@realtimex/email-automator 2.2.0 → 2.3.0

package/api/server.ts

@@ -66,8 +66,10 @@ app.use('/api', apiRateLimit);
 // API routes
 app.use('/api', routes);
 
-// Serve static files in production or if dist exists
-const distPath = path.join(__dirname, '..', 'dist');
+// Serve static files - robust resolution for compiled app
+// In npx/dist mode, dist is at ../../../dist relative to this file
+// In dev mode, it is at ../dist
+const distPath = path.join(process.cwd(), 'dist');
 app.use(express.static(distPath));
 
 // Handle client-side routing
@@ -109,12 +111,6 @@ const server = app.listen(config.port, () => {
     if (getServerSupabase()) {
         startScheduler();
     }
-
-    // Automatically open browser unless -n flag is provided
-    if (!config.noUi) {
-        const startCommand = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
-        spawn(startCommand, [url], { detached: true }).unref();
-    }
 });
 
 // Handle server errors

package/api/src/config/index.ts

@@ -2,6 +2,9 @@ import dotenv from 'dotenv';
 import { fileURLToPath } from 'url';
 import { dirname, join } from 'path';
 
+// 1. Try to load from current working directory (e.g. where npx is run)
+dotenv.config({ path: join(process.cwd(), '.env') });
+// 2. Fallback to package root
 dotenv.config();
 
 const __filename = fileURLToPath(import.meta.url);
@@ -32,9 +35,9 @@ export const config = {
     nodeEnv: process.env.NODE_ENV || 'development',
     isProduction: process.env.NODE_ENV === 'production',
 
-    // Paths
-    rootDir: join(__dirname, '..', '..', '..'),
-    scriptsDir: join(__dirname, '..', '..', '..', 'scripts'),
+    // Paths - Robust resolution for both TS source and compiled JS in dist/
+    rootDir: process.cwd(),
+    scriptsDir: join(process.cwd(), 'scripts'),
 
     // Supabase
     supabase: {

package/bin/email-automator-setup.js

@@ -30,9 +30,8 @@ async function setup() {
   console.log('========================');
   console.log('');
 
-  const envPath = join(__dirname, '..', '.env');
-  const envExamplePath = join(__dirname, '..', '.env.example');
-
+  const envPath = join(process.cwd(), '.env');
+  
   // Check if .env already exists
   if (existsSync(envPath)) {
     const overwrite = await question('⚠️  .env file already exists. Overwrite? (y/N): ');

package/bin/email-automator.js

@@ -5,9 +5,10 @@
  * Main command to run the Email Automator API server
  */
 
-import { spawn } from 'child_process';
+import { spawn, execSync } from 'child_process';
 import { fileURLToPath } from 'url';
 import { dirname, join } from 'path';
+import { existsSync } from 'fs';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -24,21 +25,16 @@ if (portIndex !== -1 && args[portIndex + 1]) {
 
 const noUi = args.includes('--no-ui');
 
-console.log('🚀 Starting Email Automator...');
+console.log('🚀 Email Automator starting...');
 console.log(`📡 Port: ${port}`);
 if (noUi) console.log('🖥️  Mode: No-UI');
 console.log('');
 
-// Path to server
-const serverPath = join(__dirname, '..', 'api', 'server.ts');
+// Path to compiled server
+const serverPath = join(__dirname, '..', 'dist', 'api', 'server.js');
 
-// Resolve tsx binary path
-// In npx/installed mode, it will be in ../node_modules/.bin/tsx
-// In dev mode, it will be in ../node_modules/.bin/tsx
-const tsxPath = join(__dirname, '..', 'node_modules', '.bin', 'tsx');
-
-// Start server with resolved tsx
-const server = spawn(tsxPath, [serverPath, ...args], {
+// Start server with standard node
+const server = spawn(process.execPath, [serverPath, ...args], {
   stdio: 'inherit',
   env: { ...process.env, PORT: port },
 });

