@ouro.bot/cli 0.1.0-alpha.55 → 0.1.0-alpha.551

package/dist/mailroom/outbound.js

@@ -0,0 +1,380 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseAcsEmailDeliveryReportEvent = void 0;
+exports.createAcsEmailProviderClient = createAcsEmailProviderClient;
+exports.resolveOutboundProviderClient = resolveOutboundProviderClient;
+exports.resolveOutboundTransport = resolveOutboundTransport;
+exports.createMailDraft = createMailDraft;
+exports.confirmMailDraftSend = confirmMailDraftSend;
+exports.listMailOutboundRecords = listMailOutboundRecords;
+exports.reconcileOutboundDeliveryEvent = reconcileOutboundDeliveryEvent;
+const crypto = __importStar(require("node:crypto"));
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const runtime_1 = require("../nerves/runtime");
+const autonomy_1 = require("./autonomy");
+const core_1 = require("./core");
+Object.defineProperty(exports, "parseAcsEmailDeliveryReportEvent", { enumerable: true, get: function () { return core_1.parseAcsEmailDeliveryReportEvent; } });
+function isRecord(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function textField(value, key) {
+    const raw = value[key];
+    return typeof raw === "string" ? raw.trim() : "";
+}
+function credentialFields(value) {
+    if (!isRecord(value))
+        return undefined;
+    const accessKey = textField(value, "accessKey");
+    const connectionString = textField(value, "connectionString");
+    const fields = {
+        ...(accessKey ? { accessKey } : {}),
+        ...(connectionString ? { connectionString } : {}),
+    };
+    return Object.keys(fields).length > 0 ? fields : undefined;
+}
+function normalizeList(values) {
+    return values
+        .map((value) => value.trim())
+        .filter(Boolean)
+        .map(core_1.normalizeMailAddress);
+}
+function contentHash(body) {
+    return crypto.createHash("sha256").update(body, "utf-8").digest("base64");
+}
+function hmacSignature(input) {
+    const stringToSign = `${input.method}\n${input.pathAndQuery}\n${input.date};${input.host};${input.contentHash}`;
+    return crypto.createHmac("sha256", Buffer.from(input.accessKey, "base64")).update(stringToSign, "utf-8").digest("base64");
+}
+function recipientObjects(addresses) {
+    return addresses.map((address) => ({ address }));
+}
+function providerMessageIdFromOperationLocation(operationLocation) {
+    const match = operationLocation.match(/\/operations\/([^?/#]+)/);
+    return match?.[1] ?? "";
+}
+function createAcsEmailProviderClient(input) {
+    const endpoint = input.endpoint.replace(/\/+$/, "");
+    const fetchImpl = input.fetch ?? fetch;
+    return {
+        async submit(submitInput) {
+            const url = new URL(`${endpoint}/emails:send?api-version=2025-09-01`);
+            const senderAddress = submitInput.transport.senderAddress ?? submitInput.draft.from;
+            const body = JSON.stringify({
+                senderAddress,
+                recipients: {
+                    to: recipientObjects(submitInput.draft.to),
+                    cc: recipientObjects(submitInput.draft.cc),
+                    bcc: recipientObjects(submitInput.draft.bcc),
+                },
+                content: {
+                    subject: submitInput.draft.subject,
+                    plainText: submitInput.draft.text,
+                },
+            });
+            const date = (input.now ?? (() => new Date()))().toUTCString();
+            const hash = contentHash(body);
+            const signature = hmacSignature({
+                method: "POST",
+                pathAndQuery: `${url.pathname}${url.search}`,
+                date,
+                host: url.host,
+                contentHash: hash,
+                accessKey: input.accessKey,
+            });
+            const response = await fetchImpl(url.toString(), {
+                method: "POST",
+                headers: {
+                    "content-type": "application/json",
+                    "x-ms-date": date,
+                    "x-ms-content-sha256": hash,
+                    authorization: `HMAC-SHA256 SignedHeaders=x-ms-date;host;x-ms-content-sha256&Signature=${signature}`,
