@bobfrankston/mailx 1.0.432 → 1.0.434

package/client/app.js

@@ -1238,6 +1238,24 @@ searchInput?.addEventListener("keydown", (e) => {
         setTitle("mailx");
     }
 });
+// Re-run the active search when the scope dropdown or "server too" checkbox
+// flips. Without this, switching all/current/server after typing the query
+// left the old result set on screen — the controls looked like they did
+// nothing. Treat the change as `immediate=true` so the user sees the new
+// scope's results without having to retype Enter; clear any client-side
+// filter-hidden flags from the prior "current folder" path so the row set
+// resets cleanly.
+function rerunActiveSearch() {
+    if (!searchInput || searchInput.value.trim() === "")
+        return;
+    const body = document.getElementById("ml-body");
+    if (body)
+        body.querySelectorAll(".filter-hidden").forEach(r => r.classList.remove("filter-hidden"));
+    clearTimeout(searchTimeout);
+    doSearch(true);
+}
+searchScope?.addEventListener("change", rerunActiveSearch);
+document.getElementById("search-server-too")?.addEventListener("change", rerunActiveSearch);
 // Message state handles move/delete — no manual event listener needed
 // ── Folder filter ──
 const ftFilterInput = document.getElementById("ft-filter-input");

package/client/components/message-list.js

@@ -160,6 +160,19 @@ function selectRange(from, to) {
     for (let i = lo; i <= hi; i++)
         rows[i].classList.add("selected");
 }
+/** The row to anchor a shift-click range against. `lastClickedRow` is the
+ *  primary anchor, but it can become a detached DOM node after a list
+ *  re-render (folder switch, sort, search reload, paging) — `selectRange`
+ *  would then no-op. Fall back to whichever live row is `.selected` (the
+ *  one in the viewer) before giving up. */
+function resolveShiftAnchor() {
+    if (lastClickedRow?.isConnected)
+        return lastClickedRow;
+    const body = document.getElementById("ml-body");
+    if (!body)
+        return null;
+    return body.querySelector(".ml-row.selected");
+}
 const timeFmt = { hour: "2-digit", minute: "2-digit", hour12: false };
 const dateFmt = { year: "numeric", month: "short", day: "numeric", hour: "2-digit", minute: "2-digit", hour12: false };
 const dateFmtSameYear = { month: "short", day: "numeric", hour: "2-digit", minute: "2-digit", hour12: false };
@@ -789,12 +802,25 @@ function appendMessages(body, accountId, items) {
                 updateBulkBar();
                 return;
             }
-            if (e.shiftKey && lastClickedRow) {
-                clearSelection();
-                selectRange(lastClickedRow, row);
-                lastClickedRow = row;
-                row.classList.remove("unread");
-                focusMessage(msgAccountId, msg);
+            if (e.shiftKey) {
+                const anchor = resolveShiftAnchor();
+                if (anchor) {
+                    clearSelection();
+                    selectRange(anchor, row);
+                    lastClickedRow = row;
+                    row.classList.remove("unread");
+                    focusMessage(msgAccountId, msg);
+                }
+                else {
+                    // No anchor available (first click of the session, or list
+                    // was just rebuilt with no selection). Treat as a plain
+                    // click so the user gets visible feedback rather than a
+                    // silent no-op.
+                    clearSelection();
+                    focusRow(row, msgAccountId, msg);
+                    lastClickedRow = row;
+                    row.classList.remove("unread");
+                }
             }
             else if (e.ctrlKey || e.metaKey) {
                 row.classList.toggle("selected");

package/client/components/message-viewer.js

@@ -358,60 +358,32 @@ export async function showMessage(accountId, uid, folderId, specialUse, isRetry
         }
         headerEl.querySelector(".mv-date").textContent = new Date(msg.date).toLocaleString(undefined, { year: "numeric", month: "short", day: "numeric", hour: "2-digit", minute: "2-digit", hour12: false });
         // Unsubscribe button (upper right of header).
-        // Priority:
-        //   1. RFC 8058 one-click (HTTPS + List-Unsubscribe-Post header) — POST server-side
-        //   2. HTTPS URL — open in a new tab (two-click flow, usually a confirmation page)
-        //   3. mailto: URL — open a pre-filled compose window (so the unsubscribe
-        //      reply gets sent from the correct mailx account, not the OS default
-        //      mail handler)
+        //   - HTTPS URL: open externally (same path as right-click → open link
+        //     in a new window). Earlier code attempted RFC 8058 one-click POST
+        //     first, but the IPC path was failing silently — the button "moved
+        //     a tad" (CSS :active) but no visible feedback. User preference:
+        //     just open the link, the way the working right-click does.
+        //   - mailto: URL: open a pre-filled compose window so the reply gets
+        //     sent from the correct mailx account, not the OS default mail
+        //     handler.
         const unsubBtn = document.getElementById("mv-unsubscribe");
         const httpUrl = msg.listUnsubscribeHttp || "";
         const mailUrl = msg.listUnsubscribeMail || "";
-        const oneClick = !!msg.listUnsubscribeOneClick;
         const anyUrl = httpUrl || mailUrl || msg.listUnsubscribe || "";
         if (unsubBtn) {
             if (anyUrl) {
                 unsubBtn.hidden = false;
-                unsubBtn.textContent = oneClick && httpUrl ? "Unsubscribe (1-click)" : "Unsubscribe";
+                unsubBtn.textContent = "Unsubscribe";
                 unsubBtn.removeAttribute("title");
                 unsubBtn.href = httpUrl || mailUrl || "#";
-                unsubBtn.onclick = async (e) => {
+                unsubBtn.onclick = (e) => {
                     e.preventDefault();
-                    const status = document.getElementById("status-sync");
-                    // Always attempt POST first when there's an HTTPS URL,
-                    // regardless of whether the message advertised the
-                    // `List-Unsubscribe-Post: List-Unsubscribe=One-Click`
-                    // header. Many senders provide a POST-capable endpoint
-                    // without setting the Post header. Server side already
-                    // falls back to GET internally on 4xx, so trying POST
-                    // first never makes things worse and avoids a tab full
-                    // of "are you sure?" ceremony when the endpoint would
-                    // have just accepted POST.
                     if (httpUrl) {
-                        unsubBtn.textContent = "Unsubscribing…";
-                        try {
-                            const { unsubscribeOneClick } = await import("../lib/api-client.js");
-                            const r = await unsubscribeOneClick(httpUrl);
-                            if (r?.ok) {
-                                unsubBtn.textContent = "Unsubscribed";
-                                if (status)
-                                    status.textContent = `Unsubscribed (HTTP ${r.status})`;
-                            }
-                            else {
-                                unsubBtn.textContent = `Failed: HTTP ${r?.status ?? "?"}`;
-                                if (status)
-                                    status.textContent = `Unsubscribe failed: ${r?.status} ${r?.statusText || ""}`.trim();
-                                // Last-resort fallback: open the URL in a tab so
-                                // the user can complete the flow manually.
-                                window.open(httpUrl, "_blank");
-                            }
-                        }
-                        catch (err) {
-                            unsubBtn.textContent = "Unsubscribe failed";
-                            if (status)
-                                status.textContent = `Unsubscribe error: ${err.message}`;
-                            window.open(httpUrl, "_blank");
-                        }
+                        const api = window.mailxapi;
+                        if (api?.openExternal)
+                            api.openExternal(httpUrl);
+                        else
+                            window.open(httpUrl, "_blank", "noopener,noreferrer");
                         return;
                     }
                     if (mailUrl) {

