@bobfrankston/mailx 1.0.425 → 1.0.428

package/bin/mailx.js

@@ -1422,6 +1422,16 @@ RFC 5322 with CRLF line endings. Bodies are quoted-printable encoded (readable i
         svc.getTasks(false)
             .catch((e) => console.error(`  [tasks] poll error: ${e?.message || e}`));
     }, CAL_POLL_MS);
+    // Contacts poll — incremental sync via People API syncToken (persisted
+    // per-account in the kv table). Cheap after the first run because only
+    // changed/deleted contacts come back. 15-minute cadence picks up new
+    // contacts added on phone / web without restart while staying well
+    // under the People API rate limit.
+    const CONTACTS_POLL_MS = 15 * 60_000;
+    setInterval(() => {
+        svc.syncGoogleContacts()
+            .catch((e) => console.error(`  [contacts] poll error: ${e?.message || e}`));
+    }, CONTACTS_POLL_MS);
     // Auto-update: periodically check npm for a newer version and push a
     // notification to the WebView so the user can update with one click.
     const UPDATE_CHECK_MS = 30 * 60_000; // 30 minutes

package/client/components/calendar-sidebar.js

@@ -381,6 +381,18 @@ export function initCalendarSidebar() {
                     refresh();
                 else if (event?.type === "tasksUpdated")
                     renderTasks();
+                else if (event?.type === "quotaError") {
+                    // Surface a non-clickable banner — daily quota will reset
+                    // on its own, no user action helps. Idempotent so the
+                    // banner doesn't flash on repeat poll attempts.
+                    const host = event.feature === "tasks"
+                        ? document.getElementById("cal-side-tasks")
+                        : document.getElementById("cal-side-body");
+                    if (host && !host.querySelector(".cal-side-quota-error")) {
+                        const msg = event.message || `Google ${event.feature} quota exceeded — try again later.`;
+                        host.innerHTML = `<div class="cal-side-empty cal-side-quota-error">${escapeHtml(msg)}</div>`;
+                    }
+                }
                 else if (event?.type === "authScopeError") {
                     // Surface a visible hint right in the affected pane so the
                     // user doesn't stare at an empty list wondering why. Only

package/client/compose/compose.js

@@ -413,26 +413,39 @@ function applyInit(init) {
     }
     else if (init.to && init.to.length === 1) {
         // Q49: heuristic auto-expand — when replying/composing to a single
-        // recipient, check sent-history. If the user has previously Cc'd
-        // anyone on a message to this recipient, expand the Cc row (empty,
-        // just visible) so they're prompted to fill it. Fire-and-forget; if
-        // the service call fails or the user starts typing Cc manually
-        // before it resolves, the answer doesn't matter.
+        // recipient, check sent-history. If the user has previously Cc'd or
+        // Bcc'd anyone on a message to this recipient, expand the matching
+        // row (empty, just visible) so they're prompted to fill it.
+        // Fire-and-forget; if the service call fails or the user starts
+        // typing manually before it resolves, the answer doesn't matter.
         const firstEmail = init.to[0]?.address || "";
         if (firstEmail) {
-            import("../lib/api-client.js").then(({ hasCcHistoryTo }) => hasCcHistoryTo(firstEmail)
-                .then(res => {
-                if (!res?.hasCc)
-                    return;
-                const ccRowEl = document.getElementById("compose-cc-row");
-                const ccBtn = document.getElementById("btn-toggle-cc");
-                // Only expand if user hasn't already interacted
-                if (ccRowEl?.hidden && !ccInput.value) {
-                    ccRowEl.hidden = false;
-                    ccBtn?.classList.add("active");
-                }
-            })
-                .catch(() => { }));
+            import("../lib/api-client.js").then(({ hasCcHistoryTo, hasBccHistoryTo }) => {
+                hasCcHistoryTo(firstEmail)
+                    .then(res => {
+                    if (!res?.hasCc)
+                        return;
+                    const ccRowEl = document.getElementById("compose-cc-row");
+                    const ccBtn = document.getElementById("btn-toggle-cc");
+                    if (ccRowEl?.hidden && !ccInput.value) {
+                        ccRowEl.hidden = false;
+                        ccBtn?.classList.add("active");
+                    }
+                })
+                    .catch(() => { });
+                hasBccHistoryTo(firstEmail)
+                    .then(res => {
+                    if (!res?.hasBcc)
+                        return;
+                    const bccRowEl = document.getElementById("compose-bcc-row");
+                    const bccBtn = document.getElementById("btn-toggle-bcc");
+                    if (bccRowEl?.hidden && !bccInput.value) {
+                        bccRowEl.hidden = false;
+                        bccBtn?.classList.add("active");
+                    }
+                })
+                    .catch(() => { });
+            });
         }
     }
     // C42: append the account's signature (if configured) BEFORE rendering