+                },
+                body,
+            });
+            const operationLocation = response.headers.get("operation-location") ?? undefined;
+            const providerRequestId = response.headers.get("x-ms-request-id") ?? undefined;
+            const payload = await response.json().catch(() => ({}));
+            if (!response.ok) {
+                const reason = typeof payload.error?.message === "string" ? payload.error.message : `HTTP ${response.status}`;
+                throw new Error(`ACS outbound send failed: ${reason}`);
+            }
+            const providerMessageId = typeof payload.id === "string"
+                ? payload.id
+                : operationLocation
+                    ? providerMessageIdFromOperationLocation(operationLocation)
+                    : "";
+            if (!providerMessageId)
+                throw new Error("ACS outbound send did not return an operation id");
+            return {
+                provider: "azure-communication-services",
+                providerMessageId,
+                ...(operationLocation ? { operationLocation } : {}),
+                ...(providerRequestId ? { providerRequestId } : {}),
+                submittedAt: submitInput.submittedAt,
+            };
+        },
+    };
+}
+async function resolveOutboundProviderClient(transport, reader, options = {}) {
+    if (transport.kind !== "azure-communication-services")
+        return undefined;
+    const credentialItem = transport.credentialItem?.trim();
+    if (!credentialItem) {
+        throw new Error("outbound Azure Communication Services transport is missing credentialItem");
+    }
+    const accessKeyField = transport.credentialFields?.accessKey?.trim() || "accessKey";
+    const accessKey = (await reader.readSecretField(credentialItem, accessKeyField)).trim();
+    if (!accessKey) {
+        throw new Error(`outbound Azure Communication Services required secret field ${accessKeyField} is blank`);
+    }
+    return createAcsEmailProviderClient({
+        endpoint: transport.endpoint,
+        accessKey,
+        ...(options.fetch ? { fetch: options.fetch } : {}),
+        ...(options.now ? { now: options.now } : {}),
+    });
+}
+function draftId() {
+    return `draft_${crypto.randomBytes(12).toString("hex")}`;
+}
+function ensureRecipients(to) {
+    if (to.length === 0)
+        throw new Error("at least one recipient is required");
+}
+function resolveOutboundTransport(config) {
+    const outbound = isRecord(config) && isRecord(config.outbound) ? config.outbound : null;
+    if (!outbound) {
+        throw new Error("outbound mail transport is not configured; human-required: set mailroom.outbound before confirmed sends");
+    }
+    const transport = textField(outbound, "transport");
+    if (transport === "local-sink") {
+        const sinkPath = textField(outbound, "sinkPath");
+        if (!sinkPath)
+            throw new Error("outbound local-sink transport is missing sinkPath");
+        return { kind: "local-sink", sinkPath };
+    }
+    if (transport === "azure-communication-services") {
+        if ("credentialItemNoteQuery" in outbound || "noteQuery" in outbound || "notes" in outbound) {
+            throw new Error("outbound provider binding must not infer credentials from vault notes");
+        }
+        const endpoint = textField(outbound, "endpoint");
+        if (!endpoint)
+            throw new Error("outbound Azure Communication Services transport is missing endpoint");
+        const senderAddress = textField(outbound, "senderAddress");
+        const credentialItem = textField(outbound, "credentialItem");
+        const fields = credentialFields(outbound.credentialFields);
+        return {
+            kind: "azure-communication-services",
+            endpoint,
+            ...(senderAddress ? { senderAddress } : {}),
+            ...(credentialItem ? { credentialItem } : {}),
+            ...(fields ? { credentialFields: fields } : {}),
+        };
+    }
+    throw new Error("outbound mail transport is not configured; human-required: choose local-sink or azure-communication-services");
