@technomoron/mail-magic 1.0.23 → 1.0.32

package/CHANGES

@@ -1,3 +1,43 @@
+Version 1.0.32 (2026-02-08)
+
+- Add regression coverage for legacy plaintext API token migration to `token_hmac`.
+
+Version 1.0.31 (2026-02-08)
+
+- Add regression coverage for form lookup ambiguity handling and secret-gated recipient overrides.
+
+Version 1.0.30 (2026-02-08)
+
+- Add regression coverage for Nunjucks HTML autoescape behavior and the `|safe` filter.
+
+Version 1.0.29 (2026-02-08)
+
+- Add regression coverage for CAPTCHA verification flows on the public form endpoint.
+
+Version 1.0.28 (2026-02-08)
+
+- Add regression coverage for public form anti-abuse controls (rate limiting, attachment limits, and upload cleanup).
+
+Version 1.0.27 (2026-02-08)
+
+- Refresh README/TUTORIAL with current API routes, config layout, and security-related configuration (API token pepper,
+  form_key, recipient allowlist, and form anti-abuse options).
+- Update `config-example/` to match the current init-data schema and domain-rooted config directory layout.
+
+Version 1.0.26 (2026-02-07)
+
+- Fix env/docs polish and remove unused code flagged by ESLint.
+
+Version 1.0.25 (2026-02-07)
+
+- Default `DB_AUTO_RELOAD` to false to avoid unexpected config reloads in production.
+- Added `DB_SYNC_ALTER` to control Sequelize `sync({ alter: ... })` on startup.
+
+Version 1.0.24 (2026-02-07)
+
+- Validate imported domain names against a safe pattern to prevent config path
+  traversal via malformed domain identifiers.
+
 Version 1.0.23 (2026-02-07)
 
 - Added a form recipient allowlist table plus `POST /api/v1/form/recipient` to map a

package/README.md

@@ -1,97 +1,221 @@
 # @technomoron/mail-magic
 
-Mail Magic is a TypeScript service for managing, templating, and delivering transactional emails. It exposes a small
-REST API built on `@technomoron/api-server-base`, persists data with Sequelize/SQLite, and renders outbound messages
-with Nunjucks templates.
+Mail Magic is a TypeScript service for managing, templating, and delivering transactional emails and public form
+submissions. It exposes a small REST API built on `@technomoron/api-server-base`, persists data with Sequelize/SQLite
+(by default), and renders outbound messages with Nunjucks templates.
 
