@bobfrankston/mailx 1.0.353 → 1.0.360

package/client/app.js

@@ -5,7 +5,7 @@
 import { initFolderTree, refreshFolderTree, updateFolderCounts, setFolderSynced, getFolderSynced } from "./components/folder-tree.js";
 import { initMessageList, loadMessages, loadUnifiedInbox, loadSearchResults, reloadCurrentFolder, getSelectedMessages, markBodiesCached } from "./components/message-list.js";
 import { showMessage, getCurrentMessage, initViewer } from "./components/message-viewer.js";
-import { connectWebSocket, onWsEvent, triggerSync, syncAccount, reauthenticate, getAccounts, getFolders, deleteMessages, undeleteMessage, restartServer, getSyncPending, getVersion, getSettings, saveSettings, getAutocompleteSettings, saveAutocompleteSettings, repairAccounts, updateFlags, markAsSpamMessages, logClientEvent } from "./lib/api-client.js";
+import { connectWebSocket, onWsEvent, triggerSync, syncAccount, reauthenticate, getAccounts, getFolders, deleteMessages, undeleteMessage, restartServer, getSyncPending, getVersion, getSettings, saveSettings, getAutocompleteSettings, saveAutocompleteSettings, repairAccounts, updateFlags, markAsSpamMessages, logClientEvent, sendMessage as apiSendMessage } from "./lib/api-client.js";
 import * as messageState from "./lib/message-state.js";
 // ── New message badge (favicon + title) ──
 let baseTitle = "mailx";
@@ -1144,6 +1144,64 @@ if (ftFilterInput) {
 }
 // ── Open links from email body in system browser ──
 window.addEventListener("message", (e) => {
+    // Relay traces from iframes (compose) to Node via our working bridge.
+    // The iframe calls logClientEvent which tries its own bridge first; if
+    // that path is broken it also posts here as backup. Tag gets a `via-relay`
+    // suffix when the iframe couldn't reach its own bridge — that alone
+    // diagnoses whether the iframe bridge works.
+    if (e.data?.type === "mailx-trace" && typeof e.data.tag === "string") {
+        const relayTag = e.data.bridged ? e.data.tag : `${e.data.tag} (via-relay)`;
+        logClientEvent(relayTag, e.data.data);
+        return;
+    }
+    // Compose-send relay: iframe posts the send request here because its own
+    // bridge call to sendMessage was failing to reach Node. This window's
+    // bridge is proven (getAccounts / getOutboxStatus run every few seconds
+    // with no failures), so we do the IPC from here and post the result back
+    // to the iframe via its source. `e.source` is the iframe's window; use it
+    // so targeting works even if the iframe moves in the DOM.
+    if (e.data?.type === "mailx-compose-send" && e.data.id && e.data.body) {
+        const src = e.source;
+        const id = e.data.id;
+        logClientEvent("relay-compose-send-received", { id });
+        (async () => {
+            try {
+                await apiSendMessage(e.data.body);
+                logClientEvent("relay-compose-send-ok", { id });
+                src?.postMessage({ type: "mailx-compose-send-result", id, ok: true }, "*");
+            }
+            catch (err) {
+                const msg = err?.message || String(err);
+                logClientEvent("relay-compose-send-error", { id, error: msg });
+                src?.postMessage({ type: "mailx-compose-send-result", id, ok: false, error: msg }, "*");
+            }
+        })();
+        return;
+    }
+    // Generic IPC relay: the iframe's api-client routes every IPC call through
+    // postMessage when it's running in a child frame. Same reason as the
+    // compose-send relay — sendMessage wasn't the only method the iframe's
+    // bridge dropped; saveDraft hit the same wall ("Draft save failed: mailxapi
+    // timeout"). This handler invokes the named method on THIS window's
+    // mailxapi and posts the result back to the iframe.
+    if (e.data?.type === "mailx-ipc" && e.data.id && e.data.method) {
+        const src = e.source;
+        const { id, method, args } = e.data;
+        const bridge = window.mailxapi;
+        const fn = bridge?.[method];
+        if (typeof fn !== "function") {
+            src?.postMessage({ type: "mailx-ipc-result", id, ok: false, error: `parent bridge has no method "${method}"` }, "*");
+            return;
+        }
+        try {
+            const result = fn.apply(bridge, args || []);
+            Promise.resolve(result).then((value) => src?.postMessage({ type: "mailx-ipc-result", id, ok: true, result: value }, "*"), (err) => src?.postMessage({ type: "mailx-ipc-result", id, ok: false, error: err?.message || String(err) }, "*"));
+        }
+        catch (err) {
+            src?.postMessage({ type: "mailx-ipc-result", id, ok: false, error: err?.message || String(err) }, "*");
+        }
+        return;
+    }
     if (e.data?.type === "openLink" && e.data.url) {
         window.open(e.data.url, "_blank", "noopener,noreferrer");
     }

