@bobfrankston/mailx 1.0.246 → 1.0.253

package/packages/mailx-imap/index.js

@@ -12,7 +12,9 @@ import * as fs from "node:fs";
 import * as path from "node:path";
 import { simpleParser } from "mailparser";
 import { GmailApiProvider } from "./providers/gmail-api.js";
+import { SmtpClient } from "@bobfrankston/smtp-direct";
 import * as os from "node:os";
+import { fileURLToPath } from "node:url";
 // Well-known ports — no magic numbers
 const SMTP_PORT_STARTTLS = 587;
 const SMTP_PORT_IMPLICIT_TLS = 465;
@@ -367,7 +369,10 @@ export class ImapManager extends EventEmitter {
             let credPath = path.join(getConfigDir(), "google-credentials.json");
             if (!fs.existsSync(credPath)) {
                 try {
-                    const pkgDir = path.dirname(import.meta.resolve("@bobfrankston/iflow-direct").replace("file:///", "").replace("file://", ""));
+                    // Use fileURLToPath, NOT string-replace on "file://" — on Linux,
+                    // file:///usr/local/... loses its leading slash via .replace("file:///",
+                    // "") and becomes relative, so fs.existsSync silently fails.
+                    const pkgDir = path.dirname(fileURLToPath(import.meta.resolve("@bobfrankston/iflow-direct")));
                     for (const name of ["iflow-credentials.json"]) {
                         const p = path.join(pkgDir, name);
                         if (fs.existsSync(p)) {
@@ -758,6 +763,7 @@ export class ImapManager extends EventEmitter {
         // Use recalcFolderCounts — single SQL query instead of fetching all messages
         this.db.recalcFolderCounts(folderId);
         this.emit("syncProgress", accountId, `sync:${folder.path}`, 100);
+        const syncedAt = Date.now();
         // Notify client to refresh if anything changed
         if (newCount > 0 || deletedCount > 0) {
             const updatedFolder = this.db.getFolders(accountId).find(f => f.id === folderId);
@@ -765,7 +771,8 @@ export class ImapManager extends EventEmitter {
                 [folderId]: { total: updatedFolder?.totalCount || 0, unread: updatedFolder?.unreadCount || 0 }
             });
         }
-        this.db.updateLastSync(accountId, Date.now());
+        this.emit("folderSynced", accountId, folderId, syncedAt);
+        this.db.updateLastSync(accountId, syncedAt);
         return newCount;
     }
     /** Sync all folders for all accounts */
@@ -1014,6 +1021,7 @@ export class ImapManager extends EventEmitter {
         }
         this.db.recalcFolderCounts(folder.id);
         this.emit("folderCountsChanged", accountId, {});
+        this.emit("folderSynced", accountId, folder.id, Date.now());
         this.emit("syncProgress", accountId, `sync:${folder.path}`, 100);
     }
     /** Store API-fetched messages to DB */
@@ -1977,6 +1985,37 @@ export class ImapManager extends EventEmitter {
     async processLocalQueue(accountId) {
         const outboxDir = path.join(getConfigDir(), "outbox", accountId);
         const queuedDir = path.join(getConfigDir(), "sending", accountId, "queued");
+        // Recovery sweep: any *.sending-<host>-<pid> on THIS host whose PID is
+        // dead (process crashed mid-send) gets unclaimed so the next tick can
+        // retry. Foreign hosts are left alone — we have no way to know if their
+        // process is alive. Cross-host stale recovery is the IMAP-folder path's
+        // job (sweeper looks at server-side claim flags, not local files).
+        for (const dir of [outboxDir, queuedDir]) {
+            if (!fs.existsSync(dir))
+                continue;
+            for (const f of fs.readdirSync(dir)) {
+                const m = f.match(/^(.+)\.sending-([^-]+)-(\d+)$/);
+                if (!m)
+                    continue;
+                const [, original, host, pidStr] = m;
+                if (host !== this.hostname)
+                    continue;
+                const pid = parseInt(pidStr);
+                let alive = false;
+                try {
+                    process.kill(pid, 0);
+                    alive = true;
+                }
+                catch { /* dead */ }
+                if (alive)
+                    continue; // live claim — owner (sibling or self) still has it
+                try {
