@technomoron/mail-magic-client 1.0.23 → 1.0.28

package/CHANGES

@@ -1,3 +1,36 @@
+Version 1.0.29 (2026-02-11)
+
+- Expand client coverage for mail-magic-owned endpoints:
+  - Add `storeFormRecipient()` for `POST /api/v1/form/recipient`.
+  - Add `getSwaggerSpec()` for `GET /api/swagger`.
+  - Add `fetchPublicAsset()` for public asset routes (`/asset/...` and `/api/asset/...`).
+- Extend `storeFormTemplate()` input support for newer form fields:
+  `replyto_email`, `replyto_from_fields`, `allowed_fields`, and `captcha_required`.
+- Add tests for the new client methods and route mappings.
+- Refresh README usage docs for recipient upserts, swagger retrieval, and public asset fetch helpers.
+
+Version 1.0.28 (2026-02-08)
+
+- Refresh README/examples to match current server auth and public form submission semantics (`_mm_form_key`,
+  `_mm_locale`, `_mm_recipients`).
+- Update `sendFormMessage()` to require `_mm_form_key` and default attachment multipart fields to `_mm_fileN`.
+
+Version 1.0.27 (2026-02-07)
+
+- Harden the template compiler to prevent `{% include %}` paths from escaping the
+  configured template root directory.
+
+Version 1.0.26 (2026-02-07)
+
+- Fix `GET` requests to omit request bodies and only set `Content-Type` when
+  sending JSON payloads.
+- `mm-cli version` now reports the package version instead of a hardcoded string.
+
+Version 1.0.25 (2026-02-07)
+
+- `sendFormMessage()` now requires `domain` when sending by `formid`, and also
+  supports sending by `form_key`.
+
 Version 1.0.23 (2026-01-31)
 
 - Fixed the per-package release script name and tag format used to trigger

package/README.md

@@ -1,4 +1,4 @@
-# mail-magic-client
+# @technomoron/mail-magic-client
 
 Client library and CLI for the mail-magic server.
 
@@ -13,7 +13,13 @@ npm install @technomoron/mail-magic-client
 ```ts
 import TemplateClient from '@technomoron/mail-magic-client';
 
-const client = new TemplateClient('http://localhost:3000', 'username:token');
+// Use the server origin (no /api).
+const baseUrl = 'http://127.0.0.1:3776';
+
+// This is the user token from init-data.json / the admin API.
+const token = 'example-token';
+
+const client = new TemplateClient(baseUrl, token);
 
 await client.storeTxTemplate({
 	domain: 'example.test',
@@ -31,6 +37,62 @@ await client.sendTxMessage({
 });
 ```
 
+## Forms
+
+Store/update a form template (authenticated). The response includes `data.form_key`, a stable random identifier (nanoid)
+that is preferred for public form submissions:
+
+```ts
+const res = await client.storeFormTemplate({
+	domain: 'example.test',
+	idname: 'contact',
+	sender: 'Example Forms <forms@example.test>',
+	recipient: 'owner@example.test',
+	subject: 'New contact form submission',
+	secret: 's3cret',
+	template: '<p>Hello {{ _fields_.name }}</p>'
+});
+
+const form_key = res.data.form_key;
+```
+
+Store/update form recipient mappings (authenticated):
+
+```ts
+await client.storeFormRecipient({
+	domain: 'example.test',
+	idname: 'support',
+	email: 'Support <support@example.test>',
+	name: 'Support Team',
+	formid: 'contact',
+	locale: 'en'
+});
+```
+
+Submit a form publicly (no auth required):
+
+```ts
+await fetch(`${baseUrl}/api/v1/form/message`, {
+	method: 'POST',
+	headers: { 'Content-Type': 'application/json' },
+	body: JSON.stringify({
+		_mm_form_key: form_key,
+		name: 'Sam',
+		email: 'sam@example.test',
+		message: 'Hello from the website'
+	})
+});
+```
+
+If you want to use the client helper (`sendFormMessage()`), pass `_mm_form_key` (public form key):
+
+```ts
+await client.sendFormMessage({
+	_mm_form_key: form_key,
+	fields: { name: 'Sam', email: 'sam@example.test', message: 'Hello' }
+});
+```
+
 ## CLI
 
