npm - @bobfrankston/mailx - Versions diffs - 1.0.438 → 1.0.440 - Mend

@bobfrankston/mailx 1.0.438 → 1.0.440

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/client/app.js +15 -0
package/client/components/message-viewer.js +34 -2
package/client/index.html +2 -0
package/client/styles/components.css +12 -0
package/package.json +1 -1
package/packages/mailx-service/index.d.ts +37 -0
package/packages/mailx-service/index.js +86 -0

package/client/app.js CHANGED Viewed

@@ -2873,6 +2873,21 @@ optAiProofread?.addEventListener("change", () => {
     }
     catch { /* */ }
 });
+// Sender reputation check (Spamhaus DBL). Stored at top-level settings so
+// the service can read it cheaply without going through autocomplete config.
+// Off by default — enabling it leaks read-recipient domains to Spamhaus's
+// DNS infra, which the user should opt into knowingly.
+const optCheckReputation = document.getElementById("opt-check-reputation");
+getSettings().then((s) => {
+    if (optCheckReputation)
+        optCheckReputation.checked = !!s.checkDomainReputation;
+}).catch(() => { });
+optCheckReputation?.addEventListener("change", () => {
+    getSettings().then((settings) => {
+        settings.checkDomainReputation = !!optCheckReputation.checked;
+        saveSettings(settings);
+    }).catch(() => { });
+});
 const isApp = typeof mailxapi !== "undefined" && mailxapi?.isApp;
 // Wait for server ready signal, then fetch version
 const versionPromise = getVersion();

package/client/components/message-viewer.js CHANGED Viewed

@@ -2,7 +2,7 @@
  * Message viewer component -- displays full message in sandboxed iframe.
  * Subscribes to message-state: clears when selected becomes null.
  */
-import { getMessage, updateFlags, allowRemoteContent, flagSenderOrDomain, getAttachment, addContact, listContacts, upsertContact, unsubscribeOneClick } from "../lib/api-client.js";
+import { getMessage, updateFlags, allowRemoteContent, flagSenderOrDomain, getAttachment, addContact, listContacts, upsertContact, unsubscribeOneClick, addPreferredContact } from "../lib/api-client.js";
 import { showContextMenu } from "./context-menu.js";
 import * as state from "../lib/message-state.js";
 /** Currently displayed message (for reply/forward) */
@@ -348,6 +348,28 @@ export async function showMessage(accountId, uid, folderId, specialUse, isRetry
                             await showAddContactDialog(name, addr.address);
                         },
                     });
+                    // "Add to preferred" — separate path: writes to
+                    // contacts.jsonc#preferred[] with an optional source tag.
+                    // Distinct from "Add to contacts" which goes into the DB +
+                    // pushes to Google. Preferred entries rank higher in
+                    // autocomplete and survive Google sync's churn.
+                    items.push({
+                        label: `Add to preferred: ${addr.address}`,
+                        action: async () => {
+                            const tag = prompt("Tag (e.g. work, family, vendor) — leave blank for default:", "");
+                            if (tag === null)
+                                return; // user cancelled
+                            try {
+                                await addPreferredContact({ name, email: addr.address, source: tag.trim() || undefined });
+                                const status = document.getElementById("status-sync");
+                                if (status)
+                                    status.textContent = `Added to preferred: ${addr.address}${tag ? ` [${tag}]` : ""}`;
+                            }
+                            catch (e) {
+                                alert(`Couldn't add to preferred: ${e?.message || e}`);
+                            }
+                        },
+                    });
                     items.push({ label: "", action: () => { }, separator: true });
                 }
                 items.push({ label: "Reply", action: () => document.dispatchEvent(new CustomEvent("mailx-compose", { detail: { mode: "reply" } })) });
@@ -548,12 +570,22 @@ export async function showMessage(accountId, uid, folderId, specialUse, isRetry
             const toAddr = msg.to?.[0]?.address || "";
             const returnPath = msg.returnPath || "";
             const isFlagged = !!msg.isFlagged;
+            const reputation = msg.reputation;
+            const reputationFlagged = !!(reputation && reputation.flagged);
+            const reputationText = reputationFlagged
+                ? `⚠ ${reputation.listedCount} of ${reputation.checkedCount} reputation services flag <strong>${escapeText(senderDomain)}</strong> as <strong>${escapeText(reputation.verdict)}</strong> (${escapeText(reputation.sources.map(s => s.service).join(", "))})`
+                : "";
             const banner = document.createElement("div");
-            banner.className = "mv-remote-banner" + (isFlagged ? " mv-remote-banner-flagged" : "");
+            banner.className = "mv-remote-banner"
+                + (isFlagged ? " mv-remote-banner-flagged" : "")
+                + (reputationFlagged ? " mv-remote-banner-reputation" : "");
             banner.innerHTML =
                 (isFlagged
                     ? `<div class="mv-rb-flagged">⚠ FLAGGED: this sender or domain is on your flagged list</div>`
                     : "") +
+                    (reputationFlagged
+                        ? `<div class="mv-rb-reputation">${reputationText}</div>`
+                        : "") +
                     `<div class="mv-rb-summary">` +
                     `<span class="mv-rb-toggle">&#x25B8;</span>` +
                     `<span>Remote content blocked</span>` +