+                    fs.renameSync(path.join(dir, f), path.join(dir, original));
+                    console.log(`  [outbox] Recovered stale claim ${f} → ${original}`);
+                }
+                catch { /* ignore */ }
+            }
+        }
         const filesToSend = [];
         for (const dir of [outboxDir, queuedDir]) {
             if (!fs.existsSync(dir))
@@ -1994,32 +2033,57 @@ export class ImapManager extends EventEmitter {
             const nowMs = Date.now();
             for (const { dir, file } of filesToSend) {
                 const filePath = path.join(dir, file);
-                let raw = fs.readFileSync(filePath, "utf-8");
+                // Atomic claim: rename to <file>.sending-<host>-<pid> so a sibling
+                // process scanning the same dir can't grab the same .ltr. Filesystem
+                // rename is atomic; loser sees ENOENT and skips. Without this, two
+                // mailx instances on one machine (or two ticks within one process)
+                // could both pass the Message-ID dedup check and both call SMTP.
+                const claimSuffix = `.sending-${this.hostname}-${process.pid}`;
+                const claimedPath = filePath + claimSuffix;
+                try {
+                    fs.renameSync(filePath, claimedPath);
+                }
+                catch (e) {
+                    if (e.code === "ENOENT")
+                        continue; // another process won
+                    throw e;
+                }
+                let raw = fs.readFileSync(claimedPath, "utf-8");
                 // Per-message rate limit: if a prior attempt set X-Mailx-Retry-After
                 // in the future, skip this file for now. Minimizes the race where the
                 // SMTP server actually accepted DATA but we lost the ack and would
                 // otherwise retry immediately on the next 10s tick.
                 const retryInfo = parseRetryInfo(raw);
-                if (retryInfo.nextAttemptAt > nowMs)
+                if (retryInfo.nextAttemptAt > nowMs) {
+                    // Release claim — let next tick reconsider
+                    try {
+                        fs.renameSync(claimedPath, filePath);
+                    }
+                    catch { /* ignore */ }
                     continue;
+                }
                 // Record this attempt: strip internal X-Mailx-Retry-After, append a new
                 // X-Mailx-Retry: N <ISO-timestamp> line to the headers. The updated file
                 // is written back *before* the send so a crash mid-send doesn't lose state.
                 const attempt = retryInfo.attemptCount + 1;
                 raw = stripHeaderField(raw, "X-Mailx-Retry-After");
                 raw = insertHeaderBeforeBody(raw, `X-Mailx-Retry: ${attempt} ${new Date().toISOString()}`);
-                fs.writeFileSync(filePath, raw, "utf-8");
+                fs.writeFileSync(claimedPath, raw, "utf-8");
                 try {
                     await this.sendRawViaSMTP(accountId, raw);
-                    fs.renameSync(filePath, path.join(sentDir, file));
+                    fs.renameSync(claimedPath, path.join(sentDir, file));
                     console.log(`  [outbox] Sent ${file} via SMTP → sent/ (attempt ${attempt})`);
                 }
                 catch (e) {
-                    // Persist a next-attempt timestamp so the same file won't be retried
-                    // until RETRY_DELAY_MS later — gives the server time to settle.
+                    // Persist a next-attempt timestamp and release the claim so the
+                    // file is visible to the scan loop again.
                     const nextAt = new Date(nowMs + OUTBOX_RETRY_DELAY_MS).toISOString();
                     const withDelay = insertHeaderBeforeBody(raw, `X-Mailx-Retry-After: ${nextAt}`);
-                    fs.writeFileSync(filePath, withDelay, "utf-8");
+                    fs.writeFileSync(claimedPath, withDelay, "utf-8");
+                    try {
+                        fs.renameSync(claimedPath, filePath);
+                    }
+                    catch { /* file stays claimed; recovery sweeper will handle */ }
                     console.error(`  [outbox] Send failed for ${file} (attempt ${attempt}, retry after ${nextAt}): ${e.message}`);