package/client/compose/compose.css

@@ -262,6 +262,70 @@ body {
     font-size: 0.8em;
 }
 
+/* Source badge in the autocomplete row. Custom user tags from
+ * contacts.jsonc#preferred[] (e.g. "work", "family") flow through verbatim;
+ * system sources show as 'google' / 'discovered' / 'preferred'. Inline-block
+ * so the small uppercased text doesn't push layout. */
+.ac-item-source {
+    color: var(--color-text-muted);
+    font-size: 0.7em;
+    text-transform: uppercase;
+    letter-spacing: 0.04em;
+    opacity: 0.7;
+    margin-top: 2px;
+}
+
+/* Modal overlay used by Add-to-preferred dialog. Lightweight; shares no
+ * CSS with the main app's modal because compose runs in its own document. */
+.modal-overlay {
+    position: fixed;
+    inset: 0;
+    background: rgba(0,0,0,0.4);
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    z-index: 1000;
+}
+.modal-overlay .modal {
+    background: var(--color-bg-surface);
+    border-radius: var(--radius-md);
+    padding: var(--gap-md);
+    min-width: 360px;
+    max-width: 90%;
+    box-shadow: 0 8px 24px rgba(0,0,0,0.4);
+    & h3 { margin: 0 0 var(--gap-sm); }
+    & p.muted { color: var(--color-text-muted); font-size: 0.85em; margin: 0 0 var(--gap-sm); }
+    & label {
+        display: block;
+        margin-bottom: var(--gap-sm);
+        font-size: var(--font-size-sm);
+        & input {
+            display: block;
+            width: 100%;
+            padding: 4px 6px;
+            margin-top: 2px;
+            background: var(--color-bg-input);
+            border: 1px solid var(--color-border);
+            border-radius: var(--radius-sm);
+            color: var(--color-text);
+        }
+    }
+    & .modal-actions {
+        display: flex;
+        justify-content: flex-end;
+        gap: var(--gap-sm);
+        margin-top: var(--gap-sm);
+        & button.primary {
+            background: var(--color-primary, #4a90e2);
+            color: white;
+            border: none;
+            padding: 4px 12px;
+            border-radius: var(--radius-sm);
+            cursor: pointer;
+        }
+    }
+}
+
 /* ── tiptap editor ── */
 .editor-tiptap {
     display: flex;

