@bobfrankston/mailx 1.0.430 → 1.0.433

package/README.md

@@ -15,6 +15,8 @@ mailx
 
 Requires Node.js 22 or later.
 
+The package installs two equivalent commands: **`mailx`** and **`bobmail`**. They're the same binary — `bobmail` is provided as an alternative for environments where `mailx` collides with another tool (most commonly the BSD `mailx`/Heirloom mailx at `/usr/bin/mailx` on macOS and some Linux distributions). Use whichever name doesn't conflict on your system.
+
 On Windows, the native WebView2 app launches automatically via IPC (no HTTP server needed). Use `mailx --server` for browser mode at `http://127.0.0.1:9333`.
 
 ## First-Time Setup

package/client/app.js

@@ -492,16 +492,40 @@ document.getElementById("btn-restart-quick")?.addEventListener("click", async ()
     if (restartDropdown)
         restartDropdown.hidden = true;
     if (isApp) {
-        // Android: check for updates before reloading
+        // Android has no daemon — only the WebView. Reload-the-page is the
+        // right action there. Desktop IPC mode is a different story below.
         if (window.mailxapi?.platform === "android") {
             const f = document.createElement("iframe");
             f.style.display = "none";
             f.src = "mailxapi://checkUpdate";
             document.body.appendChild(f);
             setTimeout(() => f.remove(), 100);
+            location.reload();
+            return;
+        }
+        // Desktop IPC mode: there IS a daemon (the --daemon child of mailx)
+        // running mailx-service / mailx-imap / mailx-store. Just calling
+        // location.reload() reloads the WebView but the daemon keeps running
+        // the old code, so daemon-side changes (sync, store, IPC handlers)
+        // don't get picked up. Trigger restartDaemon — it spawns a fresh
+        // `mailx` process, hands off the instance.json slot, then gracefully
+        // shuts down the current daemon. The UI reloads after a short delay
+        // so the new daemon's WebView replaces this one.
+        const statusSync = document.getElementById("status-sync");
+        if (statusSync)
+            statusSync.textContent = "Restarting...";
+        const ipc = window.mailxapi;
+        if (ipc?.restartDaemon) {
+            try {
+                await ipc.restartDaemon();
+            }
+            catch { /* daemon shutting down */ }
+            setTimeout(() => location.reload(), 2000);
+        }
+        else {
+            // Older host with no restartDaemon IPC — fall back to UI reload.
+            location.reload();
         }
-        // IPC mode: reload the UI (no server to restart)
-        location.reload();
     }
     else {
         const statusSync = document.getElementById("status-sync");

package/client/components/message-viewer.js

@@ -358,60 +358,32 @@ export async function showMessage(accountId, uid, folderId, specialUse, isRetry
         }
         headerEl.querySelector(".mv-date").textContent = new Date(msg.date).toLocaleString(undefined, { year: "numeric", month: "short", day: "numeric", hour: "2-digit", minute: "2-digit", hour12: false });
         // Unsubscribe button (upper right of header).
-        // Priority:
-        //   1. RFC 8058 one-click (HTTPS + List-Unsubscribe-Post header) — POST server-side
-        //   2. HTTPS URL — open in a new tab (two-click flow, usually a confirmation page)
-        //   3. mailto: URL — open a pre-filled compose window (so the unsubscribe
-        //      reply gets sent from the correct mailx account, not the OS default
-        //      mail handler)
+        //   - HTTPS URL: open externally (same path as right-click → open link
+        //     in a new window). Earlier code attempted RFC 8058 one-click POST
+        //     first, but the IPC path was failing silently — the button "moved
+        //     a tad" (CSS :active) but no visible feedback. User preference:
+        //     just open the link, the way the working right-click does.
+        //   - mailto: URL: open a pre-filled compose window so the reply gets
+        //     sent from the correct mailx account, not the OS default mail
+        //     handler.
         const unsubBtn = document.getElementById("mv-unsubscribe");
         const httpUrl = msg.listUnsubscribeHttp || "";
         const mailUrl = msg.listUnsubscribeMail || "";
-        const oneClick = !!msg.listUnsubscribeOneClick;
         const anyUrl = httpUrl || mailUrl || msg.listUnsubscribe || "";
         if (unsubBtn) {
             if (anyUrl) {
                 unsubBtn.hidden = false;
-                unsubBtn.textContent = oneClick && httpUrl ? "Unsubscribe (1-click)" : "Unsubscribe";
+                unsubBtn.textContent = "Unsubscribe";
                 unsubBtn.removeAttribute("title");
                 unsubBtn.href = httpUrl || mailUrl || "#";
-                unsubBtn.onclick = async (e) => {
+                unsubBtn.onclick = (e) => {
                     e.preventDefault();
-                    const status = document.getElementById("status-sync");
-                    // Always attempt POST first when there's an HTTPS URL,
-                    // regardless of whether the message advertised the
-                    // `List-Unsubscribe-Post: List-Unsubscribe=One-Click`
-                    // header. Many senders provide a POST-capable endpoint
-                    // without setting the Post header. Server side already
-                    // falls back to GET internally on 4xx, so trying POST
-                    // first never makes things worse and avoids a tab full
-                    // of "are you sure?" ceremony when the endpoint would
-                    // have just accepted POST.
                     if (httpUrl) {
-                        unsubBtn.textContent = "Unsubscribing…";
-                        try {
-                            const { unsubscribeOneClick } = await import("../lib/api-client.js");
-                            const r = await unsubscribeOneClick(httpUrl);
-                            if (r?.ok) {
-                                unsubBtn.textContent = "Unsubscribed";
-                                if (status)
-                                    status.textContent = `Unsubscribed (HTTP ${r.status})`;
-                            }
-                            else {
-                                unsubBtn.textContent = `Failed: HTTP ${r?.status ?? "?"}`;
-                                if (status)
-                                    status.textContent = `Unsubscribe failed: ${r?.status} ${r?.statusText || ""}`.trim();
-                                // Last-resort fallback: open the URL in a tab so
-                                // the user can complete the flow manually.
-                                window.open(httpUrl, "_blank");
-                            }
-                        }
-                        catch (err) {
-                            unsubBtn.textContent = "Unsubscribe failed";
-                            if (status)
-                                status.textContent = `Unsubscribe error: ${err.message}`;
-                            window.open(httpUrl, "_blank");
-                        }
+                        const api = window.mailxapi;
+                        if (api?.openExternal)
+                            api.openExternal(httpUrl);
+                        else
+                            window.open(httpUrl, "_blank", "noopener,noreferrer");
                         return;
                     }
                     if (mailUrl) {