package/dist/api/server.js

@@ -0,0 +1,109 @@
+import express from 'express';
+import cors from 'cors';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import { config, validateConfig } from './src/config/index.js';
+import { errorHandler } from './src/middleware/errorHandler.js';
+import { apiRateLimit } from './src/middleware/rateLimit.js';
+import routes from './src/routes/index.js';
+import { logger } from './src/utils/logger.js';
+import { getServerSupabase } from './src/services/supabase.js';
+import { startScheduler, stopScheduler } from './src/services/scheduler.js';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+// Validate configuration
+const configValidation = validateConfig();
+if (!configValidation.valid) {
+    logger.warn('Configuration warnings', { errors: configValidation.errors });
+}
+const app = express();
+// Security headers
+app.use((req, res, next) => {
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    res.setHeader('X-Frame-Options', 'DENY');
+    res.setHeader('X-XSS-Protection', '1; mode=block');
+    if (config.isProduction) {
+        res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+    }
+    next();
+});
+// CORS configuration
+app.use(cors({
+    origin: config.isProduction
+        ? config.security.corsOrigins
+        : true, // Allow all in development
+    credentials: true,
+    methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
+    allowedHeaders: ['Content-Type', 'Authorization', 'X-Supabase-Url', 'X-Supabase-Anon-Key'],
+}));
+// Body parsing
+app.use(express.json({ limit: '10mb' }));
+app.use(express.urlencoded({ extended: true, limit: '10mb' }));
+// Request logging
+app.use((req, res, next) => {
+    const start = Date.now();
+    res.on('finish', () => {
+        const duration = Date.now() - start;
+        logger.debug(`${req.method} ${req.path}`, {
+            status: res.statusCode,
+            duration: `${duration}ms`,
+        });
+    });
+    next();
+});
+// Rate limiting (global)
+app.use('/api', apiRateLimit);
+// API routes
+app.use('/api', routes);
+// Serve static files - robust resolution for compiled app
+// In npx/dist mode, dist is at ../../../dist relative to this file
+// In dev mode, it is at ../dist
+const distPath = path.join(process.cwd(), 'dist');
+app.use(express.static(distPath));
+// Handle client-side routing
+app.get(/.*/, (req, res, next) => {
+    if (req.path.startsWith('/api'))
+        return next();
+    res.sendFile(path.join(distPath, 'index.html'), (err) => {
+        if (err) {
+            // If dist doesn't exist, return 404 for non-API routes
+            res.status(404).json({
+                success: false,
+                error: { code: 'NOT_FOUND', message: 'Frontend not built or endpoint not found' }
+            });
+        }
+    });
+});
+// Error handler (must be last)
+app.use(errorHandler);
+// Graceful shutdown
+const shutdown = () => {
+    logger.info('Shutting down gracefully...');
+    stopScheduler();
+    process.exit(0);
+};
+process.on('SIGTERM', shutdown);
+process.on('SIGINT', shutdown);
+// Start server
+const server = app.listen(config.port, () => {
+    const url = `http://localhost:${config.port}`;
+    logger.info(`Server running at ${url}`, {
+        environment: config.nodeEnv,
+        supabase: getServerSupabase() ? 'connected' : 'not configured',
+    });
+    // Start background scheduler
+    if (getServerSupabase()) {
+        startScheduler();
+    }
+});
+// Handle server errors
+server.on('error', (error) => {
+    if (error.code === 'EADDRINUSE') {
+        logger.error(`Port ${config.port} is already in use`);
+    }
+    else {
+        logger.error('Server error', error);
+    }
+    process.exit(1);
+});
+export default app;