package/client/compose/compose.js

@@ -4,7 +4,8 @@
  * Receives init data via window.opener.postMessage or URL params.
  */
 import { createEditor } from "./editor.js";
-import { getSettings, getAccounts, searchContacts, saveDraft as apiSaveDraft, deleteDraft, logClientEvent } from "../lib/api-client.js";
+import { getSettings, getAccounts, searchContacts, saveDraft as apiSaveDraft, deleteDraft, logClientEvent, addPreferredContact, addToDenylist } from "../lib/api-client.js";
+import { showContextMenu } from "../components/context-menu.js";
 // Very first line the iframe runs — if this doesn't reach Node, the iframe
 // itself isn't loading or the bridge is completely broken.
 logClientEvent("compose-module-loaded", { href: location.href, version: window.mailxVersion || "?" });
@@ -263,6 +264,77 @@ function smartTab(current) {
     editor.focus();
 }
 // ── Autocomplete ──
+/** Right-click on an autocomplete row → contextual actions. Two paths:
+ *  - Add to preferred (small modal: name / email / source-tag / org → write to
+ *    contacts.jsonc#preferred[])
+ *  - Never suggest this address (write to contacts.jsonc#denylist[]; the
+ *    service-side handler purges any matching discovered rows on apply) */
+function showAutocompleteContextMenu(e, row) {
+    showContextMenu(e.clientX, e.clientY, [
+        {
+            label: "Add to preferred…",
+            action: () => openAddToPreferredModal(row),
+        },
+        {
+            label: "Never suggest this address",
+            action: async () => {
+                try {
+                    await addToDenylist(row.email);
+                }
+                catch (err) {
+                    alert(`Failed to add to denylist: ${err?.message || err}`);
+                }
+            },
+        },
+    ]);
+}
+function openAddToPreferredModal(prefill) {
+    const overlay = document.createElement("div");
+    overlay.className = "modal-overlay";
+    overlay.innerHTML = `
+        <div class="modal" role="dialog" aria-label="Add to preferred contacts">
+            <h3>Add to preferred</h3>
+            <p class="muted">Saved to <code>contacts.jsonc</code> on your shared drive.</p>
+            <label>Name <input type="text" id="pf-name" /></label>
+            <label>Email <input type="email" id="pf-email" /></label>
+            <label>Source tag <input type="text" id="pf-source" placeholder="(optional — e.g. work, family)" /></label>
+            <label>Organization <input type="text" id="pf-org" placeholder="(optional)" /></label>
+            <div class="modal-actions">
+                <button id="pf-cancel">Cancel</button>
+                <button id="pf-save" class="primary">Save</button>
+            </div>
+        </div>
+    `;
+    document.body.appendChild(overlay);
+    overlay.querySelector("#pf-name").value = prefill.name || "";
+    overlay.querySelector("#pf-email").value = prefill.email || "";
+    // Pre-fill source from existing tag if it's already a custom one (not a system source).
+    const sysSources = new Set(["google", "discovered", "preferred", ""]);
+    const initSource = sysSources.has(prefill.source || "") ? "" : prefill.source;
+    overlay.querySelector("#pf-source").value = initSource;
+    const close = () => overlay.remove();
+    overlay.querySelector("#pf-cancel").addEventListener("click", close);
+    overlay.addEventListener("click", (ev) => { if (ev.target === overlay)
+        close(); });
+    overlay.querySelector("#pf-save").addEventListener("click", async () => {
+        const name = overlay.querySelector("#pf-name").value.trim();
+        const email = overlay.querySelector("#pf-email").value.trim();
+        const source = overlay.querySelector("#pf-source").value.trim();
+        const org = overlay.querySelector("#pf-org").value.trim();
+        if (!email) {
+            alert("Email is required.");
+            return;
+        }
+        try {
+            await addPreferredContact({ name, email, source, organization: org });
+            close();
+        }
+        catch (err) {
+            alert(`Failed to save: ${err?.message || err}`);
+        }
+    });
+    overlay.querySelector("#pf-name").focus();
+}
 function setupAutocomplete(input) {
     let dropdown = null;
     let activeIndex = -1;
@@ -318,9 +390,20 @@ function setupAutocomplete(input) {
                         const emailEl = document.createElement("span");
                         emailEl.className = "ac-item-email";
                         emailEl.textContent = results[i].email;
+                        // Source badge — shows where this row came from. Custom
+                        // user tags from contacts.jsonc preferred entries
+                        // (`source: "work"`, `source: "family"`) flow through
+                        // verbatim; system sources show as 'google' / 'discovered'
+                        // / 'preferred'. Helps disambiguate two rows with the
+                        // same email but different names (Bob's wife vs Bob Smith).
+                        const sourceEl = document.createElement("span");
+                        sourceEl.className = "ac-item-source";
+                        sourceEl.textContent = results[i].source || "";
                         item.appendChild(nameEl);
                         if (results[i].name)
                             item.appendChild(emailEl);
+                        if (results[i].source)
+                            item.appendChild(sourceEl);
                         item.addEventListener("mousedown", (e) => {
                             e.preventDefault();
                             const display = results[i].name
@@ -328,6 +411,16 @@ function setupAutocomplete(input) {
                                 : results[i].email;
                             replaceLastToken(display);
                         });
+                        // Right-click → contextual actions on this autocomplete
+                        // row. Two paths: promote to preferred (writes to
+                        // contacts.jsonc#preferred[]) or denylist (writes to
+                        // contacts.jsonc#denylist[] and purges any matching
+                        // discovered rows). Both round-trip through cloudWrite.
+                        item.addEventListener("contextmenu", (e) => {
+                            e.preventDefault();
+                            e.stopPropagation();
+                            showAutocompleteContextMenu(e, results[i]);
+                        });
                         dropdown.appendChild(item);
                     }
                     input.parentElement.appendChild(dropdown);

package/client/lib/api-client.js

@@ -206,6 +206,12 @@ export function upsertContact(name, email) {
 export function deleteContact(email) {
     return ipc().deleteContact(email);
 }
+export function addPreferredContact(entry) {
+    return ipc().addPreferredContact(entry.name, entry.email, entry.source, entry.organization);
+}
+export function addToDenylist(email) {
+    return ipc().addToDenylist(email);
+}
 export function openLocalPath(which) {
     return ipc().openLocalPath(which);
 }

package/client/lib/mailxapi.js

@@ -166,6 +166,15 @@
         deleteContact: function(email) {
             return callNode("deleteContact", { email: email });
         },
+        addPreferredContact: function(name, email, source, organization) {
+            return callNode("addPreferredContact", {
+                name: name || "", email: email,
+                source: source || "", organization: organization || "",
+            });
+        },
+        addToDenylist: function(email) {
+            return callNode("addToDenylist", { email: email });
+        },
         openLocalPath: function(which) {
             return callNode("openLocalPath", { which: which });
         },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/mailx",
-  "version": "1.0.432",
+  "version": "1.0.434",
   "description": "Local-first email client with IMAP sync and standalone native app",
   "type": "module",
   "main": "bin/mailx.js",

package/packages/mailx-imap/index.js

@@ -3513,7 +3513,7 @@ export class ImapManager extends EventEmitter {
      *  configChanged so the UI can show a "restart to apply" banner. Uses
      *  a debounce to coalesce rapid writes from save tools. */
     watchConfigFiles() {
-        const files = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc"];
+        const files = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc", "contacts.jsonc"];
         const configDir = getConfigDir();
         const debounce = new Map();
         // Cache the last-seen normalized content per file. fs.watch fires on
@@ -3579,7 +3579,7 @@ export class ImapManager extends EventEmitter {
         // compare to local, and write-through on difference. The local
         // fs.watch above then picks up the write and emits configChanged.
         // config.jsonc is per-machine / local-only — never polled.
-        const cloudFiles = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc"];
+        const cloudFiles = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "contacts.jsonc"];
         const CLOUD_POLL_MS = 3 * 60 * 1000;
         // normalize() reused from the fs.watch block above — same intent:
         // cloud round-trips that re-wrap newlines / add a trailing newline are