 The package ships `mm-cli`.
@@ -40,14 +102,14 @@ The package ships `mm-cli`.
 Create `.mmcli-env` in your working directory to set defaults:
 
 ```ini
-MMCLI_API=http://localhost:3000
-MMCLI_TOKEN=username:token
-# or, split token:
-MMCLI_USERNAME=username
-MMCLI_PASSWORD=token
+MMCLI_API=http://127.0.0.1:3776
+MMCLI_TOKEN=example-token
 MMCLI_DOMAIN=example.test
 ```
 
+`MMCLI_TOKEN` is treated as the server token string. As a convenience, `MMCLI_USERNAME` + `MMCLI_PASSWORD` can be used
+to build a combined token string (for legacy setups).
+
 ### Template Commands
 
 Compile a template locally:
@@ -100,3 +162,7 @@ mm-cli assets --file ./hero.png --domain example.test --template-type tx --templ
 
 - `push-dir` expects a `init-data.json` and domain folders that match the server config layout.
 - Asset uploads use the server endpoint `POST /api/v1/assets`.
+- OpenAPI spec (when enabled): `await client.getSwaggerSpec()`
+- Public asset fetch helpers:
+    - `await client.fetchPublicAsset('example.test', 'images/logo.png')` -> `/asset/{domain}/{path}`
+    - `await client.fetchPublicAsset('example.test', 'images/logo.png', true)` -> `/api/asset/{domain}/{path}`

package/dist/cjs/mail-magic-client.d.ts

@@ -1,3 +1,8 @@
+type JsonPrimitive = string | number | boolean | null;
+type JsonValue = JsonPrimitive | JsonValue[] | {
+    [key: string]: JsonValue;
+};
+type RequestBody = JsonValue | object;
 interface templateData {
     template: string;
     domain: string;
@@ -16,25 +21,34 @@ interface formTemplateData {
     subject?: string;
     locale?: string;
     secret?: string;
+    replyto_email?: string;
+    replyto_from_fields?: boolean;
+    allowed_fields?: string[] | string;
+    captcha_required?: boolean;
+}
+interface formRecipientData {
+    domain: string;
+    idname: string;
+    email: string;
+    name?: string;
+    form_key?: string;
+    formid?: string;
+    locale?: string;
 }
 interface sendTemplateData {
     name: string;
     rcpt: string;
     domain: string;
     locale?: string;
-    vars?: object;
+    vars?: Record<string, unknown>;
     replyTo?: string;
     headers?: Record<string, string>;
     attachments?: AttachmentInput[];
 }
 interface sendFormData {
-    formid: string;
-    secret?: string;
-    recipient?: string;
-    domain?: string;
-    locale?: string;
-    vars?: object;
-    replyTo?: string;
+    _mm_form_key: string;
+    _mm_locale?: string;
+    _mm_recipients?: string[] | string;
     fields?: Record<string, unknown>;
     attachments?: AttachmentInput[];
 }
@@ -57,11 +71,11 @@ declare class templateClient {
     private baseURL;
     private apiKey;
     constructor(baseURL: string, apiKey: string);
-    request<T>(method: 'GET' | 'POST' | 'PUT' | 'DELETE', command: string, body?: any): Promise<T>;
+    request<T>(method: 'GET' | 'POST' | 'PUT' | 'DELETE', command: string, body?: RequestBody): Promise<T>;
     get<T>(command: string): Promise<T>;
-    post<T>(command: string, body: any): Promise<T>;
-    put<T>(command: string, body: any): Promise<T>;
-    delete<T>(command: string, body?: any): Promise<T>;
+    post<T>(command: string, body: RequestBody): Promise<T>;
+    put<T>(command: string, body: RequestBody): Promise<T>;
+    delete<T>(command: string, body?: RequestBody): Promise<T>;
     validateEmails(list: string): {
         valid: string[];
         invalid: string[];
@@ -71,12 +85,15 @@ declare class templateClient {
     private createAttachmentPayload;
     private appendFields;
     private postFormData;
-    storeTemplate(td: templateData): Promise<any>;
-    sendTemplate(std: sendTemplateData): Promise<any>;
-    storeTxTemplate(td: templateData): Promise<any>;
-    sendTxMessage(std: sendTemplateData): Promise<any>;
-    storeFormTemplate(data: formTemplateData): Promise<any>;
-    sendFormMessage(data: sendFormData): Promise<any>;
-    uploadAssets(data: uploadAssetsData): Promise<any>;
+    storeTemplate(td: templateData): Promise<unknown>;
+    sendTemplate(std: sendTemplateData): Promise<unknown>;
+    storeTxTemplate(td: templateData): Promise<unknown>;
+    sendTxMessage(std: sendTemplateData): Promise<unknown>;
+    storeFormTemplate(data: formTemplateData): Promise<unknown>;
+    storeFormRecipient(data: formRecipientData): Promise<unknown>;
+    sendFormMessage(data: sendFormData): Promise<unknown>;
+    uploadAssets(data: uploadAssetsData): Promise<unknown>;
+    getSwaggerSpec(): Promise<unknown>;
+    fetchPublicAsset(domain: string, assetPath: string, viaApiBase?: boolean): Promise<ArrayBuffer>;
 }
 export default templateClient;