package/client/compose/compose.css

@@ -75,6 +75,14 @@ body {
     padding: var(--gap-xs) 0;
 }
 
+/* HTML `hidden` attribute is display:none by UA default, but the `display:
+   flex` above wins specificity-wise and the row stays visible. Restore the
+   expected hide behavior — the Cc/Bcc toggle buttons flip `hidden` to
+   reveal/conceal the rows, which is pointless if CSS forces them on. */
+.compose-field[hidden] {
+    display: none;
+}
+
 .compose-field label {
     flex: 0 0 60px;
     font-size: var(--font-size-sm);

package/client/compose/compose.js

@@ -4,7 +4,7 @@
  * Receives init data via window.opener.postMessage or URL params.
  */
 import { createEditor } from "./editor.js";
-import { getSettings, getAccounts, searchContacts, sendMessage, saveDraft as apiSaveDraft, deleteDraft, logClientEvent } from "../lib/api-client.js";
+import { getSettings, getAccounts, searchContacts, saveDraft as apiSaveDraft, deleteDraft, logClientEvent } from "../lib/api-client.js";
 // Very first line the iframe runs — if this doesn't reach Node, the iframe
 // itself isn't loading or the bridge is completely broken.
 logClientEvent("compose-module-loaded", { href: location.href, version: window.mailxVersion || "?" });
@@ -621,26 +621,46 @@ document.getElementById("btn-send")?.addEventListener("click", () => {
     if (statusEl)
         statusEl.textContent = "";
     const sendStart = Date.now();
-    let ipcPromise;
     logClientEvent("compose-send-pre-ipc");
-    try {
-        ipcPromise = sendMessage(body);
-        logClientEvent("compose-send-ipc-invoked", { promiseType: typeof ipcPromise, isThenable: !!(ipcPromise && typeof ipcPromise.then === "function") });
-    }
-    catch (e) {
-        const msg = e?.message || String(e);
-        logClientEvent("compose-send-sync-throw", { error: msg });
-        console.error(`[compose] Send threw synchronously: ${msg}`);
-        if (sendBtn) {
-            sendBtn.disabled = false;
-            sendBtn.textContent = "Send";
+    // Parent-window relay for send. Empirical observation: Android (direct
+    // in-process SMTP) sends reliably; desktop (iframe → parent.mailxapi →
+    // msger → Node → service) has sendMessage IPCs failing to reach Node
+    // for reasons still unknown (iframe bridge behaves differently from the
+    // top frame in msger's WebView2 for this specific call). Meanwhile the
+    // parent window's bridge is proven — getAccounts / getOutboxStatus run
+    // through it every few seconds with no failures.
+    //
+    // Fix: the iframe doesn't touch the bridge at all for send. It posts
+    // a request to the parent, and the parent calls the real sendMessage
+    // from its own frame. Parent posts the result back. This bypasses
+    // whatever is wrong with iframe-scoped IPC.
+    const ipcPromise = new Promise((resolve, reject) => {
+        const reqId = `send-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        const timer = setTimeout(() => {
+            window.removeEventListener("message", onMsg);
+            reject(new Error("parent-relay send timeout (120s)"));
+        }, 120000);
+        const onMsg = (ev) => {
+            if (!ev.data || ev.data.type !== "mailx-compose-send-result" || ev.data.id !== reqId)
+                return;
+            clearTimeout(timer);
+            window.removeEventListener("message", onMsg);
+            if (ev.data.ok)
+                resolve();
+            else
+                reject(new Error(ev.data.error || "unknown"));
+        };
+        window.addEventListener("message", onMsg);
+        try {
+            parent.postMessage({ type: "mailx-compose-send", id: reqId, body }, "*");
+            logClientEvent("compose-send-ipc-invoked", { via: "parent-relay", reqId });
         }
-        if (statusEl)
-            statusEl.textContent = `Send failed: ${msg}`;
-        else
-            alert(`Send failed: ${msg}`);
-        return;
-    }
+        catch (e) {
+            clearTimeout(timer);
+            window.removeEventListener("message", onMsg);
+            reject(e);
+        }
+    });
     Promise.resolve(ipcPromise)
         .then(() => {
         logClientEvent("compose-send-ipc-resolved", { ms: Date.now() - sendStart });