package/client/lib/api-client.js

@@ -194,6 +194,9 @@ export function searchContacts(query) {
 export function hasCcHistoryTo(email) {
     return ipc().hasCcHistoryTo(email);
 }
+export function hasBccHistoryTo(email) {
+    return ipc().hasBccHistoryTo(email);
+}
 export function listContacts(query, page = 1, pageSize = 100) {
     return ipc().listContacts(query, page, pageSize);
 }

package/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/mailx-client",
-  "version": "1.0.13",
+  "version": "1.0.15",
   "private": true,
   "type": "module",
   "scripts": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/mailx",
-  "version": "1.0.425",
+  "version": "1.0.428",
   "description": "Local-first email client with IMAP sync and standalone native app",
   "type": "module",
   "main": "bin/mailx.js",
@@ -37,7 +37,7 @@
     "@bobfrankston/miscinfo": "^1.0.10",
     "@bobfrankston/oauthsupport": "^1.0.25",
     "@bobfrankston/msger": "^0.1.361",
-    "@bobfrankston/mailx-host": "^0.1.7",
+    "@bobfrankston/mailx-host": "^0.1.8",
     "@capacitor/android": "^8.3.0",
     "@capacitor/cli": "^8.3.0",
     "@capacitor/core": "^8.3.0",
@@ -101,7 +101,7 @@
       "@bobfrankston/miscinfo": "^1.0.10",
       "@bobfrankston/oauthsupport": "^1.0.25",
       "@bobfrankston/msger": "^0.1.361",
-      "@bobfrankston/mailx-host": "^0.1.7",
+      "@bobfrankston/mailx-host": "^0.1.8",
       "@capacitor/android": "^8.3.0",
       "@capacitor/cli": "^8.3.0",
       "@capacitor/core": "^8.3.0",

package/packages/mailx-imap/index.d.ts

@@ -376,12 +376,21 @@ export declare class ImapManager extends EventEmitter {
     watchConfigFiles(): void;
     /** Stop all config file watchers */
     stopWatchingConfig(): void;
-    private contactsSyncToken;
+    /** Per-account in-flight guard so concurrent calls (startup + periodic
+     *  timer + manual button) share one round-trip instead of stacking. */
+    private contactsSyncing;
     /** Get an OAuth token for Google APIs (contacts, calendar, etc.)
      *  Uses the SAME token as IMAP — scopes are combined in one grant */
     private getContactsToken;
-    /** Sync contacts from Google People API */
+    /** Sync contacts from Google People API. Incremental: persists
+     *  `nextSyncToken` per account in the kv table (`scope='contacts'`,
+     *  `key=accountId`) so subsequent calls only fetch changed/deleted rows.
+     *  First-ever call passes `requestSyncToken=true` so Google returns a
+     *  token to use next time; without that, the first response has no
+     *  `nextSyncToken` and incremental never kicks in. Returns the number of
+     *  contacts added or removed in this run. */
     syncGoogleContacts(accountId: string): Promise<number>;
+    private syncGoogleContactsImpl;
     /** Sync contacts for all OAuth accounts */
     syncAllContacts(): Promise<void>;
     /** Shut down all watchers and timers */