package/dist/cjs/mail-magic-client.js

@@ -17,14 +17,19 @@ class templateClient {
     }
     async request(method, command, body) {
         const url = `${this.baseURL}${command}`;
+        const headers = {
+            Accept: 'application/json',
+            Authorization: `Bearer apikey-${this.apiKey}`
+        };
         const options = {
             method,
-            headers: {
-                'Content-Type': 'application/json',
-                Authorization: `Bearer apikey-${this.apiKey}`
-            },
-            body: body ? JSON.stringify(body) : '{}'
+            headers
         };
+        // Avoid GET bodies (they're non-standard and can break under some proxies).
+        if (method !== 'GET' && body !== undefined) {
+            headers['Content-Type'] = 'application/json';
+            options.body = JSON.stringify(body);
+        }
         //        console.log(JSON.stringify({ options, url }));
         const response = await fetch(url, options);
         const j = await response.json();
@@ -71,7 +76,7 @@ class templateClient {
     validateTemplate(template) {
         try {
             const env = new nunjucks_1.default.Environment(new nunjucks_1.default.FileSystemLoader(['./templates']));
-            const t = env.renderString(template, {});
+            env.renderString(template, {});
         }
         catch (error) {
             if (error instanceof Error) {
@@ -168,7 +173,7 @@ class templateClient {
         if (!std.name || !std.rcpt) {
             throw new Error('Invalid request body; name/rcpt required');
         }
-        const { valid, invalid } = this.validateEmails(std.rcpt);
+        const { invalid } = this.validateEmails(std.rcpt);
         if (invalid.length > 0) {
             throw new Error('Invalid email address(es): ' + invalid.join(','));
         }
@@ -217,31 +222,46 @@ class templateClient {
         this.validateSender(data.sender);
         return this.post('/api/v1/form/template', data);
     }
+    async storeFormRecipient(data) {
+        if (!data.domain) {
+            throw new Error('Missing domain');
+        }
+        if (!data.idname) {
+            throw new Error('Missing recipient identifier');
+        }
+        if (!data.email) {
+            throw new Error('Missing recipient email');
+        }
+        const parsed = email_addresses_1.default.parseOneAddress(data.email);
+        if (!parsed || !parsed.address) {
+            throw new Error('Invalid recipient email address');
+        }
+        return this.post('/api/v1/form/recipient', data);
+    }
     async sendFormMessage(data) {
-        if (!data.formid) {
-            throw new Error('Invalid request body; formid required');
+        if (!data._mm_form_key) {
+            throw new Error('Invalid request body; _mm_form_key required');
         }
         const fields = data.fields || {};
         const baseFields = {
-            formid: data.formid,
-            secret: data.secret,
-            recipient: data.recipient,
-            domain: data.domain,
-            locale: data.locale,
-            vars: data.vars || {},
-            replyTo: data.replyTo,
+            _mm_form_key: data._mm_form_key,
+            _mm_locale: data._mm_locale,
+            _mm_recipients: data._mm_recipients,
             ...fields
         };
         if (data.attachments && data.attachments.length > 0) {
-            const { formData } = this.createAttachmentPayload(data.attachments);
+            const normalized = data.attachments.map((attachment, idx) => {
+                const field = attachment.field || `_mm_file${idx + 1}`;
+                if (!field.startsWith('_mm_file')) {
+                    throw new Error('Form attachments must use multipart field names starting with _mm_file');
+                }
+                return { ...attachment, field };
+            });
+            const { formData } = this.createAttachmentPayload(normalized);
             this.appendFields(formData, {
-                formid: data.formid,
-                secret: data.secret,
-                recipient: data.recipient,
-                domain: data.domain,
-                locale: data.locale,
-                vars: JSON.stringify(data.vars || {}),
-                replyTo: data.replyTo
+                _mm_form_key: data._mm_form_key,
+                _mm_locale: data._mm_locale,
+                _mm_recipients: data._mm_recipients
             });
             this.appendFields(formData, fields);
             return this.postFormData('/api/v1/form/message', formData);
@@ -277,5 +297,36 @@ class templateClient {
         });
         return this.postFormData('/api/v1/assets', formData);
     }
+    async getSwaggerSpec() {
+        return this.get('/api/swagger');
+    }
+    async fetchPublicAsset(domain, assetPath, viaApiBase = false) {
+        if (!domain) {
+            throw new Error('domain is required');
+        }
+        if (!assetPath) {
+            throw new Error('assetPath is required');
+        }
+        const cleanedPath = assetPath
+            .split('/')
+            .filter(Boolean)
+            .map((segment) => encodeURIComponent(segment))
+            .join('/');
+        if (!cleanedPath) {
+            throw new Error('assetPath is required');
+        }
+        const prefix = viaApiBase ? '/api/asset' : '/asset';
+        const url = `${this.baseURL}${prefix}/${encodeURIComponent(domain)}/${cleanedPath}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                Accept: '*/*'
+            }
+        });
+        if (!response.ok) {
+            throw new Error(`FETCH FAILED: ${response.status} ${response.statusText}`);
+        }
+        return response.arrayBuffer();
+    }
 }
 exports.default = templateClient;