package/packages/mailx-service/index.d.ts

@@ -11,6 +11,25 @@ export declare class MailxService {
     private imapManager;
     private _accountsCache;
     constructor(db: MailxDB, imapManager: ImapManager);
+    /** Read contacts.jsonc from cloud + apply preferred/denylist to the DB.
+     *  No-op if the file is missing or empty. */
+    loadContactsConfig(): Promise<{
+        preferred: number;
+        purged: number;
+        conflicts: string[];
+    } | null>;
+    /** Append an entry to contacts.jsonc#preferred[] and write back to cloud,
+     *  then re-apply. Mutates the file in place — preserves existing entries
+     *  and the user's hand-formatting where the parser permits. */
+    addPreferredContact(entry: {
+        name: string;
+        email: string;
+        source?: string;
+        organization?: string;
+    }): Promise<void>;
+    /** Append an email to contacts.jsonc#denylist[] and write back to cloud,
+     *  then re-apply (which purges any matching discovered rows). */
+    addToDenylist(email: string): Promise<void>;
     /** Return accounts from cache — load once, reuse until configChanged. */
     private getCachedAccounts;
     getAccounts(): any[];

package/packages/mailx-service/index.js

@@ -112,7 +112,94 @@ export class MailxService {
         this.imapManager.on?.("configChanged", (filename) => {
             if (filename === "accounts.jsonc")
                 this._accountsCache = null;
+            if (filename === "contacts.jsonc") {
+                this.loadContactsConfig().catch(e => console.error(`  [contacts] reload failed: ${e?.message || e}`));
+            }
         });
+        // Initial load of contacts.jsonc — fire-and-forget; missing file is fine.
+        this.loadContactsConfig().catch(() => { });
+    }
+    /** Read contacts.jsonc from cloud + apply preferred/denylist to the DB.
+     *  No-op if the file is missing or empty. */
+    async loadContactsConfig() {
+        let raw = null;
+        try {
+            const { cloudRead } = await import("@bobfrankston/mailx-settings");
+            raw = await cloudRead("contacts.jsonc");
+        }
+        catch { /* cloud unavailable — leave config empty */ }
+        if (!raw) {
+            // No file yet. Make sure the in-memory denylist is empty.
+            this.db.applyContactsConfig({ preferred: [], denylist: [] });
+            return null;
+        }
+        const { parse: parseJsonc } = await import("jsonc-parser");
+        const errors = [];
+        const cfg = parseJsonc(raw, errors, { allowTrailingComma: true });
+        if (errors.length) {
+            console.error(`  [contacts] contacts.jsonc has parse errors — applying empty config: ${errors.map((e) => e.error).join(", ")}`);
+            this.db.applyContactsConfig({ preferred: [], denylist: [] });
+            return null;
+        }
+        return this.db.applyContactsConfig(cfg || {});
+    }
+    /** Append an entry to contacts.jsonc#preferred[] and write back to cloud,
+     *  then re-apply. Mutates the file in place — preserves existing entries
+     *  and the user's hand-formatting where the parser permits. */
+    async addPreferredContact(entry) {
+        const { cloudRead, cloudWrite } = await import("@bobfrankston/mailx-settings");
+        const { parse: parseJsonc } = await import("jsonc-parser");
+        let cfg = {};
+        const raw = await cloudRead("contacts.jsonc");
+        if (raw) {
+            try {
+                cfg = parseJsonc(raw, [], { allowTrailingComma: true }) || {};
+            }
+            catch {
+                cfg = {};
+            }
+        }
+        if (!Array.isArray(cfg.preferred))
+            cfg.preferred = [];
+        // Dedup: skip if an entry with the same email + name + source already exists.
+        const dupKey = `${(entry.source || "preferred").toLowerCase()}|${entry.email.toLowerCase()}|${(entry.name || "").toLowerCase()}`;
+        const exists = cfg.preferred.some((e) => `${(e?.source || "preferred").toLowerCase()}|${(e?.email || "").toLowerCase()}|${(e?.name || "").toLowerCase()}` === dupKey);
+        if (!exists) {
+            const row = { name: entry.name || "", email: entry.email };
+            if (entry.source)
+                row.source = entry.source;
+            if (entry.organization)
+                row.organization = entry.organization;
+            cfg.preferred.push(row);
+        }
+        await cloudWrite("contacts.jsonc", JSON.stringify(cfg, null, 2));
+        await this.loadContactsConfig();
+    }
+    /** Append an email to contacts.jsonc#denylist[] and write back to cloud,
+     *  then re-apply (which purges any matching discovered rows). */
+    async addToDenylist(email) {
+        const lower = (email || "").trim().toLowerCase();
+        if (!lower)
+            return;
+        const { cloudRead, cloudWrite } = await import("@bobfrankston/mailx-settings");
+        const { parse: parseJsonc } = await import("jsonc-parser");
+        let cfg = {};
+        const raw = await cloudRead("contacts.jsonc");
+        if (raw) {
+            try {
+                cfg = parseJsonc(raw, [], { allowTrailingComma: true }) || {};
+            }
+            catch {
+                cfg = {};
+            }
+        }
+        if (!Array.isArray(cfg.denylist))
+            cfg.denylist = [];
+        if (!cfg.denylist.some((e) => (e || "").toLowerCase() === lower)) {
+            cfg.denylist.push(email);
+        }
+        await cloudWrite("contacts.jsonc", JSON.stringify(cfg, null, 2));
+        await this.loadContactsConfig();
     }
     /** Return accounts from cache — load once, reuse until configChanged. */
     getCachedAccounts() {
@@ -1597,7 +1684,7 @@ export class MailxService {
      *  Names are whitelisted so the UI can't read arbitrary files.
      *  `config.jsonc` is the local per-machine config (not cloud-synced). */
     async readJsoncFile(name) {
-        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc"];
+        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc", "contacts.jsonc"];
         if (!WHITELIST.includes(name))
             throw new Error(`File not allowed: ${name}`);
         if (name === "config.jsonc") {
@@ -1615,7 +1702,7 @@ export class MailxService {
     /** Return the help section for a named config file, extracted from docs/config-help.md.
      *  Matches a level-2 heading whose text equals the filename. Returns markdown. */
     async readConfigHelp(name) {
-        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc"];
+        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc", "contacts.jsonc"];
         if (!WHITELIST.includes(name))
             return "";
         // Look in the repo root (dev) and in the installed package dir (production).
@@ -1654,7 +1741,7 @@ export class MailxService {
     /** Write a JSONC config file. Validates that the content parses as JSONC
      *  (loosely — strips comments/trailing commas) before writing. */
     async writeJsoncFile(name, content) {
-        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc"];
+        const WHITELIST = ["accounts.jsonc", "allowlist.jsonc", "clients.jsonc", "config.jsonc", "contacts.jsonc"];
         if (!WHITELIST.includes(name))
             throw new Error(`File not allowed: ${name}`);
         // Validate the content parses before writing