package/packages/mailx-imap/index.js

@@ -3652,22 +3652,43 @@ export class ImapManager extends EventEmitter {
         }
         this.cloudPollTimers = [];
     }
-    // ── Google Contacts Sync ──
-    contactsSyncToken = null;
+    // ── Google Contacts Sync (incremental via People API syncToken) ──
+    /** Per-account in-flight guard so concurrent calls (startup + periodic
+     *  timer + manual button) share one round-trip instead of stacking. */
+    contactsSyncing = new Map();
     /** Get an OAuth token for Google APIs (contacts, calendar, etc.)
      *  Uses the SAME token as IMAP — scopes are combined in one grant */
     async getContactsToken(accountId) {
         // Reuse the IMAP token — it now includes contacts.readonly scope
         return this.getOAuthToken(accountId);
     }
-    /** Sync contacts from Google People API */
+    /** Sync contacts from Google People API. Incremental: persists
+     *  `nextSyncToken` per account in the kv table (`scope='contacts'`,
+     *  `key=accountId`) so subsequent calls only fetch changed/deleted rows.
+     *  First-ever call passes `requestSyncToken=true` so Google returns a
+     *  token to use next time; without that, the first response has no
+     *  `nextSyncToken` and incremental never kicks in. Returns the number of
+     *  contacts added or removed in this run. */
     async syncGoogleContacts(accountId) {
+        // Coalesce concurrent calls for the same account.
+        const inFlight = this.contactsSyncing.get(accountId);
+        if (inFlight)
+            return inFlight;
+        const promise = this.syncGoogleContactsImpl(accountId)
+            .finally(() => this.contactsSyncing.delete(accountId));
+        this.contactsSyncing.set(accountId, promise);
+        return promise;
+    }
+    async syncGoogleContactsImpl(accountId) {
         const token = await this.getContactsToken(accountId);
         if (!token)
             return 0;
-        let added = 0;
+        let changed = 0;
         let nextPageToken;
         const now = Date.now();
+        // Per-account persisted sync token (survives restarts). Empty means
+        // we've never completed an initial sync for this account.
+        let syncToken = this.db.getKv("contacts", accountId) || "";
         try {
             do {
                 const params = new URLSearchParams({
@@ -3676,46 +3697,58 @@ export class ImapManager extends EventEmitter {
                 });
                 if (nextPageToken)
                     params.set("pageToken", nextPageToken);
-                if (this.contactsSyncToken)
-                    params.set("syncToken", this.contactsSyncToken);
+                if (syncToken) {
+                    params.set("syncToken", syncToken);
+                }
+                else {
+                    // First-ever sync for this account — ask Google to give us
+                    // a token in the response so the NEXT call can be cheap.
+                    params.set("requestSyncToken", "true");
+                }
                 const url = `https://people.googleapis.com/v1/people/me/connections?${params}`;
                 const res = await fetch(url, {
                     headers: { Authorization: `Bearer ${token}` },
                 });
                 if (res.status === 410) {
-                    // Sync token expired — do full sync
-                    this.contactsSyncToken = null;
-                    return this.syncGoogleContacts(accountId);
+                    // Sync token expired (Google retains tokens for ~7 days).
+                    // Drop the stored token and recurse for a full sync — the
+                    // in-flight guard is on syncGoogleContacts (the public
+                    // wrapper), not Impl, so recursion is safe.
+                    this.db.setKv("contacts", accountId, null);
+                    return this.syncGoogleContactsImpl(accountId);
                 }
                 if (!res.ok) {
                     const err = await res.text();
-                    console.error(`  [contacts] API error: ${res.status} ${err}`);
-                    return added;
+                    console.error(`  [contacts] API error for ${accountId}: ${res.status} ${err}`);
+                    return changed;
                 }
                 const data = await res.json();
                 if (data.connections) {
                     for (const person of data.connections) {
+                        const googleId = person.resourceName || "";
+                        // Incremental responses tag deleted contacts via
+                        // metadata.deleted=true (and emit no other fields).
+                        // Drop those rows so autocomplete stops surfacing them.
+                        if (person.metadata?.deleted) {
+                            const removed = this.db.deleteContactByGoogleId(googleId);
+                            if (removed > 0)
+                                changed += removed;
+                            continue;
+                        }
                         const emails = person.emailAddresses || [];
                         const names = person.names || [];
                         const orgs = person.organizations || [];
                         const name = names[0]?.displayName || "";
                         const org = orgs[0]?.name || "";
-                        const googleId = person.resourceName || "";
                         for (const emailEntry of emails) {
                             const email = emailEntry.value?.toLowerCase();
                             if (!email)
                                 continue;
-                            // Upsert into contacts
                             const existing = this.db.searchContacts(email, 1);
-                            if (existing.length > 0 && existing[0].email === email) {
-                                // Update name/org if from google
-                                this.db.recordSentAddress(name, email);
-                            }
-                            else {
-                                this.db.recordSentAddress(name, email);
-                                added++;
-                            }
-                            // Update google-specific fields
+                            const wasNew = !(existing.length > 0 && existing[0].email === email);
+                            this.db.recordSentAddress(name, email);
+                            if (wasNew)
+                                changed++;
                             try {
                                 this.db.db.prepare("UPDATE contacts SET source = 'google', google_id = ?, organization = ?, updated_at = ? WHERE email = ?").run(googleId, org, now, email);
                             }
@@ -3724,15 +3757,20 @@ export class ImapManager extends EventEmitter {
                     }
                 }
                 nextPageToken = data.nextPageToken;
-                if (data.nextSyncToken)
-                    this.contactsSyncToken = data.nextSyncToken;
+                // Google only returns nextSyncToken on the LAST page of a
+                // sync run (sentinel that the snapshot is consistent). When
+                // it appears, persist it for next time.
+                if (data.nextSyncToken) {
+                    this.db.setKv("contacts", accountId, data.nextSyncToken);
+                    syncToken = data.nextSyncToken;
+                }
             } while (nextPageToken);
-            console.log(`  [contacts] Synced ${added} new contacts from Google`);
+            console.log(`  [contacts] ${accountId}: ${changed} change(s) (${syncToken ? "incremental" : "full"})`);
         }
         catch (e) {
-            console.error(`  [contacts] Sync error: ${e.message}`);
+            console.error(`  [contacts] Sync error for ${accountId}: ${e.message}`);
         }
-        return added;
+        return changed;
     }
     /** Sync contacts for all OAuth accounts */
     async syncAllContacts() {