package/client/compose/compose.css

@@ -262,6 +262,70 @@ body {
     font-size: 0.8em;
 }
 
+/* Source badge in the autocomplete row. Custom user tags from
+ * contacts.jsonc#preferred[] (e.g. "work", "family") flow through verbatim;
+ * system sources show as 'google' / 'discovered' / 'preferred'. Inline-block
+ * so the small uppercased text doesn't push layout. */
+.ac-item-source {
+    color: var(--color-text-muted);
+    font-size: 0.7em;
+    text-transform: uppercase;
+    letter-spacing: 0.04em;
+    opacity: 0.7;
+    margin-top: 2px;
+}
+
+/* Modal overlay used by Add-to-preferred dialog. Lightweight; shares no
+ * CSS with the main app's modal because compose runs in its own document. */
+.modal-overlay {
+    position: fixed;
+    inset: 0;
+    background: rgba(0,0,0,0.4);
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    z-index: 1000;
+}
+.modal-overlay .modal {
+    background: var(--color-bg-surface);
+    border-radius: var(--radius-md);
+    padding: var(--gap-md);
+    min-width: 360px;
+    max-width: 90%;
+    box-shadow: 0 8px 24px rgba(0,0,0,0.4);
+    & h3 { margin: 0 0 var(--gap-sm); }
+    & p.muted { color: var(--color-text-muted); font-size: 0.85em; margin: 0 0 var(--gap-sm); }
+    & label {
+        display: block;
+        margin-bottom: var(--gap-sm);
+        font-size: var(--font-size-sm);
+        & input {
+            display: block;
+            width: 100%;
+            padding: 4px 6px;
+            margin-top: 2px;
+            background: var(--color-bg-input);
+            border: 1px solid var(--color-border);
+            border-radius: var(--radius-sm);
+            color: var(--color-text);
+        }
+    }
+    & .modal-actions {
+        display: flex;
+        justify-content: flex-end;
+        gap: var(--gap-sm);
+        margin-top: var(--gap-sm);
+        & button.primary {
+            background: var(--color-primary, #4a90e2);
+            color: white;
+            border: none;
+            padding: 4px 12px;
+            border-radius: var(--radius-sm);
+            cursor: pointer;
+        }
+    }
+}
+
 /* ── tiptap editor ── */
 .editor-tiptap {
     display: flex;

package/client/compose/compose.js

@@ -4,7 +4,8 @@
  * Receives init data via window.opener.postMessage or URL params.
  */
 import { createEditor } from "./editor.js";
-import { getSettings, getAccounts, searchContacts, saveDraft as apiSaveDraft, deleteDraft, logClientEvent } from "../lib/api-client.js";
+import { getSettings, getAccounts, searchContacts, saveDraft as apiSaveDraft, deleteDraft, logClientEvent, addPreferredContact, addToDenylist } from "../lib/api-client.js";
+import { showContextMenu } from "../components/context-menu.js";
 // Very first line the iframe runs — if this doesn't reach Node, the iframe
 // itself isn't loading or the bridge is completely broken.
 logClientEvent("compose-module-loaded", { href: location.href, version: window.mailxVersion || "?" });
@@ -263,6 +264,77 @@ function smartTab(current) {
     editor.focus();
 }
 // ── Autocomplete ──
+/** Right-click on an autocomplete row → contextual actions. Two paths:
+ *  - Add to preferred (small modal: name / email / source-tag / org → write to
+ *    contacts.jsonc#preferred[])
+ *  - Never suggest this address (write to contacts.jsonc#denylist[]; the
+ *    service-side handler purges any matching discovered rows on apply) */
+function showAutocompleteContextMenu(e, row) {
+    showContextMenu(e.clientX, e.clientY, [
+        {
+            label: "Add to preferred…",
+            action: () => openAddToPreferredModal(row),
+        },
+        {
+            label: "Never suggest this address",
+            action: async () => {
+                try {
+                    await addToDenylist(row.email);
+                }
+                catch (err) {
+                    alert(`Failed to add to denylist: ${err?.message || err}`);
+                }
+            },
+        },
+    ]);
+}
+function openAddToPreferredModal(prefill) {
+    const overlay = document.createElement("div");
+    overlay.className = "modal-overlay";
+    overlay.innerHTML = `
+        <div class="modal" role="dialog" aria-label="Add to preferred contacts">
+            <h3>Add to preferred</h3>
+            <p class="muted">Saved to <code>contacts.jsonc</code> on your shared drive.</p>
+            <label>Name <input type="text" id="pf-name" /></label>
+            <label>Email <input type="email" id="pf-email" /></label>
+            <label>Source tag <input type="text" id="pf-source" placeholder="(optional — e.g. work, family)" /></label>
+            <label>Organization <input type="text" id="pf-org" placeholder="(optional)" /></label>
+            <div class="modal-actions">
+                <button id="pf-cancel">Cancel</button>
+                <button id="pf-save" class="primary">Save</button>
+            </div>
+        </div>
+    `;
+    document.body.appendChild(overlay);
+    overlay.querySelector("#pf-name").value = prefill.name || "";
+    overlay.querySelector("#pf-email").value = prefill.email || "";
+    // Pre-fill source from existing tag if it's already a custom one (not a system source).
+    const sysSources = new Set(["google", "discovered", "preferred", ""]);
+    const initSource = sysSources.has(prefill.source || "") ? "" : prefill.source;
+    overlay.querySelector("#pf-source").value = initSource;
+    const close = () => overlay.remove();
+    overlay.querySelector("#pf-cancel").addEventListener("click", close);
+    overlay.addEventListener("click", (ev) => { if (ev.target === overlay)
+        close(); });
+    overlay.querySelector("#pf-save").addEventListener("click", async () => {
+        const name = overlay.querySelector("#pf-name").value.trim();
+        const email = overlay.querySelector("#pf-email").value.trim();
+        const source = overlay.querySelector("#pf-source").value.trim();
+        const org = overlay.querySelector("#pf-org").value.trim();
+        if (!email) {
+            alert("Email is required.");
+            return;
+        }
+        try {
+            await addPreferredContact({ name, email, source, organization: org });
+            close();
+        }
+        catch (err) {
+            alert(`Failed to save: ${err?.message || err}`);
+        }
+    });
+    overlay.querySelector("#pf-name").focus();
+}
 function setupAutocomplete(input) {
     let dropdown = null;
     let activeIndex = -1;
@@ -318,9 +390,20 @@ function setupAutocomplete(input) {
                         const emailEl = document.createElement("span");
                         emailEl.className = "ac-item-email";
                         emailEl.textContent = results[i].email;
+                        // Source badge — shows where this row came from. Custom
+                        // user tags from contacts.jsonc preferred entries
+                        // (`source: "work"`, `source: "family"`) flow through
+                        // verbatim; system sources show as 'google' / 'discovered'
+                        // / 'preferred'. Helps disambiguate two rows with the
+                        // same email but different names (Bob's wife vs Bob Smith).
+                        const sourceEl = document.createElement("span");
+                        sourceEl.className = "ac-item-source";
+                        sourceEl.textContent = results[i].source || "";
                         item.appendChild(nameEl);
                         if (results[i].name)
                             item.appendChild(emailEl);
+                        if (results[i].source)
+                            item.appendChild(sourceEl);
                         item.addEventListener("mousedown", (e) => {
                             e.preventDefault();
                             const display = results[i].name
@@ -328,6 +411,16 @@ function setupAutocomplete(input) {
                                 : results[i].email;
                             replaceLastToken(display);
                         });
+                        // Right-click → contextual actions on this autocomplete
+                        // row. Two paths: promote to preferred (writes to
+                        // contacts.jsonc#preferred[]) or denylist (writes to
+                        // contacts.jsonc#denylist[] and purges any matching
+                        // discovered rows). Both round-trip through cloudWrite.
+                        item.addEventListener("contextmenu", (e) => {
+                            e.preventDefault();
+                            e.stopPropagation();
+                            showAutocompleteContextMenu(e, results[i]);
+                        });
                         dropdown.appendChild(item);
                     }
                     input.parentElement.appendChild(dropdown);
@@ -974,7 +1067,13 @@ function formatSize(n) {
         return `${(n / 1024).toFixed(1)} KB`;
     return `${(n / (1024 * 1024)).toFixed(1)} MB`;
 }
+/** Set when the user clicks Attach — the native file picker eats the Esc
+ *  press, but on Windows WebView2 the keydown can still spill to the page
+ *  and trip the document-level Esc-closes-compose handler. While this flag
+ *  is set, that handler short-circuits. Cleared shortly after click. */
+let attachJustClicked = 0;
 document.getElementById("btn-attach")?.addEventListener("click", () => {
+    attachJustClicked = Date.now();
     fileInput?.click();
 });
 async function ingestFiles(files) {
@@ -1065,6 +1164,12 @@ document.addEventListener("keydown", (e) => {
         document.getElementById("btn-send")?.click();
     }
     if (e.key === "Escape") {
+        // If the user just clicked Attach, the native file picker is up.
+        // The picker swallows the Esc that dismissed it, but the keydown can
+        // still bubble here on WebView2 — closing the whole compose. Suppress
+        // for a short window after the attach click.
+        if (Date.now() - attachJustClicked < 1500)
+            return;
         e.preventDefault();
         handleCloseRequest();
     }