                 }
             }
@@ -2050,36 +2114,34 @@ export class ImapManager extends EventEmitter {
             // IMAP still unreachable — leave files for next attempt
         }
     }
-    /** Send a raw RFC 2822 message via SMTP for a given account */
+    /** Send a raw RFC 2822 message via SMTP for a given account.
+     *  Uses @bobfrankston/smtp-direct with the same TransportFactory as IMAP —
+     *  same TCP byte-stream interface, no nodemailer dependency. */
     async sendRawViaSMTP(accountId, raw) {
         const settings = loadSettings();
         const account = settings.accounts.find(a => a.id === accountId);
         if (!account?.smtp)
             throw new Error(`No SMTP config for ${accountId}`);
-        // SMTP auth: use explicit SMTP credentials, fall back to IMAP credentials
-        let smtpAuth;
+        const smtpPort = account.smtp.port || SMTP_PORT_STARTTLS;
+        const smtpHost = account.smtp.host || account.imap?.host;
+        if (!smtpHost)
+            throw new Error(`No SMTP host for ${accountId}`);
+        // SMTP auth: explicit SMTP creds, fall back to IMAP creds for password auth.
         const smtpAuthType = account.smtp.auth || (account.imap?.password ? "password" : undefined);
+        const smtpUser = account.smtp.user || account.imap?.user || account.email;
+        let auth;
         if (smtpAuthType === "password") {
-            smtpAuth = {
-                user: account.smtp.user || account.imap?.user || account.email,
-                pass: account.smtp.password || account.imap?.password,
-            };
+            const pass = account.smtp.password || account.imap?.password;
+            if (!pass)
+                throw new Error("SMTP password not configured");
+            auth = { method: "PLAIN", user: smtpUser, pass };
         }
         else if (smtpAuthType === "oauth2") {
-            const accessToken = await this.getOAuthToken(accountId);
-            if (!accessToken)
+            const token = await this.getOAuthToken(accountId);
+            if (!token)
                 throw new Error("OAuth token not available");
-            smtpAuth = { type: "OAuth2", user: account.smtp.user || account.imap?.user || account.email, accessToken };
+            auth = { method: "XOAUTH2", user: smtpUser, token };
         }
-        const { createTransport } = await import("nodemailer");
-        const smtpPort = account.smtp.port || SMTP_PORT_STARTTLS;
-        const transport = createTransport({
-            host: account.smtp.host || account.imap?.host,
-            port: smtpPort,
-            secure: smtpPort === SMTP_PORT_IMPLICIT_TLS, // 465 = implicit TLS, 587 = STARTTLS
-            auth: smtpAuth,
-            tls: { rejectUnauthorized: false },
-        });
         const parseAddrs = (s) => s.match(/[\w.+-]+@[\w.-]+/g) || [];
         const toMatch = raw.match(/^To:\s*(.+)$/mi);
         const ccMatch = raw.match(/^Cc:\s*(.+)$/mi);
@@ -2097,17 +2159,33 @@ export class ImapManager extends EventEmitter {
             throw new Error("No recipients");
         // Dedup: skip if this Message-ID has already been sent. Prevents the
         // outbox from re-sending the same file across crash/restart cycles.
-        // Without this, a queued .ltr that was mid-delivery when mailx crashed
-        // would be re-sent on every startup until the rename loop completed.
         const messageId = messageIdMatch ? messageIdMatch[1] : "";
         if (messageId && this.db.hasSentMessage(messageId)) {
             console.log(`  [smtp] ${accountId}: SKIP ${messageId} — already in sent_log`);
-            return; // caller will move the file to sent/ without re-sending
+            return;
         }
         const rawToSend = raw.replace(/^Bcc:.*\r?\n/mi, "");
         this.saveSendingCopy(accountId, rawToSend, "sent");
-        await transport.sendMail({ envelope: { from: sender, to: recipients }, raw: rawToSend });
-        // Record the successful send so future attempts dedupe against it.
+        const smtp = new SmtpClient({
+            host: smtpHost,
+            port: smtpPort,
+            secure: smtpPort === SMTP_PORT_IMPLICIT_TLS,
+            auth,
+            localname: os.hostname(),
+        }, this.transportFactory);