package/client/compose/editor.js

@@ -220,10 +220,24 @@ function createQuillEditor(container) {
     document.querySelectorAll(".ql-toolbar button, .ql-toolbar select, .ql-toolbar .ql-picker-label").forEach(el => el.setAttribute("tabindex", "-1"));
     // Native spell-check: WebView2 / Chromium underlines misspellings and the
     // right-click menu offers "Add to dictionary". Quill clears spellcheck on
-    // its root by default, so we turn it back on explicitly.
-    q.root.setAttribute("spellcheck", "true");
-    q.root.setAttribute("autocorrect", "on");
-    q.root.setAttribute("autocapitalize", "on");
+    // its root by default AND may re-clear it asynchronously as part of its
+    // setup (user-reported "spell-check broken again" with the one-shot set).
+    // Set once now, again after the frame flushes so post-init clears can't
+    // win, and install a MutationObserver to re-assert if anything later
+    // strips the attribute. Cheap — fires at most on each clear.
+    const applySpellcheck = () => {
+        if (q.root.getAttribute("spellcheck") !== "true")
+            q.root.setAttribute("spellcheck", "true");
+        if (q.root.getAttribute("autocorrect") !== "on")
+            q.root.setAttribute("autocorrect", "on");
+        if (q.root.getAttribute("autocapitalize") !== "on")
+            q.root.setAttribute("autocapitalize", "on");
+    };
+    applySpellcheck();
+    requestAnimationFrame(applySpellcheck);
+    setTimeout(applySpellcheck, 100);
+    const spellObs = new MutationObserver(() => applySpellcheck());
+    spellObs.observe(q.root, { attributes: true, attributeFilter: ["spellcheck", "autocorrect", "autocapitalize"] });
     // Toolbar link button: open our modal instead of Quill's built-in URL prompt.
     const toolbar = q.getModule("toolbar");
     toolbar?.addHandler("link", function () {
@@ -288,17 +302,30 @@ function createQuillEditor(container) {
         }
         catch { /* fall through to native menu */ }
     });
+    // IMPORTANT: register on the capture phase AND use stopImmediatePropagation
+    // when we handle the paste ourselves. Quill 2.x's clipboard module attaches
+    // its own listener on the same root element; preventDefault only stops the
+    // browser's default contenteditable insertion, NOT Quill's parallel listener.
+    // Without stopImmediatePropagation the two handlers fire independently and
+    // both insert — user sees the URL twice. Capture phase guarantees we run
+    // before Quill so stopImmediatePropagation actually blocks it.
     q.root.addEventListener("paste", (e) => {
         const cb = e.clipboardData;
         if (!cb)
             return;
+        // Helper: call when we've handled the paste ourselves. Stops Quill's
+        // own listener from also processing the same event.
+        const consume = () => {
+            e.preventDefault();
+            e.stopImmediatePropagation();
+        };
         // Q3: image-on-clipboard → inline as data: URL.
         for (const item of Array.from(cb.items)) {
             if (item.kind === "file" && item.type.startsWith("image/")) {