package/client/index.html

@@ -70,7 +70,7 @@
                     <span class="tb-icon">⚡</span><span class="tb-label"> Restart ▾</span>
                 </button>
                 <div class="tb-menu-dropdown" id="restart-dropdown" hidden>
-                    <button class="tb-menu-item" id="btn-restart-quick" title="Reload the page">Reload</button>
+                    <button class="tb-menu-item" id="btn-restart-quick" title="Restart the mailx daemon and reload the UI — picks up new code after a build">Restart</button>
                     <button class="tb-menu-item" id="btn-update" title="Check for updates and install if available">Check for updates</button>
                     <button class="tb-menu-item" id="btn-rebuild" title="Wipe local DB and message cache, re-download everything. Accounts and settings are preserved. Safe and fast.">Rebuild local cache</button>
                     <hr class="tb-menu-sep">

package/client/lib/api-client.js

@@ -206,6 +206,12 @@ export function upsertContact(name, email) {
 export function deleteContact(email) {
     return ipc().deleteContact(email);
 }
+export function addPreferredContact(entry) {
+    return ipc().addPreferredContact(entry.name, entry.email, entry.source, entry.organization);
+}
+export function addToDenylist(email) {
+    return ipc().addToDenylist(email);
+}
 export function openLocalPath(which) {
     return ipc().openLocalPath(which);
 }

package/client/lib/mailxapi.js

@@ -166,6 +166,15 @@
         deleteContact: function(email) {
             return callNode("deleteContact", { email: email });
         },
+        addPreferredContact: function(name, email, source, organization) {
+            return callNode("addPreferredContact", {
+                name: name || "", email: email,
+                source: source || "", organization: organization || "",
+            });
+        },
+        addToDenylist: function(email) {
+            return callNode("addToDenylist", { email: email });
+        },
         openLocalPath: function(which) {
             return callNode("openLocalPath", { which: which });
         },

package/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/mailx-client",
-  "version": "1.0.15",
+  "version": "1.0.16",
   "private": true,
   "type": "module",
   "scripts": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/mailx",
-  "version": "1.0.430",
+  "version": "1.0.433",
   "description": "Local-first email client with IMAP sync and standalone native app",
   "type": "module",
   "main": "bin/mailx.js",

package/packages/mailx-imap/index.js

@@ -3513,7 +3513,7 @@ export class ImapManager extends EventEmitter {
      *  configChanged so the UI can show a "restart to apply" banner. Uses
      *  a debounce to coalesce rapid writes from save tools. */
     watchConfigFiles() {
-        const files = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc"];
+        const files = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc", "contacts.jsonc"];
         const configDir = getConfigDir();
         const debounce = new Map();
         // Cache the last-seen normalized content per file. fs.watch fires on
@@ -3579,7 +3579,7 @@ export class ImapManager extends EventEmitter {
         // compare to local, and write-through on difference. The local
         // fs.watch above then picks up the write and emits configChanged.
         // config.jsonc is per-machine / local-only — never polled.
-        const cloudFiles = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc"];
+        const cloudFiles = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "contacts.jsonc"];
         const CLOUD_POLL_MS = 3 * 60 * 1000;
         // normalize() reused from the fs.watch block above — same intent:
         // cloud round-trips that re-wrap newlines / add a trailing newline are