+        try {
+            await smtp.connect();
+            const result = await smtp.sendMail({ from: sender, to: recipients }, rawToSend);
+            if (result.rejected.length > 0) {
+                console.log(`  [smtp] ${accountId}: ${result.rejected.length} recipient(s) rejected: ${result.rejected.map(r => `${r.address} (${r.code})`).join(", ")}`);
+            }
+        }
+        finally {
+            try {
+                await smtp.quit();
+            }
+            catch { /* ignore */ }
+        }
         if (messageId) {
             this.db.recordSent(messageId, accountId, subjectMatch?.[1]?.trim() || "", recipients);
         }
@@ -2139,21 +2217,54 @@ export class ImapManager extends EventEmitter {
                 catch { }
                 return;
             }
-            const sendingFlag = `$Sending-${this.hostname}`;
+            // Stale-claim recovery: if a peer (or our prior incarnation) crashed
+            // mid-send, the $Sending-<host>-<ts> flag would otherwise pin the
+            // message forever. Sweep flags older than STALE_CLAIM_MS first.
+            const STALE_CLAIM_MS = 3600_000; // 1 hour — far longer than any reasonable SMTP send
+            const nowSec = Math.floor(Date.now() / 1000);
+            // Encode our claim with a seconds-since-epoch timestamp so peers
+            // (and our own restart sweeper) can identify stale entries.
+            const sendingFlag = `$Sending-${this.hostname}-${nowSec}`;
             for (const uid of uids) {
                 // Check flags — skip if already being sent or permanently failed
                 const flags = await client.getFlags(outboxFolder.path, uid);
-                if (flags.some((f) => f.startsWith("$Sending")))
+                // Sweep stale claims. New form: $Sending-<host>-<sec>. Old form
+                // ($Sending-<host>, no timestamp) is treated as stale on first
+                // encounter — safe because if its owner is alive, it'll re-claim
+                // with a fresh timestamped flag on its next tick.
+                const claimFlags = flags.filter((f) => f.startsWith("$Sending"));
+                for (const cf of claimFlags) {
+                    const m = cf.match(/^\$Sending-(.+?)(?:-(\d+))?$/);
+                    if (!m)
+                        continue;
+                    const tsSec = m[2] ? parseInt(m[2]) : 0;
+                    const ageSec = nowSec - tsSec;
+                    if (ageSec * 1000 > STALE_CLAIM_MS) {
+                        try {
+                            await client.removeFlags(outboxFolder.path, uid, [cf]);
+                            console.log(`  [outbox] Swept stale claim ${cf} on UID ${uid} (age ${Math.round(ageSec / 60)}m)`);
+                        }
+                        catch { /* ignore */ }
+                    }
+                }
+                // Re-read flags after sweep
+                const flagsNow = (claimFlags.length > 0)
+                    ? await client.getFlags(outboxFolder.path, uid)
+                    : flags;
+                if (flagsNow.some((f) => f.startsWith("$Sending")))
                     continue;
-                if (flags.includes("$PermanentFailure"))
+                if (flagsNow.includes("$PermanentFailure"))
                     continue;
-                if (flags.includes("$Failed")) {
+                if (flagsNow.includes("$Failed")) {
                     // Retry: remove failed flag
                     await client.removeFlags(outboxFolder.path, uid, ["$Failed"]);
                 }
                 // Claim this message
                 await client.addFlags(outboxFolder.path, uid, [sendingFlag]);
-                // Re-check — did we win the race?
+                // Re-check — did we win the race? (TOCTOU window: two devices
+                // both reaching addFlags concurrently both see ≥2 sending flags
+                // and both back off — fails safe; nobody sends this tick, next
+                // tick one wins.)
                 const flagsAfter = await client.getFlags(outboxFolder.path, uid);
                 const sendingFlags = flagsAfter.filter((f) => f.startsWith("$Sending"));
                 if (sendingFlags.length > 1 || (sendingFlags.length === 1 && sendingFlags[0] !== sendingFlag)) {