package/packages/mailx-service/google-sync.d.ts

@@ -10,6 +10,12 @@
  * either retries via the store_sync drainer or surfaces to the UI.
  */
 type TokenProvider = () => Promise<string>;
+export declare class GoogleHttpError extends Error {
+    status: number;
+    statusText: string;
+    body: string;
+    constructor(status: number, statusText: string, body: string);
+}
 export interface GCalEvent {
     id: string;
     summary: string;

package/packages/mailx-service/google-sync.js

@@ -9,6 +9,17 @@
  * Error handling: throws on network / HTTP errors. Caller catches and
  * either retries via the store_sync drainer or surfaces to the UI.
  */
+export class GoogleHttpError extends Error {
+    status;
+    statusText;
+    body;
+    constructor(status, statusText, body) {
+        super(`Google API ${status} ${statusText}: ${body.slice(0, 300)}`);
+        this.status = status;
+        this.statusText = statusText;
+        this.body = body;
+    }
+}
 async function googleFetch(tokenProvider, url, init = {}) {
     const token = await tokenProvider();
     const headers = new Headers(init.headers || {});
@@ -18,7 +29,7 @@ async function googleFetch(tokenProvider, url, init = {}) {
     const res = await fetch(url, { ...init, headers });
     if (!res.ok) {
         const body = await res.text().catch(() => "");
-        throw new Error(`Google API ${res.status} ${res.statusText}: ${body.slice(0, 300)}`);
+        throw new GoogleHttpError(res.status, res.statusText, body);
     }
     return res;
 }

package/packages/mailx-service/index.d.ts

@@ -52,6 +52,21 @@ export declare class MailxService {
      *  5-min poll / sidebar nav re-fired the event and the client re-rendered
      *  the red banner. Cleared when the user hits Re-authenticate. */
     private scopeErrorEmitted;
+    /** Quota cooldown — feature → epoch-ms when the next API call is allowed.
+     *  Set when Google returns 429 (rate limit / daily-quota exceeded). While
+     *  cooldown is in effect, getCalendarEvents/getTasks return local DB rows
+     *  without firing a refresh. Heuristic cooldown is one hour; the daily
+     *  Google Tasks quota actually resets at Pacific midnight, but a one-hour
+     *  short-circuit keeps the log clean and avoids hammering after a burst. */
+    private quotaCooldown;
+    /** Sticky "quota exceeded" emit guard — same shape as scopeErrorEmitted. */
+    private quotaErrorEmitted;
+    /** In-flight refresh promises keyed by feature, so concurrent UI calls
+     *  share one Google round-trip instead of stacking N parallel fetches.
+     *  The fire-and-forget loop where `tasksUpdated` re-triggers `getTasks`
+     *  used to spawn a new refresh on every event RTT — this dedupes them. */
+    private refreshingCalendar;
+    private refreshingTasks;
     /** Delete the cached Google OAuth token (the one used for Calendar / Tasks
      *  / Contacts scopes — NOT the IMAP token which `reauthenticate()` handles)
      *  and clear the sticky auth-error state so a subsequent refresh can
@@ -68,9 +83,19 @@ export declare class MailxService {
      *  re-renders with pulled-in rows. Fire-and-forget-with-event, not
      *  fire-and-forget-and-pray. */
     getCalendarEvents(fromMs: number, toMs: number): Promise<any[]>;
+    /** Returns true if the feature is currently in a quota-exceeded cooldown. */
+    private inQuotaCooldown;
+    /** Single error-handling path for Google refresh failures.
+     *  Distinguishes 429 (quota) from 401/403 (scope) so each gets the right
+     *  cooldown + sticky-emit treatment without duplicating the regex blocks. */
+    private handleGoogleRefreshError;
     /** Pull events in [fromMs..toMs) from Google, upsert locally, reconcile
      *  server-side deletions. Returns true if anything changed so callers
-     *  can decide whether to emit a refresh event. */
+     *  can decide whether to emit a refresh event. `changed` is only true
+     *  when at least one row's data actually differs — without this guard
+     *  the UI's `calendarUpdated` listener re-triggers `getCalendarEvents`,
+     *  which fires another `refreshCalendarEvents`, which emits again, etc.
+     *  Tight loop = 429 quota burn. */
     private refreshCalendarEvents;
     createCalendarEventLocal(ev: {
         title: string;
@@ -162,6 +187,9 @@ export declare class MailxService {
      *  address. True when at least one past sent message to the same recipient
      *  had a non-empty Cc field. */
     hasCcHistoryTo(email: string): boolean;
+    /** Q49: same shape, for Bcc. Sent folder is the only place Bcc appears,
+     *  so the signal is local-only but still reflects the user's habit. */
+    hasBccHistoryTo(email: string): boolean;
     syncGoogleContacts(): Promise<void>;
     seedContacts(): number;
     /** Explicit add to address book — used by the right-click "Add to contacts"