+}
+async function createMailDraft(input) {
+    const now = (input.now ?? (() => new Date()))().toISOString();
+    const to = normalizeList(input.to);
+    ensureRecipients(to);
+    const record = {
+        schemaVersion: 1,
+        id: draftId(),
+        agentId: input.agentId,
+        status: "draft",
+        mailboxRole: "agent-native-mailbox",
+        sendAuthority: "agent-native",
+        ownerEmail: null,
+        source: null,
+        from: (0, core_1.normalizeMailAddress)(input.from),
+        to,
+        cc: normalizeList(input.cc ?? []),
+        bcc: normalizeList(input.bcc ?? []),
+        subject: input.subject.trim(),
+        text: input.text,
+        actor: input.actor,
+        reason: input.reason,
+        createdAt: now,
+        updatedAt: now,
+    };
+    await input.store.upsertMailOutbound(record);
+    (0, runtime_1.emitNervesEvent)({
+        component: "senses",
+        event: "senses.mail_draft_created",
+        message: "mail draft created",
+        meta: { agentId: record.agentId, id: record.id, toCount: record.to.length },
+    });
+    return record;
+}
+function appendLocalSink(transport, record, sentAt) {
+    fs.mkdirSync(path.dirname(transport.sinkPath), { recursive: true });
+    const transportMessageId = `local_${crypto.randomBytes(10).toString("hex")}`;
+    fs.appendFileSync(transport.sinkPath, `${JSON.stringify({
+        schemaVersion: 1,
+        transportMessageId,
+        draftId: record.id,
+        agentId: record.agentId,
+        from: record.from,
+        to: record.to,
+        cc: record.cc,
+        bcc: record.bcc,
+        subject: record.subject,
+        text: record.text,
+        sendMode: record.sendMode,
+        policyId: record.policyDecision?.policyId ?? null,
+        sentAt,
+    })}\n`, "utf-8");
+    return transportMessageId;
+}
+function transportSend(transport, record, sentAt) {
+    return appendLocalSink(transport, record, sentAt);
+}
+async function confirmMailDraftSend(input) {
+    const draft = await input.store.getMailOutbound(input.draftId);
+    if (!draft || draft.agentId !== input.agentId)
+        throw new Error(`No draft found for ${input.draftId}`);
+    if (draft.status !== "draft")
+        throw new Error(`Draft ${input.draftId} is already ${draft.status}`);
+    const sentAt = (input.now ?? (() => new Date()))().toISOString();
+    const recentOutbound = await input.store.listMailOutbound(input.agentId);
+    const policyDecision = input.autonomous
+        ? (() => {
+            if (!input.autonomyPolicy) {
+                throw new Error("Autonomous mail sending requires an enabled native-agent policy");
+            }
+            const decision = (0, autonomy_1.evaluateNativeMailSendPolicy)({
+                policy: input.autonomyPolicy,
+                draft,
+                recentOutbound,
+                now: new Date(sentAt),
+            });
+            if (!decision.allowed) {
+                if (decision.mode === "confirmation-required") {
+                    throw new Error(`Autonomous mail send ${decision.code} requires confirmation=CONFIRM_SEND: ${decision.reason}`);
+                }
+                throw new Error(`${decision.code}: ${decision.reason}`);
+            }
+            return decision;
+        })()
+        : (() => {
+            if (input.confirmation !== "CONFIRM_SEND") {
+                throw new Error("mail_send requires confirmation=CONFIRM_SEND before any outbound mail leaves the agent");
+            }
+            return (0, autonomy_1.buildConfirmedMailSendDecision)({
+                draft,
+                policy: input.autonomyPolicy,
+                now: new Date(sentAt),
+            });
+        })();
+    const pendingSent = {
+        ...draft,
+        status: input.transport.kind === "local-sink" ? "sent" : "submitted",
+        actor: input.actor,
+        reason: input.reason,
+        updatedAt: sentAt,
+        sendMode: input.autonomous ? "autonomous" : "confirmed",
+        policyDecision,
+        sentAt,
+    };
+    if (input.transport.kind === "azure-communication-services") {
