+import "./chunk-M6ZIC5H3.js";
+import "./chunk-PWWV2U5P.js";
+import "./chunk-MXK7RLTF.js";
+import "./chunk-3FMK32KQ.js";
+import "./chunk-Z7NVD3OQ.js";
+import "./chunk-YDD5TC5Q.js";
+import "./chunk-37ABTUFU.js";
+import "./chunk-NU657BBQ.js";
+import "./chunk-PGAU3W3M.js";
+import "./chunk-JGEVQZDR.js";
+import "./chunk-WUAWWKTN.js";
+import "./chunk-HS5YWSGM.js";
+import "./chunk-22U7TZPN.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  createServer
+};

package/dist/server-ZA2N7MOP.js

@@ -0,0 +1,28 @@
+import {
+  createServer
+} from "./chunk-NM4KTDG2.js";
+import "./chunk-DJBCRQTD.js";
+import "./chunk-UF3ZJMJO.js";
+import "./chunk-HZZPIICV.js";
+import "./chunk-VSBC4SWO.js";
+import "./chunk-AF3WSNVX.js";
+import "./chunk-74ZCQKYU.js";
+import "./chunk-MOGIJA6K.js";
+import "./chunk-C6JP5NR6.js";
+import "./chunk-M6ZIC5H3.js";
+import "./chunk-PWWV2U5P.js";
+import "./chunk-MXK7RLTF.js";
+import "./chunk-3FMK32KQ.js";
+import "./chunk-Z7NVD3OQ.js";
+import "./chunk-YDD5TC5Q.js";
+import "./chunk-37ABTUFU.js";
+import "./chunk-NU657BBQ.js";
+import "./chunk-PGAU3W3M.js";
+import "./chunk-JGEVQZDR.js";
+import "./chunk-WUAWWKTN.js";
+import "./chunk-HS5YWSGM.js";
+import "./chunk-22U7TZPN.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  createServer
+};

package/dist/setup-HUYSMSBI.js

@@ -0,0 +1,20 @@
+import {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+} from "./chunk-PFMIOSR5.js";
+import "./chunk-4WLJIZZB.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+};

package/dist/setup-PT6WGOYB.js

@@ -0,0 +1,20 @@
+import {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+} from "./chunk-OPOBUYJT.js";
+import "./chunk-4WLJIZZB.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+};

package/dist/setup-VF4ZBLQQ.js

@@ -0,0 +1,20 @@
+import {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+} from "./chunk-MBT5ND3D.js";
+import "./chunk-4WLJIZZB.js";
+import "./chunk-KFQGP6VL.js";
+export {
+  promptCompanyInfo,
+  promptDatabase,
+  promptDeployment,
+  promptDomain,
+  promptRegistration,
+  provision,
+  runSetupWizard
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenticmail/enterprise",
-  "version": "0.5.310",
+  "version": "0.5.312",
   "description": "AgenticMail Enterprise — cloud-hosted AI agent identity, email, auth & compliance for organizations",
   "type": "module",
   "bin": {

package/src/admin/routes.ts

@@ -757,13 +757,15 @@ export function createAdminRoutes(db: DatabaseAdapter) {
     const userRole = c.get('userRole' as any);
     if (!userId) return c.json({ error: 'Not authenticated' }, 401);
 
+    const user = await db.getUser(userId);
+    const clientOrgId = user?.clientOrgId || c.get('clientOrgId' as any) || null;
+
     // Owner and admin always get full access
     if (userRole === 'owner' || userRole === 'admin') {
-      return c.json({ permissions: '*', role: userRole });
+      return c.json({ permissions: '*', role: userRole, clientOrgId });
     }
 
-    const user = await db.getUser(userId);
-    return c.json({ permissions: user?.permissions ?? '*', role: userRole, clientOrgId: user?.clientOrgId || null });
+    return c.json({ permissions: user?.permissions ?? '*', role: userRole, clientOrgId });
   });
 
   // ─── Platform Capabilities ──────────────────────────
@@ -2195,8 +2197,26 @@ export function createAdminRoutes(db: DatabaseAdapter) {
 