package/packages/mailx-service/jsonrpc.js

@@ -152,6 +152,14 @@ async function dispatchAction(svc, action, p) {
             return svc.upsertContact(p.name, p.email);
         case "deleteContact":
             return svc.deleteContact(p.email);
+        case "addPreferredContact":
+            await svc.addPreferredContact({ name: p.name, email: p.email, source: p.source, organization: p.organization });
+            return { ok: true };
+        case "addToDenylist":
+            await svc.addToDenylist(p.email);
+            return { ok: true };
+        case "loadContactsConfig":
+            return { result: await svc.loadContactsConfig() };
         case "openLocalPath":
             return await svc.openLocalPath(p.which);
         case "getThreadMessages":

package/packages/mailx-store/db.d.ts

@@ -196,20 +196,53 @@ export declare class MailxDB {
     rollbackTransaction(): void;
     /** Record an address used in sent mail */
     recordSentAddress(name: string, email: string): void;
-    /** Seed contacts from every address that appears in any cached message,
-     *  with two distinctions the prior version missed:
-     *    1. Sent-folder messages: harvest only To/Cc/Bcc (the user's *own*
-     *       From-address gets skipped — no point pre-filling our own
-     *       address into autocomplete). These are tagged `source='sent'`.
-     *    2. Other-folder messages: harvest From + To + Cc + Bcc, tagged
-     *       `source='received'`. Lower priority than 'sent' or 'google'
-     *       in searchContacts ranking.
-     *  Sent wins on insert conflict, so a person you've corresponded with
-     *  ends up tagged 'sent' (more authoritative). Junk addresses (noreply,
-     *  mailer-daemon, postmaster, *-bounces) are dropped at seed time so
-     *  they never even enter autocomplete. */
+    /** True if `email` (lowercased) appears in the active denylist. Cached
+     *  in-memory; refreshed on contacts.jsonc reload via setContactsDenylist. */
+    private _denylist;
+    isAddressDenylisted(emailLower: string): boolean;
+    setContactsDenylist(emails: string[]): void;
+    /** Seed `discovered`-tier contacts from every address that appears in
+     *  any cached message — From / To / Cc / Bcc across all folders. One row
+     *  per email; first non-empty name observed wins. Sent-folder rows skip
+     *  the From (it's us). Junk addresses (noreply, mailer-daemon, *-bounces)
+     *  and denylisted addresses are dropped at seed time so they never enter
+     *  autocomplete.
+     *
+     *  Discovered is a single tier; sub-distinctions like sent-vs-received
+     *  collapse here because the user-facing UI shows them as one "discovered"
+     *  source. Recency-weighted use_count differentiates within the tier. */
     seedContactsFromMessages(): number;
-    /** Search contacts by name or email prefix */
+    /** Apply the contents of contacts.jsonc — replaces all preferred-tier rows
+     *  with the entries in `preferred[]`, sets the in-memory denylist, and
+     *  purges any discovered rows whose email is now denylisted. Preferred
+     *  rows are *not* auto-purged on denylist hit — if the user explicitly
+     *  added them they win that conflict; we just log a warning. */
+    applyContactsConfig(cfg: {
+        preferred?: {
+            name?: string;
+            email: string;
+            source?: string;
+            organization?: string;
+            org?: string;
+        }[];
+        denylist?: string[];
+    }): {
+        preferred: number;
+        purged: number;
+        conflicts: string[];
+    };
+    /** Search contacts by name or email prefix.
+     *
+     *  Source-tier bonus is what makes the curated address book win against
+     *  passive corpus harvest. Anything in `contacts.jsonc#preferred[]` (any
+     *  source value other than the two reserved system sources) gets the
+     *  highest tier — that's the user's explicit address book and overrides
+     *  Google. Google sits in the middle (the auto-synced address book).
+     *  `discovered` is the corpus-harvested floor.
+     *
+     *  Multi-name-per-email is supported: the same email can carry distinct
+     *  (source, name) rows — Bob's wife and Bob Smith both at bob@example.com
+     *  surface as two rows, each typing-completable by their own name. */
     searchContacts(query: string, limit?: number): {
         name: string;
         email: string;

package/packages/mailx-store/db.js

@@ -115,7 +115,7 @@ const SCHEMA = `
 
     CREATE TABLE IF NOT EXISTS contacts (
         id INTEGER PRIMARY KEY AUTOINCREMENT,
-        source TEXT NOT NULL DEFAULT 'sent',
+        source TEXT NOT NULL DEFAULT 'discovered',
         google_id TEXT,
         name TEXT DEFAULT '',
         email TEXT NOT NULL,
@@ -123,7 +123,7 @@ const SCHEMA = `
         last_used INTEGER DEFAULT 0,
         use_count INTEGER DEFAULT 0,
         updated_at INTEGER NOT NULL,
-        UNIQUE(email)
+        UNIQUE(source, email, name)
     );
 