                 const file = item.getAsFile();
                 if (!file)
                     continue;
-                e.preventDefault();
+                consume();
                 const reader = new FileReader();
                 reader.onload = () => {
                     const dataUrl = String(reader.result || "");
@@ -337,7 +364,7 @@ function createQuillEditor(container) {
                     const href = a.getAttribute("href") || "";
                     const text = (a.textContent || "").trim();
                     if (href && text) {
-                        e.preventDefault();
+                        consume();
                         const range = q.getSelection(true);
                         if (!range)
                             return;
@@ -350,12 +377,35 @@ function createQuillEditor(container) {
                         return;
                     }
                 }
+                // Single text-node wrapping the URL — common when copying from
+                // browser address bar (Chrome ships text/html as
+                // `<meta><span>URL</span>` alongside text/plain). Fall through
+                // to the plain-URL path below instead of letting Quill insert
+                // the bare URL text AND our handler insert it linked — which
+                // is exactly the double-paste the user reported.
+                const textOnly = (root.textContent || "").trim();
+                if (textOnly && looksLikeUrl(textOnly) && !root.querySelector("a")) {
+                    consume();
+                    const range = q.getSelection(true);
+                    if (!range)
+                        return;
+                    const url = normalizeUrl(textOnly);
+                    if (range.length > 0) {
+                        q.formatText(range.index, range.length, "link", url);
+                        q.setSelection(range.index + range.length, 0);
+                    }
+                    else {
+                        q.insertText(range.index, textOnly, { link: url });
+                        q.setSelection(range.index + textOnly.length, 0);
+                    }
+                    return;
+                }
             }
             catch { /* fall through to Quill default */ }
-            return; // Quill handles richer HTML clipboard
+            return; // Quill handles richer HTML clipboard (no consume → Quill runs)
         }
         if (plain && looksLikeUrl(plain)) {
-            e.preventDefault();
+            consume();
             const range = q.getSelection(true);
             if (!range)
                 return;
@@ -370,7 +420,7 @@ function createQuillEditor(container) {
                 q.setSelection(range.index + plain.trim().length, 0);
             }
         }
-    });
+    }, true); // capture=true — run before Quill's own paste listener
     // Hover preview: show the target URL in a floating tooltip when the
     // pointer is over a link. Built on top of native mouseover/mouseout
     // rather than Quill's ql-tooltip (which is keyboard-triggered).