package/dist/api/src/config/index.js

@@ -0,0 +1,88 @@
+import dotenv from 'dotenv';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+// 1. Try to load from current working directory (e.g. where npx is run)
+dotenv.config({ path: join(process.cwd(), '.env') });
+// 2. Fallback to package root
+dotenv.config();
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+function parseArgs(args) {
+    const portIndex = args.indexOf('--port');
+    let port = null;
+    if (portIndex !== -1 && args[portIndex + 1]) {
+        const p = parseInt(args[portIndex + 1], 10);
+        if (!isNaN(p) && p > 0 && p < 65536) {
+            port = p;
+        }
+    }
+    const noUi = args.includes('--no-ui');
+    return { port, noUi };
+}
+const cliArgs = parseArgs(process.argv.slice(2));
+export const config = {
+    // Server
+    // Default port 3004 (RealTimeX Desktop uses 3001/3002)
+    port: cliArgs.port || (process.env.PORT ? parseInt(process.env.PORT, 10) : 3004),
+    noUi: cliArgs.noUi,
+    nodeEnv: process.env.NODE_ENV || 'development',
+    isProduction: process.env.NODE_ENV === 'production',
+    // Paths - Robust resolution for both TS source and compiled JS in dist/
+    rootDir: process.cwd(),
+    scriptsDir: join(process.cwd(), 'scripts'),
+    // Supabase
+    supabase: {
+        url: process.env.SUPABASE_URL || process.env.VITE_SUPABASE_URL || '',
+        anonKey: process.env.SUPABASE_ANON_KEY || process.env.VITE_SUPABASE_ANON_KEY || '',
+        serviceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY || '',
+    },
+    // LLM
+    llm: {
+        apiKey: process.env.LLM_API_KEY || '',
+        baseUrl: process.env.LLM_BASE_URL,
+        model: process.env.LLM_MODEL || 'gpt-4o-mini',
+    },
+    // OAuth - Gmail
+    gmail: {
+        clientId: process.env.GMAIL_CLIENT_ID || '',
+        clientSecret: process.env.GMAIL_CLIENT_SECRET || '',
+        redirectUri: process.env.GMAIL_REDIRECT_URI || 'urn:ietf:wg:oauth:2.0:oob',
+    },
+    // OAuth - Microsoft
+    microsoft: {
+        clientId: process.env.MS_GRAPH_CLIENT_ID || '',
+        tenantId: process.env.MS_GRAPH_TENANT_ID || 'common',
+        clientSecret: process.env.MS_GRAPH_CLIENT_SECRET || '',
+    },
+    // Security
+    security: {
+        encryptionKey: process.env.TOKEN_ENCRYPTION_KEY || '',
+        jwtSecret: process.env.JWT_SECRET || 'dev-secret-change-in-production',
+        corsOrigins: process.env.CORS_ORIGINS?.split(',') || ['http://localhost:3003', 'http://localhost:5173'],
+        rateLimitWindowMs: 15 * 60 * 1000, // 15 minutes
+        rateLimitMax: 100,
+        disableAuth: process.env.DISABLE_AUTH === 'true',
+    },
+    // Processing
+    processing: {
+        batchSize: parseInt(process.env.EMAIL_BATCH_SIZE || '20', 10),
+        syncIntervalMs: parseInt(process.env.SYNC_INTERVAL_MS || '60000', 10), // 1 minute
+        maxRetries: 3,
+    },
+};
+export function validateConfig() {
+    const errors = [];
+    if (!config.supabase.url) {
+        errors.push('SUPABASE_URL is required');
+    }
+    if (!config.supabase.anonKey) {
+        errors.push('SUPABASE_ANON_KEY is required');
+    }
+    if (config.isProduction && config.security.jwtSecret === 'dev-secret-change-in-production') {
+        errors.push('JWT_SECRET must be set in production');
+    }
+    if (config.isProduction && !config.security.encryptionKey) {
+        errors.push('TOKEN_ENCRYPTION_KEY must be set in production');
+    }
+    return { valid: errors.length === 0, errors };
+}