     CREATE INDEX IF NOT EXISTS idx_contacts_email ON contacts(email);
@@ -296,6 +296,41 @@ export class MailxDB {
         // this column landed. One UPDATE + an id roundtrip per row — cheap
         // at our row counts, runs once per DB upgrade.
         this.backfillUuids();
+        // One-shot contacts table reset: the contacts schema's UNIQUE constraint
+        // was widened from `(email)` to `(source, email, name)` so the same
+        // address can carry multiple distinct (name, source) entries — Bob's
+        // wife at bob@example.com and a separate `Bob Smith <bob@example.com>`
+        // for work, both legitimate. Old rows with the email-only unique key
+        // would block the new inserts. Per user "don't migrate, start fresh":
+        // drop the old table, recreate it via SCHEMA, reseed from messages on
+        // next sync. Gated by a kv flag so we run exactly once per machine.
+        const contactsResetFlag = this.getKv("schema", "contacts_v2");
+        if (!contactsResetFlag) {
+            try {
+                this.db.exec("DROP TABLE IF EXISTS contacts");
+                this.db.exec(`
+                    CREATE TABLE contacts (
+                        id INTEGER PRIMARY KEY AUTOINCREMENT,
+                        source TEXT NOT NULL DEFAULT 'discovered',
+                        google_id TEXT,
+                        name TEXT DEFAULT '',
+                        email TEXT NOT NULL,
+                        organization TEXT DEFAULT '',
+                        last_used INTEGER DEFAULT 0,
+                        use_count INTEGER DEFAULT 0,
+                        updated_at INTEGER NOT NULL,
+                        UNIQUE(source, email, name)
+                    );
+                    CREATE INDEX IF NOT EXISTS idx_contacts_email ON contacts(email);
+                    CREATE INDEX IF NOT EXISTS idx_contacts_name ON contacts(name);
+                `);
+                this.setKv("schema", "contacts_v2", String(Date.now()));
+                console.log("  [db] contacts table reset to v2 schema (multi-name-per-email)");
+            }
+            catch (e) {
+                console.error(`  [db] contacts v2 reset failed: ${e.message}`);
+            }
+        }
         // Post-migration sanity check: verify the columns we actually read in
         // SELECTs exist. If any migration silently failed (stale driver, DB
         // file locked, permission error), later code would throw cryptic
@@ -1105,45 +1140,55 @@ export class MailxDB {
     // ── Contacts ──
     /** Record an address used in sent mail */
     recordSentAddress(name, email) {
-        // Don't pollute the contacts table with non-addresses. Anything without
-        // an @ or without a TLD-ish tail would show up in autocomplete and end
-        // up back in To/Cc headers as "Name <not an email>".
+        // Don't pollute the contacts table with non-addresses.
         if (!email || !/^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$/.test(email))
             return;
+        const lower = email.toLowerCase();
+        if (this.isAddressDenylisted(lower))
+            return;
         const now = Date.now();
-        const existing = this.db.prepare("SELECT id FROM contacts WHERE email = ?").get(email);
+        // discovered tier holds one row per email — bump if present, else
+        // insert. Doesn't touch preferred or google rows for the same email;
+        // those are independent address-book entries the user/Google curates.
+        const existing = this.db.prepare("SELECT id, name FROM contacts WHERE source = 'discovered' AND lower(email) = ?").get(lower);
         if (existing) {
-            this.db.prepare("UPDATE contacts SET name = CASE WHEN ? != '' THEN ? ELSE name END, last_used = ?, use_count = use_count + 1, updated_at = ? WHERE email = ?").run(name, name, now, now, email);
+            this.db.prepare("UPDATE contacts SET name = CASE WHEN name = '' AND ? != '' THEN ? ELSE name END, last_used = ?, use_count = use_count + 1, updated_at = ? WHERE id = ?").run(name, name, now, now, existing.id);
         }
         else {
-            this.db.prepare("INSERT INTO contacts (source, name, email, last_used, use_count, updated_at) VALUES ('sent', ?, ?, ?, 1, ?)").run(name, email, now, now);
+            this.db.prepare("INSERT INTO contacts (source, name, email, last_used, use_count, updated_at) VALUES ('discovered', ?, ?, ?, 1, ?)").run(name || "", email, now, now);
         }
     }
-    /** Seed contacts from every address that appears in any cached message,
-     *  with two distinctions the prior version missed:
-     *    1. Sent-folder messages: harvest only To/Cc/Bcc (the user's *own*
-     *       From-address gets skipped — no point pre-filling our own
-     *       address into autocomplete). These are tagged `source='sent'`.
-     *    2. Other-folder messages: harvest From + To + Cc + Bcc, tagged
-     *       `source='received'`. Lower priority than 'sent' or 'google'
-     *       in searchContacts ranking.
-     *  Sent wins on insert conflict, so a person you've corresponded with
-     *  ends up tagged 'sent' (more authoritative). Junk addresses (noreply,
-     *  mailer-daemon, postmaster, *-bounces) are dropped at seed time so
-     *  they never even enter autocomplete. */
+    /** True if `email` (lowercased) appears in the active denylist. Cached
+     *  in-memory; refreshed on contacts.jsonc reload via setContactsDenylist. */
+    _denylist = new Set();
+    isAddressDenylisted(emailLower) {
+        return this._denylist.has(emailLower);
+    }
+    setContactsDenylist(emails) {
+        this._denylist = new Set(emails.map(e => (e || "").trim().toLowerCase()).filter(Boolean));
+    }
+    /** Seed `discovered`-tier contacts from every address that appears in
+     *  any cached message — From / To / Cc / Bcc across all folders. One row
+     *  per email; first non-empty name observed wins. Sent-folder rows skip
+     *  the From (it's us). Junk addresses (noreply, mailer-daemon, *-bounces)
+     *  and denylisted addresses are dropped at seed time so they never enter
+     *  autocomplete.
+     *
+     *  Discovered is a single tier; sub-distinctions like sent-vs-received
+     *  collapse here because the user-facing UI shows them as one "discovered"
+     *  source. Recency-weighted use_count differentiates within the tier. */
     seedContactsFromMessages() {
         const VALID = /^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$/;
         const now = Date.now();
-        // Aggregator keyed by lowercased email. `tag` is 'sent' or 'received'
-        // — sent wins on conflict because it implies the user wrote to that
-        // address (more authoritative than passive observation).
         const agg = new Map();
-        const bump = (name, address, date, tag) => {