+        if (!input.providerClient) {
+            throw new Error("Azure Communication Services outbound send is configured but not enabled on this machine; human-required setup is still needed");
+        }
+        const submission = await input.providerClient.submit({
+            draft: pendingSent,
+            transport: input.transport,
+            submittedAt: sentAt,
+        });
+        const submitted = {
+            ...(0, core_1.buildMailProviderSubmission)({
+                draft: pendingSent,
+                provider: submission.provider,
+                providerMessageId: submission.providerMessageId,
+                submittedAt: submission.submittedAt ?? sentAt,
+                ...(submission.operationLocation ? { operationLocation: submission.operationLocation } : {}),
+                ...(submission.providerRequestId ? { providerRequestId: submission.providerRequestId } : {}),
+            }),
+            transport: input.transport.kind,
+        };
+        await input.store.upsertMailOutbound(submitted);
+        (0, runtime_1.emitNervesEvent)({
+            component: "senses",
+            event: "senses.mail_draft_submitted",
+            message: "mail draft submitted to outbound provider",
+            meta: { agentId: submitted.agentId, id: submitted.id, provider: submitted.provider, providerMessageId: submitted.providerMessageId },
+        });
+        return submitted;
+    }
+    const transportMessageId = transportSend(input.transport, pendingSent, sentAt);
+    const sent = {
+        ...pendingSent,
+        transport: input.transport.kind,
+        transportMessageId,
+    };
+    await input.store.upsertMailOutbound(sent);
+    (0, runtime_1.emitNervesEvent)({
+        component: "senses",
+        event: "senses.mail_draft_sent",
+        message: "mail draft sent",
+        meta: { agentId: sent.agentId, id: sent.id, transport: sent.transport },
+    });
+    return sent;
+}
+function listMailOutboundRecords(store, agentId) {
+    return store.listMailOutbound(agentId);
+}
+async function reconcileOutboundDeliveryEvent(input) {
+    const records = await input.store.listMailOutbound(input.agentId);
+    const outbound = records.find((record) => record.providerMessageId === input.event.providerMessageId);
+    if (!outbound)
+        throw new Error(`No outbound record found for provider message ${input.event.providerMessageId}`);
+    const updated = (0, core_1.reconcileMailDeliveryEvent)({ outbound, event: input.event });
+    await input.store.upsertMailOutbound(updated);
+    (0, runtime_1.emitNervesEvent)({
+        component: "senses",
+        event: "senses.mail_delivery_event_reconciled",
+        message: "mail delivery event reconciled",
+        meta: {
+            agentId: updated.agentId,
+            id: updated.id,
+            provider: input.event.provider,
+            providerEventId: input.event.providerEventId,
+            outcome: input.event.outcome,
+        },
+    });
+    return updated;
+}

package/dist/mailroom/policy.js

@@ -0,0 +1,263 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildSenderPolicy = buildSenderPolicy;
+exports.classifyResolvedMailPlacement = classifyResolvedMailPlacement;
+exports.classifyMailPlacement = classifyMailPlacement;
+exports.listPendingScreenerCandidates = listPendingScreenerCandidates;
+exports.applyMailDecision = applyMailDecision;
+const crypto = __importStar(require("node:crypto"));
+const runtime_1 = require("../nerves/runtime");
+const core_1 = require("./core");
+function stableJson(value) {
+    /* v8 ignore next -- current sender-policy IDs are built from object/scalar fields; array support is defensive. @preserve */
+    if (Array.isArray(value))
+        return `[${value.map(stableJson).join(",")}]`;
+    if (value && typeof value === "object") {
+        const record = value;
+        return `{${Object.keys(record).sort().map((key) => `${JSON.stringify(key)}:${stableJson(record[key])}`).join(",")}}`;
+    }
+    return JSON.stringify(value);
+}
+function policyId(input) {
+    return `policy_${crypto.createHash("sha256").update(stableJson({