package/client/lib/api-client.js

@@ -12,7 +12,76 @@ function getIpc() {
         return window.parent.mailxapi;
     return null;
 }
+/** Build a proxy bridge that forwards every method call to the parent window
+ *  via postMessage. Used when the compose iframe's own attempt to reach
+ *  msger's IPC silently drops messages — empirically, `sendMessage` and
+ *  `saveDraft` both hit this (user-visible: "Sending…" spinner forever;
+ *  "Draft save failed: mailxapi timeout"). The main window's bridge is
+ *  provably fine, so the iframe routes through it. */
+function buildRelayBridge() {
+    const pending = new Map();
+    window.addEventListener("message", (ev) => {
+        if (!ev.data || ev.data.type !== "mailx-ipc-result" || !ev.data.id)
+            return;
+        const entry = pending.get(ev.data.id);
+        if (!entry)
+            return;
+        pending.delete(ev.data.id);
+        clearTimeout(entry.timer);
+        if (ev.data.ok)
+            entry.resolve(ev.data.result);
+        else
+            entry.reject(new Error(ev.data.error || "parent-relay ipc error"));
+    });
+    const call = (method, args) => {
+        const id = `ipc-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        return new Promise((resolve, reject) => {
+            const timer = setTimeout(() => {
+                pending.delete(id);
+                reject(new Error(`parent-relay timeout: ${method}`));
+            }, 120000);
+            pending.set(id, { resolve, reject, timer });
+            try {
+                window.parent.postMessage({ type: "mailx-ipc", id, method, args }, "*");
+            }
+            catch (e) {
+                clearTimeout(timer);
+                pending.delete(id);
+                reject(e);
+            }
+        });
+    };
+    // Proxy: any property access returns a function that forwards to parent.
+    // `isApp` / `platform` / other non-function reads return sensible defaults
+    // so existing getIpc-style checks still work.
+    return new Proxy({}, {
+        get(_t, prop) {
+            if (prop === "isApp")
+                return true;
+            if (prop === "platform")
+                return window.parent?.mailxapi?.platform || "webview2";
+            if (prop === "onEvent") {
+                // Event subscription can't be relayed simply — iframes that need
+                // events are rare. Fall back to direct parent bridge for onEvent
+                // since the subscription path doesn't hit the broken send path.
+                return (handler) => window.parent?.mailxapi?.onEvent?.(handler);
+            }
+            return (...args) => call(prop, args);
+        }
+    });
+}
+let cachedRelayBridge = null;
 function ipc() {
+    // Direct bridge is fine for the top window (main mailx app). The iframe
+    // (compose) can't trust its own bridge resolution because msger-routed
+    // sendMessage / saveDraft IPCs disappear without trace. So when we're in
+    // a child frame with a parent bridge, go through the parent.
+    const inIframe = window.parent && window.parent !== window;
+    if (inIframe && window.parent?.mailxapi?.isApp) {
+        if (!cachedRelayBridge)
+            cachedRelayBridge = buildRelayBridge();
+        return cachedRelayBridge;
+    }
     const bridge = getIpc();
     if (!bridge)
         throw new Error("IPC bridge not available");
@@ -130,18 +199,32 @@ export function emptyFolder(accountId, folderId) {
     return ipc().emptyFolder?.(accountId, folderId);
 }
 /** Ship a named event to the Node log as `[client] <tag> <data>`. Fire and
- *  forget — never awaits, never throws, never blocks the caller. If the IPC
- *  bridge is unavailable, the call is a no-op so tracing calls scattered
- *  through the UI don't become failure points themselves. */
+ *  forget — never awaits, never throws, never blocks the caller. Tries two
+ *  paths so a broken primary channel can't swallow the trace:
+ *    1. Direct bridge call (self / opener / parent mailxapi).
+ *    2. parent.postMessage fallback — the main window listens and relays.
+ *  The fallback matters because the whole point of tracing is to diagnose
+ *  a broken iframe bridge; a single-path tracer that goes through that same
+ *  bridge is useless in exactly the case we need it. */
 export function logClientEvent(tag, data) {
+    let delivered = false;
     try {
         const bridge = typeof globalThis.mailxapi !== "undefined" && globalThis.mailxapi?.isApp ? globalThis.mailxapi
             : window.opener?.mailxapi?.isApp ? window.opener.mailxapi
                 : window.parent?.mailxapi?.isApp ? window.parent.mailxapi
                     : null;
-        bridge?.logClientEvent?.(tag, data);
+        if (bridge?.logClientEvent) {
+            bridge.logClientEvent(tag, data);
+            delivered = true;
+        }
     }
     catch { /* never throw from tracing */ }
+    try {
+        if (window.parent && window.parent !== window) {
+            window.parent.postMessage({ type: "mailx-trace", tag, data, bridged: delivered }, "*");
+        }
+    }
+    catch { /* */ }
 }
 export function sendMessage(body) {
     return ipc().sendMessage?.(body);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/mailx",
-  "version": "1.0.353",
+  "version": "1.0.360",
   "description": "Local-first email client with IMAP sync and standalone native app",
   "type": "module",
   "main": "bin/mailx.js",