package/dist/cli.js

@@ -5,6 +5,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
 const readline_1 = __importDefault(require("readline"));
 const commander_1 = require("commander");
 const cli_env_1 = require("./cli-env");
@@ -15,6 +16,16 @@ const program = new commander_1.Command();
 const envDefaults = (0, cli_env_1.loadCliEnv)();
 const defaultToken = (0, cli_env_1.resolveToken)(envDefaults);
 const apiDefault = envDefaults.api || 'http://localhost:3000';
+function resolvePackageVersion() {
+    try {
+        const raw = fs_1.default.readFileSync(path_1.default.join(__dirname, '../package.json'), 'utf8');
+        const data = JSON.parse(raw);
+        return typeof data.version === 'string' && data.version ? data.version : 'unknown';
+    }
+    catch {
+        return 'unknown';
+    }
+}
 program.option('-a, --api <api>', 'Base API endpoint', apiDefault);
 if (defaultToken) {
     program.option('-t, --token <token>', 'Authentication token in the format "username:token"', defaultToken);
@@ -66,6 +77,24 @@ const getTemplateData = async () => {
         return await readStdin();
     }
 };
+const isPlainObject = (value) => typeof value === 'object' && value !== null && !Array.isArray(value);
+const parseVarsOption = (input) => {
+    if (!input) {
+        return {};
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(input);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw new Error(`Invalid JSON for --vars: ${message}`);
+    }
+    if (!isPlainObject(parsed)) {
+        throw new Error('--vars must be a JSON object');
+    }
+    return parsed;
+};
 program
     .command('template')
     .description('Store a template on the server')
@@ -82,7 +111,7 @@ program
             domain: program.opts().domain,
             part: !!program.opts().part
         };
-        const result = await client.storeTemplate(templateData);
+        await client.storeTemplate(templateData);
         console.log('Template updated');
     }
     catch (error) {
@@ -101,8 +130,7 @@ program
     .action(async () => {
     const client = new mail_magic_client_1.default(program.opts().api, program.opts().token);
     try {
-        const template = await getTemplateData();
-        const vars = program.opts().vars ? JSON.parse(program.opts().vars) : '{}';
+        const vars = parseVarsOption(program.opts().vars);
         const templateData = {
             name: program.opts().name,
             rcpt: program.opts().rcpt,
@@ -110,7 +138,7 @@ program
             locale: program.opts().locale,
             vars
         };
-        const result = await client.sendTemplate(templateData);
+        await client.sendTemplate(templateData);
         console.log('Template sent');
     }
     catch (error) {
@@ -126,8 +154,8 @@ program
 program
     .command('version')
     .description('Show current client version')
-    .action(async (cmdOptions) => {
-    console.log('1.0.19');
+    .action(async () => {
+    console.log(resolvePackageVersion());
 });
 program
     .command('compile')