package/packages/mailx-service/index.d.ts

@@ -11,6 +11,25 @@ export declare class MailxService {
     private imapManager;
     private _accountsCache;
     constructor(db: MailxDB, imapManager: ImapManager);
+    /** Read contacts.jsonc from cloud + apply preferred/denylist to the DB.
+     *  No-op if the file is missing or empty. */
+    loadContactsConfig(): Promise<{
+        preferred: number;
+        purged: number;
+        conflicts: string[];
+    } | null>;
+    /** Append an entry to contacts.jsonc#preferred[] and write back to cloud,
+     *  then re-apply. Mutates the file in place — preserves existing entries
+     *  and the user's hand-formatting where the parser permits. */
+    addPreferredContact(entry: {
+        name: string;
+        email: string;
+        source?: string;
+        organization?: string;
+    }): Promise<void>;
+    /** Append an email to contacts.jsonc#denylist[] and write back to cloud,
+     *  then re-apply (which purges any matching discovered rows). */
+    addToDenylist(email: string): Promise<void>;
     /** Return accounts from cache — load once, reuse until configChanged. */
     private getCachedAccounts;
     getAccounts(): any[];

package/packages/mailx-service/index.js

@@ -112,7 +112,94 @@ export class MailxService {
         this.imapManager.on?.("configChanged", (filename) => {
             if (filename === "accounts.jsonc")
                 this._accountsCache = null;
+            if (filename === "contacts.jsonc") {
+                this.loadContactsConfig().catch(e => console.error(`  [contacts] reload failed: ${e?.message || e}`));
+            }
         });
+        // Initial load of contacts.jsonc — fire-and-forget; missing file is fine.
+        this.loadContactsConfig().catch(() => { });
+    }
+    /** Read contacts.jsonc from cloud + apply preferred/denylist to the DB.
+     *  No-op if the file is missing or empty. */
+    async loadContactsConfig() {
+        let raw = null;
+        try {
+            const { cloudRead } = await import("@bobfrankston/mailx-settings");
+            raw = await cloudRead("contacts.jsonc");
+        }
+        catch { /* cloud unavailable — leave config empty */ }
+        if (!raw) {
+            // No file yet. Make sure the in-memory denylist is empty.
+            this.db.applyContactsConfig({ preferred: [], denylist: [] });
+            return null;
+        }
+        const { parse: parseJsonc } = await import("jsonc-parser");
+        const errors = [];
+        const cfg = parseJsonc(raw, errors, { allowTrailingComma: true });
+        if (errors.length) {
+            console.error(`  [contacts] contacts.jsonc has parse errors — applying empty config: ${errors.map((e) => e.error).join(", ")}`);
+            this.db.applyContactsConfig({ preferred: [], denylist: [] });
+            return null;
+        }
+        return this.db.applyContactsConfig(cfg || {});
+    }
+    /** Append an entry to contacts.jsonc#preferred[] and write back to cloud,
+     *  then re-apply. Mutates the file in place — preserves existing entries
+     *  and the user's hand-formatting where the parser permits. */
+    async addPreferredContact(entry) {
+        const { cloudRead, cloudWrite } = await import("@bobfrankston/mailx-settings");
+        const { parse: parseJsonc } = await import("jsonc-parser");
+        let cfg = {};
+        const raw = await cloudRead("contacts.jsonc");
+        if (raw) {
+            try {
+                cfg = parseJsonc(raw, [], { allowTrailingComma: true }) || {};
+            }
+            catch {
+                cfg = {};
+            }
+        }
+        if (!Array.isArray(cfg.preferred))
+            cfg.preferred = [];
+        // Dedup: skip if an entry with the same email + name + source already exists.
+        const dupKey = `${(entry.source || "preferred").toLowerCase()}|${entry.email.toLowerCase()}|${(entry.name || "").toLowerCase()}`;
+        const exists = cfg.preferred.some((e) => `${(e?.source || "preferred").toLowerCase()}|${(e?.email || "").toLowerCase()}|${(e?.name || "").toLowerCase()}` === dupKey);
+        if (!exists) {
+            const row = { name: entry.name || "", email: entry.email };
+            if (entry.source)
+                row.source = entry.source;
+            if (entry.organization)
+                row.organization = entry.organization;
+            cfg.preferred.push(row);
+        }
+        await cloudWrite("contacts.jsonc", JSON.stringify(cfg, null, 2));
+        await this.loadContactsConfig();
+    }
+    /** Append an email to contacts.jsonc#denylist[] and write back to cloud,
+     *  then re-apply (which purges any matching discovered rows). */
+    async addToDenylist(email) {
+        const lower = (email || "").trim().toLowerCase();
+        if (!lower)
+            return;
+        const { cloudRead, cloudWrite } = await import("@bobfrankston/mailx-settings");
+        const { parse: parseJsonc } = await import("jsonc-parser");
+        let cfg = {};
+        const raw = await cloudRead("contacts.jsonc");
+        if (raw) {
+            try {
+                cfg = parseJsonc(raw, [], { allowTrailingComma: true }) || {};
+            }
+            catch {
+                cfg = {};
+            }
+        }
+        if (!Array.isArray(cfg.denylist))
+            cfg.denylist = [];
+        if (!cfg.denylist.some((e) => (e || "").toLowerCase() === lower)) {
+            cfg.denylist.push(email);
+        }
+        await cloudWrite("contacts.jsonc", JSON.stringify(cfg, null, 2));
+        await this.loadContactsConfig();
     }
     /** Return accounts from cache — load once, reuse until configChanged. */
     getCachedAccounts() {
@@ -1597,7 +1684,7 @@ export class MailxService {
      *  Names are whitelisted so the UI can't read arbitrary files.
      *  `config.jsonc` is the local per-machine config (not cloud-synced). */
     async readJsoncFile(name) {
-        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc"];
+        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc", "contacts.jsonc"];
         if (!WHITELIST.includes(name))
             throw new Error(`File not allowed: ${name}`);
         if (name === "config.jsonc") {
@@ -1615,7 +1702,7 @@ export class MailxService {
     /** Return the help section for a named config file, extracted from docs/config-help.md.
      *  Matches a level-2 heading whose text equals the filename. Returns markdown. */
     async readConfigHelp(name) {
-        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc"];
+        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc", "contacts.jsonc"];
         if (!WHITELIST.includes(name))
             return "";
         // Look in the repo root (dev) and in the installed package dir (production).
@@ -1654,7 +1741,7 @@ export class MailxService {
     /** Write a JSONC config file. Validates that the content parses as JSONC
      *  (loosely — strips comments/trailing commas) before writing. */
     async writeJsoncFile(name, content) {
-        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc"];
+        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc", "contacts.jsonc"];
         if (!WHITELIST.includes(name))
             throw new Error(`File not allowed: ${name}`);
         // Validate the content parses before writing