 ## Features
 
-- Upload, store, and send templated email content through a JSON API
-- Preprocess template assets with `@technomoron/unyuck` before persisting
+- Store and send transactional templates through a JSON API
+- Store and deliver form submission templates through a public endpoint
+- Optional recipient allowlist so public forms can target a named recipient without exposing email addresses
+- Optional anti-abuse controls for public forms (rate limiting, attachment limits, CAPTCHA)
+- Preprocess templates (includes + `asset(...)` rewrites) with `@technomoron/unyuck`
 - Nodemailer transport configuration driven by environment variables
-- SQLite-backed data models for domains, users, forms, and templates
-- Type-safe configuration loader powered by `@technomoron/env-loader`
-- Bundled admin UI (placeholder) served at the root path `/`
-
-## Getting Started
-
-1. Clone the repository: `git clone git@github.com:technomoron/mail-magic.git`
-2. Install dependencies: `npm install`
-3. Create your environment file: copy `.env-dist` to `.env` and adjust values
-4. Populate the config directory (defaults to `./data/`; see `config-example/` for a reference layout). You can point
-   `CONFIG_PATH` at `./config` to use the bundled sample data.
-5. Build the project: `npm run build`
-6. Start the API server: `npm run start`
-
-During development you can run `npm run dev` for a watch mode that recompiles on change and restarts via `nodemon`.
-
-## Configuration
-
-- **Environment variables** are defined in `src/store/envloader.ts`. Important settings include SMTP credentials, API
-  host/port, the config directory path, database options, and `ADMIN_ENABLED`/`ADMIN_APP_PATH` to control the admin
-  UI/API.
-- **Config directory** (`CONFIG_PATH`) contains JSON seed data (`init-data.json`), optional API key files, and template
-  assets. Each domain now lives directly under the config root (for example `data/example.com/form-template/…`). Use an
-  absolute path or a relative one like `../data` when you want the config outside the repo. Review `config-example/` for
-  the recommended layout, in particular the `form-template/` and `tx-template/` folders used for compiled Nunjucks
-  templates.
-- **Database** defaults to SQLite (`maildata.db`). You can switch dialects by updating the environment options if your
-  deployment requires another database.
-- **Uploads** default to `<CONFIG_PATH>/<domain>/uploads` via `UPLOAD_PATH=./{domain}/uploads`. Set a fixed path if you
-  prefer a shared upload directory.
-
-When `DB_AUTO_RELOAD` is enabled the service watches `init-data.json` and refreshes templates and forms without a
-restart.
-
-### Admin UI
-
-The server mounts the admin UI at `/` only when `ADMIN_ENABLED` is true and the `@technomoron/mail-magic-admin` package
-is installed. You can point `ADMIN_APP_PATH` at a dist folder (or its parent) to override the package-provided build.
-The admin API module is loaded from the admin package as well. This is a placeholder Vue app today, but it is already
-wired so future admin features can live there without changing the server routing.
-
-### Template assets and inline resources
-
-- Keep any non-inline files (images, attachments, etc.) under `<CONFIG_PATH>/<domain>/assets`. Mail Magic rewrites
-  `asset('logo.png')` using `ASSET_ROUTE` (default `/asset`) and a base URL from `ASSET_PUBLIC_BASE` (or `API_URL` if
-  unset). The default output looks like `http://localhost:3776/asset/<domain>/logo.png`.
-- Pass `true` as the second argument when you want to embed a file as an inline CID attachment:
-  `asset('logo.png', true)` stores the file in Nodemailer and rewrites the HTML to reference `cid:logo.png`.
-- Avoid mixing template-type folders for assets; everything that should be linked externally belongs in the shared
-  `<domain>/assets` tree so it can be served for both form and transactional templates.
+- Optional bundled admin UI (placeholder) served at `/` when enabled
 
-## API Overview
+## Install
+
+```bash
+npm install @technomoron/mail-magic
+```
+
+The package ships a `mail-magic` CLI.
+
+## Run
+
+Mail Magic loads:
+
+- **Environment variables** (the `mail-magic` CLI supports `.env`)
+- **Config directory** (`CONFIG_PATH`) containing `init-data.json`, templates, and assets
+
+### 1. Create `.env`
+
+Copy `.env-dist` and fill in the required bits:
+
+```ini
+# Required: used to HMAC API tokens before DB lookup (keep it stable).
+API_TOKEN_PEPPER=change-me-please-use-a-long-random-string
+
+CONFIG_PATH=./data
+
+API_HOST=127.0.0.1
+API_PORT=3776
+API_BASE_PATH=/api
+API_URL=http://127.0.0.1:3776
+
+SMTP_HOST=127.0.0.1
+SMTP_PORT=1025
+SMTP_SECURE=false
+SMTP_TLS_REJECT=false
+```
+
+### 2. Create a config directory
+
+Minimum layout:
 
-| Method | Path                | Description                                   |
-| ------ | ------------------- | --------------------------------------------- |
-| POST   | `/v1/tx/template`   | Store or update a transactional mail template |
-| POST   | `/v1/tx/message`    | Render and send a stored transactional mail   |
-| POST   | `/v1/form/template` | Store or update a form submission template    |
-| POST   | `/v1/form/message`  | Submit a form payload and deliver the email   |
+```text
+data/
+  init-data.json
+  example.test/
+    assets/
+      images/logo.png
+      files/banner.png
+    tx-template/
+      welcome.njk
+      partials/
+        header.njk
+    form-template/
+      contact.njk
+      partials/
+        fields.njk
+```
+
+Important: assets referenced via `asset('...')` must live under `<CONFIG_PATH>/<domain>/assets` (not under
+`tx-template/` or `form-template/`).
+
+### 3. Start the server
+
+```bash
+mail-magic --env ./.env
+```
+
+In this repository, development is optimized for `pnpm`:
+
+```bash
+pnpm install
+pnpm -w --filter @technomoron/mail-magic dev
+```
+
+## Authentication (API Tokens)
+
+Authenticated endpoints require:
+
+```text
+Authorization: Bearer apikey-<user_token>
+```
+
+Tokens are stored as `HMAC-SHA256(token, API_TOKEN_PEPPER)` in the database. You can seed a plaintext `token` in
+`init-data.json`; it will be HMACed on import and the plaintext cleared.
+
+## API Overview
 
 All routes are mounted under `API_BASE_PATH` (default `/api`), so the full path is typically `/api/v1/...`.
 