package/dist/esm/mail-magic-client.js

@@ -12,14 +12,19 @@ class templateClient {
     }
     async request(method, command, body) {
         const url = `${this.baseURL}${command}`;
+        const headers = {
+            Accept: 'application/json',
+            Authorization: `Bearer apikey-${this.apiKey}`
+        };
         const options = {
             method,
-            headers: {
-                'Content-Type': 'application/json',
-                Authorization: `Bearer apikey-${this.apiKey}`
-            },
-            body: body ? JSON.stringify(body) : '{}'
+            headers
         };
+        // Avoid GET bodies (they're non-standard and can break under some proxies).
+        if (method !== 'GET' && body !== undefined) {
+            headers['Content-Type'] = 'application/json';
+            options.body = JSON.stringify(body);
+        }
         //        console.log(JSON.stringify({ options, url }));
         const response = await fetch(url, options);
         const j = await response.json();
@@ -66,7 +71,7 @@ class templateClient {
     validateTemplate(template) {
         try {
             const env = new nunjucks.Environment(new nunjucks.FileSystemLoader(['./templates']));
-            const t = env.renderString(template, {});
+            env.renderString(template, {});
         }
         catch (error) {
             if (error instanceof Error) {
@@ -163,7 +168,7 @@ class templateClient {
         if (!std.name || !std.rcpt) {
             throw new Error('Invalid request body; name/rcpt required');
         }
-        const { valid, invalid } = this.validateEmails(std.rcpt);
+        const { invalid } = this.validateEmails(std.rcpt);
         if (invalid.length > 0) {
             throw new Error('Invalid email address(es): ' + invalid.join(','));
         }
@@ -212,31 +217,46 @@ class templateClient {
         this.validateSender(data.sender);
         return this.post('/api/v1/form/template', data);
     }
+    async storeFormRecipient(data) {
+        if (!data.domain) {
+            throw new Error('Missing domain');
+        }
+        if (!data.idname) {
+            throw new Error('Missing recipient identifier');
+        }
+        if (!data.email) {
+            throw new Error('Missing recipient email');
+        }
+        const parsed = emailAddresses.parseOneAddress(data.email);
+        if (!parsed || !parsed.address) {
+            throw new Error('Invalid recipient email address');
+        }
+        return this.post('/api/v1/form/recipient', data);
+    }
     async sendFormMessage(data) {
-        if (!data.formid) {
-            throw new Error('Invalid request body; formid required');
+        if (!data._mm_form_key) {
+            throw new Error('Invalid request body; _mm_form_key required');
         }
         const fields = data.fields || {};
         const baseFields = {
-            formid: data.formid,
-            secret: data.secret,
-            recipient: data.recipient,
-            domain: data.domain,
-            locale: data.locale,
-            vars: data.vars || {},
-            replyTo: data.replyTo,
+            _mm_form_key: data._mm_form_key,
+            _mm_locale: data._mm_locale,
+            _mm_recipients: data._mm_recipients,
             ...fields
         };
         if (data.attachments && data.attachments.length > 0) {
-            const { formData } = this.createAttachmentPayload(data.attachments);
+            const normalized = data.attachments.map((attachment, idx) => {
+                const field = attachment.field || `_mm_file${idx + 1}`;
+                if (!field.startsWith('_mm_file')) {
+                    throw new Error('Form attachments must use multipart field names starting with _mm_file');
+                }
+                return { ...attachment, field };
+            });
+            const { formData } = this.createAttachmentPayload(normalized);
             this.appendFields(formData, {
-                formid: data.formid,
-                secret: data.secret,
-                recipient: data.recipient,
-                domain: data.domain,
-                locale: data.locale,
-                vars: JSON.stringify(data.vars || {}),
-                replyTo: data.replyTo
+                _mm_form_key: data._mm_form_key,
+                _mm_locale: data._mm_locale,
+                _mm_recipients: data._mm_recipients
             });
             this.appendFields(formData, fields);
             return this.postFormData('/api/v1/form/message', formData);
@@ -272,5 +292,36 @@ class templateClient {
         });
         return this.postFormData('/api/v1/assets', formData);
     }
+    async getSwaggerSpec() {
+        return this.get('/api/swagger');
+    }
+    async fetchPublicAsset(domain, assetPath, viaApiBase = false) {
+        if (!domain) {
+            throw new Error('domain is required');
+        }
+        if (!assetPath) {
+            throw new Error('assetPath is required');
+        }
+        const cleanedPath = assetPath
+            .split('/')
+            .filter(Boolean)
+            .map((segment) => encodeURIComponent(segment))
+            .join('/');
+        if (!cleanedPath) {
+            throw new Error('assetPath is required');
+        }
+        const prefix = viaApiBase ? '/api/asset' : '/asset';
+        const url = `${this.baseURL}${prefix}/${encodeURIComponent(domain)}/${cleanedPath}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                Accept: '*/*'
+            }
+        });
+        if (!response.ok) {
+            throw new Error(`FETCH FAILED: ${response.status} ${response.statusText}`);
+        }
+        return response.arrayBuffer();
+    }
 }
 export default templateClient;