package/client/index.html CHANGED Viewed

@@ -55,6 +55,7 @@
                     <label class="tb-menu-item" title="Ghost-text completions while composing — Ollama / Claude / OpenAI back-end, off by default"><input type="checkbox" id="opt-autocomplete"> AI autocomplete</label>
                     <label class="tb-menu-item" title="Right-click in message body → Translate"><input type="checkbox" id="opt-ai-translate"> AI translate (off by default)</label>
                     <label class="tb-menu-item" title="Right-click in compose editor → Proofread (when wired)"><input type="checkbox" id="opt-ai-proofread"> AI proofread (off by default)</label>
+                    <label class="tb-menu-item" title="When opening a message with remote content, look up the sender's domain in three free DNS blocklists in parallel: Spamhaus DBL, SURBL, URIBL. The banner shows N-of-3 services flagging the domain. Each query leaks the bare domain to that DNSBL's DNS. Off by default."><input type="checkbox" id="opt-check-reputation"> Check sender reputation (DNSBLs)</label>
                     <hr class="tb-menu-sep">
                     <button class="tb-menu-item" id="btn-edit-jsonc" title="Edit accounts.jsonc / allowlist.jsonc">Edit config files...</button>
                     <button class="tb-menu-item" id="btn-open-mailx-dir" title="Open ~/.mailx in file explorer">Open mailx folder...</button>
@@ -183,6 +184,7 @@
         </header>
         <div class="cal-side-actions">
             <button class="cal-side-new" id="cal-side-new" title="New event">＋ New event</button>
+            <button class="cal-side-new" id="cal-side-refresh-events" title="Refresh events from Google">↻</button>
             <label class="cal-side-opt" title="Include expanded instances of recurring events">
                 <input type="checkbox" id="cal-side-show-recurring" checked> Show recurring
             </label>

package/client/styles/components.css CHANGED Viewed

@@ -1536,6 +1536,18 @@ body.calendar-sidebar-on .calendar-sidebar { display: flex; }
 .mv-remote-banner-flagged { box-shadow: inset 0 0 0 2px oklch(0.55 0.22 25); }
 .mv-rb-flag-btn { background: oklch(0.42 0.20 25); }
+/* External reputation hit (Spamhaus DBL etc) — orange strip, distinct from
+   the user's manual red flag. Renders below the user-flag strip when both
+   are present so the precedence is visible. */
+.mv-rb-reputation {
+    background: oklch(0.55 0.18 50);
+    color: white;
+    padding: var(--gap-xs) var(--gap-md);
+    font-weight: 600;
+    letter-spacing: 0.02em;
+}
+.mv-remote-banner-reputation { box-shadow: inset 0 0 0 2px oklch(0.65 0.20 50); }
 .mv-rb-summary {
     display: flex;
     align-items: center;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/mailx",
-  "version": "1.0.438",
+  "version": "1.0.440",
   "description": "Local-first email client with IMAP sync and standalone native app",
   "type": "module",
   "main": "bin/mailx.js",