-All authenticated routes expect an API token associated with a configured user. Attachments can be uploaded alongside
-the `/v1/tx/message` request and are forwarded by Nodemailer.
+| Auth | Method | Path                 | Description                                             |
+| ---- | ------ | -------------------- | ------------------------------------------------------- |
+| No   | GET    | `/v1/ping`           | Health check                                            |
+| Yes  | POST   | `/v1/tx/template`    | Store/update a transactional template                   |
+| Yes  | POST   | `/v1/tx/message`     | Render + deliver a stored transactional message         |
+| Yes  | POST   | `/v1/form/template`  | Store/update a form template (returns `form_key`)       |
+| Yes  | POST   | `/v1/form/recipient` | Upsert a recipient mapping (domain-wide or form-scoped) |
+| No   | POST   | `/v1/form/message`   | Public form submission endpoint                         |
+| Yes  | POST   | `/v1/assets`         | Upload domain or template-scoped assets                 |
+
+Public assets are served from `ASSET_ROUTE` (default `/asset`). When `API_BASE_PATH` is in use, assets are also
+reachable under `/api/asset/...` to match older `API_URL` defaults.
+
+## Public Forms (`form_key`) and Recipient Allowlist
+
+### Prefer `form_key` for public submissions
+
+`POST /api/v1/form/template` returns a stable random ID (`data.form_key`, generated via nanoid). Public form submissions
+should use `form_key` instead of `domain + formid`, because `domain + formid` can be ambiguous across locales or
+multi-tenant setups.
+
+### Public recipient selection without exposing email addresses
+
+For cases like "contact a journalist", you can configure named recipients (allowlist) and let the public client select
+by `recipient_idname`:
+
+1. Upsert recipient mapping (authenticated): `POST /api/v1/form/recipient` `{ domain, form_key?, idname, email, name? }`
+2. Submit the public form (no auth): `POST /api/v1/form/message` `{ form_key, recipient_idname, ...fields }`
+
+Mappings are scoped by `(domain_id, form_key, idname)`:
+
+- Use `form_key` to create a per-form allowlist.
+- Omit `form_key` to create a domain-wide default allowlist.
+- Form-scoped mappings override domain-wide mappings for the same `idname`.
+
+### Overriding `recipient` is secret-gated
+
+The `recipient` field on the public endpoint is accepted only when the form has a `secret` configured. This prevents
+turning `/v1/form/message` into an open relay.
+
+## Anti-Abuse Controls (Public Form Endpoint)
+
+All knobs below are optional and default to "off" unless stated otherwise:
+
+- Upload size limit per file: `UPLOAD_MAX` (bytes, enforced by the API server)
+- Attachment count limit: `FORM_MAX_ATTACHMENTS` (`-1` unlimited, `0` disables attachments)
+- Rate limiting: `FORM_RATE_LIMIT_WINDOW_SEC` + `FORM_RATE_LIMIT_MAX` (fixed window, in-memory, per client IP)
+- Upload cleanup: `FORM_KEEP_UPLOADS` (when `false`, uploaded files are deleted after processing, even on failure)
+
+### CAPTCHA (optional)
+
+CAPTCHA verification is enabled when `FORM_CAPTCHA_SECRET` is set. You can require tokens globally with
+`FORM_CAPTCHA_REQUIRED=true`, or per form with `captcha_required=true` on `POST /api/v1/form/template`.
+
+Supported providers (`FORM_CAPTCHA_PROVIDER`):
+
+- `turnstile` (Cloudflare)
+- `hcaptcha`
+- `recaptcha` (Google)
+
+Token field names accepted by the server:
+
+- `cf-turnstile-response`
+- `h-captcha-response`
+- `g-recaptcha-response`
+- `captcha` (generic)
+
+## Template Rendering Notes
+
+### Autoescape (`AUTOESCAPE_HTML`)
+
+Nunjucks HTML autoescape is enabled by default. You can toggle it via `AUTOESCAPE_HTML` (default: `true`).
+
+Nunjucks also supports the `|safe` filter. Use it only for trusted content.
+
+### Context Variables
+
+Transactional templates receive:
+
+- `_rcpt_email_`: current recipient
+- `_vars_`: the `vars` object
+- `_attachments_`: multipart field-name to filename map for uploaded attachments
+- `_meta_`: request metadata (`client_ip`, `ip_chain`, `received_at`)
+
+Form templates receive:
+
+- `_fields_`: all submitted fields (including `vars`, `formid`, etc)
+- `_files_`: uploaded files
+- `_attachments_`, `_vars_`, `_meta_`
+- `_rcpt_email_`, `_rcpt_name_`, `_rcpt_idname_` (when using `recipient_idname`)
+
+### Assets (`asset('...')`)
+
+In HTML templates, write:
 