package/packages/mailx-service/jsonrpc.js

@@ -152,6 +152,14 @@ async function dispatchAction(svc, action, p) {
             return svc.upsertContact(p.name, p.email);
         case "deleteContact":
             return svc.deleteContact(p.email);
+        case "addPreferredContact":
+            await svc.addPreferredContact({ name: p.name, email: p.email, source: p.source, organization: p.organization });
+            return { ok: true };
+        case "addToDenylist":
+            await svc.addToDenylist(p.email);
+            return { ok: true };
+        case "loadContactsConfig":
+            return { result: await svc.loadContactsConfig() };
         case "openLocalPath":
             return await svc.openLocalPath(p.which);
         case "getThreadMessages":

package/packages/mailx-store/db.d.ts

@@ -196,20 +196,53 @@ export declare class MailxDB {
     rollbackTransaction(): void;
     /** Record an address used in sent mail */
     recordSentAddress(name: string, email: string): void;
-    /** Seed contacts from every address that appears in any cached message —
-     *  From, To, Cc, Bcc — across all folders. The original implementation
-     *  only scanned `from_address`, so addresses you'd sent to (To/Cc on
-     *  outgoing mail) never made it into autocomplete unless they had also
-     *  written back to you. That left compose unable to suggest people you
-     *  email regularly but who never reply. This pass walks the JSON arrays
-     *  too. Dedup by lowercased email; per-address `use_count` is the total
-     *  occurrences across the corpus, `last_used` is the most recent message
-     *  date in any field. Existing rows have their counters bumped (instead of
-     *  the old skip-if-exists behavior) so periodic re-seeds keep recency
-     *  fresh — `received`-tagged rows get usage data from observed traffic;
-     *  `sent` and `google` rows are left alone (they're authoritative). */
+    /** True if `email` (lowercased) appears in the active denylist. Cached
+     *  in-memory; refreshed on contacts.jsonc reload via setContactsDenylist. */
+    private _denylist;
+    isAddressDenylisted(emailLower: string): boolean;
+    setContactsDenylist(emails: string[]): void;
+    /** Seed `discovered`-tier contacts from every address that appears in
+     *  any cached message — From / To / Cc / Bcc across all folders. One row
+     *  per email; first non-empty name observed wins. Sent-folder rows skip
+     *  the From (it's us). Junk addresses (noreply, mailer-daemon, *-bounces)
+     *  and denylisted addresses are dropped at seed time so they never enter
+     *  autocomplete.
+     *
+     *  Discovered is a single tier; sub-distinctions like sent-vs-received
+     *  collapse here because the user-facing UI shows them as one "discovered"
+     *  source. Recency-weighted use_count differentiates within the tier. */
     seedContactsFromMessages(): number;
-    /** Search contacts by name or email prefix */
+    /** Apply the contents of contacts.jsonc — replaces all preferred-tier rows
+     *  with the entries in `preferred[]`, sets the in-memory denylist, and
+     *  purges any discovered rows whose email is now denylisted. Preferred
+     *  rows are *not* auto-purged on denylist hit — if the user explicitly
+     *  added them they win that conflict; we just log a warning. */
+    applyContactsConfig(cfg: {
+        preferred?: {
+            name?: string;
+            email: string;
+            source?: string;
+            organization?: string;
+            org?: string;
+        }[];
+        denylist?: string[];
+    }): {
+        preferred: number;
+        purged: number;
+        conflicts: string[];
+    };
+    /** Search contacts by name or email prefix.
+     *
+     *  Source-tier bonus is what makes the curated address book win against
+     *  passive corpus harvest. Anything in `contacts.jsonc#preferred[]` (any
+     *  source value other than the two reserved system sources) gets the
+     *  highest tier — that's the user's explicit address book and overrides
+     *  Google. Google sits in the middle (the auto-synced address book).
+     *  `discovered` is the corpus-harvested floor.
+     *
+     *  Multi-name-per-email is supported: the same email can carry distinct
+     *  (source, name) rows — Bob's wife and Bob Smith both at bob@example.com
+     *  surface as two rows, each typing-completable by their own name. */
     searchContacts(query: string, limit?: number): {
         name: string;
         email: string;

package/packages/mailx-store/db.js

@@ -7,6 +7,27 @@ import { DatabaseSync } from "node:sqlite";
 import { randomUUID } from "node:crypto";
 import * as path from "node:path";
 import * as fs from "node:fs";
+/** Addresses that have no business in autocomplete. Standard automated
+ *  sender patterns plus name-side hints ("MAILER-DAEMON" etc.). The exact
+ *  match list keeps surprise low; the regex catches the long tail of
+ *  *-bounces@, no-reply variants, and listserv-style addresses. */
+const JUNK_LOCAL_RE = /^(no-?reply|do-?not-?reply|noreply|mailer-daemon|postmaster|abuse|automated|bounce(s|d)?|list-?(server|admin|owner|manager)?|notification|notifications?|admin@.*automated|root|daemon|nobody|undisclosed)$/i;
+const JUNK_LOCAL_SUFFIX_RE = /(-bounces|\+bounces|-noreply|-no-reply|-notifications?|-mailer)$/i;
+function isJunkContact(email, name) {
+    const local = email.split("@")[0] || "";
+    if (JUNK_LOCAL_RE.test(local))
+        return true;
+    if (JUNK_LOCAL_SUFFIX_RE.test(local))
+        return true;
+    // Bare numeric / hex addresses (rotating IDs from automated systems)
+    // — three or fewer chars is too short to be useful regardless.
+    if (local.length < 2)
+        return true;
+    const lname = (name || "").trim().toLowerCase();
+    if (lname.includes("mailer-daemon") || lname.includes("postmaster"))
+        return true;
+    return false;
+}
 const SCHEMA = `
     CREATE TABLE IF NOT EXISTS accounts (
         id TEXT PRIMARY KEY,
@@ -94,7 +115,7 @@ const SCHEMA = `
 
