@bobfrankston/mailx 1.0.437 → 1.0.439

package/packages/mailx-service/index.d.ts

@@ -6,6 +6,18 @@
 import { MailxDB } from "@bobfrankston/mailx-store";
 import { ImapManager } from "@bobfrankston/mailx-imap";
 import type { Folder, AutocompleteRequest, AutocompleteResponse, AutocompleteSettings, AiTransformRequest, AiTransformResponse } from "@bobfrankston/mailx-types";
+interface ReputationResult {
+    flagged: boolean;
+    listedCount: number;
+    checkedCount: number;
+    sources: Array<{
+        service: string;
+        flagged: boolean;
+        verdict: string;
+    }>;
+    verdict: string;
+    service: string;
+}
 export declare class MailxService {
     private db;
     private imapManager;
@@ -59,8 +71,59 @@ export declare class MailxService {
         status: number;
         statusText: string;
     }>;
+    /** Per-session map: editId → temp file path + watcher cleanup.
+     *  Lives in memory only — cleared when the user closes compose or sends. */
+    private wordEdits;
+    /** Hand the current compose body off to Microsoft Word for editing. Writes
+     *  the HTML to `~/.mailx/external-edit/<editId>.html`, opens it via the
+     *  default OS handler (Word on Windows when .html is associated; otherwise
+     *  the user's chosen editor for HTML), and starts an fs.watch that emits
+     *  `wordEditUpdated` when Word saves. The compose UI listens for that
+     *  event and reloads the editor.
+     *
+     *  Windows-only by current default — on Mac/Linux there's no equivalent
+     *  reliable round-trip. The compose toolbar should hide the button on
+     *  non-win32 platforms. */
+    openInWord(editId: string, html: string): Promise<{
+        ok: boolean;
+        path: string;
+        opener: string;
+    }>;
+    /** End external editing. Stops the watcher, removes the temp file.
+     *  Caller is the compose UI when the user closes the window or sends. */
+    closeWordEdit(editId: string): Promise<void>;
     updateFlags(accountId: string, uid: number, flags: string[]): Promise<void>;
     allowRemoteContent(type: "sender" | "domain" | "recipient", value: string): Promise<void>;
+    /** Domain-reputation cache. Lookups are fast (~50ms each, three in
+     *  parallel) but we still don't want to redo them on every render of
+     *  the same sender's mail. Five-minute TTL — long enough that scrolling
+     *  a folder fans out one query set, short enough that a newly-listed
+     *  domain surfaces within minutes. */
+    private reputationCache;
+    private static readonly REPUTATION_TTL_MS;
+    private static readonly REPUTATION_TIMEOUT_MS;
+    /** Check a domain against three free no-key DNS blocklists in parallel:
+     *
+     *    Spamhaus DBL    — `<d>.dbl.spamhaus.org`     spam/phish/malware
+     *    SURBL multi     — `<d>.multi.surbl.org`      mixed (ph/mw/abuse)
+     *    URIBL multi     — `<d>.multi.uribl.com`      black/grey/red lists
+     *
+     *  Each lookup is bounded at 500 ms; missing/slow services are treated
+     *  as "unknown" (don't poison the cache). Returns the aggregate plus
+     *  the per-service detail so the UI can show "N of 3 services flag
+     *  this domain" with the contributing source list.
+     *
+     *  Privacy: each query leaks the bare domain to that DNSBL's
+     *  infrastructure plus the user's local resolver. Opt-in via Settings.
+     *
+     *  No API keys, free for personal use across all three services. */
+    checkDomainReputation(domain: string): Promise<ReputationResult | null>;
+    /** Mark a sender or domain as suspect. Surfaced in the remote-content
+     *  banner as a red warning on subsequent messages. Toggle: calling with
+     *  the same value removes it. Returns the new state for UI feedback. */
+    flagSenderOrDomain(type: "sender" | "domain", value: string): Promise<{
+        flagged: boolean;
+    }>;
     search(q: string, page?: number, pageSize?: number, scope?: string, accountId?: string, folderId?: number): Promise<any>;
     rebuildSearchIndex(): number;
     getSyncPending(): {
@@ -284,4 +347,5 @@ export declare class MailxService {
      *  default false. Returns empty text + reason when disabled or on error. */
     aiTransform(req: AiTransformRequest): Promise<AiTransformResponse>;
 }
+export {};
 //# sourceMappingURL=index.d.ts.map