+        const bump = (name, address, date) => {
             const email = (address || "").trim().toLowerCase();
             if (!email || !VALID.test(email))
                 return;
             if (isJunkContact(email, name))
                 return;
+            if (this.isAddressDenylisted(email))
+                return;
             const e = agg.get(email);
             if (e) {
                 e.cnt++;
@@ -1151,14 +1196,12 @@ export class MailxDB {
                     e.last = date;
                 if (!e.name && name)
                     e.name = name;
-                if (tag === "sent")
-                    e.tag = "sent"; // upgrade
             }
             else {
-                agg.set(email, { name: name || "", cnt: 1, last: date || 0, tag });
+                agg.set(email, { name: name || "", cnt: 1, last: date || 0 });
             }
         };
-        // Sent folder rows: skip the From (it's us), harvest the recipients.
+        // Sent folder: recipients only (skip the user's own From address).
         const sentRows = this.db.prepare(`SELECT m.to_json, m.cc_json, m.bcc_json, m.date
              FROM messages m
              JOIN folders f ON m.folder_id = f.id
@@ -1180,18 +1223,18 @@ export class MailxDB {
                 for (const a of parsed) {
                     if (!a)
                         continue;
-                    bump(a.name || "", a.address || a.email || "", date, "sent");
+                    bump(a.name || "", a.address || a.email || "", date);
                 }
             }
         }
-        // Other folders: harvest everything.
+        // Other folders: From + recipients.
         const recvRows = this.db.prepare(`SELECT m.from_name, m.from_address, m.to_json, m.cc_json, m.bcc_json, m.date
              FROM messages m
              LEFT JOIN folders f ON m.folder_id = f.id
              WHERE f.special_use IS NULL OR f.special_use != 'sent'`).all();
         for (const r of recvRows) {
             const date = r.date || 0;
-            bump(r.from_name, r.from_address, date, "received");
+            bump(r.from_name, r.from_address, date);
             for (const field of [r.to_json, r.cc_json, r.bcc_json]) {
                 if (!field)
                     continue;
@@ -1207,74 +1250,113 @@ export class MailxDB {
                 for (const a of parsed) {
                     if (!a)
                         continue;
-                    bump(a.name || "", a.address || a.email || "", date, "received");
+                    bump(a.name || "", a.address || a.email || "", date);
                 }
             }
         }
         let added = 0;
         let bumped = 0;
-        let upgraded = 0;
-        const insStmt = this.db.prepare("INSERT INTO contacts (source, name, email, last_used, use_count, updated_at) VALUES (?, ?, ?, ?, ?, ?)");
-        // Refresh seed-derived rows ('sent' or 'received') with fresh counters.
-        // Allow upgrading a 'received' row to 'sent' if the seed now sees it
-        // in the Sent folder. 'google' rows stay untouched — they're owned
-        // by syncGoogleContacts and carry curated names/orgs.
-        const updStmt = this.db.prepare(`UPDATE contacts SET source = ?, use_count = ?,
+        const insStmt = this.db.prepare("INSERT INTO contacts (source, name, email, last_used, use_count, updated_at) VALUES ('discovered', ?, ?, ?, ?, ?)");
+        const updStmt = this.db.prepare(`UPDATE contacts SET use_count = ?,
                                  last_used = max(last_used, ?),
                                  name = CASE WHEN name = '' AND ? != '' THEN ? ELSE name END,
                                  updated_at = ?
-             WHERE email = ? AND source IN ('sent', 'received')`);
+             WHERE id = ?`);
         for (const [email, info] of agg) {
-            const existing = this.db.prepare("SELECT id, source FROM contacts WHERE email = ?").get(email);
+            const existing = this.db.prepare("SELECT id FROM contacts WHERE source = 'discovered' AND lower(email) = ?").get(email);
             if (!existing) {
-                insStmt.run(info.tag, info.name, email, info.last, info.cnt, now);
+                insStmt.run(info.name, email, info.last, info.cnt, now);
                 added++;
             }
-            else if (existing.source === "google") {
-                // Don't overwrite curated address-book rows; recordSentAddress
-                // already bumps their use_count when actual sends happen.
-            }
             else {
-                if (existing.source !== info.tag && info.tag === "sent")
-                    upgraded++;
-                updStmt.run(info.tag, info.cnt, info.last, info.name, info.name, now, email);
+                updStmt.run(info.cnt, info.last, info.name, info.name, now, existing.id);
                 bumped++;
             }
         }
-        if (added > 0 || upgraded > 0) {
-            console.log(`  [contacts] seed: ${added} new + ${bumped} refreshed (${upgraded} upgraded received→sent)`);
+        if (added > 0 || bumped > 0) {
+            console.log(`  [contacts] seed: ${added} new + ${bumped} refreshed (discovered)`);
         }
         return added;
     }
-    /** Search contacts by name or email prefix */
+    /** Apply the contents of contacts.jsonc — replaces all preferred-tier rows
+     *  with the entries in `preferred[]`, sets the in-memory denylist, and
+     *  purges any discovered rows whose email is now denylisted. Preferred
+     *  rows are *not* auto-purged on denylist hit — if the user explicitly
+     *  added them they win that conflict; we just log a warning. */
+    applyContactsConfig(cfg) {
+        const preferred = Array.isArray(cfg.preferred) ? cfg.preferred : [];
+        const denylist = Array.isArray(cfg.denylist) ? cfg.denylist : [];
+        this.setContactsDenylist(denylist);
+        // Wipe and rewrite preferred-tier rows owned by contacts.jsonc.
+        // The address-book UI's legacy `upsertContact` still writes
+        // source='manual' rows; those are owned by the address-book code
+        // path, not contacts.jsonc, so we leave them alone here.
+        this.db.exec("DELETE FROM contacts WHERE source NOT IN ('google', 'discovered', 'manual')");
+        const VALID = /^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$/;
+        const now = Date.now();
+        const ins = this.db.prepare(`INSERT OR IGNORE INTO contacts (source, name, email, organization, last_used, use_count, updated_at)
+             VALUES (?, ?, ?, ?, 0, 0, ?)`);
+        const denySet = new Set(denylist.map(e => (e || "").trim().toLowerCase()).filter(Boolean));
+        const conflicts = [];
+        let inserted = 0;
+        for (const entry of preferred) {
+            if (!entry)
+                continue;