package/dist/api/src/middleware/auth.js

@@ -0,0 +1,119 @@
+import { createClient } from '@supabase/supabase-js';
+import { config } from '../config/index.js';
+import { AuthenticationError, AuthorizationError } from './errorHandler.js';
+import { createLogger, Logger } from '../utils/logger.js';
+const logger = createLogger('AuthMiddleware');
+import { getServerSupabase, isValidUrl } from '../services/supabase.js';
+// Check if anon key looks valid (JWT or publishable key format)
+function isValidAnonKey(key) {
+    if (!key)
+        return false;
+    // JWT anon keys start with eyJ, publishable keys start with sb_publishable_
+    return key.startsWith('eyJ') || key.startsWith('sb_publishable_');
+}
+// Helper to get Supabase config from request headers (frontend passes these)
+function getSupabaseConfigFromRequest(req) {
+    const url = req.headers['x-supabase-url'];
+    const anonKey = req.headers['x-supabase-anon-key'];
+    if (url && anonKey && isValidUrl(url) && isValidAnonKey(anonKey)) {
+        return { url, anonKey };
+    }
+    return null;
+}
+export async function authMiddleware(req, _res, next) {
+    try {
+        // Get Supabase config: prefer env vars, fallback to request headers
+        const headerConfig = getSupabaseConfigFromRequest(req);
+        const envUrl = config.supabase.url;
+        const envKey = config.supabase.anonKey;
+        // Basic validation: URL must start with http(s)
+        // This prevents using placeholders like "CHANGE_ME" or empty strings
+        const isEnvUrlValid = envUrl && (envUrl.startsWith('http://') || envUrl.startsWith('https://'));
+        const isEnvKeyValid = !!envKey && envKey.length > 0;
+        const supabaseUrl = isEnvUrlValid ? envUrl : (headerConfig?.url || '');
+        const supabaseAnonKey = isEnvKeyValid ? envKey : (headerConfig?.anonKey || '');
+        // Development bypass: skip auth if DISABLE_AUTH=true in non-production
+        if (config.security.disableAuth && !config.isProduction) {
+            logger.warn('Auth disabled for development - creating mock user');
+            // Create a mock user for development
+            req.user = {
+                id: '00000000-0000-0000-0000-000000000000',
+                email: 'dev@local.test',
+                user_metadata: {},
+                app_metadata: {},
+                aud: 'authenticated',
+                created_at: new Date().toISOString(),
+            };
+            // Use the shared Supabase client, or create one from request headers
+            let supabase = getServerSupabase();
+            if (!supabase && supabaseUrl && supabaseAnonKey) {
+                supabase = createClient(supabaseUrl, supabaseAnonKey, {
+                    auth: { autoRefreshToken: false, persistSession: false },
+                });
+            }
+            if (supabase) {
+                req.supabase = supabase;
+                // Initialize logger persistence for mock user
+                Logger.setPersistence(supabase, req.user.id);
+            }
+            else {
+                throw new AuthenticationError('Supabase not configured. Please set up Supabase in the app or provide SUPABASE_URL/ANON_KEY in .env');
+            }
+            return next();
+        }
+        const authHeader = req.headers.authorization;
+        if (!authHeader?.startsWith('Bearer ')) {
+            throw new AuthenticationError('Missing or invalid authorization header');
+        }
+        const token = authHeader.substring(7);
+        if (!supabaseUrl || !supabaseAnonKey) {
+            throw new AuthenticationError('Supabase not configured. Please set up Supabase in the app or provide SUPABASE_URL/ANON_KEY in .env');
+        }
+        // Create a Supabase client with the user's token
+        const supabase = createClient(supabaseUrl, supabaseAnonKey, {
+            global: {
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                },
+            },
+        });
+        // Verify the token by getting the user
+        const { data: { user }, error } = await supabase.auth.getUser(token);
+        if (error || !user) {
+            logger.debug('Auth failed', { error: error?.message });
+            throw new AuthenticationError('Invalid or expired token');
+        }
+        // Initialize logger persistence for this request
+        Logger.setPersistence(supabase, user.id);
+        // Attach user and supabase client to request
+        req.user = user;
+        req.supabase = supabase;
+        next();
+    }
+    catch (error) {
+        logger.error('Auth middleware error', error);
+        next(error);
+    }
+}
+export function optionalAuth(req, _res, next) {
+    const authHeader = req.headers.authorization;
+    if (!authHeader?.startsWith('Bearer ')) {
+        // No auth provided, continue without user
+        return next();
+    }
+    // If auth is provided, validate it
+    authMiddleware(req, _res, next);
+}
+export function requireRole(roles) {
+    return async (req, _res, next) => {
+        if (!req.user) {
+            return next(new AuthenticationError());
+        }
+        // Check user metadata for role (customize based on your auth setup)
+        const userRole = req.user.user_metadata?.role || 'user';
+        if (!roles.includes(userRole)) {
+            return next(new AuthorizationError(`Requires one of: ${roles.join(', ')}`));
+        }
+        next();
+    };
+}

