@technomoron/mail-magic-client 1.0.25 → 1.0.30

package/CHANGES

@@ -1,3 +1,38 @@
+Version 1.0.30 (2026-02-17)
+
+- Refactor template preprocess compilation to use per-invocation configuration
+  (remove module-level mutable config state).
+- Add regression coverage to ensure preprocess options (such as
+  `inline_includes`) do not leak between compile calls.
+
+Version 1.0.29 (2026-02-11)
+
+- Expand client coverage for mail-magic-owned endpoints:
+  - Add `storeFormRecipient()` for `POST /api/v1/form/recipient`.
+  - Add `getSwaggerSpec()` for `GET /api/swagger`.
+  - Add `fetchPublicAsset()` for public asset routes (`/asset/...` and `/api/asset/...`).
+- Extend `storeFormTemplate()` input support for newer form fields:
+  `replyto_email`, `replyto_from_fields`, `allowed_fields`, and `captcha_required`.
+- Add tests for the new client methods and route mappings.
+- Refresh README usage docs for recipient upserts, swagger retrieval, and public asset fetch helpers.
+
+Version 1.0.28 (2026-02-08)
+
+- Refresh README/examples to match current server auth and public form submission semantics (`_mm_form_key`,
+  `_mm_locale`, `_mm_recipients`).
+- Update `sendFormMessage()` to require `_mm_form_key` and default attachment multipart fields to `_mm_fileN`.
+
+Version 1.0.27 (2026-02-07)
+
+- Harden the template compiler to prevent `{% include %}` paths from escaping the
+  configured template root directory.
+
+Version 1.0.26 (2026-02-07)
+
+- Fix `GET` requests to omit request bodies and only set `Content-Type` when
+  sending JSON payloads.
+- `mm-cli version` now reports the package version instead of a hardcoded string.
+
 Version 1.0.25 (2026-02-07)
 
 - `sendFormMessage()` now requires `domain` when sending by `formid`, and also

package/README.md

@@ -1,4 +1,4 @@
-# mail-magic-client
+# @technomoron/mail-magic-client
 
 Client library and CLI for the mail-magic server.
 
@@ -13,7 +13,13 @@ npm install @technomoron/mail-magic-client
 ```ts
 import TemplateClient from '@technomoron/mail-magic-client';
 
-const client = new TemplateClient('http://localhost:3000', 'username:token');
+// Use the server origin (no /api).
+const baseUrl = 'http://127.0.0.1:3776';
+
+// This is the user token from init-data.json / the admin API.
+const token = 'example-token';
+
+const client = new TemplateClient(baseUrl, token);
 
 await client.storeTxTemplate({
 	domain: 'example.test',
@@ -31,6 +37,62 @@ await client.sendTxMessage({
 });
 ```
 
+## Forms
+
+Store/update a form template (authenticated). The response includes `data.form_key`, a stable random identifier (nanoid)
+that is preferred for public form submissions:
+
+```ts
+const res = await client.storeFormTemplate({
+	domain: 'example.test',
+	idname: 'contact',
+	sender: 'Example Forms <forms@example.test>',
+	recipient: 'owner@example.test',
+	subject: 'New contact form submission',
+	secret: 's3cret',
+	template: '<p>Hello {{ _fields_.name }}</p>'
+});
+
+const form_key = res.data.form_key;
+```
+
+Store/update form recipient mappings (authenticated):
+
+```ts
+await client.storeFormRecipient({
+	domain: 'example.test',
+	idname: 'support',
+	email: 'Support <support@example.test>',
+	name: 'Support Team',
+	formid: 'contact',
+	locale: 'en'
+});
+```
+
+Submit a form publicly (no auth required):
+
+```ts
+await fetch(`${baseUrl}/api/v1/form/message`, {
+	method: 'POST',
+	headers: { 'Content-Type': 'application/json' },
+	body: JSON.stringify({
+		_mm_form_key: form_key,
+		name: 'Sam',
+		email: 'sam@example.test',
+		message: 'Hello from the website'
+	})
+});
+```
+
+If you want to use the client helper (`sendFormMessage()`), pass `_mm_form_key` (public form key):
+
+```ts
+await client.sendFormMessage({
+	_mm_form_key: form_key,
+	fields: { name: 'Sam', email: 'sam@example.test', message: 'Hello' }
+});
+```
+
 ## CLI
 
 The package ships `mm-cli`.
@@ -40,14 +102,14 @@ The package ships `mm-cli`.
 Create `.mmcli-env` in your working directory to set defaults:
 
 ```ini
-MMCLI_API=http://localhost:3000
-MMCLI_TOKEN=username:token
-# or, split token:
-MMCLI_USERNAME=username
-MMCLI_PASSWORD=token
+MMCLI_API=http://127.0.0.1:3776
+MMCLI_TOKEN=example-token
 MMCLI_DOMAIN=example.test
 ```
 