package/packages/mailx-service/index.js

@@ -71,6 +71,32 @@ async function detectEmailProvider(domain) {
     return null;
 }
 // sanitizeHtml and encodeQuotedPrintable imported from @bobfrankston/mailx-types (shared with Android)
+/** Compare a local task row to an incoming Google task projection. Used by
+ *  refreshTasks to skip no-op upserts that would otherwise emit `tasksUpdated`
+ *  on every poll, feeding back into the UI's getTasks-on-event listener and
+ *  burning the daily Google Tasks API quota. */
+function taskRowEquals(prior, fresh) {
+    return prior.providerId === fresh.providerId
+        && prior.title === fresh.title
+        && (prior.notes || "") === (fresh.notes || "")
+        && (prior.dueMs ?? null) === (fresh.dueMs ?? null)
+        && (prior.completedMs ?? null) === (fresh.completedMs ?? null)
+        && (prior.etag || "") === (fresh.etag || "");
+}
+/** Same shape as taskRowEquals — compares the calendar-event fields the
+ *  Google projection actually carries, ignoring derived/local-only columns. */
+function calendarRowEquals(prior, fresh) {
+    return prior.providerId === fresh.providerId
+        && prior.title === fresh.title
+        && prior.startMs === fresh.startMs
+        && prior.endMs === fresh.endMs
+        && !!prior.allDay === !!fresh.allDay
+        && (prior.location || "") === (fresh.location || "")
+        && (prior.notes || "") === (fresh.notes || "")
+        && (prior.etag || "") === (fresh.etag || "")
+        && (prior.recurringEventId || null) === (fresh.recurringEventId || null)
+        && (prior.htmlLink || null) === (fresh.htmlLink || null);
+}
 // ── Service ──
 export class MailxService {
     db;
@@ -454,6 +480,21 @@ export class MailxService {
      *  5-min poll / sidebar nav re-fired the event and the client re-rendered
      *  the red banner. Cleared when the user hits Re-authenticate. */
     scopeErrorEmitted = new Set();
+    /** Quota cooldown — feature → epoch-ms when the next API call is allowed.
+     *  Set when Google returns 429 (rate limit / daily-quota exceeded). While
+     *  cooldown is in effect, getCalendarEvents/getTasks return local DB rows
+     *  without firing a refresh. Heuristic cooldown is one hour; the daily
+     *  Google Tasks quota actually resets at Pacific midnight, but a one-hour
+     *  short-circuit keeps the log clean and avoids hammering after a burst. */
+    quotaCooldown = new Map();
+    /** Sticky "quota exceeded" emit guard — same shape as scopeErrorEmitted. */
+    quotaErrorEmitted = new Set();
+    /** In-flight refresh promises keyed by feature, so concurrent UI calls
+     *  share one Google round-trip instead of stacking N parallel fetches.
+     *  The fire-and-forget loop where `tasksUpdated` re-triggers `getTasks`
+     *  used to spawn a new refresh on every event RTT — this dedupes them. */
+    refreshingCalendar = new Map();
+    refreshingTasks = new Map();
     /** Delete the cached Google OAuth token (the one used for Calendar / Tasks
      *  / Contacts scopes — NOT the IMAP token which `reauthenticate()` handles)
      *  and clear the sticky auth-error state so a subsequent refresh can
@@ -483,6 +524,8 @@ export class MailxService {
         // can fire a fresh banner. Also trigger a kickoff refresh so the
         // browser consent pops open now instead of on next sidebar nav.
         this.scopeErrorEmitted.clear();
+        this.quotaCooldown.clear();
+        this.quotaErrorEmitted.clear();
         const now = Date.now();
         const horizonMs = 90 * 86400_000;
         this.getCalendarEvents(now, now + horizonMs); // fire-and-forget — triggers consent via primaryTokenProvider
@@ -509,29 +552,78 @@ export class MailxService {
         const acct = this.getPrimaryAccount("calendar");
         if (!acct)
             return [];
-        this.refreshCalendarEvents(acct.id, fromMs, toMs)
-            .then(changed => {
-            if (changed)
-                this.imapManager.emit("calendarUpdated", { accountId: acct.id });
-        })
-            .catch(e => {
-            const msg = String(e?.message || e);
-            console.error(`[calendar] refresh failed: ${msg}`);
-            if (/insufficient (authentication )?scope|PERMISSION_DENIED|403/i.test(msg)) {
-                if (!this.scopeErrorEmitted.has("calendar")) {
-                    this.scopeErrorEmitted.add("calendar");
-                    this.imapManager.emit("authScopeError", {
-                        feature: "calendar",
-                        message: "Google Calendar access needs re-consent.",
-                    });
-                }
+        const acctId = acct.id;
+        // Skip the network entirely while in quota cooldown — return DB rows.
+        if (!this.inQuotaCooldown("calendar")) {
+            let promise = this.refreshingCalendar.get(acctId);
+            if (!promise) {
+                promise = this.refreshCalendarEvents(acctId, fromMs, toMs)
+                    .finally(() => this.refreshingCalendar.delete(acctId));
+                this.refreshingCalendar.set(acctId, promise);
+                promise
+                    .then(changed => {
+                    if (changed)
+                        this.imapManager.emit("calendarUpdated", { accountId: acctId });
+                })
+                    .catch(e => this.handleGoogleRefreshError("calendar", e));
             }
-        });
-        return this.db.getCalendarEvents(acct.id, fromMs, toMs);
+        }
+        return this.db.getCalendarEvents(acctId, fromMs, toMs);
+    }
+    /** Returns true if the feature is currently in a quota-exceeded cooldown. */
+    inQuotaCooldown(feature) {
+        const until = this.quotaCooldown.get(feature);
+        if (!until)
+            return false;
+        if (Date.now() < until)
+            return true;
+        this.quotaCooldown.delete(feature);
+        this.quotaErrorEmitted.delete(feature);
+        return false;
+    }
+    /** Single error-handling path for Google refresh failures.
+     *  Distinguishes 429 (quota) from 401/403 (scope) so each gets the right