   // ─── Client Organizations ─────────────────────────────
 
-  api.get('/organizations', requireRole('admin'), async (c) => {
+  api.get('/organizations', async (c) => {
     try {
+      // Org-bound users can only see their own organization
+      const clientOrgId = c.get('clientOrgId' as any);
+      if (clientOrgId) {
+        const isPostgres = (db as any).pool;
+        if (isPostgres) {
+          const { rows } = await (db as any)._query(
+            `SELECT o.*, COUNT(a.id) as agent_count FROM client_organizations o LEFT JOIN agents a ON a.client_org_id = o.id WHERE o.id = $1 GROUP BY o.id`, [clientOrgId]);
+          return c.json({ organizations: rows });
+        }
+        return c.json({ organizations: [] });
+      }
+
+      // Full access for admins/owners
+      const userRole = c.get('userRole' as any);
+      if (userRole !== 'admin' && userRole !== 'owner') {
+        return c.json({ error: 'Insufficient permissions' }, 403);
+      }
+
       const isPostgres = (db as any).pool;
       if (isPostgres) {
         const { rows } = await (db as any)._query(`

package/src/auth/routes.ts

@@ -73,11 +73,14 @@ export function createAuthRoutes(
     return process.env.NODE_ENV === 'production' || process.env.SECURE_COOKIES === '1';
   };
 
-  async function issueTokens(userId: string, email: string, role: string) {
+  async function issueTokens(userId: string, email: string, role: string, clientOrgId?: string | null) {
     const { SignJWT } = await import('jose');
     const secret = new TextEncoder().encode(jwtSecret);
 
-    const token = await new SignJWT({ sub: userId, email, role })
+    const payload: Record<string, any> = { sub: userId, email, role };
+    if (clientOrgId) payload.clientOrgId = clientOrgId;
+
+    const token = await new SignJWT(payload)
       .setProtectedHeader({ alg: 'HS256' })
       .setIssuedAt()
       .setExpirationTime(TOKEN_TTL)
@@ -93,8 +96,8 @@ export function createAuthRoutes(
   }
 
   /** Set session cookies and return token info */
-  async function setSessionCookies(c: any, userId: string, email: string, role: string, method: string) {
-    const { token, refreshToken } = await issueTokens(userId, email, role);
+  async function setSessionCookies(c: any, userId: string, email: string, role: string, method: string, clientOrgId?: string | null) {
+    const { token, refreshToken } = await issueTokens(userId, email, role, clientOrgId);
     const csrf = generateCsrf();
     const secure = isSecure();
 
@@ -301,7 +304,7 @@ export function createAuthRoutes(
       });
     }
 
-    const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'password');
+    const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'password', user.clientOrgId);
 
     return c.json({
       token,
@@ -360,7 +363,7 @@ export function createAuthRoutes(
 
     pending2fa.delete(challengeToken);
 
-    const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'password+2fa');
+    const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'password+2fa', user.clientOrgId);
 
     return c.json({
       token,
@@ -614,7 +617,7 @@ export function createAuthRoutes(
     const user = await db.getUser(key.createdBy);
     if (!user) return c.json({ error: 'API key owner not found' }, 401);
 
-    const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'api-key');
+    const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'api-key', user.clientOrgId);
 
     return c.json({
       token,
@@ -643,7 +646,7 @@ export function createAuthRoutes(
       const user = await db.getUser(payload.sub as string);
       if (!user) return c.json({ error: 'User not found' }, 401);
 
-      const { token, refreshToken } = await issueTokens(user.id, user.email, user.role);
+      const { token, refreshToken } = await issueTokens(user.id, user.email, user.role, user.clientOrgId);
       const csrf = generateCsrf();
       const secure = isSecure();
 
@@ -890,7 +893,7 @@ export function createAuthRoutes(
         ip: c.req.header('x-forwarded-for') || c.req.header('x-real-ip'),
       });
 
-      const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'bootstrap');
+      const { token, refreshToken, csrf } = await setSessionCookies(c, user.id, user.email, user.role, 'bootstrap', user.clientOrgId);
 
       // Notify server that setup is complete (flips the dashboard latch)
       opts?.onBootstrap?.();
@@ -1214,7 +1217,7 @@ export function createAuthRoutes(
     }
 
     // Issue session
-    await setSessionCookies(c, result.user.id, result.user.email, result.user.role, 'oidc');
+    await setSessionCookies(c, result.user.id, result.user.email, result.user.role, 'oidc', result.user.clientOrgId);
 
     // Redirect to dashboard
     return c.redirect('/dashboard');
@@ -1363,7 +1366,7 @@ export function createAuthRoutes(
     }
 
     // Issue session
-    await setSessionCookies(c, result.user.id, result.user.email, result.user.role, 'saml');
+    await setSessionCookies(c, result.user.id, result.user.email, result.user.role, 'saml', result.user.clientOrgId);
 