-## Available Scripts
+- `asset('images/logo.png', true)` to embed as a CID attachment (`cid:images/logo.png`)
+- `asset('files/banner.png')` to rewrite to a public URL under `ASSET_ROUTE`
 
-- `npm run dev` – Start the API server in watch mode
-- `npm run build` – Compile TypeScript to the `dist/` directory
-- `npm run start` – Launch the compiled server from `dist/`
-- `npm run lint` – Lint the project with ESLint
-- `npm run format` – Apply ESLint autofixes followed by Prettier formatting
-- `npm run cleanbuild` – Clean, lint, format, and rebuild the project
+Files must exist under `<CONFIG_PATH>/<domain>/assets`.
 
-## Repository & Support
+## Database Notes
 
-- Repository: https://github.com/technomoron/mail-magic
-- Issues: https://github.com/technomoron/mail-magic/issues
+- `DB_AUTO_RELOAD` watches `init-data.json` and refreshes templates/forms without a restart (development).
+- `DB_FORCE_SYNC` drops and recreates tables on startup (dangerous).
+- `DB_SYNC_ALTER` controls Sequelize `sync({ alter: ... })` on startup.
 
-## License
+## Admin UI / Swagger
 
-This project is released under the MIT License. See the [LICENSE](LICENSE) file for details.
+- `ADMIN_ENABLED=true` enables the optional admin UI and admin API module (if `@technomoron/mail-magic-admin` is
+  installed).
+- `SWAGGER_ENABLED=true` exposes Swagger/OpenAPI (path defaults to `/api/swagger`).
 
-## Copyright
+## Available Scripts (Repository)
 
-Copyright (c) 2025 Bjørn Erik Jacobsen. All rights reserved.
+- `pnpm -w --filter @technomoron/mail-magic dev` - start watch mode via `nodemon`
+- `pnpm -w --filter @technomoron/mail-magic test` - run server tests
+- `pnpm -w --filter @technomoron/mail-magic cleanbuild` - format + build

package/TUTORIAL.MD

@@ -17,8 +17,9 @@ export CONFIG_ROOT=$(realpath ../myorg-config)
 Update your `.env` (or runtime environment) to point at the new workspace:
 
 ```
+API_TOKEN_PEPPER=<generate-a-long-random-string>
 CONFIG_PATH=${CONFIG_ROOT}
-DB_AUTO_RELOAD=1  # optional: hot‑reload init-data and templates
+DB_AUTO_RELOAD=1  # optional: hot-reload init-data and templates
 UPLOAD_PATH=./{domain}/uploads
 ```
 
@@ -30,9 +31,9 @@ From now on the tutorial assumes `${CONFIG_ROOT}` is the root of the custom conf
 
 ```bash
 mkdir -p \
-  "$CONFIG_ROOT"/myorg.com/{form-template,tx-template} \
-  "$CONFIG_ROOT"/myorg.com/form-template/{partials,assets} \
-  "$CONFIG_ROOT"/myorg.com/tx-template/{partials,assets}
+  "$CONFIG_ROOT"/myorg.com/assets \
+  "$CONFIG_ROOT"/myorg.com/form-template/partials \
+  "$CONFIG_ROOT"/myorg.com/tx-template/partials
 ```
 
 The resulting tree should look like this (logo placement shown for clarity — add the file in step 4):
@@ -41,15 +42,14 @@ The resulting tree should look like this (logo placement shown for clarity — a
 myorg-config/
 ├── init-data.json
 └── myorg.com/
+    ├── assets/
+    │   └── logo.png
     ├── form-template/
-    │   ├── assets/
     │   ├── contact.njk
     │   └── partials/
     │       ├── footer.njk
     │       └── header.njk
     └── tx-template/
-        ├── assets/
-        │   └── logo.png
         ├── partials/
         │   ├── footer.njk
         │   └── header.njk
@@ -58,7 +58,7 @@ myorg-config/
 
 > **Tip:** If you want to share partials between templates, keep file names aligned (e.g. identical `header.njk` content under both `form-template/partials/` and `tx-template/partials/`).
 