+     *  cooldown + sticky-emit treatment without duplicating the regex blocks. */
+    handleGoogleRefreshError(feature, e) {
+        const msg = String(e?.message || e);
+        const status = e instanceof gsync.GoogleHttpError ? e.status : 0;
+        const is429 = status === 429 || /\b429\b|rateLimitExceeded|quotaExceeded|userRateLimitExceeded/i.test(msg);
+        const isScope = !is429 && (status === 401 || status === 403
+            || /insufficient (authentication )?scope|PERMISSION_DENIED|\b403\b/i.test(msg));
+        console.error(`[${feature}] refresh failed: ${msg}`);
+        if (is429) {
+            const cooldownMs = 60 * 60_000; // one hour heuristic
+            this.quotaCooldown.set(feature, Date.now() + cooldownMs);
+            if (!this.quotaErrorEmitted.has(feature)) {
+                this.quotaErrorEmitted.add(feature);
+                this.imapManager.emit("quotaError", {
+                    feature,
+                    message: `Google ${feature} daily quota exceeded — try again later.`,
+                    untilMs: Date.now() + cooldownMs,
+                });
+            }
+            return;
+        }
+        if (isScope) {
+            if (!this.scopeErrorEmitted.has(feature)) {
+                this.scopeErrorEmitted.add(feature);
+                const labels = {
+                    calendar: "Google Calendar", tasks: "Google Tasks", contacts: "Google Contacts",
+                };
+                this.imapManager.emit("authScopeError", {
+                    feature,
+                    message: `${labels[feature] || feature} access needs re-consent.`,
+                });
+            }
+        }
     }
     /** Pull events in [fromMs..toMs) from Google, upsert locally, reconcile
      *  server-side deletions. Returns true if anything changed so callers
-     *  can decide whether to emit a refresh event. */
+     *  can decide whether to emit a refresh event. `changed` is only true
+     *  when at least one row's data actually differs — without this guard
+     *  the UI's `calendarUpdated` listener re-triggers `getCalendarEvents`,
+     *  which fires another `refreshCalendarEvents`, which emits again, etc.
+     *  Tight loop = 429 quota burn. */
     async refreshCalendarEvents(accountId, fromMs, toMs) {
         const tp = await this.primaryTokenProvider("calendar");
         const events = await gsync.listCalendarEvents(tp, fromMs, toMs);
@@ -545,6 +637,8 @@ export class MailxService {
             const local = gsync.calendarEventToLocal(ev, accountId);
             seenProviderIds.add(ev.id);
             const existing = this.db.getCalendarEventByProviderId(accountId, ev.id);
+            if (existing && calendarRowEquals(existing, local))
+                continue;
             this.db.upsertCalendarEvent({ uuid: existing?.uuid, ...local });
             changed = true;
         }
@@ -613,26 +707,23 @@ export class MailxService {
         const acct = this.getPrimaryAccount("tasks");
         if (!acct)
             return [];
-        this.refreshTasks(acct.id, includeCompleted)
-            .then(changed => {
-            if (changed)
-                this.imapManager.emit("tasksUpdated", { accountId: acct.id });
-        })
-            .catch(e => {
-            const msg = String(e?.message || e);
-            console.error(`[tasks] refresh failed: ${msg}`);
-            if (/insufficient (authentication )?scope|PERMISSION_DENIED|403/i.test(msg)) {
-                if (!this.scopeErrorEmitted.has("tasks")) {
-                    this.scopeErrorEmitted.add("tasks");
-                    console.error(`[tasks] Your cached OAuth token doesn't include the 'tasks' scope.`);
-                    this.imapManager.emit("authScopeError", {
-                        feature: "tasks",
-                        message: "Google Tasks access needs re-consent.",
-                    });
-                }
+        const acctId = acct.id;
+        if (!this.inQuotaCooldown("tasks")) {
+            const key = `${acctId}:${includeCompleted ? 1 : 0}`;
+            let promise = this.refreshingTasks.get(key);
+            if (!promise) {
+                promise = this.refreshTasks(acctId, includeCompleted)
+                    .finally(() => this.refreshingTasks.delete(key));
+                this.refreshingTasks.set(key, promise);
+                promise
+                    .then(changed => {
+                    if (changed)
+                        this.imapManager.emit("tasksUpdated", { accountId: acctId });
+                })
+                    .catch(e => this.handleGoogleRefreshError("tasks", e));
             }
-        });
-        return this.db.getTasks(acct.id, includeCompleted);
+        }
+        return this.db.getTasks(acctId, includeCompleted);
     }
     async refreshTasks(accountId, includeCompleted) {
         const tp = await this.primaryTokenProvider("tasks");
@@ -644,8 +735,13 @@ export class MailxService {
         for (const t of tasks) {
             const local = gsync.taskToLocal(t, accountId);
             const prior = existing.find(e => e.providerId === t.id);
-            this.db.upsertTask({ uuid: prior?.uuid, ...local });
             seen.add(t.id);
+            // Skip the upsert when nothing actually differs. Otherwise every
+            // refresh emits `tasksUpdated`, the UI listener calls `getTasks`,
+            // which fires another `refreshTasks` — tight loop, 429 quota burn.
+            if (prior && taskRowEquals(prior, local))
+                continue;
+            this.db.upsertTask({ uuid: prior?.uuid, ...local });
             changed = true;
         }
         // Server-side delete reconciliation: any non-dirty local task whose
@@ -1414,6 +1510,11 @@ export class MailxService {
     hasCcHistoryTo(email) {
         return this.db.hasCcHistoryTo(email);
     }
+    /** Q49: same shape, for Bcc. Sent folder is the only place Bcc appears,
+     *  so the signal is local-only but still reflects the user's habit. */
+    hasBccHistoryTo(email) {
+        return this.db.hasBccHistoryTo(email);
+    }
     async syncGoogleContacts() {
         await this.imapManager.syncAllContacts();
     }