package/packages/mailx-service/index.js

@@ -102,7 +102,7 @@ export class MailxService {
         for (const cfg of cfgs) {
             const a = dbAccounts.find(d => d.id === cfg.id);
             if (a)
-                ordered.push({ ...a, label: cfg.label, defaultSend: cfg.defaultSend || false, identityDomains: cfg.identityDomains || [], spam: cfg.spam || "" });
+                ordered.push({ ...a, label: cfg.label, defaultSend: cfg.defaultSend || false, identityDomains: cfg.identityDomains || [] });
         }
         // Append any DB accounts not in settings
         for (const a of dbAccounts) {

package/packages/mailx-settings/index.js

@@ -307,43 +307,36 @@ const PROVIDERS = {
         label: "Gmail",
         imap: { host: "imap.gmail.com", port: 993, tls: true, auth: "oauth2" },
         smtp: { host: "smtp.gmail.com", port: 587, tls: true, auth: "oauth2" },
-        spam: "SPAM", // Gmail labels, mailx tree shows as "SPAM"
     },
     "googlemail.com": {
         label: "Gmail",
         imap: { host: "imap.gmail.com", port: 993, tls: true, auth: "oauth2" },
         smtp: { host: "smtp.gmail.com", port: 587, tls: true, auth: "oauth2" },
-        spam: "SPAM",
     },
     "outlook.com": {
         label: "Outlook",
         imap: { host: "outlook.office365.com", port: 993, tls: true, auth: "oauth2" },
         smtp: { host: "smtp.office365.com", port: 587, tls: true, auth: "oauth2" },
-        spam: "Junk Email",
     },
     "hotmail.com": {
         label: "Hotmail",
         imap: { host: "outlook.office365.com", port: 993, tls: true, auth: "oauth2" },
         smtp: { host: "smtp.office365.com", port: 587, tls: true, auth: "oauth2" },
-        spam: "Junk Email",
     },
     "yahoo.com": {
         label: "Yahoo",
         imap: { host: "imap.mail.yahoo.com", port: 993, tls: true, auth: "password" },
         smtp: { host: "smtp.mail.yahoo.com", port: 587, tls: true, auth: "password" },
-        spam: "Bulk Mail",
     },
     "aol.com": {
         label: "AOL",
         imap: { host: "imap.aol.com", port: 993, tls: true, auth: "password" },
         smtp: { host: "smtp.aol.com", port: 587, tls: true, auth: "password" },
-        spam: "Bulk Mail",
     },
     "icloud.com": {
         label: "iCloud",
         imap: { host: "imap.mail.me.com", port: 993, tls: true, auth: "password" },
         smtp: { host: "smtp.mail.me.com", port: 587, tls: true, auth: "password" },
-        spam: "Junk",
     },
 };
 /** Fill in provider defaults for an account based on email domain */
@@ -388,13 +381,10 @@ function normalizeAccount(acct, globalName) {
         relayDomains: acct.relayDomains,
         deliveredToPrefix: acct.deliveredToPrefix,
         identityDomains: acct.identityDomains,
-        // Spam folder: explicit account config wins; otherwise fall back to
-        // the provider default (e.g. Gmail ships with built-in SPAM; Outlook
-        // with "Junk Email"). Before 2026-04-21 this field was dropped by
-        // normalizeAccount entirely — silent regression even for accounts
-        // that had it configured. `acct.spam` first so a user-set value on
-        // a recognized provider still overrides the default.
-        spam: acct.spam !== undefined ? acct.spam : provider?.spam,
+        // `spam` passthrough retired 2026-04-22 — markAsSpamMessages now finds
+        // the junk folder via `specialUse === "junk"` on the DB folder record
+        // (populated by mailx-imap from iflow's getSpecialFolders()). Authoritative
+        // per-server info beats per-domain guesses.
         // `signature` is on AccountConfig in mailx-types but the workspace
         // build order sometimes leaves a stale .d.ts for type-check; using
         // `as any` is the minimum-blast-radius way to add the field without