-> **Assets vs inline:** Any file you want to serve as an external URL must live under `myorg.com/assets/`. The template helper `asset('logo.png')` will become `http://localhost:3776/asset/myorg.com/logo.png` by default. You can change the base via `ASSET_PUBLIC_BASE` (or `API_URL`) and the path via `ASSET_ROUTE`. Use `asset('logo.png', true)` when you need the file embedded as a CID attachment instead.
+> **Assets vs inline:** Any file referenced via `asset('...')` must live under `myorg.com/assets/`. The helper `asset('logo.png')` will become `http://localhost:3776/asset/myorg.com/logo.png` by default. You can change the base via `ASSET_PUBLIC_BASE` (or `API_URL`) and the route via `ASSET_ROUTE`. Use `asset('logo.png', true)` when you need the file embedded as a CID attachment instead.
 
 ---
 
@@ -74,7 +74,9 @@ Create `${CONFIG_ROOT}/init-data.json` so the service can bootstrap the MyOrg us
 			"idname": "myorg",
 			"token": "<generate-a-32-char-hex-token>",
 			"name": "MyOrg",
-			"email": "notifications@myorg.com"
+			"email": "notifications@myorg.com",
+			"domain": 10,
+			"locale": "en"
 		}
 	],
 	"domain": [
@@ -82,7 +84,9 @@ Create `${CONFIG_ROOT}/init-data.json` so the service can bootstrap the MyOrg us
 			"domain_id": 10,
 			"user_id": 10,
 			"name": "myorg.com",
-			"sender": "MyOrg Mailer <noreply@myorg.com>"
+			"sender": "MyOrg Mailer <noreply@myorg.com>",
+			"locale": "en",
+			"is_default": true
 		}
 	],
 	"template": [
@@ -91,30 +95,36 @@ Create `${CONFIG_ROOT}/init-data.json` so the service can bootstrap the MyOrg us
 			"user_id": 10,
 			"domain_id": 10,
 			"name": "welcome",
-			"slug": "welcome",
-			"locale": "",
-			"filename": "welcome.njk",
+			"locale": "en",
+			"filename": "",
 			"sender": "support@myorg.com",
 			"subject": "Welcome to MyOrg",
-			"template": ""
+			"template": "",
+			"slug": ""
 		}
 	],
 	"form": [
 		{
 			"form_id": 100,
+			"form_key": "<generate-a-random-form-key>",
 			"user_id": 10,
 			"domain_id": 10,
+			"locale": "en",
 			"idname": "contact",
-			"filename": "contact.njk",
+			"filename": "",
 			"sender": "MyOrg Support <support@myorg.com>",
 			"recipient": "contact@myorg.com",
-			"subject": "New contact form submission"
+			"subject": "New contact form submission",
+			"secret": "s3cret",
+			"slug": ""
 		}
 	]
 }
 ```
 
 - Generate the API token with `openssl rand -hex 16` (or any 32-character hex string).
+- `API_TOKEN_PEPPER` must be set when starting the server. Tokens are stored as `HMAC-SHA256(token, API_TOKEN_PEPPER)`
+  in the database, so the plaintext `token` is cleared after import.
 - Leave `template` empty; Mail Magic will populate it with the flattened HTML the first time it processes the files.
 - Set `DB_AUTO_RELOAD=1` (see step 1) if you want the service to re-import whenever `init-data.json` changes.
 
@@ -261,11 +271,10 @@ Create `${CONFIG_ROOT}/init-data.json` so the service can bootstrap the MyOrg us
 
 ### 4.5 Provide the logo asset
 
-Copy or design a square PNG logo and add it to both asset folders so the inline references resolve (Mail Magic resolves assets per template type):
+Copy or design a square PNG logo and add it under the domain assets folder so the inline references resolve:
 