package/dist/api/src/middleware/errorHandler.js

@@ -0,0 +1,78 @@
+import { createLogger } from '../utils/logger.js';
+import { config } from '../config/index.js';
+const logger = createLogger('ErrorHandler');
+export class AppError extends Error {
+    statusCode;
+    isOperational;
+    code;
+    constructor(message, statusCode = 500, code) {
+        super(message);
+        this.statusCode = statusCode;
+        this.isOperational = true;
+        this.code = code;
+        Error.captureStackTrace(this, this.constructor);
+    }
+}
+export class ValidationError extends AppError {
+    constructor(message) {
+        super(message, 400, 'VALIDATION_ERROR');
+    }
+}
+export class AuthenticationError extends AppError {
+    constructor(message = 'Authentication required') {
+        super(message, 401, 'AUTHENTICATION_ERROR');
+    }
+}
+export class AuthorizationError extends AppError {
+    constructor(message = 'Insufficient permissions') {
+        super(message, 403, 'AUTHORIZATION_ERROR');
+    }
+}
+export class NotFoundError extends AppError {
+    constructor(resource = 'Resource') {
+        super(`${resource} not found`, 404, 'NOT_FOUND');
+    }
+}
+export class RateLimitError extends AppError {
+    constructor() {
+        super('Too many requests, please try again later', 429, 'RATE_LIMIT_EXCEEDED');
+    }
+}
+export function errorHandler(err, req, res, _next) {
+    // Default to 500 if not an AppError
+    const statusCode = err instanceof AppError ? err.statusCode : 500;
+    const isOperational = err instanceof AppError ? err.isOperational : false;
+    const code = err instanceof AppError ? err.code : 'INTERNAL_ERROR';
+    // Log error
+    if (statusCode >= 500) {
+        logger.error('Server error', err, {
+            method: req.method,
+            path: req.path,
+            statusCode,
+        });
+    }
+    else {
+        logger.warn('Client error', {
+            method: req.method,
+            path: req.path,
+            statusCode,
+            message: err.message,
+        });
+    }
+    // Send response
+    res.status(statusCode).json({
+        success: false,
+        error: {
+            code,
+            message: isOperational || !config.isProduction
+                ? err.message
+                : 'An unexpected error occurred',
+            ...(config.isProduction ? {} : { stack: err.stack }),
+        },
+    });
+}
+export function asyncHandler(fn) {
+    return (req, res, next) => {
+        Promise.resolve(fn(req, res, next)).catch(next);
+    };
+}

package/dist/api/src/middleware/index.js

@@ -0,0 +1,4 @@
+export { errorHandler, asyncHandler, AppError, ValidationError, AuthenticationError, AuthorizationError, NotFoundError, RateLimitError } from './errorHandler.js';
+export { authMiddleware, optionalAuth, requireRole } from './auth.js';
+export { rateLimit, authRateLimit, apiRateLimit, syncRateLimit } from './rateLimit.js';
+export { validateBody, validateQuery, validateParams, schemas } from './validation.js';

package/dist/api/src/middleware/rateLimit.js

@@ -0,0 +1,57 @@
+import { RateLimitError } from './errorHandler.js';
+import { config } from '../config/index.js';
+// In-memory store (use Redis in production for multi-instance deployments)
+const rateLimitStore = new Map();
+// Cleanup old entries periodically
+setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of rateLimitStore.entries()) {
+        if (entry.resetAt < now) {
+            rateLimitStore.delete(key);
+        }
+    }
+}, 60000); // Cleanup every minute
+export function rateLimit(options = {}) {
+    const { windowMs = config.security.rateLimitWindowMs, max = config.security.rateLimitMax, keyGenerator = (req) => req.ip || req.headers['x-forwarded-for']?.toString() || 'unknown', skip = () => false, } = options;
+    return (req, res, next) => {
+        if (skip(req)) {
+            return next();
+        }
+        const key = keyGenerator(req);
+        const now = Date.now();
+        let entry = rateLimitStore.get(key);
+        if (!entry || entry.resetAt < now) {
+            entry = {
+                count: 1,
+                resetAt: now + windowMs,
+            };
+            rateLimitStore.set(key, entry);
+        }
+        else {
+            entry.count++;
+        }
+        // Set rate limit headers
+        res.setHeader('X-RateLimit-Limit', max);
+        res.setHeader('X-RateLimit-Remaining', Math.max(0, max - entry.count));
+        res.setHeader('X-RateLimit-Reset', Math.ceil(entry.resetAt / 1000));
+        if (entry.count > max) {
+            return next(new RateLimitError());
+        }
+        next();
+    };
+}
+// Stricter rate limit for auth endpoints
+export const authRateLimit = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 10, // 10 attempts per 15 minutes
+});
+// Standard API rate limit
+export const apiRateLimit = rateLimit({
+    windowMs: 60 * 1000, // 1 minute
+    max: 60, // 60 requests per minute
+});
+// Sync rate limit (expensive operation)
+export const syncRateLimit = rateLimit({
+    windowMs: 60 * 1000, // 1 minute
+    max: 5, // 5 sync requests per minute
+});