     // Redirect to dashboard (or RelayState)
     return c.redirect('/dashboard');

package/src/dashboard/app.js

@@ -163,6 +163,12 @@ function App() {
     if (document.cookie.match(/em_session|em_csrf/)) {
       authCall('/me').then(async d => {
         setUser(d.user || d);
+        // If user is org-bound, lock org context immediately
+        var u = d.user || d;
+        if (u.clientOrgId) {
+          setSelectedOrgId(u.clientOrgId);
+          localStorage.setItem('em_client_org_id', u.clientOrgId);
+        }
         // Init transport encryption BEFORE setting authed — ensures all subsequent
         // API calls from child components are encrypted
         try {
@@ -202,9 +208,10 @@ function App() {
     apiCall('/settings').then(d => { const s = d.settings || d || {}; if (s.primaryColor) applyBrandColor(s.primaryColor); if (s.orgId) setOrgId(s.orgId); }).catch(() => {});
     apiCall('/me/permissions').then(d => {
       if (d && d.permissions) setPermissions(d.permissions);
-      // If user is assigned to a client org, auto-set org context
+      // If user is assigned to a client org, auto-set org context and lock switcher
       if (d && d.clientOrgId) {
         localStorage.setItem('em_client_org_id', d.clientOrgId);
+        setSelectedOrgId(d.clientOrgId);
       } else {
         localStorage.removeItem('em_client_org_id');
       }

package/src/engine/compliance.ts

@@ -705,7 +705,7 @@ export class ComplianceReporter {
         timeline.push({ timestamp: v.created_at, source: 'vault_access', category: 'access', agentId: v.agent_id, detail: `Vault ${v.action}: ${v.key}`, data: { action: v.action, key: v.key } });
       }
 
-      timeline.sort((a, b) => a.timestamp.localeCompare(b.timestamp));
+      timeline.sort((a, b) => String(a.timestamp || '').localeCompare(String(b.timestamp || '')));
       data.timeline = timeline;
 
       // Summary statistics
@@ -720,7 +720,7 @@ export class ComplianceReporter {
         data.summary.bySource[e.source] = (data.summary.bySource[e.source] || 0) + 1;
         data.summary.byCategory[e.category] = (data.summary.byCategory[e.category] || 0) + 1;
         data.summary.byAgent[e.agentId] = (data.summary.byAgent[e.agentId] || 0) + 1;
-        const day = e.timestamp?.substring(0, 10);
+        const day = String(e.timestamp || '').substring(0, 10);
         if (day) data.summary.byDay[day] = (data.summary.byDay[day] || 0) + 1;
       }
 

package/src/server.ts

@@ -278,6 +278,7 @@ export function createServer(config: ServerConfig): ServerInstance {
       c.set('userRole', (payload.role as string) || '');
       c.set('userEmail', (payload.email as string) || '');
       c.set('userOrgId', (payload.orgId as string) || '');
+      c.set('clientOrgId', (payload.clientOrgId as string) || '');
       c.set('authType', cookieToken ? 'cookie' : 'jwt');
       return next();
     } catch {
@@ -285,6 +286,35 @@ export function createServer(config: ServerConfig): ServerInstance {
     }
   });
 
+  // ─── Org-scoping enforcement for client-bound users ───
+  // Users with clientOrgId in JWT can ONLY access their bound org's data
+  api.use('*', async (c: any, next: any) => {
+    const clientOrgId = c.get('clientOrgId');
+    if (!clientOrgId) return next(); // Not org-bound, full access
+
+    // Override orgId in query params to enforce scoping
+    const url = new URL(c.req.url);
+    const requestedOrg = url.searchParams.get('orgId');
+    if (requestedOrg && requestedOrg !== clientOrgId) {
+      return c.json({ error: 'Access denied: you can only access your assigned organization' }, 403);
+    }
+
+    // Block org listing — only return their own org
+    const path = c.req.path;
+    if (path === '/api/organizations' && c.req.method === 'GET') {
+      // Let it through but we'll filter in the response
+      // Store the clientOrgId for downstream filtering
+    }
+
+    // Block access to other orgs' data via path params (e.g., /api/engine/stats/:orgId)
+    const orgIdMatch = path.match(/\/stats\/([^/]+)/);
+    if (orgIdMatch && orgIdMatch[1] !== clientOrgId) {
+      return c.json({ error: 'Access denied: you can only access your assigned organization' }, 403);
+    }
+
+    return next();
+  });
+
   // Audit logging on all API mutations
   api.use('*', auditLogger(config.db));