 ```bash
-cp path/to/myorg-logo.png "$CONFIG_ROOT"/myorg.com/tx-template/assets/logo.png
-cp path/to/myorg-logo.png "$CONFIG_ROOT"/myorg.com/form-template/assets/logo.png
+cp path/to/myorg-logo.png "$CONFIG_ROOT"/myorg.com/assets/logo.png
 ```
 
 The inline flag (`true`) in `asset('logo.png', true)` tells Mail Magic to attach the image and rewrite the markup to `cid:logo.png` when messages are flattened.
@@ -274,21 +283,97 @@ The inline flag (`true`) in `asset('logo.png', true)` tells Mail Magic to attach
 
 ## 5. Start Mail Magic and verify
 
-1. Restart `mail-magic` (or run `npm run dev`) so it picks up the new `CONFIG_PATH`.
+1. Restart `mail-magic` (or run `pnpm -w --filter @technomoron/mail-magic dev`) so it picks up the new `CONFIG_PATH`.
 2. Confirm the bootstrap worked — the logs should mention importing user `myorg` and domain `myorg.com`.
-3. Trigger a transactional email:
+3. Verify the server is reachable:
     ```bash
-    curl -X POST http://localhost:3000/v1/tx/message \
+    curl http://localhost:3776/api/v1/ping
+    ```
+4. Trigger a transactional email (authenticated):
+    ```bash
+    curl -X POST http://localhost:3776/api/v1/tx/message \
       -H 'Content-Type: application/json' \
-      -H 'X-API-Token: <your 32-char token>' \
+      -H 'Authorization: Bearer apikey-<your token>' \
       -d '{
-        "user": "myorg",
         "domain": "myorg.com",
-        "slug": "welcome",
-        "to": "new.user@myorg.com",
-        "variables": {"first_name": "Kai", "cta_url": "https://myorg.com/confirm"}
+        "name": "welcome",
+        "locale": "en",
+        "rcpt": "new.user@myorg.com",
+        "vars": {
+          "first_name": "Kai",
+          "cta_url": "https://myorg.com/confirm",
+          "support_url": "https://myorg.com/support"
+        }
+      }'
+    ```
+5. Submit the contact form the same way your frontend will post (public endpoint). Using `form_key` is preferred:
+    ```bash
+    curl -X POST http://localhost:3776/api/v1/form/message \
+      -H 'Content-Type: application/json' \
+      -d '{
+        "form_key": "<your form_key>",
+        "secret": "s3cret",
+        "name": "Kai",
+        "email": "kai@myorg.com",
+        "message": "Hello from the contact form"
       }'
     ```
-4. Trigger the contact form template the same way your frontend will post to `/v1/form/message` (Supply `form_id` or `idname` of `contact`). With `DB_AUTO_RELOAD=1`, editing the templates or assets is as simple as saving the file.
+
+With `DB_AUTO_RELOAD=1`, editing templates or assets is as simple as saving the file.
 
 You now have a clean, self-contained configuration for MyOrg that inherits Mail Magic behaviour while keeping templates, partials, and assets under version control in a dedicated folder.
+
+---
+
+## 6. Optional: Recipient allowlist for public forms (`recipient_idname`)
+
+If you have a public form where the frontend must select a recipient (for example "send a message to a journalist"),
+avoid shipping raw email addresses client-side.
+
+Instead:
+
+1. Configure recipients (authenticated) with `POST /api/v1/form/recipient`.
+2. Submit public forms with `recipient_idname`.
+
+Example (domain-wide mapping):
+
+```bash
+curl -X POST http://localhost:3776/api/v1/form/recipient \
+  -H 'Content-Type: application/json' \
+  -H 'Authorization: Bearer apikey-<your token>' \
+  -d '{
+    "domain": "myorg.com",
+    "idname": "desk",
+    "email": "News Desk <desk@myorg.com>"
+  }'
+```
+
+Example (public submit):
+
+```bash
+curl -X POST http://localhost:3776/api/v1/form/message \
+  -H 'Content-Type: application/json' \
+  -d '{
+    "form_key": "<your form_key>",
+    "recipient_idname": "desk",
+    "name": "Kai",
+    "email": "kai@myorg.com",
+    "message": "Hello"
+  }'
+```
+
+Mappings can also be scoped to a specific form by supplying `form_key` on the `/form/recipient` upsert. Form-scoped