package/packages/mailx-imap/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/mailx-imap",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "type": "module",
   "main": "index.js",
   "types": "index.d.ts",
@@ -13,8 +13,9 @@
     "@bobfrankston/mailx-settings": "file:../mailx-settings",
     "@bobfrankston/mailx-store": "file:../mailx-store",
     "@bobfrankston/iflow-direct": "file:../../../MailApps/iflow-direct",
-    "@bobfrankston/oauthsupport": "file:../../../../projects/oauth/oauthsupport",
-    "nodemailer": "^7.0.0"
+    "@bobfrankston/tcp-transport": "file:../../../MailApps/tcp-transport",
+    "@bobfrankston/smtp-direct": "file:../../../MailApps/smtp-direct",
+    "@bobfrankston/oauthsupport": "file:../../../../projects/oauth/oauthsupport"
   },
   "repository": {
     "type": "git",

package/packages/mailx-server/index.js

@@ -230,6 +230,9 @@ imapManager.on("syncProgress", (accountId, phase, progress) => {
 imapManager.on("folderCountsChanged", (accountId, counts) => {
     broadcast({ type: "folderCountsChanged", accountId, counts });
 });
+imapManager.on("folderSynced", (accountId, folderId, syncedAt) => {
+    broadcast({ type: "folderSynced", accountId, entries: [{ folderId, syncedAt }] });
+});
 imapManager.on("syncError", (accountId, error) => {
     broadcast({ type: "error", message: `${accountId}: ${error}` });
 });

package/packages/mailx-store/db.js

@@ -59,8 +59,10 @@ const SCHEMA = `
     CREATE INDEX IF NOT EXISTS idx_messages_message_id
         ON messages(message_id);
 
-    CREATE INDEX IF NOT EXISTS idx_messages_thread_id
-        ON messages(account_id, thread_id);
+    -- Note: idx_messages_thread_id is created by the addColumnIfMissing migration
+    -- in the constructor, AFTER thread_id is guaranteed to exist. Including it
+    -- here would crash startup on any pre-thread_id DB because exec(SCHEMA) runs
+    -- before the column-add migration.
 
     CREATE TABLE IF NOT EXISTS sent_log (
         message_id TEXT PRIMARY KEY,

package/packages/mailx-store/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/mailx-store",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "type": "module",
   "main": "index.js",
   "types": "index.d.ts",