+`MMCLI_TOKEN` is treated as the server token string. As a convenience, `MMCLI_USERNAME` + `MMCLI_PASSWORD` can be used
+to build a combined token string (for legacy setups).
+
 ### Template Commands
 
 Compile a template locally:
@@ -100,3 +162,7 @@ mm-cli assets --file ./hero.png --domain example.test --template-type tx --templ
 
 - `push-dir` expects a `init-data.json` and domain folders that match the server config layout.
 - Asset uploads use the server endpoint `POST /api/v1/assets`.
+- OpenAPI spec (when enabled): `await client.getSwaggerSpec()`
+- Public asset fetch helpers:
+    - `await client.fetchPublicAsset('example.test', 'images/logo.png')` -> `/asset/{domain}/{path}`
+    - `await client.fetchPublicAsset('example.test', 'images/logo.png', true)` -> `/api/asset/{domain}/{path}`

package/dist/cjs/mail-magic-client.d.ts

@@ -21,6 +21,19 @@ interface formTemplateData {
     subject?: string;
     locale?: string;
     secret?: string;
+    replyto_email?: string;
+    replyto_from_fields?: boolean;
+    allowed_fields?: string[] | string;
+    captcha_required?: boolean;
+}
+interface formRecipientData {
+    domain: string;
+    idname: string;
+    email: string;
+    name?: string;
+    form_key?: string;
+    formid?: string;
+    locale?: string;
 }
 interface sendTemplateData {
     name: string;
@@ -33,14 +46,9 @@ interface sendTemplateData {
     attachments?: AttachmentInput[];
 }
 interface sendFormData {
-    formid?: string;
-    form_key?: string;
-    secret?: string;
-    recipient?: string;
-    domain?: string;
-    locale?: string;
-    vars?: Record<string, unknown>;
-    replyTo?: string;
+    _mm_form_key: string;
+    _mm_locale?: string;
+    _mm_recipients?: string[] | string;
     fields?: Record<string, unknown>;
     attachments?: AttachmentInput[];
 }
@@ -82,7 +90,10 @@ declare class templateClient {
     storeTxTemplate(td: templateData): Promise<unknown>;
     sendTxMessage(std: sendTemplateData): Promise<unknown>;
     storeFormTemplate(data: formTemplateData): Promise<unknown>;
+    storeFormRecipient(data: formRecipientData): Promise<unknown>;
     sendFormMessage(data: sendFormData): Promise<unknown>;
     uploadAssets(data: uploadAssetsData): Promise<unknown>;
+    getSwaggerSpec(): Promise<unknown>;
+    fetchPublicAsset(domain: string, assetPath: string, viaApiBase?: boolean): Promise<ArrayBuffer>;
 }
 export default templateClient;