+mappings override domain-wide mappings for the same `idname`.
+
+---
+
+## 7. Optional: CAPTCHA and rate limiting for public forms
+
+If the public form endpoint is a spam/volume target, enable one or more of these:
+
+- `FORM_RATE_LIMIT_WINDOW_SEC` + `FORM_RATE_LIMIT_MAX`
+- `FORM_MAX_ATTACHMENTS` and `UPLOAD_MAX`
+- CAPTCHA: set `FORM_CAPTCHA_SECRET` + `FORM_CAPTCHA_PROVIDER`
+
+Per form, you can also set `captcha_required=true` when storing/updating the form template via the API (`POST
+/api/v1/form/template`).

package/dist/index.js

@@ -4,7 +4,6 @@ import { FormAPI } from './api/forms.js';
 import { MailerAPI } from './api/mailer.js';
 import { mailApiServer } from './server.js';
 import { mailStore } from './store/store.js';
-const DOMAIN_PATTERN = /^[a-z0-9][a-z0-9._-]*$/i;
 function normalizeRoute(value, fallback = '') {
     if (!value) {
         return fallback;

package/dist/models/db.js

@@ -72,8 +72,9 @@ export async function init_api_db(db, store) {
         as: 'domain'
     });
     await db.query('PRAGMA foreign_keys = OFF');
-    store.print_debug(`Force alter tables: ${store.env.DB_FORCE_SYNC}`);
-    await db.sync({ alter: true, force: store.env.DB_FORCE_SYNC });
+    const alter = Boolean(store.env.DB_SYNC_ALTER);
+    store.print_debug(`DB sync: alter=${alter} force=${store.env.DB_FORCE_SYNC}`);
+    await db.sync({ alter, force: store.env.DB_FORCE_SYNC });
     await db.query('PRAGMA foreign_keys = ON');
     await importData(store);
     try {

package/dist/models/domain.js

@@ -1,9 +1,10 @@
 import { Model, DataTypes } from 'sequelize';
 import { z } from 'zod';
+const DOMAIN_PATTERN = /^[a-z0-9][a-z0-9._-]*$/i;
 export const api_domain_schema = z.object({
     domain_id: z.number().int().nonnegative(),
     user_id: z.number().int().nonnegative(),
-    name: z.string().min(1),
+    name: z.string().min(1).regex(DOMAIN_PATTERN, 'Invalid domain name'),
     sender: z.string().default(''),
     locale: z.string().default(''),
     is_default: z.boolean().default(false)

package/dist/store/envloader.js

@@ -6,7 +6,7 @@ export const envOptions = defineEnvOptions({
         default: 'development'
     },
     API_PORT: {
-        description: 'Defines the port on which the app listens. Default 3780',
+        description: 'Defines the port on which the app listens. Default 3776',
         default: '3776',
         type: 'number'
     },
@@ -15,15 +15,20 @@ export const envOptions = defineEnvOptions({
         default: '0.0.0.0'
     },
     DB_AUTO_RELOAD: {
-        description: 'Reload init-data.db automatically on change',
+        description: 'Reload init-data.json automatically on change',
         type: 'boolean',
-        default: true
+        default: false
     },
     DB_FORCE_SYNC: {
-        description: 'Whether to force sync on table definitions (ALTER TABLE)',
+        description: 'Drop and recreate database tables on startup (DANGEROUS)',
         type: 'boolean',
         default: false
     },
+    DB_SYNC_ALTER: {
+        description: 'Alter existing tables on startup to match models (requires write access to the DB)',
+        type: 'boolean',
+        default: true
+    },
     API_URL: {
         description: 'Sets the public URL for the API (i.e. https://ml.example.com:3790)',
         default: 'http://localhost:3776'

package/dist/util.js

@@ -10,7 +10,7 @@ import { api_user } from './models/user.js';
  *
  * Examples:
  *   normalizeSlug("Hello World!")    -> "hello-world"
- *   normalizeSlug("  Áccêntš  ")     -> "ccnt"
+ *   normalizeSlug("  Áccêntš  ")     -> "cc-nt"
  *   normalizeSlug("My--Slug__Test")  -> "my-slug__test"
  */
 export function normalizeSlug(input) {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@technomoron/mail-magic",
-	"version": "1.0.23",
+	"version": "1.0.32",
 	"main": "dist/index.js",
 	"type": "module",
 	"bin": {