+        agentId: input.agentId.toLowerCase(),
+        scope: input.scope,
+        match: normalizeMatch(input.match),
+        action: input.action,
+        reason: input.reason,
+    })).digest("hex").slice(0, 16)}`;
+}
+function normalizeSender(sender) {
+    try {
+        return (0, core_1.normalizeMailAddress)(sender);
+    }
+    catch {
+        return null;
+    }
+}
+function senderDomain(sender) {
+    if (!sender)
+        return null;
+    /* v8 ignore next -- normalizeMailAddress guarantees a domain for non-null senders. @preserve */
+    return sender.split("@")[1]?.toLowerCase() ?? null;
+}
+function normalizeMatch(match) {
+    if (match.kind === "email")
+        return { kind: "email", value: (0, core_1.normalizeMailAddress)(match.value) };
+    return { kind: match.kind, value: match.value.trim().toLowerCase() };
+}
+function authenticationFailed(authentication) {
+    if (!authentication)
+        return false;
+    return authentication.dmarc === "fail" || (authentication.spf === "fail" &&
+        authentication.dkim === "fail");
+}
+function scopeMatches(policy, resolved) {
+    if (policy.scope === "all")
+        return true;
+    if (policy.scope === resolved.compartmentKind)
+        return true;
+    if (policy.scope.startsWith("source:"))
+        return resolved.source?.toLowerCase() === policy.scope.slice("source:".length);
+    return false;
+}
+function policyMatches(policy, resolved, sender) {
+    if (policy.agentId !== resolved.agentId || !scopeMatches(policy, resolved))
+        return false;
+    const match = normalizeMatch(policy.match);
+    if (match.kind === "email")
+        return sender === match.value;
+    if (match.kind === "domain")
+        return senderDomain(sender) === match.value;
+    if (match.kind === "source")
+        return resolved.source?.toLowerCase() === match.value;
+    return false;
+}
+function classificationForPolicy(policy) {
+    const placement = policy.action === "allow"
+        ? "imbox"
+        : policy.action === "discard"
+            ? "discarded"
+            : "quarantine";
+    return {
+        placement,
+        candidate: false,
+        trustReason: `sender policy ${policy.action} ${policy.match.kind} ${normalizeMatch(policy.match).value}`,
+    };
+}
+function buildSenderPolicy(input) {
+    const policy = {
+        schemaVersion: 1,
+        policyId: policyId(input),
+        agentId: input.agentId.toLowerCase(),
+        scope: input.scope,
+        match: normalizeMatch(input.match),
+        action: input.action,
+        actor: input.actor,
+        reason: input.reason,
+        createdAt: (input.now ?? new Date()).toISOString(),
+    };
+    (0, runtime_1.emitNervesEvent)({
+        component: "senses",
+        event: "senses.mail_sender_policy_built",
+        message: "mail sender policy built",
+        meta: { agentId: policy.agentId, action: policy.action, scope: policy.scope, matchKind: policy.match.kind },
+    });
+    return policy;
+}
+function classifyResolvedMailPlacement(input) {
+    if (authenticationFailed(input.authentication)) {
+        const classification = {
+            placement: "quarantine",
+            candidate: false,
+            trustReason: "mail authentication failed",
+            authentication: input.authentication,
+        };
+        (0, runtime_1.emitNervesEvent)({
+            component: "senses",
+            event: "senses.mail_classified",
+            message: "mail classified by authentication failure",
+            meta: { agentId: input.resolved.agentId, placement: classification.placement },
+        });
+        return classification;
+    }
+    const sender = normalizeSender(input.sender);
+    const policy = input.registry.senderPolicies?.find((entry) => policyMatches(entry, input.resolved, sender));
+    if (policy) {
+        const classification = classificationForPolicy(policy);
+        (0, runtime_1.emitNervesEvent)({
+            component: "senses",
+            event: "senses.mail_classified",
+            message: "mail classified by sender policy",