package/packages/mailx-service/jsonrpc.js

@@ -142,6 +142,8 @@ async function dispatchAction(svc, action, p) {
             return svc.searchContacts(p.query);
         case "hasCcHistoryTo":
             return { hasCc: svc.hasCcHistoryTo(p.email) };
+        case "hasBccHistoryTo":
+            return { hasBcc: svc.hasBccHistoryTo(p.email) };
         case "addContact":
             return { ok: svc.addContact(p.name, p.email) };
         case "listContacts":

package/packages/mailx-store/db.d.ts

@@ -10,6 +10,10 @@ export declare class MailxDB {
     /** Fail loud + early if expected columns are missing. Cheap (PRAGMA only
      *  runs at startup). The user-facing message names the recovery command. */
     private verifySchema;
+    /** Fetch a string from the kv table. Returns null when not set. */
+    getKv(scope: string, key: string): string | null;
+    /** Upsert a kv row. Pass `null` to delete. */
+    setKv(scope: string, key: string, value: string | null): void;
     /** One-time: assign UUIDs to every `messages` row that's missing one.
      *  Runs on every startup but the WHERE clause makes it a no-op after the
      *  first pass. */
@@ -27,6 +31,10 @@ export declare class MailxDB {
      *  Sent folder's row count is typically a few thousand at most; acceptable
      *  on the compose-open path. */
     hasCcHistoryTo(recipientEmail: string): boolean;
+    /** Same shape as hasCcHistoryTo for the Bcc field. Bcc only appears in the
+     *  user's own Sent copy, so it's still a reliable signal that this user
+     *  habitually Bccs when writing to this recipient. */
+    hasBccHistoryTo(recipientEmail: string): boolean;
     /** Mark a Message-ID as locally-deleted for an account. No-op if messageId
      *  is empty (e.g. provider stripped the header) — without a stable id we
      *  can't check against future sync results anyway. */
@@ -215,6 +223,12 @@ export declare class MailxDB {
     upsertContact(name: string, email: string): void;
     /** Delete a contact by email (address book UI). */
     deleteContact(email: string): void;
+    /** Delete contact rows by Google People resourceName. Used by the
+     *  incremental People sync when a person comes back with `metadata.deleted = true`
+     *  — the email may have already changed/disappeared, but the resourceName
+     *  is stable. Removes all rows tied to that Google identity (a single
+     *  contact can have multiple email addresses, each is its own row). */
+    deleteContactByGoogleId(googleId: string): number;
     /** Full-text search across all messages. Supports qualifiers: from:, to:, subject: */
     searchMessages(query: string, page?: number, pageSize?: number, accountId?: string, folderId?: number): PagedResult<MessageEnvelope>;
     /** Rebuild FTS index from existing messages */