package/dist/api/src/middleware/validation.js

@@ -0,0 +1,111 @@
+import { z, ZodError } from 'zod';
+import { ValidationError } from './errorHandler.js';
+export function validateBody(schema) {
+    return (req, _res, next) => {
+        try {
+            req.body = schema.parse(req.body);
+            next();
+        }
+        catch (error) {
+            if (error instanceof ZodError) {
+                const messages = error.errors.map(e => `${e.path.join('.')}: ${e.message}`).join(', ');
+                next(new ValidationError(messages));
+            }
+            else {
+                next(error);
+            }
+        }
+    };
+}
+export function validateQuery(schema) {
+    return (req, _res, next) => {
+        try {
+            req.query = schema.parse(req.query);
+            next();
+        }
+        catch (error) {
+            if (error instanceof ZodError) {
+                const messages = error.errors.map(e => `${e.path.join('.')}: ${e.message}`).join(', ');
+                next(new ValidationError(messages));
+            }
+            else {
+                next(error);
+            }
+        }
+    };
+}
+export function validateParams(schema) {
+    return (req, _res, next) => {
+        try {
+            req.params = schema.parse(req.params);
+            next();
+        }
+        catch (error) {
+            if (error instanceof ZodError) {
+                const messages = error.errors.map(e => `${e.path.join('.')}: ${e.message}`).join(', ');
+                next(new ValidationError(messages));
+            }
+            else {
+                next(error);
+            }
+        }
+    };
+}
+// Common validation schemas
+export const schemas = {
+    uuid: z.string().uuid(),
+    email: z.string().email(),
+    // Auth schemas
+    gmailCallback: z.object({
+        code: z.string().min(1, 'Authorization code is required'),
+    }),
+    deviceFlow: z.object({
+        device_code: z.string().min(1, 'Device code is required'),
+    }),
+    // Sync schemas
+    syncRequest: z.object({
+        accountId: z.string().uuid('Invalid account ID'),
+    }),
+    // Action schemas
+    executeAction: z.object({
+        emailId: z.string().uuid('Invalid email ID'),
+        action: z.enum(['delete', 'archive', 'draft', 'flag', 'none']),
+        draftContent: z.string().optional(),
+    }),
+    // Migration schemas
+    migrate: z.object({
+        projectRef: z.string().min(1, 'Project reference is required'),
+        dbPassword: z.string().optional(),
+        accessToken: z.string().optional(),
+    }),
+    // Rule schemas
+    createRule: z.object({
+        name: z.string().min(1).max(100),
+        condition: z.record(z.unknown()),
+        action: z.enum(['delete', 'archive', 'draft', 'star', 'read']),
+        instructions: z.string().optional(),
+        is_enabled: z.boolean().default(true),
+    }),
+    updateRule: z.object({
+        name: z.string().min(1).max(100).optional(),
+        condition: z.record(z.unknown()).optional(),
+        action: z.enum(['delete', 'archive', 'draft', 'star', 'read']).optional(),
+        instructions: z.string().optional(),
+        is_enabled: z.boolean().optional(),
+    }),
+    // Settings schemas
+    updateSettings: z.object({
+        llm_model: z.string().optional(),
+        llm_base_url: z.string().url().optional().or(z.literal('')),
+        llm_api_key: z.string().optional(),
+        auto_trash_spam: z.boolean().optional(),
+        smart_drafts: z.boolean().optional(),
+        sync_interval_minutes: z.number().min(1).max(60).optional(),
+        // BYOK Credentials (transient, moved to integrations)
+        google_client_id: z.string().optional(),
+        google_client_secret: z.string().optional(),
+        microsoft_client_id: z.string().optional(),
+        microsoft_client_secret: z.string().optional(),
+        microsoft_tenant_id: z.string().optional(),
+    }),
+};