package/dist/cjs/mail-magic-client.js

@@ -17,21 +17,24 @@ class templateClient {
     }
     async request(method, command, body) {
         const url = `${this.baseURL}${command}`;
+        const headers = {
+            Accept: 'application/json',
+            Authorization: `Bearer apikey-${this.apiKey}`
+        };
         const options = {
             method,
-            headers: {
-                'Content-Type': 'application/json',
-                Authorization: `Bearer apikey-${this.apiKey}`
-            },
-            body: body ? JSON.stringify(body) : '{}'
+            headers
         };
-        //        console.log(JSON.stringify({ options, url }));
+        // Avoid GET bodies (they're non-standard and can break under some proxies).
+        if (method !== 'GET' && body !== undefined) {
+            headers['Content-Type'] = 'application/json';
+            options.body = JSON.stringify(body);
+        }
         const response = await fetch(url, options);
         const j = await response.json();
         if (response.ok) {
             return j;
         }
-        // console.log(JSON.stringify(j, undefined, 2));
         if (j && j.message) {
             throw new Error(`FETCH FAILED: ${response.status} ${j.message}`);
         }
@@ -70,10 +73,16 @@ class templateClient {
     }
     validateTemplate(template) {
         try {
-            const env = new nunjucks_1.default.Environment(new nunjucks_1.default.FileSystemLoader(['./templates']));
-            env.renderString(template, {});
+            const env = new nunjucks_1.default.Environment(null, { autoescape: true });
+            const compiled = nunjucks_1.default.compile(template, env);
+            compiled.render({});
         }
         catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            // Syntax validation should not require local template loaders.
+            if (/template not found|no loader|unable to find template/i.test(message)) {
+                return;
+            }
             if (error instanceof Error) {
                 throw new Error(`Template validation failed: ${error.message}`);
             }
@@ -139,13 +148,7 @@ class templateClient {
         throw new Error(`FETCH FAILED: ${response.status} ${response.statusText}`);
     }
     async storeTemplate(td) {
-        if (!td.template) {
-            throw new Error('No template data provided');
-        }
-        this.validateTemplate(td.template);
-        if (td.sender) {
-            this.validateSender(td.sender);
-        }
+        // Backward-compatible alias for transactional template storage.
         return this.storeTxTemplate(td);
     }
     async sendTemplate(std) {
@@ -172,7 +175,6 @@ class templateClient {
         if (invalid.length > 0) {
             throw new Error('Invalid email address(es): ' + invalid.join(','));
         }
-        // this.validateTemplate(template);
         const body = {
             name: std.name,
             rcpt: std.rcpt,
@@ -182,7 +184,6 @@ class templateClient {
             replyTo: std.replyTo,
             headers: std.headers
         };
-        // console.log(JSON.stringify(body, undefined, 2));
         if (std.attachments && std.attachments.length > 0) {
             if (std.headers) {
                 throw new Error('Headers are not supported with attachment uploads');
@@ -217,36 +218,46 @@ class templateClient {
         this.validateSender(data.sender);
         return this.post('/api/v1/form/template', data);
     }
-    async sendFormMessage(data) {
-        if (!data.form_key && !data.formid) {
-            throw new Error('Invalid request body; formid or form_key required');
+    async storeFormRecipient(data) {
+        if (!data.domain) {
+            throw new Error('Missing domain');
+        }
+        if (!data.idname) {
+            throw new Error('Missing recipient identifier');
+        }
+        if (!data.email) {
+            throw new Error('Missing recipient email');
         }
-        if (!data.form_key && !data.domain) {
-            throw new Error('Invalid request body; domain required when sending by formid');
+        const parsed = email_addresses_1.default.parseOneAddress(data.email);
+        if (!parsed || !parsed.address) {
+            throw new Error('Invalid recipient email address');
+        }
+        return this.post('/api/v1/form/recipient', data);
+    }
+    async sendFormMessage(data) {
+        if (!data._mm_form_key) {
+            throw new Error('Invalid request body; _mm_form_key required');
         }
         const fields = data.fields || {};
         const baseFields = {
-            formid: data.formid,
-            form_key: data.form_key,
-            secret: data.secret,
-            recipient: data.recipient,
-            domain: data.domain,
-            locale: data.locale,
-            vars: data.vars || {},
-            replyTo: data.replyTo,
+            _mm_form_key: data._mm_form_key,
+            _mm_locale: data._mm_locale,
+            _mm_recipients: data._mm_recipients,
             ...fields
         };
         if (data.attachments && data.attachments.length > 0) {
-            const { formData } = this.createAttachmentPayload(data.attachments);
+            const normalized = data.attachments.map((attachment, idx) => {
+                const field = attachment.field || `_mm_file${idx + 1}`;
+                if (!field.startsWith('_mm_file')) {
+                    throw new Error('Form attachments must use multipart field names starting with _mm_file');
+                }
+                return { ...attachment, field };
+            });
+            const { formData } = this.createAttachmentPayload(normalized);
             this.appendFields(formData, {
-                formid: data.formid,
-                form_key: data.form_key,
-                secret: data.secret,
-                recipient: data.recipient,
-                domain: data.domain,
-                locale: data.locale,
-                vars: JSON.stringify(data.vars || {}),
-                replyTo: data.replyTo
+                _mm_form_key: data._mm_form_key,
+                _mm_locale: data._mm_locale,
+                _mm_recipients: data._mm_recipients
             });
             this.appendFields(formData, fields);
             return this.postFormData('/api/v1/form/message', formData);
@@ -282,5 +293,36 @@ class templateClient {
         });
         return this.postFormData('/api/v1/assets', formData);
     }
+    async getSwaggerSpec() {
+        return this.get('/api/swagger');
+    }
+    async fetchPublicAsset(domain, assetPath, viaApiBase = false) {
+        if (!domain) {
+            throw new Error('domain is required');
+        }
+        if (!assetPath) {
+            throw new Error('assetPath is required');
+        }
+        const cleanedPath = assetPath
+            .split('/')
+            .filter(Boolean)
+            .map((segment) => encodeURIComponent(segment))
+            .join('/');
+        if (!cleanedPath) {
+            throw new Error('assetPath is required');
+        }
+        const prefix = viaApiBase ? '/api/asset' : '/asset';
+        const url = `${this.baseURL}${prefix}/${encodeURIComponent(domain)}/${cleanedPath}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                Accept: '*/*'
+            }
+        });
+        if (!response.ok) {
+            throw new Error(`FETCH FAILED: ${response.status} ${response.statusText}`);
+        }
+        return response.arrayBuffer();
+    }
 }
 exports.default = templateClient;