+            const email = (entry.email || "").trim();
+            if (!email || !VALID.test(email))
+                continue;
+            if (denySet.has(email.toLowerCase())) {
+                conflicts.push(email);
+                continue;
+            }
+            const source = (entry.source || "preferred").trim() || "preferred";
+            const name = (entry.name || "").trim();
+            const org = (entry.organization || entry.org || "").trim();
+            try {
+                const r = ins.run(source, name, email, org, now);
+                if (r.changes)
+                    inserted++;
+            }
+            catch { /* dup row, skip */ }
+        }
+        // Purge discovered rows for any denylisted email.
+        const purge = this.db.prepare("DELETE FROM contacts WHERE source = 'discovered' AND lower(email) = ?");
+        let purged = 0;
+        for (const e of denySet) {
+            const r = purge.run(e);
+            purged += Number(r.changes || 0);
+        }
+        if (conflicts.length > 0) {
+            console.warn(`  [contacts] config: ${conflicts.length} preferred entries also appear in denylist — denylist wins, entries skipped: ${conflicts.join(", ")}`);
+        }
+        console.log(`  [contacts] config applied: ${inserted} preferred row(s), ${denySet.size} denylisted, ${purged} discovered row(s) purged`);
+        return { preferred: inserted, purged, conflicts };
+    }
+    /** Search contacts by name or email prefix.
+     *
+     *  Source-tier bonus is what makes the curated address book win against
+     *  passive corpus harvest. Anything in `contacts.jsonc#preferred[]` (any
+     *  source value other than the two reserved system sources) gets the
+     *  highest tier — that's the user's explicit address book and overrides
+     *  Google. Google sits in the middle (the auto-synced address book).
+     *  `discovered` is the corpus-harvested floor.
+     *
+     *  Multi-name-per-email is supported: the same email can carry distinct
+     *  (source, name) rows — Bob's wife and Bob Smith both at bob@example.com
+     *  surface as two rows, each typing-completable by their own name. */
     searchContacts(query, limit = 10) {
         query = (query || "").trim();
         if (!query)
             return [];
-        // Ranking: prefix matches beat substring matches, then recency-weighted
-        // use_count within a tier. Recency decay: half-life of 30 days, so a
-        // contact used today edges out one from months ago even with a lower
-        // raw use_count. Computed in JS since SQLite lacks exp/log.
-        //
-        // Wrapped in try/catch + simple-query fallback so a (hypothetical) SQL
-        // edge case on exotic input can never leave autocomplete showing blank.
-        // The rank-0 baseline is identical behavior to the original query.
         const substr = `%${query}%`;
         let rows;
         try {
             const prefixQ = `${query}%`;
-            // match_rank combines two signals: how the query matches the
-            // contact (name prefix > local-part prefix > substring), and
-            // where the contact came from (curated Google address book >
-            // someone you've sent to > someone who emailed you). Without
-            // the source bonus, the seeded "received" rows — newsletters,
-            // mailing lists, no-reply senders — drown out the People API
-            // contacts because they have higher use_count from the corpus
-            // aggregation. The +30 / +20 / 0 spread is large enough that a
-            // google-source row with weak query match still beats a
-            // received-source row with the same query match, but small
-            // enough that within a tier the recency-weighted use_count
-            // (computed in JS below, magnitude ~10000×) still differentiates.
+            // Source tier: anything not in the two reserved system sources
+            // ('google', 'discovered') is preferred-tier — i.e. came out of
+            // contacts.jsonc#preferred[]. The user's `source: "work"` /
+            // `source: "family"` tags all rank +40 alongside the default
+            // `preferred` label.
             rows = this.db.prepare(`SELECT name, email, source, use_count, last_used,
                         (CASE
                             WHEN lower(name) LIKE lower(?) THEN 3
@@ -1282,15 +1364,15 @@ export class MailxDB {
                             WHEN email LIKE ? OR name LIKE ? THEN 1
                             ELSE 0
                          END) +
-                        (CASE source
-                            WHEN 'google' THEN 30
-                            WHEN 'sent' THEN 20
-                            ELSE 0
+                        (CASE
+                            WHEN source = 'google' THEN 30
+                            WHEN source = 'discovered' THEN 0
+                            ELSE 40
                          END) AS match_rank
                  FROM contacts
                  WHERE email LIKE ? OR name LIKE ?
                  ORDER BY match_rank DESC, use_count DESC, last_used DESC
-                 LIMIT ?`).all(prefixQ, prefixQ, substr, substr, substr, substr, limit);
+                 LIMIT ?`).all(prefixQ, prefixQ, substr, substr, substr, substr, limit * 2);
         }
         catch (e) {
             console.error(`  [searchContacts] ranked query failed (${e?.message}) — falling back to simple LIKE`);
@@ -1298,13 +1380,18 @@ export class MailxDB {
                  FROM contacts
                  WHERE email LIKE ? OR name LIKE ?
                  ORDER BY use_count DESC, last_used DESC
-                 LIMIT ?`).all(substr, substr, limit);
+                 LIMIT ?`).all(substr, substr, limit * 2);
         }
+        // Filter out denylisted emails as a defense-in-depth — applyContactsConfig
+        // already purges discovered rows on denylist, but a Google sync that
+        // reintroduced a denylisted address would otherwise leak through.
+        rows = rows.filter(r => !this.isAddressDenylisted((r.email || "").toLowerCase()));
         const now = Date.now();
         const HALF_LIFE_MS = 30 * 86400_000;
         const score = (r) => (r.match_rank || 0) * 10_000
             + (r.use_count || 0) * Math.pow(0.5, Math.max(0, now - (r.last_used || 0)) / HALF_LIFE_MS);
         rows.sort((a, b) => score(b) - score(a));
+        rows = rows.slice(0, limit);
         return rows.map(r => ({ name: r.name, email: r.email, source: r.source, useCount: r.use_count }));
     }
     /** List all contacts (address-book view) with pagination + optional filter. */

package/unwedge.cmd

@@ -1 +1 @@
-rmdir C:\Users\Bob\.claude\session-env\5a053d1d-7856-4e74-9b2b-23a4e3262aed /s /q 
+rmdir C:\Users\Bob\.claude\session-env\7299facd-d726-4f8a-8e7a-dbd852680c95 /s /q