package/packages/mailx-service/index.d.ts CHANGED Viewed

@@ -6,6 +6,18 @@
 import { MailxDB } from "@bobfrankston/mailx-store";
 import { ImapManager } from "@bobfrankston/mailx-imap";
 import type { Folder, AutocompleteRequest, AutocompleteResponse, AutocompleteSettings, AiTransformRequest, AiTransformResponse } from "@bobfrankston/mailx-types";
+interface ReputationResult {
+    flagged: boolean;
+    listedCount: number;
+    checkedCount: number;
+    sources: Array<{
+        service: string;
+        flagged: boolean;
+        verdict: string;
+    }>;
+    verdict: string;
+    service: string;
+}
 export declare class MailxService {
     private db;
     private imapManager;
@@ -82,6 +94,30 @@ export declare class MailxService {
     closeWordEdit(editId: string): Promise<void>;
     updateFlags(accountId: string, uid: number, flags: string[]): Promise<void>;
     allowRemoteContent(type: "sender" | "domain" | "recipient", value: string): Promise<void>;
+    /** Domain-reputation cache. Lookups are fast (~50ms each, three in
+     *  parallel) but we still don't want to redo them on every render of
+     *  the same sender's mail. Five-minute TTL — long enough that scrolling
+     *  a folder fans out one query set, short enough that a newly-listed
+     *  domain surfaces within minutes. */
+    private reputationCache;
+    private static readonly REPUTATION_TTL_MS;
+    private static readonly REPUTATION_TIMEOUT_MS;
+    /** Check a domain against three free no-key DNS blocklists in parallel:
+     *
+     *    Spamhaus DBL    — `<d>.dbl.spamhaus.org`     spam/phish/malware
+     *    SURBL multi     — `<d>.multi.surbl.org`      mixed (ph/mw/abuse)
+     *    URIBL multi     — `<d>.multi.uribl.com`      black/grey/red lists
+     *
+     *  Each lookup is bounded at 500 ms; missing/slow services are treated
+     *  as "unknown" (don't poison the cache). Returns the aggregate plus
+     *  the per-service detail so the UI can show "N of 3 services flag
+     *  this domain" with the contributing source list.
+     *
+     *  Privacy: each query leaks the bare domain to that DNSBL's
+     *  infrastructure plus the user's local resolver. Opt-in via Settings.
+     *
+     *  No API keys, free for personal use across all three services. */
+    checkDomainReputation(domain: string): Promise<ReputationResult | null>;
     /** Mark a sender or domain as suspect. Surfaced in the remote-content
      *  banner as a red warning on subsequent messages. Toggle: calling with
      *  the same value removes it. Returns the new state for UI feedback. */
@@ -311,4 +347,5 @@ export declare class MailxService {
      *  default false. Returns empty text + reason when disabled or on error. */
     aiTransform(req: AiTransformRequest): Promise<AiTransformResponse>;
 }
+export {};
 //# sourceMappingURL=index.d.ts.map