package/packages/mailx-store-web/android-bootstrap.js

@@ -17,6 +17,8 @@ import { WebMailxService } from "./web-service.js";
 import { loadAccounts, loadAccountsFromCloud, saveAccounts, clearSettings, getDeviceId, setGDriveTokenProvider, setGDriveFolderId } from "./web-settings.js";
 import { GmailApiWebProvider } from "./gmail-api-web.js";
 import { ImapWebProvider } from "./imap-web-provider.js";
+import { SmtpClient } from "@bobfrankston/smtp-direct";
+import { BridgeTcpTransport } from "@bobfrankston/tcp-transport";
 // ── State ──
 let db;
 let bodyStore;
@@ -121,7 +123,12 @@ class AndroidSyncManager {
                         return 1;
                     return 0;
                 });
-                for (const folder of sorted.slice(0, 5)) {
+                // Sync every folder, not just the first five — the old slice(0, 5)
+                // meant subfolders past the cutoff (e.g. _spam, custom labels)
+                // never picked up moves made on other clients, and those moves
+                // also stayed visible in the source folder because reconcile
+                // (below in syncFolder) never ran for the target.
+                for (const folder of sorted) {
                     try {
                         await this.syncFolder(account.id, folder.id);
                     }
@@ -185,6 +192,48 @@ class AndroidSyncManager {
             this.db.recalcFolderCounts(folderId);
             emitEvent({ type: "folderCountsChanged", accountId, counts: {} });
         }
+        // Reconcile deletions — messages present locally but no longer on the
+        // server (moved away, deleted on another client). Without this, the
+        // Android client never drops removed rows: e.g., moves to _spam from
+        // another client showed up in _spam (next time it synced) but never
+        // disappeared from INBOX.
+        //
+        // Same safety guards as the desktop reconcile path:
+        //   - Skip if the server list is empty but local has messages (likely
+        //     a transient API failure that returned []).
+        //   - Refuse to delete more than 50% of local in one pass — better to
+        //     keep phantoms than to wipe a folder on a sync bug. Rebuild local
+        //     cache fixes a stuck state.
+        try {
+            const serverUidsArr = await provider.getUids(folder.path);
+            const serverUids = new Set(serverUidsArr);
+            const localUids = this.db.getUidsForFolder(accountId, folderId);
+            if (serverUidsArr.length === 0 && localUids.length > 0) {
+                console.log(`[sync] ${folder.path}: reconcile skipped — server returned empty but local has ${localUids.length}`);
+            }
+            else {
+                const toDelete = localUids.filter(uid => !serverUids.has(uid));
+                const RECONCILE_DELETE_THRESHOLD = 0.5;
+                if (localUids.length > 0 && toDelete.length / localUids.length > RECONCILE_DELETE_THRESHOLD) {
+                    console.log(`[sync] ${folder.path}: reconcile refused — would delete ${toDelete.length}/${localUids.length} (${Math.round(toDelete.length / localUids.length * 100)}%)`);
+                }
+                else {
+                    for (const uid of toDelete) {
+                        this.db.deleteMessage(accountId, uid);
+                        this.bodyStore.deleteMessage(accountId, folderId, uid).catch(() => { });
+                    }
+                    if (toDelete.length > 0) {
+                        console.log(`[sync] ${folder.path}: reconciled ${toDelete.length} deletions`);
+                        this.db.recalcFolderCounts(folderId);
+                        emitEvent({ type: "folderCountsChanged", accountId, counts: {} });
+                    }
+                }
+            }
+        }
+        catch (e) {
+            console.error(`[sync] ${folder.path}: reconcile error: ${e.message}`);
+        }
+        emitEvent({ type: "folderSynced", accountId, entries: [{ folderId, syncedAt: Date.now() }] });
         emitEvent({ type: "syncProgress", accountId, phase: `sync:${folder.path}`, progress: 100 });
     }
     storeProviderMessages(accountId, folderId, messages) {
@@ -286,8 +335,122 @@ class AndroidSyncManager {
     async undeleteMessage(accountId, uid, folderId) {
         this.db.queueSyncAction(accountId, "undelete", uid, folderId);
     }
-    queueOutgoingLocal(accountId, _rawMessage) {
-        console.log(`[send] Queued outgoing for ${accountId}`);
+    queueOutgoingLocal(accountId, rawMessage) {
+        // Two paths, both real (no stubs that pretend success — see programming.md
+        // rule "Stubs MUST NOT appear successful"):
+        //   - Gmail accounts: POST to users.messages.send (Gmail handles SMTP +
+        //     auto-files into Sent label).
+        //   - Non-Gmail accounts: smtp-direct over BridgeTransport (mailxapi.tcp).
+        // Caller (web-service.send) is sync-returning; we kick off the network