+            meta: { agentId: input.resolved.agentId, placement: classification.placement, policyId: policy.policyId },
+        });
+        return classification;
+    }
+    const placement = input.resolved.defaultPlacement;
+    const classification = {
+        placement,
+        candidate: placement === "screener",
+        trustReason: input.resolved.compartmentKind === "delegated"
+            ? `delegated source grant ${input.resolved.source ?? input.resolved.compartmentId}`
+            : placement === "imbox"
+                ? "screened-in native agent mailbox"
+                : "native agent mailbox default screener",
+        ...(input.authentication ? { authentication: input.authentication } : {}),
+    };
+    (0, runtime_1.emitNervesEvent)({
+        component: "senses",
+        event: "senses.mail_classified",
+        message: "mail classified by default placement",
+        meta: { agentId: input.resolved.agentId, placement: classification.placement, candidate: classification.candidate },
+    });
+    return classification;
+}
+function classifyMailPlacement(input) {
+    const resolved = (0, core_1.resolveMailAddress)(input.registry, input.recipient);
+    if (!resolved)
+        throw new Error(`Cannot classify unknown mail recipient ${input.recipient}`);
+    return classifyResolvedMailPlacement({
+        registry: input.registry,
+        resolved,
+        sender: input.sender,
+        ...(input.authentication ? { authentication: input.authentication } : {}),
+    });
+}
+function decisionPlacement(action) {
+    if (action === "discard")
+        return "discarded";
+    if (action === "quarantine")
+        return "quarantine";
+    return "imbox";
+}
+function candidateStatus(action) {
+    if (action === "discard")
+        return "discarded";
+    if (action === "quarantine")
+        return "quarantined";
+    if (action === "restore")
+        return "restored";
+    return "allowed";
+}
+async function listPendingScreenerCandidates(store, agentId) {
+    const candidates = await store.listScreenerCandidates({ agentId, status: "pending" });
+    (0, runtime_1.emitNervesEvent)({
+        component: "senses",
+        event: "senses.mail_pending_screener_candidates_listed",
+        message: "pending mail screener candidates listed",
+        meta: { agentId, count: candidates.length },
+    });
+    return candidates;
+}
+async function applyMailDecision(input) {
+    const message = await input.store.getMessage(input.messageId);
+    if (!message || message.agentId !== input.agentId) {
+        throw new Error(`No mail message ${input.messageId} for ${input.agentId}`);
+    }
+    const candidate = (await input.store.listScreenerCandidates({ agentId: input.agentId }))
+        .find((entry) => entry.messageId === input.messageId);
+    const nextPlacement = decisionPlacement(input.action);
+    const decision = await input.store.recordMailDecision({
+        agentId: input.agentId,
+        messageId: input.messageId,
+        ...(candidate ? { candidateId: candidate.id } : {}),
+        action: input.action,
+        actor: input.actor,
+        reason: input.reason,
+        previousPlacement: message.placement,
+        nextPlacement,
+        ...(candidate?.senderEmail ? { senderEmail: candidate.senderEmail } : {}),
+        ...(input.friendId ? { friendId: input.friendId } : {}),
+        ...(input.now ? { createdAt: input.now.toISOString() } : {}),
+    });
+    await input.store.updateMessagePlacement(input.messageId, nextPlacement);
+    if (candidate) {
+        await input.store.updateScreenerCandidate({
+            ...candidate,
+            placement: nextPlacement,
+            status: candidateStatus(input.action),
+            lastSeenAt: decision.createdAt,
+            resolvedByDecisionId: decision.id,
+        });
+    }
+    (0, runtime_1.emitNervesEvent)({
+        component: "senses",
+        event: "senses.mail_decision_applied",
+        message: "mail decision applied",
+        meta: { agentId: input.agentId, messageId: input.messageId, action: input.action, nextPlacement },
+    });
+    return decision;
+}