package/dist/mail-magic-client.js

@@ -17,14 +17,19 @@ class templateClient {
     }
     async request(method, command, body) {
         const url = `${this.baseURL}${command}`;
+        const headers = {
+            Accept: 'application/json',
+            Authorization: `Bearer apikey-${this.apiKey}`
+        };
         const options = {
             method,
-            headers: {
-                'Content-Type': 'application/json',
-                Authorization: `Bearer apikey-${this.apiKey}`
-            },
-            body: body ? JSON.stringify(body) : '{}'
+            headers
         };
+        // Avoid GET bodies (they're non-standard and can break under some proxies).
+        if (method !== 'GET' && body !== undefined) {
+            headers['Content-Type'] = 'application/json';
+            options.body = JSON.stringify(body);
+        }
         //        console.log(JSON.stringify({ options, url }));
         const response = await fetch(url, options);
         const j = await response.json();
@@ -71,7 +76,7 @@ class templateClient {
     validateTemplate(template) {
         try {
             const env = new nunjucks_1.default.Environment(new nunjucks_1.default.FileSystemLoader(['./templates']));
-            const t = env.renderString(template, {});
+            env.renderString(template, {});
         }
         catch (error) {
             if (error instanceof Error) {
@@ -168,7 +173,7 @@ class templateClient {
         if (!std.name || !std.rcpt) {
             throw new Error('Invalid request body; name/rcpt required');
         }
-        const { valid, invalid } = this.validateEmails(std.rcpt);
+        const { invalid } = this.validateEmails(std.rcpt);
         if (invalid.length > 0) {
             throw new Error('Invalid email address(es): ' + invalid.join(','));
         }
@@ -217,31 +222,46 @@ class templateClient {
         this.validateSender(data.sender);
         return this.post('/api/v1/form/template', data);
     }
+    async storeFormRecipient(data) {
+        if (!data.domain) {
+            throw new Error('Missing domain');
+        }
+        if (!data.idname) {
+            throw new Error('Missing recipient identifier');
+        }
+        if (!data.email) {
+            throw new Error('Missing recipient email');
+        }
+        const parsed = email_addresses_1.default.parseOneAddress(data.email);
+        if (!parsed || !parsed.address) {
+            throw new Error('Invalid recipient email address');
+        }
+        return this.post('/api/v1/form/recipient', data);
+    }
     async sendFormMessage(data) {
-        if (!data.formid) {
-            throw new Error('Invalid request body; formid required');
+        if (!data._mm_form_key) {
+            throw new Error('Invalid request body; _mm_form_key required');
         }
         const fields = data.fields || {};
         const baseFields = {
-            formid: data.formid,
-            secret: data.secret,
-            recipient: data.recipient,
-            domain: data.domain,
-            locale: data.locale,
-            vars: data.vars || {},
-            replyTo: data.replyTo,
+            _mm_form_key: data._mm_form_key,
+            _mm_locale: data._mm_locale,
+            _mm_recipients: data._mm_recipients,
             ...fields
         };
         if (data.attachments && data.attachments.length > 0) {
-            const { formData } = this.createAttachmentPayload(data.attachments);
+            const normalized = data.attachments.map((attachment, idx) => {
+                const field = attachment.field || `_mm_file${idx + 1}`;
+                if (!field.startsWith('_mm_file')) {
+                    throw new Error('Form attachments must use multipart field names starting with _mm_file');
+                }
+                return { ...attachment, field };
+            });
+            const { formData } = this.createAttachmentPayload(normalized);
             this.appendFields(formData, {
-                formid: data.formid,
-                secret: data.secret,
-                recipient: data.recipient,
-                domain: data.domain,
-                locale: data.locale,
-                vars: JSON.stringify(data.vars || {}),
-                replyTo: data.replyTo
+                _mm_form_key: data._mm_form_key,
+                _mm_locale: data._mm_locale,
+                _mm_recipients: data._mm_recipients
             });
             this.appendFields(formData, fields);
             return this.postFormData('/api/v1/form/message', formData);
@@ -277,5 +297,36 @@ class templateClient {
         });
         return this.postFormData('/api/v1/assets', formData);
     }
+    async getSwaggerSpec() {
+        return this.get('/api/swagger');
+    }
+    async fetchPublicAsset(domain, assetPath, viaApiBase = false) {
+        if (!domain) {
+            throw new Error('domain is required');
+        }
+        if (!assetPath) {
+            throw new Error('assetPath is required');
+        }
+        const cleanedPath = assetPath
+            .split('/')
+            .filter(Boolean)
+            .map((segment) => encodeURIComponent(segment))
+            .join('/');
+        if (!cleanedPath) {
+            throw new Error('assetPath is required');
+        }
+        const prefix = viaApiBase ? '/api/asset' : '/asset';
+        const url = `${this.baseURL}${prefix}/${encodeURIComponent(domain)}/${cleanedPath}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                Accept: '*/*'
+            }
+        });
+        if (!response.ok) {
+            throw new Error(`FETCH FAILED: ${response.status} ${response.statusText}`);
+        }
+        return response.arrayBuffer();
+    }
 }
 exports.default = templateClient;