     CREATE TABLE IF NOT EXISTS contacts (
         id INTEGER PRIMARY KEY AUTOINCREMENT,
-        source TEXT NOT NULL DEFAULT 'sent',
+        source TEXT NOT NULL DEFAULT 'discovered',
         google_id TEXT,
         name TEXT DEFAULT '',
         email TEXT NOT NULL,
@@ -102,7 +123,7 @@ const SCHEMA = `
         last_used INTEGER DEFAULT 0,
         use_count INTEGER DEFAULT 0,
         updated_at INTEGER NOT NULL,
-        UNIQUE(email)
+        UNIQUE(source, email, name)
     );
 
     CREATE INDEX IF NOT EXISTS idx_contacts_email ON contacts(email);
@@ -275,6 +296,41 @@ export class MailxDB {
         // this column landed. One UPDATE + an id roundtrip per row — cheap
         // at our row counts, runs once per DB upgrade.
         this.backfillUuids();
+        // One-shot contacts table reset: the contacts schema's UNIQUE constraint
+        // was widened from `(email)` to `(source, email, name)` so the same
+        // address can carry multiple distinct (name, source) entries — Bob's
+        // wife at bob@example.com and a separate `Bob Smith <bob@example.com>`
+        // for work, both legitimate. Old rows with the email-only unique key
+        // would block the new inserts. Per user "don't migrate, start fresh":
+        // drop the old table, recreate it via SCHEMA, reseed from messages on
+        // next sync. Gated by a kv flag so we run exactly once per machine.
+        const contactsResetFlag = this.getKv("schema", "contacts_v2");
+        if (!contactsResetFlag) {
+            try {
+                this.db.exec("DROP TABLE IF EXISTS contacts");
+                this.db.exec(`
+                    CREATE TABLE contacts (
+                        id INTEGER PRIMARY KEY AUTOINCREMENT,
+                        source TEXT NOT NULL DEFAULT 'discovered',
+                        google_id TEXT,
+                        name TEXT DEFAULT '',
+                        email TEXT NOT NULL,
+                        organization TEXT DEFAULT '',
+                        last_used INTEGER DEFAULT 0,
+                        use_count INTEGER DEFAULT 0,
+                        updated_at INTEGER NOT NULL,
+                        UNIQUE(source, email, name)
+                    );
+                    CREATE INDEX IF NOT EXISTS idx_contacts_email ON contacts(email);
+                    CREATE INDEX IF NOT EXISTS idx_contacts_name ON contacts(name);
+                `);
+                this.setKv("schema", "contacts_v2", String(Date.now()));
+                console.log("  [db] contacts table reset to v2 schema (multi-name-per-email)");
+            }
+            catch (e) {
+                console.error(`  [db] contacts v2 reset failed: ${e.message}`);
+            }
+        }
         // Post-migration sanity check: verify the columns we actually read in
         // SELECTs exist. If any migration silently failed (stale driver, DB
         // file locked, permission error), later code would throw cryptic
@@ -1084,42 +1140,55 @@ export class MailxDB {
     // ── Contacts ──
     /** Record an address used in sent mail */
     recordSentAddress(name, email) {
-        // Don't pollute the contacts table with non-addresses. Anything without
-        // an @ or without a TLD-ish tail would show up in autocomplete and end
-        // up back in To/Cc headers as "Name <not an email>".
+        // Don't pollute the contacts table with non-addresses.
         if (!email || !/^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$/.test(email))
             return;
+        const lower = email.toLowerCase();
+        if (this.isAddressDenylisted(lower))
+            return;
         const now = Date.now();
-        const existing = this.db.prepare("SELECT id FROM contacts WHERE email = ?").get(email);
+        // discovered tier holds one row per email — bump if present, else
+        // insert. Doesn't touch preferred or google rows for the same email;
+        // those are independent address-book entries the user/Google curates.
+        const existing = this.db.prepare("SELECT id, name FROM contacts WHERE source = 'discovered' AND lower(email) = ?").get(lower);
         if (existing) {
-            this.db.prepare("UPDATE contacts SET name = CASE WHEN ? != '' THEN ? ELSE name END, last_used = ?, use_count = use_count + 1, updated_at = ? WHERE email = ?").run(name, name, now, now, email);
+            this.db.prepare("UPDATE contacts SET name = CASE WHEN name = '' AND ? != '' THEN ? ELSE name END, last_used = ?, use_count = use_count + 1, updated_at = ? WHERE id = ?").run(name, name, now, now, existing.id);
         }
         else {
-            this.db.prepare("INSERT INTO contacts (source, name, email, last_used, use_count, updated_at) VALUES ('sent', ?, ?, ?, 1, ?)").run(name, email, now, now);
+            this.db.prepare("INSERT INTO contacts (source, name, email, last_used, use_count, updated_at) VALUES ('discovered', ?, ?, ?, 1, ?)").run(name || "", email, now, now);
         }
     }
-    /** Seed contacts from every address that appears in any cached message —
-     *  From, To, Cc, Bcc — across all folders. The original implementation
-     *  only scanned `from_address`, so addresses you'd sent to (To/Cc on
-     *  outgoing mail) never made it into autocomplete unless they had also
-     *  written back to you. That left compose unable to suggest people you
-     *  email regularly but who never reply. This pass walks the JSON arrays
-     *  too. Dedup by lowercased email; per-address `use_count` is the total
-     *  occurrences across the corpus, `last_used` is the most recent message
-     *  date in any field. Existing rows have their counters bumped (instead of
-     *  the old skip-if-exists behavior) so periodic re-seeds keep recency
-     *  fresh — `received`-tagged rows get usage data from observed traffic;
-     *  `sent` and `google` rows are left alone (they're authoritative). */
+    /** True if `email` (lowercased) appears in the active denylist. Cached
+     *  in-memory; refreshed on contacts.jsonc reload via setContactsDenylist. */
+    _denylist = new Set();
+    isAddressDenylisted(emailLower) {
+        return this._denylist.has(emailLower);
+    }
+    setContactsDenylist(emails) {
+        this._denylist = new Set(emails.map(e => (e || "").trim().toLowerCase()).filter(Boolean));
+    }
+    /** Seed `discovered`-tier contacts from every address that appears in