package/packages/mailx-service/index.js CHANGED Viewed

@@ -468,11 +468,22 @@ export class MailxService {
         const senderDomain = senderAddr.split("@")[1] || "";
         const isFlagged = !!((allowList.flaggedSenders || []).some((s) => (s || "").toLowerCase() === senderAddr) ||
             (allowList.flaggedDomains || []).some((d) => (d || "").toLowerCase() === senderDomain));
+        // External reputation check — Spamhaus DBL + SURBL + URIBL in parallel.
+        // Off by default (privacy: the domain leaks to those DNSBLs and the
+        // user's local resolver). User opts in via Settings → "Check sender
+        // reputation". Each lookup is bounded at 500 ms; the whole check is
+        // bounded by the slowest, ~500 ms worst case.
+        let reputation = null;
+        const settings = loadSettings() || {};
+        if (settings.checkDomainReputation && senderDomain && hasRemoteContent) {
+            reputation = await this.checkDomainReputation(senderDomain);
+        }
         return {
             ...envelope, bodyHtml, bodyText, hasRemoteContent, remoteAllowed: allowRemote,
             attachments, emlPath, deliveredTo, returnPath,
             listUnsubscribe, listUnsubscribeMail, listUnsubscribeHttp, listUnsubscribeOneClick,
             isFlagged,
+            reputation,
         };
     }
     /** RFC 8058 one-click unsubscribe: POST `List-Unsubscribe=One-Click` to the
@@ -687,6 +698,81 @@ export class MailxService {
         await saveAllowlist(list);
         console.log(`  [allow] Added ${type}: ${value}`);
     }
+    /** Domain-reputation cache. Lookups are fast (~50ms each, three in
+     *  parallel) but we still don't want to redo them on every render of
+     *  the same sender's mail. Five-minute TTL — long enough that scrolling
+     *  a folder fans out one query set, short enough that a newly-listed
+     *  domain surfaces within minutes. */
+    reputationCache = new Map();
+    static REPUTATION_TTL_MS = 5 * 60_000;
+    static REPUTATION_TIMEOUT_MS = 500;
+    /** Check a domain against three free no-key DNS blocklists in parallel:
+     *
+     *    Spamhaus DBL    — `<d>.dbl.spamhaus.org`     spam/phish/malware
+     *    SURBL multi     — `<d>.multi.surbl.org`      mixed (ph/mw/abuse)
+     *    URIBL multi     — `<d>.multi.uribl.com`      black/grey/red lists
+     *
+     *  Each lookup is bounded at 500 ms; missing/slow services are treated
+     *  as "unknown" (don't poison the cache). Returns the aggregate plus
+     *  the per-service detail so the UI can show "N of 3 services flag
+     *  this domain" with the contributing source list.
+     *
+     *  Privacy: each query leaks the bare domain to that DNSBL's
+     *  infrastructure plus the user's local resolver. Opt-in via Settings.
+     *
+     *  No API keys, free for personal use across all three services. */
+    async checkDomainReputation(domain) {
+        domain = (domain || "").toLowerCase().trim();
+        if (!domain)
+            return null;
+        const cached = this.reputationCache.get(domain);
+        if (cached && cached.expiresAt > Date.now())
+            return cached.result;
+        const probe = async (service, host, mapVerdict) => {
+            try {
+                const lookup = dns.resolve4(`${domain}.${host}`);
+                const timeout = new Promise((_, reject) => setTimeout(() => reject(new Error("dnsbl-timeout")), MailxService.REPUTATION_TIMEOUT_MS));
+                const records = await Promise.race([lookup, timeout]);
+                const last = records[0]?.split(".").pop() || "";
+                return { service, flagged: true, verdict: mapVerdict(last) };
+            }
+            catch (e) {
+                const code = e?.code || "";
+                if (code === "ENOTFOUND" || code === "ENODATA") {
+                    return { service, flagged: false, verdict: "clean" };
+                }
+                return null; // timeout / network — unknown
+            }
+        };
+        const dblVerdict = (last) => last === "2" ? "spam" :
+            last === "4" ? "phishing" :
+                last === "5" ? "malware" :
+                    last === "6" ? "botnet" :
+                        "listed";
+        // SURBL/URIBL encode multiple list memberships in a bitfield; the
+        // distinction matters less to the end user than "how many sources
+        // agree", so we keep a generic "listed" verdict for both.
+        const generic = (_last) => "listed";
+        const sources = await Promise.all([
+            probe("Spamhaus DBL", "dbl.spamhaus.org", dblVerdict),
+            probe("SURBL", "multi.surbl.org", generic),
+            probe("URIBL", "multi.uribl.com", generic),
+        ]);
+        const known = sources.filter((s) => s !== null);
+        const flagged = known.filter(s => s.flagged);
+        const result = {
+            flagged: flagged.length > 0,
+            listedCount: flagged.length,
+            checkedCount: known.length,
+            sources: flagged,
+            // Pick the most specific verdict if Spamhaus contributed (since
+            // DBL distinguishes phishing/malware/etc); otherwise generic.
+            verdict: flagged.find(s => s.service === "Spamhaus DBL")?.verdict || flagged[0]?.verdict || "clean",
+            service: flagged.map(s => s.service).join(", ") || "Spamhaus DBL / SURBL / URIBL",
+        };
+        this.reputationCache.set(domain, { result, expiresAt: Date.now() + MailxService.REPUTATION_TTL_MS });
+        return result;
+    }
     /** Mark a sender or domain as suspect. Surfaced in the remote-content
      *  banner as a red warning on subsequent messages. Toggle: calling with
      *  the same value removes it. Returns the new state for UI feedback. */