package/dist/preprocess.js

@@ -31,7 +31,7 @@ function resolveCssPath(cssPath) {
     }
     return node_path_1.default.isAbsolute(cssPath) ? cssPath : node_path_1.default.join(process.cwd(), cssPath);
 }
-function inlineIncludes(content, baseDir, srcRoot, stack) {
+function inlineIncludes(content, baseDir, srcRoot, normalizedSrcRoot, stack) {
     const includeExp = /\{%\s*include\s+['"]([^'"]+)['"][^%]*%\}/g;
     return content.replace(includeExp, (_match, includePath) => {
         const cleaned = includePath.replace(/^\/+/, '');
@@ -41,12 +41,18 @@ function inlineIncludes(content, baseDir, srcRoot, stack) {
             throw new Error(`Include not found: ${includePath}`);
         }
         const resolved = node_fs_1.default.realpathSync(found);
+        if (!resolved.startsWith(normalizedSrcRoot)) {
+            throw new Error(`Include path escapes template root: ${includePath}`);
+        }
+        if (!node_fs_1.default.statSync(resolved).isFile()) {
+            throw new Error(`Include is not a file: ${includePath}`);
+        }
         if (stack.has(resolved)) {
             throw new Error(`Circular include detected for ${includePath}`);
         }
         stack.add(resolved);
         const raw = node_fs_1.default.readFileSync(resolved, 'utf8');
-        const inlined = inlineIncludes(raw, node_path_1.default.dirname(resolved), srcRoot, stack);
+        const inlined = inlineIncludes(raw, node_path_1.default.dirname(resolved), srcRoot, normalizedSrcRoot, stack);
         stack.delete(resolved);
         return inlined;
     });
@@ -55,7 +61,6 @@ class PreprocessExtension {
     constructor() {
         this.tags = ['process_layout'];
     }
-    // types from nunjucks are not exported for parser/nodes; use any
     parse(parser, nodes) {
         const token = parser.nextToken();
         const args = parser.parseSignature(null, true);
@@ -96,12 +101,14 @@ function process_template(tplname, writeOutput = true) {
     console.log(`Processing template: ${tplname}`);
     try {
         const srcRoot = resolvePathRoot(cfg.src_dir);
+        const resolvedSrcRoot = node_fs_1.default.realpathSync(srcRoot);
+        const normalizedSrcRoot = resolvedSrcRoot.endsWith(node_path_1.default.sep) ? resolvedSrcRoot : resolvedSrcRoot + node_path_1.default.sep;
         const templateFile = node_path_1.default.join(srcRoot, `${tplname}.njk`);
         // 1) Resolve template inheritance
         const mergedTemplate = cfg.env.renderString(`{% process_layout "${tplname}.njk" %}`, {});
         // 1.5) Inline partials/includes so the server doesn't need a loader
         const mergedWithPartials = cfg.inline_includes
-            ? inlineIncludes(mergedTemplate, node_path_1.default.dirname(templateFile), srcRoot, new Set())
+            ? inlineIncludes(mergedTemplate, node_path_1.default.dirname(templateFile), srcRoot, normalizedSrcRoot, new Set())
             : mergedTemplate;
         // 2) Protect variables/flow
         const protectedTemplate = cfg.env.filters.protect_variables(mergedWithPartials);
@@ -114,8 +121,8 @@ function process_template(tplname, writeOutput = true) {
                 // decodeEntities: false
             });
             // <container> -> <table>
-            $('container').each(function () {
-                const $container = $(this);
+            $('container').each((_index, element) => {
+                const $container = $(element);
                 const $table = $('<table/>').attr({
                     align: 'center',
                     class: $container.attr('class') || '',
@@ -130,8 +137,8 @@ function process_template(tplname, writeOutput = true) {
                 $container.replaceWith($table);
             });
             // <row> -> <tr>
-            $('row').each(function () {
-                const $row = $(this);
+            $('row').each((_index, element) => {
+                const $row = $(element);
                 const background = $row.attr('background') || '';
                 const $tr = $('<tr/>').attr({ class: $row.attr('class') || '' });
                 if (background)
@@ -140,8 +147,8 @@ function process_template(tplname, writeOutput = true) {
                 $row.replaceWith($tr);
             });
             // <columns> -> <td>
-            $('columns').each(function () {
-                const $columns = $(this);
+            $('columns').each((_index, element) => {
+                const $columns = $(element);
                 const padding = $columns.attr('padding') || '0';
                 const $td = $('<td/>').attr({
                     class: $columns.attr('class') || '',
@@ -151,8 +158,8 @@ function process_template(tplname, writeOutput = true) {
                 $columns.replaceWith($td);
             });
             // <button> -> <a>
-            $('button').each(function () {
-                const $button = $(this);
+            $('button').each((_index, element) => {
+                const $button = $(element);
                 const href = $button.attr('href') || '#';
                 const buttonClass = $button.attr('class') || '';
                 const $a = $('<a/>').attr({

