@bobfrankston/mailx 1.0.219 → 1.0.220

package/client/.msger-window.json

@@ -1 +1 @@
-{"height":1344,"width":2151,"x":194,"y":22}
+{"height":1344,"width":2151,"x":1060,"y":329}

package/client/app.js

@@ -192,6 +192,24 @@ document.getElementById("folder-tree")?.addEventListener("click", (e) => {
         document.querySelector(".folder-panel")?.classList.remove("open");
     }
 });
+// Close folder overlay when user clicks outside it (narrow mode OR
+// medium-width mode where the folder panel slides in as an overlay).
+// Uses capture phase so it beats any child handler that might stopPropagation.
+document.addEventListener("pointerdown", (e) => {
+    const panel = document.querySelector(".folder-panel");
+    if (!panel || !panel.classList.contains("open"))
+        return;
+    const target = e.target;
+    // Ignore clicks inside the panel itself and on the hamburger toggle
+    if (target.closest(".folder-panel") || target.closest("#btn-menu"))
+        return;
+    // Only auto-dismiss when we're in overlay mode (small or medium screens).
+    // On wide screens the panel is a permanent column and the "open" class
+    // is irrelevant.
+    if (window.innerWidth <= 1100 || window.innerHeight <= 600) {
+        panel.classList.remove("open");
+    }
+}, true);
 // ── Toolbar actions ──
 document.getElementById("btn-sync")?.addEventListener("click", async () => {
     const btn = document.getElementById("btn-sync");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/mailx",
-  "version": "1.0.219",
+  "version": "1.0.220",
   "description": "Local-first email client with IMAP sync and standalone native app",
   "type": "module",
   "main": "bin/mailx.js",
@@ -20,7 +20,7 @@
     "postinstall": "node bin/postinstall.js"
   },
   "dependencies": {
-    "@bobfrankston/iflow-direct": "^0.1.8",
+    "@bobfrankston/iflow-direct": "^0.1.9",
     "@bobfrankston/iflow-node": "^0.1.2",
     "@bobfrankston/miscinfo": "^1.0.8",
     "@bobfrankston/oauthsupport": "^1.0.22",
@@ -74,7 +74,7 @@
   },
   ".transformedSnapshot": {
     "dependencies": {
-      "@bobfrankston/iflow-direct": "^0.1.8",
+      "@bobfrankston/iflow-direct": "^0.1.9",
       "@bobfrankston/iflow-node": "^0.1.2",
       "@bobfrankston/miscinfo": "^1.0.8",
       "@bobfrankston/oauthsupport": "^1.0.22",

package/packages/mailx-service/index.js

@@ -341,11 +341,34 @@ export class MailxService {
         const account = settings.accounts.find(a => a.id === msg.from);
         if (!account)
             throw new Error(`Unknown account: ${msg.from}`);
+        // Vet every recipient address — refuse to send if any field contains a
+        // non-email (e.g. "Bob Frankston <Bob Frankston>" from a bad contact
+        // autocomplete). This catches garbage BEFORE it hits SMTP, where the
+        // server would either accept-and-bounce or reject the whole envelope.
+        const emailRe = /^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$/;
+        const validateList = (label, list) => {
+            if (!list)
+                return;
+            for (const a of list) {
+                const addr = (a?.address || "").trim();
+                if (!addr)
+                    throw new Error(`${label} has an empty address`);
+                if (!emailRe.test(addr))
+                    throw new Error(`${label} has an invalid address: "${addr}"${a?.name ? ` (displayed as "${a.name}")` : ""}`);
+            }
+        };
+        validateList("To", msg.to);
+        validateList("Cc", msg.cc);
+        validateList("Bcc", msg.bcc);
+        if (!msg.to?.length)
+            throw new Error("No To recipients");
         // Extract bare email from fromAddress (may be "Name <addr>" or just "addr")
         let fromAddr = msg.fromAddress || account.email;
         const angleMatch = fromAddr.match(/<([^>]+)>/);
         if (angleMatch)
             fromAddr = angleMatch[1];
+        if (!emailRe.test(fromAddr))
+            throw new Error(`From address is not a valid email: "${fromAddr}"`);
         const fromHeader = `${account.name} <${fromAddr}>`;
         const to = msg.to.map((a) => a.name ? `${a.name} <${a.address}>` : a.address).join(", ");
         const cc = msg.cc?.map((a) => a.name ? `${a.name} <${a.address}>` : a.address).join(", ");

package/packages/mailx-store/db.js

@@ -369,6 +369,11 @@ export class MailxDB {
     // ── Contacts ──
     /** Record an address used in sent mail */
     recordSentAddress(name, email) {
+        // Don't pollute the contacts table with non-addresses. Anything without
+        // an @ or without a TLD-ish tail would show up in autocomplete and end
+        // up back in To/Cc headers as "Name <not an email>".
+        if (!email || !/^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$/.test(email))
+            return;
         const now = Date.now();
         const existing = this.db.prepare("SELECT id FROM contacts WHERE email = ?").get(email);
         if (existing) {
@@ -387,6 +392,9 @@ export class MailxDB {
              GROUP BY from_address`).all();
         let added = 0;
         for (const r of rows) {
+            // Skip invalid addresses so contact autocomplete never proposes non-emails
+            if (!r.from_address || !/^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$/.test(r.from_address))
+                continue;
             const existing = this.db.prepare("SELECT id FROM contacts WHERE email = ?").get(r.from_address);
             if (!existing) {
                 this.db.prepare("INSERT INTO contacts (source, name, email, last_used, use_count, updated_at) VALUES ('received', ?, ?, ?, ?, ?)").run(r.from_name || "", r.from_address, r.last, r.cnt, now);