+        // request and surface success/failure via events. Compose UI listens for
+        // sendError/sendComplete.
+        const provider = this.getProvider(accountId);
+        if (provider && typeof provider.sendRaw === "function") {
+            provider.sendRaw(rawMessage)
+                .then((result) => {
+                console.log(`[send] ${accountId}: sent via Gmail API (id=${result.id})`);
+                emitEvent({ type: "sendComplete", accountId, messageId: result.id });
+            })
+                .catch((e) => {
+                console.error(`[send] ${accountId}: Gmail send failed: ${e.message}`);
+                emitEvent({ type: "sendError", accountId, error: e.message });
+            });
+            return;
+        }
+        // Non-Gmail: use smtp-direct + BridgeTransport. Pull SMTP config from the
+        // stored account JSON.
+        const accounts = db.getAccountConfigs();
+        const row = accounts.find(a => a.id === accountId);
+        if (!row) {
+            const e = "Unknown account";
+            console.error(`[send] ${accountId}: ${e}`);
+            emitEvent({ type: "sendError", accountId, error: e });
+            throw new Error(e);
+        }
+        let account;
+        try {
+            account = JSON.parse(row.configJson);
+        }
+        catch {
+            const e = "Account config malformed";
+            emitEvent({ type: "sendError", accountId, error: e });
+            throw new Error(e);
+        }
+        if (!account.smtp) {
+            const e = "No SMTP config for this account";
+            console.error(`[send] ${accountId}: ${e}`);
+            emitEvent({ type: "sendError", accountId, error: e });
+            throw new Error(e);
+        }
+        // Fire async — same pattern as Gmail path above.
+        this.sendViaSmtpDirect(accountId, account, rawMessage)
+            .then((result) => {
+            console.log(`[send] ${accountId}: sent via SMTP (${result.accepted.length} accepted, ${result.rejected.length} rejected)`);
+            emitEvent({ type: "sendComplete", accountId });
+        })
+            .catch((e) => {
+            console.error(`[send] ${accountId}: SMTP send failed: ${e.message}`);
+            emitEvent({ type: "sendError", accountId, error: e.message });
+        });
+    }
+    /** Build SMTP config from account, send via smtp-direct over BridgeTransport. */
+    async sendViaSmtpDirect(accountId, account, raw) {
+        const SMTP_PORT_STARTTLS = 587;
+        const SMTP_PORT_IMPLICIT_TLS = 465;
+        const smtp = account.smtp;
+        const smtpPort = smtp.port || SMTP_PORT_STARTTLS;
+        const smtpHost = smtp.host || account.imap?.host;
+        if (!smtpHost)
+            throw new Error("No SMTP host");
+        // Auth: password → PLAIN; oauth2 → XOAUTH2 (token from this account's provider)
+        const smtpUser = smtp.user || account.imap?.user || account.email;
+        const authType = smtp.auth || (account.imap?.password ? "password" : undefined);
+        let auth;
+        if (authType === "password") {
+            const pass = smtp.password || account.imap?.password;
+            if (!pass)
+                throw new Error("SMTP password not configured");
+            auth = { method: "PLAIN", user: smtpUser, pass };
+        }
+        else if (authType === "oauth2") {
+            const tp = this.tokenProviders.get(accountId);
+            if (!tp)
+                throw new Error("OAuth token provider not registered");
+            const token = await tp();
+            auth = { method: "XOAUTH2", user: smtpUser, token };
+        }
+        // Recipients from headers
+        const parseAddrs = (s) => s.match(/[\w.+-]+@[\w.-]+/g) || [];
+        const toMatch = raw.match(/^To:\s*(.+)$/mi);
+        const ccMatch = raw.match(/^Cc:\s*(.+)$/mi);
+        const bccMatch = raw.match(/^Bcc:\s*(.+)$/mi);
+        const fromMatch = raw.match(/^From:\s*(.+)$/mi);
+        const recipients = [
+            ...(toMatch ? parseAddrs(toMatch[1]) : []),
+            ...(ccMatch ? parseAddrs(ccMatch[1]) : []),
+            ...(bccMatch ? parseAddrs(bccMatch[1]) : []),
+        ];
+        const sender = fromMatch ? (parseAddrs(fromMatch[1])[0] || account.email) : account.email;
+        if (recipients.length === 0)
+            throw new Error("No recipients");
+        const rawToSend = raw.replace(/^Bcc:.*\r?\n/mi, "");
+        const client = new SmtpClient({
+            host: smtpHost,
+            port: smtpPort,
+            secure: smtpPort === SMTP_PORT_IMPLICIT_TLS,
+            auth,
+            localname: "mailx-android",
+        }, () => new BridgeTcpTransport());
+        try {
+            await client.connect();
+            return await client.sendMail({ from: sender, to: recipients }, rawToSend);
+        }
+        finally {
+            try {
+                await client.quit();
+            }
+            catch { /* ignore */ }
+        }
     }
     async saveDraft(_accountId, _raw, _prevUid, _draftId) {
         return null;