package/dist/cli-version.js

@@ -0,0 +1,33 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolvePackageVersion = resolvePackageVersion;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+function resolvePackageVersion(options = {}) {
+    const argv1 = options.argv1 ?? process.argv[1] ?? '';
+    const cwd = options.cwd ?? process.cwd();
+    const candidates = [
+        argv1 ? path_1.default.resolve(path_1.default.dirname(argv1), '../package.json') : '',
+        path_1.default.resolve(cwd, 'package.json'),
+        path_1.default.resolve(cwd, 'packages/mail-magic-client/package.json')
+    ].filter(Boolean);
+    for (const candidate of candidates) {
+        if (!fs_1.default.existsSync(candidate)) {
+            continue;
+        }
+        try {
+            const raw = fs_1.default.readFileSync(candidate, 'utf8');
+            const data = JSON.parse(raw);
+            if (data.name === '@technomoron/mail-magic-client') {
+                return typeof data.version === 'string' && data.version ? data.version : 'unknown';
+            }
+        }
+        catch {
+            // Try next candidate.
+        }
+    }
+    return 'unknown';
+}

package/dist/cli.js

@@ -9,6 +9,7 @@ const readline_1 = __importDefault(require("readline"));
 const commander_1 = require("commander");
 const cli_env_1 = require("./cli-env");
 const cli_helpers_1 = require("./cli-helpers");
+const cli_version_1 = require("./cli-version");
 const mail_magic_client_1 = __importDefault(require("./mail-magic-client"));
 const preprocess_1 = require("./preprocess");
 const program = new commander_1.Command();
@@ -144,7 +145,7 @@ program
     .command('version')
     .description('Show current client version')
     .action(async () => {
-    console.log('1.0.19');
+    console.log((0, cli_version_1.resolvePackageVersion)());
 });
 program
     .command('compile')