package/packages/mailx-service/index.js

@@ -460,10 +460,30 @@ export class MailxService {
         // hides the Source button on every just-opened message.
         const refreshed = this.db.getMessageByUid(accountId, uid, folderId);
         const emlPath = refreshed?.bodyPath || envelope.bodyPath || "";
+        // Flag check — surfaced in the remote-content banner as a red
+        // warning when the sender's address or domain is on the user's
+        // flagged list. Cheap lookup; loadAllowlist is already cached.
+        const allowList = loadAllowlist();
+        const senderAddr = (envelope.from?.address || "").toLowerCase();
+        const senderDomain = senderAddr.split("@")[1] || "";
+        const isFlagged = !!((allowList.flaggedSenders || []).some((s) => (s || "").toLowerCase() === senderAddr) ||
+            (allowList.flaggedDomains || []).some((d) => (d || "").toLowerCase() === senderDomain));
+        // External reputation check — Spamhaus DBL + SURBL + URIBL in parallel.
+        // Off by default (privacy: the domain leaks to those DNSBLs and the
+        // user's local resolver). User opts in via Settings → "Check sender
+        // reputation". Each lookup is bounded at 500 ms; the whole check is
+        // bounded by the slowest, ~500 ms worst case.
+        let reputation = null;
+        const settings = loadSettings() || {};
+        if (settings.checkDomainReputation && senderDomain && hasRemoteContent) {
+            reputation = await this.checkDomainReputation(senderDomain);
+        }
         return {
             ...envelope, bodyHtml, bodyText, hasRemoteContent, remoteAllowed: allowRemote,
             attachments, emlPath, deliveredTo, returnPath,
             listUnsubscribe, listUnsubscribeMail, listUnsubscribeHttp, listUnsubscribeOneClick,
+            isFlagged,
+            reputation,
         };
     }
     /** RFC 8058 one-click unsubscribe: POST `List-Unsubscribe=One-Click` to the
@@ -506,6 +526,158 @@ export class MailxService {
         }
         return { ok: resp.ok, status: resp.status, statusText: resp.statusText };
     }
+    // ── External edit in Microsoft Word ──
+    /** Per-session map: editId → temp file path + watcher cleanup.
+     *  Lives in memory only — cleared when the user closes compose or sends. */
+    wordEdits = new Map();
+    /** Hand the current compose body off to Microsoft Word for editing. Writes
+     *  the HTML to `~/.mailx/external-edit/<editId>.html`, opens it via the
+     *  default OS handler (Word on Windows when .html is associated; otherwise
+     *  the user's chosen editor for HTML), and starts an fs.watch that emits
+     *  `wordEditUpdated` when Word saves. The compose UI listens for that
+     *  event and reloads the editor.
+     *
+     *  Windows-only by current default — on Mac/Linux there's no equivalent
+     *  reliable round-trip. The compose toolbar should hide the button on
+     *  non-win32 platforms. */
+    async openInWord(editId, html) {
+        const dir = path.join(getConfigDir(), "external-edit");
+        fs.mkdirSync(dir, { recursive: true });
+        const filePath = path.join(dir, `${editId}.html`);
+        // Wrap in a minimal HTML doc so Word picks up encoding + treats the
+        // body content as the document. Word imports the <body> contents and
+        // converts them to its own model; saving HTML preserves enough of
+        // the structure for re-import (paragraphs, links, basic formatting).
+        const wrapped = `<!doctype html>
+<html><head><meta charset="utf-8"><title>mailx draft</title></head>
+<body>${html || "<p></p>"}</body></html>
+`;
+        fs.writeFileSync(filePath, wrapped, "utf-8");
+        // Stop any existing watcher for this edit (re-open re-arms cleanly).
+        this.wordEdits.get(editId)?.stop();
+        // Try Word explicitly first; on failure (Word not installed, exec not
+        // in PATH) fall back to the OS default handler so the user still gets
+        // *some* editor. Report which one ran so the UI can say "Opening in
+        // Word…" vs "Opening in default editor…".
+        const { spawnSync, spawn } = await import("node:child_process");
+        const tryLaunch = (cmd, args) => {
+            try {
+                const r = spawnSync(cmd, args, { stdio: "ignore", windowsHide: true });
+                return r.status === 0 && !r.error;
+            }
+            catch {
+                return false;
+            }
+        };
+        // Editor preference: settings.externalEditor in `~/.mailx/config.jsonc`
+        // can be "word" | "libreoffice" | "auto" (default). Auto means try
+        // Word first, then LibreOffice, then OS default — gives Word users the
+        // expected experience while still working when Word isn't installed.
+        // LibreOffice tends to round-trip email-shaped HTML cleaner than
+        // Word, so users on either platform may want to flip it via the
+        // config editor.
+        const settings = loadSettings() || {};
+        const pref = (settings.externalEditor || "auto");
+        const tryWord = () => {
+            if (process.platform === "win32")
+                return tryLaunch("cmd", ["/c", "start", "", "/B", "winword.exe", filePath]);
+            if (process.platform === "darwin")
+                return tryLaunch("open", ["-a", "Microsoft Word", filePath]);
+            return false; // no MS Word on Linux
+        };
+        const tryLibreOffice = () => {
+            if (process.platform === "win32")
+                return tryLaunch("cmd", ["/c", "start", "", "/B", "soffice.exe", "--writer", filePath]);