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@technomoron/mail-magic-client",
-	"version": "1.0.23",
+	"version": "1.0.28",
 	"description": "Client library for mail-magic",
 	"main": "dist/cjs/mail-magic-client.js",
 	"types": "dist/cjs/mail-magic-client.d.ts",
@@ -17,11 +17,11 @@
 		"build": "npm run build:cjs && npm run build:esm && npm run build:cli",
 		"test": "vitest run",
 		"test:watch": "vitest",
-		"lint": "eslint --ext .js,.ts,.vue ./src",
-		"lintfix": "eslint --fix --ext .js,.ts,.vue,.json ./src",
+		"lint": "node ../../node_modules/eslint/bin/eslint.js --config ../../eslint.config.mjs --no-error-on-unmatched-pattern --ext .js,.cjs,.mjs,.ts,.mts,.tsx,.vue,.json ./src",
+		"lintfix": "node ../../node_modules/eslint/bin/eslint.js --config ../../eslint.config.mjs --fix --no-error-on-unmatched-pattern --ext .js,.cjs,.mjs,.ts,.mts,.tsx,.vue,.json ./src",
 		"format": "npm run lintfix && npm run pretty",
-		"pretty": "prettier --write \"**/*.{js,ts,vue,json,css,scss,md}\"",
-		"cleanbuild": "rm -rf ./dist/ && npm run lintfix && npm run format && npm run build"
+		"pretty": "node ../../node_modules/prettier/bin/prettier.cjs --config ../../.prettierrc --write \"**/*.{js,ts,vue,json,css,scss,md}\"",
+		"cleanbuild": "rm -rf ./dist/ && npm run format && npm run build"
 	},
 	"repository": {
 		"type": "git",
@@ -40,30 +40,13 @@
 		"cheerio": "^1.1.2",
 		"commander": "^10.0.1",
 		"email-addresses": "^5.0.0",
-		"foundation-emails": "^2.4.0",
-		"inky": "^0.1.0",
 		"juice": "^11.0.1",
-		"node-fetch": "^3.3.2",
 		"nunjucks": "^3.2.4"
 	},
 	"devDependencies": {
-		"@types/cheerio": "^1.0.0",
 		"@types/node": "^20.19.11",
 		"@types/nunjucks": "^3.2.6",
-		"@typescript-eslint/eslint-plugin": "^8.30.1",
-		"@typescript-eslint/parser": "^8.30.1",
-		"@vue/eslint-config-prettier": "^10.2.0",
-		"@vue/eslint-config-typescript": "^14.5.0",
-		"eslint": "^9.34.0",
-		"eslint-config-prettier": "^10.1.5",
-		"eslint-import-resolver-alias": "^1.1.2",
-		"eslint-plugin-import": "^2.31.0",
-		"eslint-plugin-nuxt": "^4.0.0",
-		"eslint-plugin-prettier": "^5.4.1",
-		"eslint-plugin-vue": "^10.0.0",
-		"prettier": "^3.5.3",
 		"typescript": "^5.9.2",
-		"vitest": "^4.0.16",
-		"vue-eslint-parser": "^10.1.3"
+		"vitest": "^4.0.16"
 	}
 }