package/dist/esm/mail-magic-client.js

@@ -12,21 +12,24 @@ class templateClient {
     }
     async request(method, command, body) {
         const url = `${this.baseURL}${command}`;
+        const headers = {
+            Accept: 'application/json',
+            Authorization: `Bearer apikey-${this.apiKey}`
+        };
         const options = {
             method,
-            headers: {
-                'Content-Type': 'application/json',
-                Authorization: `Bearer apikey-${this.apiKey}`
-            },
-            body: body ? JSON.stringify(body) : '{}'
+            headers
         };
-        //        console.log(JSON.stringify({ options, url }));
+        // Avoid GET bodies (they're non-standard and can break under some proxies).
+        if (method !== 'GET' && body !== undefined) {
+            headers['Content-Type'] = 'application/json';
+            options.body = JSON.stringify(body);
+        }
         const response = await fetch(url, options);
         const j = await response.json();
         if (response.ok) {
             return j;
         }
-        // console.log(JSON.stringify(j, undefined, 2));
         if (j && j.message) {
             throw new Error(`FETCH FAILED: ${response.status} ${j.message}`);
         }
@@ -65,10 +68,16 @@ class templateClient {
     }
     validateTemplate(template) {
         try {
-            const env = new nunjucks.Environment(new nunjucks.FileSystemLoader(['./templates']));
-            env.renderString(template, {});
+            const env = new nunjucks.Environment(null, { autoescape: true });
+            const compiled = nunjucks.compile(template, env);
+            compiled.render({});
         }
         catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            // Syntax validation should not require local template loaders.
+            if (/template not found|no loader|unable to find template/i.test(message)) {
+                return;
+            }
             if (error instanceof Error) {
                 throw new Error(`Template validation failed: ${error.message}`);
             }
@@ -134,13 +143,7 @@ class templateClient {
         throw new Error(`FETCH FAILED: ${response.status} ${response.statusText}`);
     }
     async storeTemplate(td) {
-        if (!td.template) {
-            throw new Error('No template data provided');
-        }
-        this.validateTemplate(td.template);
-        if (td.sender) {
-            this.validateSender(td.sender);
-        }
+        // Backward-compatible alias for transactional template storage.
         return this.storeTxTemplate(td);
     }
     async sendTemplate(std) {
@@ -167,7 +170,6 @@ class templateClient {
         if (invalid.length > 0) {
             throw new Error('Invalid email address(es): ' + invalid.join(','));
         }
-        // this.validateTemplate(template);
         const body = {
             name: std.name,
             rcpt: std.rcpt,
@@ -177,7 +179,6 @@ class templateClient {
             replyTo: std.replyTo,
             headers: std.headers
         };
-        // console.log(JSON.stringify(body, undefined, 2));
         if (std.attachments && std.attachments.length > 0) {
             if (std.headers) {
                 throw new Error('Headers are not supported with attachment uploads');
@@ -212,36 +213,46 @@ class templateClient {
         this.validateSender(data.sender);
         return this.post('/api/v1/form/template', data);
     }
-    async sendFormMessage(data) {
-        if (!data.form_key && !data.formid) {
-            throw new Error('Invalid request body; formid or form_key required');
+    async storeFormRecipient(data) {
+        if (!data.domain) {
+            throw new Error('Missing domain');
+        }
+        if (!data.idname) {
+            throw new Error('Missing recipient identifier');
+        }
+        if (!data.email) {
+            throw new Error('Missing recipient email');
         }
-        if (!data.form_key && !data.domain) {
-            throw new Error('Invalid request body; domain required when sending by formid');
+        const parsed = emailAddresses.parseOneAddress(data.email);
+        if (!parsed || !parsed.address) {
+            throw new Error('Invalid recipient email address');
+        }
+        return this.post('/api/v1/form/recipient', data);
+    }
+    async sendFormMessage(data) {
+        if (!data._mm_form_key) {
+            throw new Error('Invalid request body; _mm_form_key required');
         }
         const fields = data.fields || {};
         const baseFields = {
-            formid: data.formid,
-            form_key: data.form_key,
-            secret: data.secret,
-            recipient: data.recipient,
-            domain: data.domain,
-            locale: data.locale,
-            vars: data.vars || {},
-            replyTo: data.replyTo,
+            _mm_form_key: data._mm_form_key,
+            _mm_locale: data._mm_locale,
+            _mm_recipients: data._mm_recipients,
             ...fields
         };
         if (data.attachments && data.attachments.length > 0) {
-            const { formData } = this.createAttachmentPayload(data.attachments);
+            const normalized = data.attachments.map((attachment, idx) => {
+                const field = attachment.field || `_mm_file${idx + 1}`;
+                if (!field.startsWith('_mm_file')) {
+                    throw new Error('Form attachments must use multipart field names starting with _mm_file');
+                }
+                return { ...attachment, field };
+            });
+            const { formData } = this.createAttachmentPayload(normalized);
             this.appendFields(formData, {
-                formid: data.formid,
-                form_key: data.form_key,
-                secret: data.secret,
-                recipient: data.recipient,
-                domain: data.domain,
-                locale: data.locale,
-                vars: JSON.stringify(data.vars || {}),
-                replyTo: data.replyTo
+                _mm_form_key: data._mm_form_key,
+                _mm_locale: data._mm_locale,
+                _mm_recipients: data._mm_recipients
             });
             this.appendFields(formData, fields);
             return this.postFormData('/api/v1/form/message', formData);
@@ -277,5 +288,36 @@ class templateClient {
         });
         return this.postFormData('/api/v1/assets', formData);
     }
+    async getSwaggerSpec() {
+        return this.get('/api/swagger');
+    }
+    async fetchPublicAsset(domain, assetPath, viaApiBase = false) {
+        if (!domain) {
+            throw new Error('domain is required');
+        }
+        if (!assetPath) {
+            throw new Error('assetPath is required');
+        }
+        const cleanedPath = assetPath
+            .split('/')
+            .filter(Boolean)
+            .map((segment) => encodeURIComponent(segment))
+            .join('/');
+        if (!cleanedPath) {
+            throw new Error('assetPath is required');
+        }
+        const prefix = viaApiBase ? '/api/asset' : '/asset';
+        const url = `${this.baseURL}${prefix}/${encodeURIComponent(domain)}/${cleanedPath}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                Accept: '*/*'
+            }
+        });
+        if (!response.ok) {
+            throw new Error(`FETCH FAILED: ${response.status} ${response.statusText}`);
+        }
+        return response.arrayBuffer();
+    }
 }
 export default templateClient;