+     *  any cached message — From / To / Cc / Bcc across all folders. One row
+     *  per email; first non-empty name observed wins. Sent-folder rows skip
+     *  the From (it's us). Junk addresses (noreply, mailer-daemon, *-bounces)
+     *  and denylisted addresses are dropped at seed time so they never enter
+     *  autocomplete.
+     *
+     *  Discovered is a single tier; sub-distinctions like sent-vs-received
+     *  collapse here because the user-facing UI shows them as one "discovered"
+     *  source. Recency-weighted use_count differentiates within the tier. */
     seedContactsFromMessages() {
         const VALID = /^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$/;
         const now = Date.now();
-        // Per-email aggregator. `name` keeps the first non-empty display name
-        // we see so autocomplete shows "Alice <alice@…>" not just the address.
         const agg = new Map();
         const bump = (name, address, date) => {
             const email = (address || "").trim().toLowerCase();
             if (!email || !VALID.test(email))
                 return;
+            if (isJunkContact(email, name))
+                return;
+            if (this.isAddressDenylisted(email))
+                return;
             const e = agg.get(email);
             if (e) {
                 e.cnt++;
@@ -1132,8 +1201,38 @@ export class MailxDB {
                 agg.set(email, { name: name || "", cnt: 1, last: date || 0 });
             }
         };
-        const rows = this.db.prepare("SELECT from_name, from_address, to_json, cc_json, bcc_json, date FROM messages").all();
-        for (const r of rows) {
+        // Sent folder: recipients only (skip the user's own From address).
+        const sentRows = this.db.prepare(`SELECT m.to_json, m.cc_json, m.bcc_json, m.date
+             FROM messages m
+             JOIN folders f ON m.folder_id = f.id
+             WHERE f.special_use = 'sent'`).all();
+        for (const r of sentRows) {
+            const date = r.date || 0;
+            for (const field of [r.to_json, r.cc_json, r.bcc_json]) {
+                if (!field)
+                    continue;
+                let parsed;
+                try {
+                    parsed = JSON.parse(field);
+                }
+                catch {
+                    continue;
+                }
+                if (!Array.isArray(parsed))
+                    continue;
+                for (const a of parsed) {
+                    if (!a)
+                        continue;
+                    bump(a.name || "", a.address || a.email || "", date);
+                }
+            }
+        }
+        // Other folders: From + recipients.
+        const recvRows = this.db.prepare(`SELECT m.from_name, m.from_address, m.to_json, m.cc_json, m.bcc_json, m.date
+             FROM messages m
+             LEFT JOIN folders f ON m.folder_id = f.id
+             WHERE f.special_use IS NULL OR f.special_use != 'sent'`).all();
+        for (const r of recvRows) {
             const date = r.date || 0;
             bump(r.from_name, r.from_address, date);
             for (const field of [r.to_json, r.cc_json, r.bcc_json]) {
@@ -1157,54 +1256,123 @@ export class MailxDB {
         }
         let added = 0;
         let bumped = 0;
-        const insStmt = this.db.prepare("INSERT INTO contacts (source, name, email, last_used, use_count, updated_at) VALUES ('received', ?, ?, ?, ?, ?)");
-        const updStmt = this.db.prepare("UPDATE contacts SET use_count = ?, last_used = max(last_used, ?), name = CASE WHEN name = '' AND ? != '' THEN ? ELSE name END, updated_at = ? WHERE email = ? AND source = 'received'");
+        const insStmt = this.db.prepare("INSERT INTO contacts (source, name, email, last_used, use_count, updated_at) VALUES ('discovered', ?, ?, ?, ?, ?)");
+        const updStmt = this.db.prepare(`UPDATE contacts SET use_count = ?,
+                                 last_used = max(last_used, ?),
+                                 name = CASE WHEN name = '' AND ? != '' THEN ? ELSE name END,
+                                 updated_at = ?
+             WHERE id = ?`);
         for (const [email, info] of agg) {
-            const existing = this.db.prepare("SELECT id, source FROM contacts WHERE email = ?").get(email);
+            const existing = this.db.prepare("SELECT id FROM contacts WHERE source = 'discovered' AND lower(email) = ?").get(email);
             if (!existing) {
                 insStmt.run(info.name, email, info.last, info.cnt, now);
                 added++;
             }
-            else if (existing.source === "received") {
-                updStmt.run(info.cnt, info.last, info.name, info.name, now, email);
+            else {
+                updStmt.run(info.cnt, info.last, info.name, info.name, now, existing.id);
                 bumped++;
             }
-            // 'sent' and 'google' rows are authoritative — leave their
-            // use_count alone. recordSentAddress bumps 'sent' rows on actual
-            // sends, syncGoogleContacts owns 'google' rows.
         }
-        if (bumped > 0)
-            console.log(`  [contacts] seed: ${added} new + ${bumped} refreshed`);
+        if (added > 0 || bumped > 0) {
+            console.log(`  [contacts] seed: ${added} new + ${bumped} refreshed (discovered)`);
+        }
         return added;
     }
-    /** Search contacts by name or email prefix */
+    /** Apply the contents of contacts.jsonc — replaces all preferred-tier rows
+     *  with the entries in `preferred[]`, sets the in-memory denylist, and
+     *  purges any discovered rows whose email is now denylisted. Preferred
+     *  rows are *not* auto-purged on denylist hit — if the user explicitly
+     *  added them they win that conflict; we just log a warning. */
+    applyContactsConfig(cfg) {
+        const preferred = Array.isArray(cfg.preferred) ? cfg.preferred : [];
+        const denylist = Array.isArray(cfg.denylist) ? cfg.denylist : [];
+        this.setContactsDenylist(denylist);
+        // Wipe and rewrite preferred-tier rows owned by contacts.jsonc.
+        // The address-book UI's legacy `upsertContact` still writes
+        // source='manual' rows; those are owned by the address-book code
+        // path, not contacts.jsonc, so we leave them alone here.
+        this.db.exec("DELETE FROM contacts WHERE source NOT IN ('google', 'discovered', 'manual')");