+            if (process.platform === "darwin")
+                return tryLaunch("open", ["-a", "LibreOffice", filePath]);
+            return tryLaunch("soffice", ["--writer", filePath]) || tryLaunch("libreoffice", ["--writer", filePath]);
+        };
+        const tryDefault = () => {
+            if (process.platform === "win32")
+                return tryLaunch("cmd", ["/c", "start", "", filePath]);
+            if (process.platform === "darwin")
+                return tryLaunch("open", [filePath]);
+            return tryLaunch("xdg-open", [filePath]);
+        };
+        let opener = "none";
+        const order = pref === "libreoffice"
+            ? [["libreoffice", tryLibreOffice], ["word", tryWord], ["default", tryDefault]]
+            : pref === "word"
+                ? [["word", tryWord], ["default", tryDefault]]
+                : [["word", tryWord], ["libreoffice", tryLibreOffice], ["default", tryDefault]]; // auto
+        for (const [name, fn] of order) {
+            if (fn()) {
+                opener = name;
+                break;
+            }
+        }
+        if (opener === "none") {
+            console.error(`  [word-edit] no editor found on this platform — file written to ${filePath}`);
+        }
+        else {
+            console.log(`  [word-edit] opened ${filePath} via ${opener}`);
+        }
+        // Watch for save events. fs.watch on Windows fires multiple events
+        // per save (rename + change for atomic replacement); debounce so the
+        // UI only reloads once per save. Watch the directory rather than the
+        // file directly because Word writes via temp-file rename, which can
+        // invalidate a file-level watch.
+        let debounce = null;
+        let lastSize = -1;
+        const watcher = fs.watch(dir, (eventType, name) => {
+            if (name !== `${editId}.html`)
+                return;
+            if (debounce)
+                clearTimeout(debounce);
+            debounce = setTimeout(() => {
+                let stat;
+                try {
+                    stat = fs.statSync(filePath);
+                }
+                catch {
+                    return;
+                }
+                // Skip duplicate events with the same size — Word fires several
+                // change notifications per save and we only want one reload.
+                if (stat.size === lastSize)
+                    return;
+                lastSize = stat.size;
+                try {
+                    const updatedHtml = fs.readFileSync(filePath, "utf-8");
+                    // Strip the wrapper to extract just the body content.
+                    const bodyMatch = updatedHtml.match(/<body[^>]*>([\s\S]*?)<\/body>/i);
+                    const inner = bodyMatch ? bodyMatch[1] : updatedHtml;
+                    this.imapManager.emit("wordEditUpdated", { editId, html: inner });
+                }
+                catch (e) {
+                    console.error(`  [word-edit] read after save failed: ${e.message}`);
+                }
+            }, 300);
+        });
+        const stop = () => {
+            try {
+                watcher.close();
+            }
+            catch { /* */ }
+            if (debounce)
+                clearTimeout(debounce);
+        };
+        this.wordEdits.set(editId, { path: filePath, stop });
+        return { ok: opener !== "none", path: filePath, opener };
+    }
+    /** End external editing. Stops the watcher, removes the temp file.
+     *  Caller is the compose UI when the user closes the window or sends. */
+    async closeWordEdit(editId) {
+        const entry = this.wordEdits.get(editId);
+        if (!entry)
+            return;
+        entry.stop();
+        this.wordEdits.delete(editId);
+        try {
+            fs.unlinkSync(entry.path);
+        }
+        catch { /* file already gone — fine */ }
+    }
     async updateFlags(accountId, uid, flags) {
         const envelope = this.db.getMessageByUid(accountId, uid);
         await this.imapManager.updateFlagsLocal(accountId, uid, envelope?.folderId || 0, flags);
@@ -526,6 +698,102 @@ export class MailxService {
         await saveAllowlist(list);
         console.log(`  [allow] Added ${type}: ${value}`);
     }
+    /** Domain-reputation cache. Lookups are fast (~50ms each, three in
+     *  parallel) but we still don't want to redo them on every render of
+     *  the same sender's mail. Five-minute TTL — long enough that scrolling
+     *  a folder fans out one query set, short enough that a newly-listed
+     *  domain surfaces within minutes. */
+    reputationCache = new Map();
+    static REPUTATION_TTL_MS = 5 * 60_000;
+    static REPUTATION_TIMEOUT_MS = 500;
+    /** Check a domain against three free no-key DNS blocklists in parallel:
+     *
+     *    Spamhaus DBL    — `<d>.dbl.spamhaus.org`     spam/phish/malware
+     *    SURBL multi     — `<d>.multi.surbl.org`      mixed (ph/mw/abuse)
+     *    URIBL multi     — `<d>.multi.uribl.com`      black/grey/red lists
+     *
+     *  Each lookup is bounded at 500 ms; missing/slow services are treated
+     *  as "unknown" (don't poison the cache). Returns the aggregate plus
+     *  the per-service detail so the UI can show "N of 3 services flag
+     *  this domain" with the contributing source list.
+     *
+     *  Privacy: each query leaks the bare domain to that DNSBL's
+     *  infrastructure plus the user's local resolver. Opt-in via Settings.
+     *
+     *  No API keys, free for personal use across all three services. */
+    async checkDomainReputation(domain) {