package/dist/mail-magic-client.js

@@ -17,21 +17,24 @@ class templateClient {
     }
     async request(method, command, body) {
         const url = `${this.baseURL}${command}`;
+        const headers = {
+            Accept: 'application/json',
+            Authorization: `Bearer apikey-${this.apiKey}`
+        };
         const options = {
             method,
-            headers: {
-                'Content-Type': 'application/json',
-                Authorization: `Bearer apikey-${this.apiKey}`
-            },
-            body: body ? JSON.stringify(body) : '{}'
+            headers
         };
-        //        console.log(JSON.stringify({ options, url }));
+        // Avoid GET bodies (they're non-standard and can break under some proxies).
+        if (method !== 'GET' && body !== undefined) {
+            headers['Content-Type'] = 'application/json';
+            options.body = JSON.stringify(body);
+        }
         const response = await fetch(url, options);
         const j = await response.json();
         if (response.ok) {
             return j;
         }
-        // console.log(JSON.stringify(j, undefined, 2));
         if (j && j.message) {
             throw new Error(`FETCH FAILED: ${response.status} ${j.message}`);
         }
@@ -70,10 +73,16 @@ class templateClient {
     }
     validateTemplate(template) {
         try {
-            const env = new nunjucks_1.default.Environment(new nunjucks_1.default.FileSystemLoader(['./templates']));
-            env.renderString(template, {});
+            const env = new nunjucks_1.default.Environment(null, { autoescape: true });
+            const compiled = nunjucks_1.default.compile(template, env);
+            compiled.render({});
         }
         catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            // Syntax validation should not require local template loaders.
+            if (/template not found|no loader|unable to find template/i.test(message)) {
+                return;
+            }
             if (error instanceof Error) {
                 throw new Error(`Template validation failed: ${error.message}`);
             }
@@ -139,13 +148,7 @@ class templateClient {
         throw new Error(`FETCH FAILED: ${response.status} ${response.statusText}`);
     }
     async storeTemplate(td) {
-        if (!td.template) {
-            throw new Error('No template data provided');
-        }
-        this.validateTemplate(td.template);
-        if (td.sender) {
-            this.validateSender(td.sender);
-        }
+        // Backward-compatible alias for transactional template storage.
         return this.storeTxTemplate(td);
     }
     async sendTemplate(std) {
@@ -172,7 +175,6 @@ class templateClient {
         if (invalid.length > 0) {
             throw new Error('Invalid email address(es): ' + invalid.join(','));
         }
-        // this.validateTemplate(template);
         const body = {
             name: std.name,
             rcpt: std.rcpt,
@@ -182,7 +184,6 @@ class templateClient {
             replyTo: std.replyTo,
             headers: std.headers
         };
-        // console.log(JSON.stringify(body, undefined, 2));
         if (std.attachments && std.attachments.length > 0) {
             if (std.headers) {
                 throw new Error('Headers are not supported with attachment uploads');
@@ -217,36 +218,46 @@ class templateClient {
         this.validateSender(data.sender);
         return this.post('/api/v1/form/template', data);
     }
-    async sendFormMessage(data) {
-        if (!data.form_key && !data.formid) {
-            throw new Error('Invalid request body; formid or form_key required');
+    async storeFormRecipient(data) {
+        if (!data.domain) {
+            throw new Error('Missing domain');
+        }
+        if (!data.idname) {
+            throw new Error('Missing recipient identifier');
+        }
+        if (!data.email) {
+            throw new Error('Missing recipient email');
         }
-        if (!data.form_key && !data.domain) {
-            throw new Error('Invalid request body; domain required when sending by formid');
+        const parsed = email_addresses_1.default.parseOneAddress(data.email);
+        if (!parsed || !parsed.address) {
+            throw new Error('Invalid recipient email address');
+        }
+        return this.post('/api/v1/form/recipient', data);
+    }
+    async sendFormMessage(data) {
+        if (!data._mm_form_key) {
+            throw new Error('Invalid request body; _mm_form_key required');
         }
         const fields = data.fields || {};
         const baseFields = {
-            formid: data.formid,
-            form_key: data.form_key,
-            secret: data.secret,
-            recipient: data.recipient,
-            domain: data.domain,
-            locale: data.locale,
-            vars: data.vars || {},
-            replyTo: data.replyTo,
+            _mm_form_key: data._mm_form_key,
+            _mm_locale: data._mm_locale,
+            _mm_recipients: data._mm_recipients,
             ...fields
         };
         if (data.attachments && data.attachments.length > 0) {
-            const { formData } = this.createAttachmentPayload(data.attachments);
+            const normalized = data.attachments.map((attachment, idx) => {
+                const field = attachment.field || `_mm_file${idx + 1}`;
+                if (!field.startsWith('_mm_file')) {
+                    throw new Error('Form attachments must use multipart field names starting with _mm_file');
+                }
+                return { ...attachment, field };
+            });
+            const { formData } = this.createAttachmentPayload(normalized);
             this.appendFields(formData, {
-                formid: data.formid,
-                form_key: data.form_key,
-                secret: data.secret,
-                recipient: data.recipient,
-                domain: data.domain,
-                locale: data.locale,
-                vars: JSON.stringify(data.vars || {}),
-                replyTo: data.replyTo
+                _mm_form_key: data._mm_form_key,
+                _mm_locale: data._mm_locale,
+                _mm_recipients: data._mm_recipients
             });
             this.appendFields(formData, fields);
             return this.postFormData('/api/v1/form/message', formData);
@@ -282,5 +293,36 @@ class templateClient {
         });
         return this.postFormData('/api/v1/assets', formData);
     }
+    async getSwaggerSpec() {
+        return this.get('/api/swagger');
+    }
+    async fetchPublicAsset(domain, assetPath, viaApiBase = false) {
+        if (!domain) {
+            throw new Error('domain is required');
+        }
+        if (!assetPath) {
+            throw new Error('assetPath is required');
+        }
+        const cleanedPath = assetPath
+            .split('/')
+            .filter(Boolean)
+            .map((segment) => encodeURIComponent(segment))
+            .join('/');
+        if (!cleanedPath) {
+            throw new Error('assetPath is required');
+        }
+        const prefix = viaApiBase ? '/api/asset' : '/asset';
+        const url = `${this.baseURL}${prefix}/${encodeURIComponent(domain)}/${cleanedPath}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                Accept: '*/*'
+            }
+        });
+        if (!response.ok) {
+            throw new Error(`FETCH FAILED: ${response.status} ${response.statusText}`);
+        }
+        return response.arrayBuffer();
+    }
 }
 exports.default = templateClient;