package/packages/mailx-store/db.js

@@ -219,6 +219,17 @@ const SCHEMA = `
     -- by target_uuid alone ("is this uuid queued for any op?") would otherwise
     -- table-scan. Cheap; store_sync is tiny and write-heavy.
     CREATE INDEX IF NOT EXISTS idx_store_sync_target_uuid ON store_sync(target_uuid);
+    -- Generic per-scope/per-key string store. Used for sync tokens (Google
+    -- People nextSyncToken per account, Gmail history-id, calendar sync token,
+    -- etc.) and any other small bits of state that need to outlive a process
+    -- restart but don't deserve their own table. Keyed by (scope, key).
+    CREATE TABLE IF NOT EXISTS kv (
+        scope TEXT NOT NULL,
+        key TEXT NOT NULL,
+        value TEXT,
+        updated_at INTEGER NOT NULL,
+        PRIMARY KEY(scope, key)
+    );
 `;
 export class MailxDB {
     db;
@@ -277,6 +288,7 @@ export class MailxDB {
     verifySchema() {
         const required = {
             messages: ["thread_id", "provider_id", "uuid"],
+            calendar_events: ["recurring_event_id", "html_link"],
         };
         for (const [table, cols] of Object.entries(required)) {
             let actual;
@@ -293,6 +305,20 @@ export class MailxDB {
             }
         }
     }
+    /** Fetch a string from the kv table. Returns null when not set. */
+    getKv(scope, key) {
+        const r = this.db.prepare("SELECT value FROM kv WHERE scope = ? AND key = ?").get(scope, key);
+        return r?.value ?? null;
+    }
+    /** Upsert a kv row. Pass `null` to delete. */
+    setKv(scope, key, value) {
+        if (value === null) {
+            this.db.prepare("DELETE FROM kv WHERE scope = ? AND key = ?").run(scope, key);
+            return;
+        }
+        this.db.prepare("INSERT INTO kv (scope, key, value, updated_at) VALUES (?, ?, ?, ?) "
+            + "ON CONFLICT(scope, key) DO UPDATE SET value=excluded.value, updated_at=excluded.updated_at").run(scope, key, value, Date.now());
+    }
     /** One-time: assign UUIDs to every `messages` row that's missing one.
      *  Runs on every startup but the WHERE clause makes it a no-op after the
      *  first pass. */
@@ -364,6 +390,28 @@ export class MailxDB {
             return false;
         }
     }
+    /** Same shape as hasCcHistoryTo for the Bcc field. Bcc only appears in the
+     *  user's own Sent copy, so it's still a reliable signal that this user
+     *  habitually Bccs when writing to this recipient. */
+    hasBccHistoryTo(recipientEmail) {
+        const email = (recipientEmail || "").trim().toLowerCase();
+        if (!email)
+            return false;
+        try {
+            const row = this.db.prepare(`
+                SELECT 1 FROM messages m
+                JOIN folders f ON m.folder_id = f.id
+                WHERE f.special_use = 'sent'
+                  AND lower(m.to_json) LIKE ?
+                  AND m.bcc_json IS NOT NULL AND m.bcc_json != '[]' AND m.bcc_json != ''
+                LIMIT 1
+            `).get(`%"${email}"%`);
+            return !!row;
+        }
+        catch {
+            return false;
+        }
+    }
     // ── Tombstones (local-delete record so server echo can't resurrect) ──
     /** Mark a Message-ID as locally-deleted for an account. No-op if messageId
      *  is empty (e.g. provider stripped the header) — without a stable id we
@@ -1155,6 +1203,17 @@ export class MailxDB {
     deleteContact(email) {
         this.db.prepare("DELETE FROM contacts WHERE email = ?").run(email);
     }
+    /** Delete contact rows by Google People resourceName. Used by the
+     *  incremental People sync when a person comes back with `metadata.deleted = true`
+     *  — the email may have already changed/disappeared, but the resourceName
+     *  is stable. Removes all rows tied to that Google identity (a single
+     *  contact can have multiple email addresses, each is its own row). */
+    deleteContactByGoogleId(googleId) {
+        if (!googleId)
+            return 0;
+        const r = this.db.prepare("DELETE FROM contacts WHERE google_id = ?").run(googleId);
+        return Number(r.changes || 0);
+    }
     // ── Search ──
     /** Full-text search across all messages. Supports qualifiers: from:, to:, subject: */
     searchMessages(query, page = 1, pageSize = 50, accountId, folderId) {