+        domain = (domain || "").toLowerCase().trim();
+        if (!domain)
+            return null;
+        const cached = this.reputationCache.get(domain);
+        if (cached && cached.expiresAt > Date.now())
+            return cached.result;
+        const probe = async (service, host, mapVerdict) => {
+            try {
+                const lookup = dns.resolve4(`${domain}.${host}`);
+                const timeout = new Promise((_, reject) => setTimeout(() => reject(new Error("dnsbl-timeout")), MailxService.REPUTATION_TIMEOUT_MS));
+                const records = await Promise.race([lookup, timeout]);
+                const last = records[0]?.split(".").pop() || "";
+                return { service, flagged: true, verdict: mapVerdict(last) };
+            }
+            catch (e) {
+                const code = e?.code || "";
+                if (code === "ENOTFOUND" || code === "ENODATA") {
+                    return { service, flagged: false, verdict: "clean" };
+                }
+                return null; // timeout / network — unknown
+            }
+        };
+        const dblVerdict = (last) => last === "2" ? "spam" :
+            last === "4" ? "phishing" :
+                last === "5" ? "malware" :
+                    last === "6" ? "botnet" :
+                        "listed";
+        // SURBL/URIBL encode multiple list memberships in a bitfield; the
+        // distinction matters less to the end user than "how many sources
+        // agree", so we keep a generic "listed" verdict for both.
+        const generic = (_last) => "listed";
+        const sources = await Promise.all([
+            probe("Spamhaus DBL", "dbl.spamhaus.org", dblVerdict),
+            probe("SURBL", "multi.surbl.org", generic),
+            probe("URIBL", "multi.uribl.com", generic),
+        ]);
+        const known = sources.filter((s) => s !== null);
+        const flagged = known.filter(s => s.flagged);
+        const result = {
+            flagged: flagged.length > 0,
+            listedCount: flagged.length,
+            checkedCount: known.length,
+            sources: flagged,
+            // Pick the most specific verdict if Spamhaus contributed (since
+            // DBL distinguishes phishing/malware/etc); otherwise generic.
+            verdict: flagged.find(s => s.service === "Spamhaus DBL")?.verdict || flagged[0]?.verdict || "clean",
+            service: flagged.map(s => s.service).join(", ") || "Spamhaus DBL / SURBL / URIBL",
+        };
+        this.reputationCache.set(domain, { result, expiresAt: Date.now() + MailxService.REPUTATION_TTL_MS });
+        return result;
+    }
+    /** Mark a sender or domain as suspect. Surfaced in the remote-content
+     *  banner as a red warning on subsequent messages. Toggle: calling with
+     *  the same value removes it. Returns the new state for UI feedback. */
+    async flagSenderOrDomain(type, value) {
+        const list = loadAllowlist();
+        const key = type === "sender" ? "flaggedSenders" : "flaggedDomains";
+        if (!Array.isArray(list[key]))
+            list[key] = [];
+        const lower = (value || "").toLowerCase();
+        const idx = list[key].findIndex((v) => (v || "").toLowerCase() === lower);
+        if (idx >= 0) {
+            list[key].splice(idx, 1);
+            await saveAllowlist(list);
+            console.log(`  [flag] Removed ${type}: ${value}`);
+            return { flagged: false };
+        }
+        list[key].push(value);
+        await saveAllowlist(list);
+        console.log(`  [flag] Added ${type}: ${value}`);
+        return { flagged: true };
+    }
     // ── Search ──
     async search(q, page = 1, pageSize = 50, scope = "all", accountId, folderId) {
         q = (q || "").trim();
@@ -1454,7 +1722,7 @@ export class MailxService {
     // ── Folder management ──
     async createFolder(accountId, parentPath, name) {
         const fullPath = parentPath ? `${parentPath}.${name}` : name;
-        const client = this.imapManager.createPublicClient(accountId);
+        const client = await this.imapManager.createPublicClient(accountId);
         try {
             await client.createmailbox(fullPath);
             await this.imapManager.syncFolders(accountId, client);
@@ -1474,7 +1742,7 @@ export class MailxService {
         const parts = folder.path.split(folder.delimiter || ".");
         parts[parts.length - 1] = newName;
         const newPath = parts.join(folder.delimiter || ".");
-        const client = this.imapManager.createPublicClient(accountId);
+        const client = await this.imapManager.createPublicClient(accountId);
         try {
             if (client.renameMailbox) {
                 await client.renameMailbox(folder.path, newPath);
@@ -1498,7 +1766,7 @@ export class MailxService {
         const folder = this.db.getFolders(accountId).find(f => f.id === folderId);
         if (!folder)
             throw new Error("Folder not found");
-        const client = this.imapManager.createPublicClient(accountId);
+        const client = await this.imapManager.createPublicClient(accountId);
         try {
             try {
                 if (client.deleteMailbox) {
@@ -1551,7 +1819,7 @@ export class MailxService {
             this.imapManager.emit?.("folderCountsChanged", accountId, {});
         }
         catch { /* non-fatal */ }
-        const client = this.imapManager.createPublicClient(accountId);
+        const client = await this.imapManager.createPublicClient(accountId);
         try {
             const uids = await client.getUids(folder.path);
             for (const uid of uids)