package/dist/preprocess.js

@@ -14,14 +14,16 @@ const node_path_1 = __importDefault(require("node:path"));
 const cheerio_1 = require("cheerio");
 const juice_1 = __importDefault(require("juice"));
 const nunjucks_1 = __importDefault(require("nunjucks"));
-const cfg = {
-    env: null,
-    src_dir: 'templates',
-    dist_dir: 'templates-dist',
-    css_path: node_path_1.default.join(process.cwd(), 'templates', 'foundation-emails.css'),
-    css_content: null,
-    inline_includes: true
-};
+function createCompileCfg(options) {
+    return {
+        env: null,
+        src_dir: options.src_dir ?? 'templates',
+        dist_dir: options.dist_dir ?? 'templates-dist',
+        css_path: options.css_path ?? node_path_1.default.join(process.cwd(), 'templates', 'foundation-emails.css'),
+        css_content: null,
+        inline_includes: options.inline_includes ?? true
+    };
+}
 function resolvePathRoot(dir) {
     return node_path_1.default.isAbsolute(dir) ? dir : node_path_1.default.join(process.cwd(), dir);
 }
@@ -31,7 +33,7 @@ function resolveCssPath(cssPath) {
     }
     return node_path_1.default.isAbsolute(cssPath) ? cssPath : node_path_1.default.join(process.cwd(), cssPath);
 }
-function inlineIncludes(content, baseDir, srcRoot, stack) {
+function inlineIncludes(content, baseDir, srcRoot, normalizedSrcRoot, stack) {
     const includeExp = /\{%\s*include\s+['"]([^'"]+)['"][^%]*%\}/g;
     return content.replace(includeExp, (_match, includePath) => {
         const cleaned = includePath.replace(/^\/+/, '');
@@ -41,19 +43,26 @@ function inlineIncludes(content, baseDir, srcRoot, stack) {
             throw new Error(`Include not found: ${includePath}`);
         }
         const resolved = node_fs_1.default.realpathSync(found);
+        if (!resolved.startsWith(normalizedSrcRoot)) {
+            throw new Error(`Include path escapes template root: ${includePath}`);
+        }
+        if (!node_fs_1.default.statSync(resolved).isFile()) {
+            throw new Error(`Include is not a file: ${includePath}`);
+        }
         if (stack.has(resolved)) {
             throw new Error(`Circular include detected for ${includePath}`);
         }
         stack.add(resolved);
         const raw = node_fs_1.default.readFileSync(resolved, 'utf8');
-        const inlined = inlineIncludes(raw, node_path_1.default.dirname(resolved), srcRoot, stack);
+        const inlined = inlineIncludes(raw, node_path_1.default.dirname(resolved), srcRoot, normalizedSrcRoot, stack);
         stack.delete(resolved);
         return inlined;
     });
 }
 class PreprocessExtension {
-    constructor() {
+    constructor(cfg) {
         this.tags = ['process_layout'];
+        this.cfg = cfg;
     }
     parse(parser, nodes) {
         const token = parser.nextToken();
@@ -62,13 +71,13 @@ class PreprocessExtension {
         return new nodes.CallExtension(this, 'run', args);
     }
     run(_context, tplname) {
-        const template = cfg.env.getTemplate(tplname);
+        const template = this.cfg.env.getTemplate(tplname);
         const src = template.tmplStr;
         const extmatch = src.match(/\{%\s*extends\s+['"]([^'"]+)['"]\s*%\}/);
         if (!extmatch)
             return src;
         const layoutName = extmatch[1];
-        const layoutTemplate = cfg.env.getTemplate(layoutName);
+        const layoutTemplate = this.cfg.env.getTemplate(layoutName);
         const layoutSrc = layoutTemplate.tmplStr;
         const blocks = {};
         const blockexp = /\{%\s*block\s+([a-zA-Z0-9_]+)\s*%\}([\s\S]*?)\{%\s*endblock\s*%\}/g;
@@ -91,16 +100,18 @@ class PreprocessExtension {
         return merged;
     }
 }
-function process_template(tplname, writeOutput = true) {
+function process_template(cfg, tplname, writeOutput = true) {
     console.log(`Processing template: ${tplname}`);
     try {
         const srcRoot = resolvePathRoot(cfg.src_dir);
+        const resolvedSrcRoot = node_fs_1.default.realpathSync(srcRoot);
+        const normalizedSrcRoot = resolvedSrcRoot.endsWith(node_path_1.default.sep) ? resolvedSrcRoot : resolvedSrcRoot + node_path_1.default.sep;