+        const VALID = /^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$/;
+        const now = Date.now();
+        const ins = this.db.prepare(`INSERT OR IGNORE INTO contacts (source, name, email, organization, last_used, use_count, updated_at)
+             VALUES (?, ?, ?, ?, 0, 0, ?)`);
+        const denySet = new Set(denylist.map(e => (e || "").trim().toLowerCase()).filter(Boolean));
+        const conflicts = [];
+        let inserted = 0;
+        for (const entry of preferred) {
+            if (!entry)
+                continue;
+            const email = (entry.email || "").trim();
+            if (!email || !VALID.test(email))
+                continue;
+            if (denySet.has(email.toLowerCase())) {
+                conflicts.push(email);
+                continue;
+            }
+            const source = (entry.source || "preferred").trim() || "preferred";
+            const name = (entry.name || "").trim();
+            const org = (entry.organization || entry.org || "").trim();
+            try {
+                const r = ins.run(source, name, email, org, now);
+                if (r.changes)
+                    inserted++;
+            }
+            catch { /* dup row, skip */ }
+        }
+        // Purge discovered rows for any denylisted email.
+        const purge = this.db.prepare("DELETE FROM contacts WHERE source = 'discovered' AND lower(email) = ?");
+        let purged = 0;
+        for (const e of denySet) {
+            const r = purge.run(e);
+            purged += Number(r.changes || 0);
+        }
+        if (conflicts.length > 0) {
+            console.warn(`  [contacts] config: ${conflicts.length} preferred entries also appear in denylist — denylist wins, entries skipped: ${conflicts.join(", ")}`);
+        }
+        console.log(`  [contacts] config applied: ${inserted} preferred row(s), ${denySet.size} denylisted, ${purged} discovered row(s) purged`);
+        return { preferred: inserted, purged, conflicts };
+    }
+    /** Search contacts by name or email prefix.
+     *
+     *  Source-tier bonus is what makes the curated address book win against
+     *  passive corpus harvest. Anything in `contacts.jsonc#preferred[]` (any
+     *  source value other than the two reserved system sources) gets the
+     *  highest tier — that's the user's explicit address book and overrides
+     *  Google. Google sits in the middle (the auto-synced address book).
+     *  `discovered` is the corpus-harvested floor.
+     *
+     *  Multi-name-per-email is supported: the same email can carry distinct
+     *  (source, name) rows — Bob's wife and Bob Smith both at bob@example.com
+     *  surface as two rows, each typing-completable by their own name. */
     searchContacts(query, limit = 10) {
         query = (query || "").trim();
         if (!query)
             return [];
-        // Ranking: prefix matches beat substring matches, then recency-weighted
-        // use_count within a tier. Recency decay: half-life of 30 days, so a
-        // contact used today edges out one from months ago even with a lower
-        // raw use_count. Computed in JS since SQLite lacks exp/log.
-        //
-        // Wrapped in try/catch + simple-query fallback so a (hypothetical) SQL
-        // edge case on exotic input can never leave autocomplete showing blank.
-        // The rank-0 baseline is identical behavior to the original query.
         const substr = `%${query}%`;
         let rows;
         try {
             const prefixQ = `${query}%`;
+            // Source tier: anything not in the two reserved system sources
+            // ('google', 'discovered') is preferred-tier — i.e. came out of
+            // contacts.jsonc#preferred[]. The user's `source: "work"` /
+            // `source: "family"` tags all rank +40 alongside the default
+            // `preferred` label.
             rows = this.db.prepare(`SELECT name, email, source, use_count, last_used,
                         (CASE
                             WHEN lower(name) LIKE lower(?) THEN 3
                             WHEN substr(email, 1, instr(email, '@') - 1) LIKE lower(?) THEN 2
                             WHEN email LIKE ? OR name LIKE ? THEN 1
                             ELSE 0
+                         END) +
+                        (CASE
+                            WHEN source = 'google' THEN 30
+                            WHEN source = 'discovered' THEN 0
+                            ELSE 40
                          END) AS match_rank
                  FROM contacts
                  WHERE email LIKE ? OR name LIKE ?
                  ORDER BY match_rank DESC, use_count DESC, last_used DESC
-                 LIMIT ?`).all(prefixQ, prefixQ, substr, substr, substr, substr, limit);
+                 LIMIT ?`).all(prefixQ, prefixQ, substr, substr, substr, substr, limit * 2);
         }
         catch (e) {
             console.error(`  [searchContacts] ranked query failed (${e?.message}) — falling back to simple LIKE`);
@@ -1212,13 +1380,18 @@ export class MailxDB {
                  FROM contacts
                  WHERE email LIKE ? OR name LIKE ?
                  ORDER BY use_count DESC, last_used DESC
-                 LIMIT ?`).all(substr, substr, limit);
+                 LIMIT ?`).all(substr, substr, limit * 2);
         }
+        // Filter out denylisted emails as a defense-in-depth — applyContactsConfig
+        // already purges discovered rows on denylist, but a Google sync that
+        // reintroduced a denylisted address would otherwise leak through.
+        rows = rows.filter(r => !this.isAddressDenylisted((r.email || "").toLowerCase()));
         const now = Date.now();
         const HALF_LIFE_MS = 30 * 86400_000;
         const score = (r) => (r.match_rank || 0) * 10_000
             + (r.use_count || 0) * Math.pow(0.5, Math.max(0, now - (r.last_used || 0)) / HALF_LIFE_MS);
         rows.sort((a, b) => score(b) - score(a));
+        rows = rows.slice(0, limit);
         return rows.map(r => ({ name: r.name, email: r.email, source: r.source, useCount: r.use_count }));
     }
     /** List all contacts (address-book view) with pagination + optional filter. */

package/unwedge.cmd

@@ -1 +1 @@
-rmdir C:\Users\Bob\.claude\session-env\5a053d1d-7856-4e74-9b2b-23a4e3262aed /s /q 
+rmdir C:\Users\Bob\.claude\session-env\7299facd-d726-4f8a-8e7a-dbd852680c95 /s /q