package/packages/mailx-service/jsonrpc.js

@@ -175,6 +175,10 @@ async function dispatchAction(svc, action, p) {
             return { content: await svc.readConfigHelp(p.name) };
         case "unsubscribeOneClick":
             return await svc.unsubscribeOneClick(p.url);
+        case "openInWord":
+            return await svc.openInWord(p.editId, p.html);
+        case "closeWordEdit":
+            return await svc.closeWordEdit(p.editId);
         // Client-side tracing — lets webview / iframe code ship events to the
         // Node log so a "compose→send→vanished" report can be diagnosed without
         // opening devtools. Every call shows up as `[client] <tag> <data>` in
@@ -192,6 +196,8 @@ async function dispatchAction(svc, action, p) {
         case "allowRemoteContent":
             svc.allowRemoteContent(p.type, p.value);
             return { ok: true };
+        case "flagSenderOrDomain":
+            return await svc.flagSenderOrDomain(p.type, p.value);
         case "getVersion": {
             try {
                 const settings = svc.getSettings();

package/packages/mailx-settings/index.d.ts

@@ -69,6 +69,8 @@ declare const DEFAULT_ALLOWLIST: {
     senders: string[];
     domains: string[];
     recipients: string[];
+    flaggedSenders: string[];
+    flaggedDomains: string[];
 };
 /** Load account configs */
 export declare function loadAccounts(): AccountConfig[];

package/packages/mailx-settings/index.js

@@ -439,6 +439,14 @@ const DEFAULT_ALLOWLIST = {
     senders: [],
     domains: [],
     recipients: [],
+    // Flagged senders/domains — surfaced as a red warning on the
+    // remote-content banner. Distinct from the positive lists above:
+    // these don't auto-allow anything, they make the banner louder when
+    // a known-suspicious correspondent's mail shows up. Future: a shared
+    // GitHub list users can opt in to (community-flagged phishing /
+    // tracker-heavy senders) — see TODO.md.
+    flaggedSenders: [],
+    flaggedDomains: [],
 };
 // ── Public API ──
 /** Load account configs */
@@ -620,6 +628,8 @@ export async function saveAllowlist(list) {
                     senders: mergeArrays(list.senders || [], cloud.senders || []),
                     domains: mergeArrays(list.domains || [], cloud.domains || []),
                     recipients: mergeArrays(list.recipients || [], cloud.recipients || []),
+                    flaggedSenders: mergeArrays(list.flaggedSenders || [], cloud.flaggedSenders || []),
+                    flaggedDomains: mergeArrays(list.flaggedDomains || [], cloud.flaggedDomains || []),
                 };
             }
         }