package/packages/mailx-store-web/gmail-api-web.d.ts

@@ -24,6 +24,13 @@ export declare class GmailApiWebProvider implements MailProvider {
     fetchOne(folder: string, uid: number, options?: FetchOptions): Promise<ProviderMessage | null>;
     getUids(folder: string): Promise<number[]>;
     close(): Promise<void>;
+    /** Send an RFC 2822 message via Gmail API users.messages.send. The server
+     *  handles SMTP — we just hand it the raw bytes base64url-encoded. Auto-files
+     *  a copy into the Sent label, so caller does NOT need to APPEND to Sent. */
+    sendRaw(rawRfc822: string): Promise<{
+        id: string;
+        threadId: string;
+    }>;
     private folderToLabel;
     private formatDate;
 }

package/packages/mailx-store-web/gmail-api-web.js

@@ -227,6 +227,18 @@ export class GmailApiWebProvider {
         return ids.map(idToUid);
     }
     async close() { }
+    /** Send an RFC 2822 message via Gmail API users.messages.send. The server
+     *  handles SMTP — we just hand it the raw bytes base64url-encoded. Auto-files
+     *  a copy into the Sent label, so caller does NOT need to APPEND to Sent. */
+    async sendRaw(rawRfc822) {
+        const b64 = btoa(unescape(encodeURIComponent(rawRfc822)))
+            .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+        const data = await this.apiFetch("/messages/send", {
+            method: "POST",
+            body: JSON.stringify({ raw: b64 }),
+        });
+        return { id: data.id, threadId: data.threadId };
+    }
     folderToLabel(path) {
         const lower = path.toLowerCase();
         if (lower === "inbox")

package/packages/mailx-store-web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/mailx-store-web",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "type": "module",
   "main": "index.js",
   "types": "index.d.ts",
@@ -10,6 +10,9 @@
   "license": "ISC",
   "dependencies": {
     "@bobfrankston/mailx-types": "file:../mailx-types",
+    "@bobfrankston/iflow-direct": "file:../../../MailApps/iflow-direct",
+    "@bobfrankston/tcp-transport": "file:../../../MailApps/tcp-transport",
+    "@bobfrankston/smtp-direct": "file:../../../MailApps/smtp-direct",
     "sql.js": "^1.14.1"
   },
   "repository": {

package/packages/mailx-types/index.d.ts

@@ -159,6 +159,13 @@ export type WsEvent = {
         total: number;
         unread: number;
     }>;
+} | {
+    type: "folderSynced";
+    accountId: string;
+    entries: {
+        folderId: number;
+        syncedAt: number;
+    }[];
 } | {
     type: "syncProgress";
     accountId: string;

package/test-smtp-direct.mjs

@@ -0,0 +1,4 @@
+// Removed after one-shot smtp-direct test on 2026-04-13.
+// Original sent a test message to test1@bob.ma via iecc submission.
+// Result: 250 Accepted message qp 15437 (server queued for delivery).
+// File overwritten because it had a plaintext password; safe to delete.