         const templateFile = node_path_1.default.join(srcRoot, `${tplname}.njk`);
         // 1) Resolve template inheritance
         const mergedTemplate = cfg.env.renderString(`{% process_layout "${tplname}.njk" %}`, {});
         // 1.5) Inline partials/includes so the server doesn't need a loader
         const mergedWithPartials = cfg.inline_includes
-            ? inlineIncludes(mergedTemplate, node_path_1.default.dirname(templateFile), srcRoot, new Set())
+            ? inlineIncludes(mergedTemplate, node_path_1.default.dirname(templateFile), srcRoot, normalizedSrcRoot, new Set())
             : mergedTemplate;
         // 2) Protect variables/flow
         const protectedTemplate = cfg.env.filters.protect_variables(mergedWithPartials);
@@ -216,7 +227,7 @@ function get_all_files(dir, filelist = []) {
     });
     return filelist;
 }
-function find_templates() {
+function find_templates(cfg) {
     const srcRoot = resolvePathRoot(cfg.src_dir);
     const all = get_all_files(srcRoot);
     return all
@@ -234,16 +245,16 @@ function find_templates() {
         return name.substring(0, name.length - 4);
     });
 }
-async function process_all_templates() {
+async function process_all_templates(cfg) {
     const distRoot = resolvePathRoot(cfg.dist_dir);
     if (!node_fs_1.default.existsSync(distRoot)) {
         node_fs_1.default.mkdirSync(distRoot, { recursive: true });
     }
-    const templates = find_templates();
+    const templates = find_templates(cfg);
     console.log(`Found ${templates.length} templates to process: ${templates.join(', ')}`);
     for (const template of templates) {
         try {
-            process_template(template);
+            process_template(cfg, template);
         }
         catch (error) {
             console.error(`Failed to process ${template}:`, error);
@@ -251,7 +262,7 @@ async function process_all_templates() {
     }
     console.log('All templates processed!');
 }
-function init_env() {
+function init_env(cfg) {
     const loader = new nunjucks_1.default.FileSystemLoader(resolvePathRoot(cfg.src_dir));
     cfg.env = new nunjucks_1.default.Environment(loader, { autoescape: false });
     if (!cfg.env)
@@ -265,7 +276,7 @@ function init_env() {
         cfg.css_content = null;
     }
     // Extension
-    cfg.env.addExtension('PreprocessExtension', new PreprocessExtension());
+    cfg.env.addExtension('PreprocessExtension', new PreprocessExtension(cfg));
     // Filters
     cfg.env.addFilter('protect_variables', function (content) {
         return content
@@ -281,29 +292,17 @@ function init_env() {
     });
 }
 async function do_the_template_thing(options = {}) {
-    if (options.src_dir)
-        cfg.src_dir = options.src_dir;
-    if (options.dist_dir)
-        cfg.dist_dir = options.dist_dir;
-    if (options.css_path)
-        cfg.css_path = options.css_path;
-    if (options.inline_includes !== undefined)
-        cfg.inline_includes = options.inline_includes;
-    init_env();
+    const cfg = createCompileCfg(options);
+    init_env(cfg);
     if (options.tplname) {
-        process_template(options.tplname);
+        process_template(cfg, options.tplname);
     }
     else {
-        await process_all_templates();
+        await process_all_templates(cfg);
     }
 }
 async function compileTemplate(options) {
-    if (options.src_dir)
-        cfg.src_dir = options.src_dir;
-    if (options.css_path)
-        cfg.css_path = options.css_path;
-    if (options.inline_includes !== undefined)
-        cfg.inline_includes = options.inline_includes;
-    init_env();
-    return process_template(options.tplname, false);
+    const cfg = createCompileCfg(options);
+    init_env(cfg);
+    return process_template(cfg, options.tplname, false);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@technomoron/mail-magic-client",
-	"version": "1.0.25",
+	"version": "1.0.30",
 	"description": "Client library for mail-magic",
 	"main": "dist/cjs/mail-magic-client.js",
 	"types": "dist/cjs/mail-magic-client.d.ts",