@technomoron/mail-magic 1.0.38 → 1.0.41

package/CHANGES

@@ -1,3 +1,51 @@
+CHANGES
+=======
+
+Version 1.0.41 (2026-02-22)
+
+- chore(release): add package-level `release:check` script and wire `release` to shared publish script.
+- chore(scripts): replace `rm -rf` cleanup scripts with `rimraf`.
+- chore(examples): move example data, scripts, and `.env-dist` from standalone `packages/examples/` workspace into `packages/server/examples/`; add `examples` to the npm `files` list so they are shipped with the package.
+- chore(repo): rename admin package directory from `mail-magic-admin` to `admin` (npm package name unchanged).
+- test(logging): suppress noisy SQL/startup stdout in automated tests by default (`DB_LOG=false` in test setup; startup logs debug-only).
+- test(logging): quiet package test output by default (silent Vitest + silent sync step) and remove Node `DEP0170` warning in schema-drift test DB setup.
+- fix(forms): replace global `nunjucks.configure()` call in `postSendForm` with a scoped `nunjucks.Environment` instance, matching the pattern already used in `post_send`.
+- fix(forms): add plain-text email part to form submissions via `html-to-text` (was HTML-only, harming deliverability).
+- fix(forms): derive `recipients` template variable from already-resolved DB records instead of re-parsing the raw input with a second `parseIdnameList` call.
+- fix(forms): remove silent `catch` in `resolveFormKeyForTemplate` so DB errors propagate instead of being silently treated as "no existing form".
+- fix(forms): extract `buildFormSlugAndFilename` into `util/paths.ts` to eliminate duplicated slug/filename generation between the API upload path and the DB upsert path.
+- fix(models): filter `allowed_fields` JSON getter to string elements only; previously returned non-string values (numbers, nulls) typed as `string[]`.
+- fix(smtp): make `requireTLS` configurable via `SMTP_REQUIRE_TLS` env var (default `true`, preserving existing behaviour); allows disabling STARTTLS for servers such as MailHog.
+- fix(smtp): change `SMTP_TLS_REJECT` default from `false` to `true` so TLS certificates are validated in production by default.
+- fix(smtp): correct `SMTP_TLS_REJECT` description (previously described the inverse of what the option does).
+- fix(config): change `DB_SYNC_ALTER` default from `true` to `false` to prevent automatic DDL on production startups.
+- fix(config): add `mysql` and `postgres` to the `DB_TYPE` allowed-values list to match what the connection code already supports.
+- fix(ratelimit): skip rate limiting when the client IP cannot be resolved, rather than bucketing all unresolvable IPs under a shared `unknown` key.
+- fix(captcha): throw an explicit error for unknown CAPTCHA providers instead of silently falling back to Turnstile.
+- fix(auth): make `domain` optional in `assert_domain_and_user`; when absent from the request body, fall back to the authenticated user's default domain (`api_user.domain`).
+- fix(build): remove `noImplicitAny: false` override from `tsconfig/tsconfig.esm.json`; the root tsconfig already enables `strict`, which includes `noImplicitAny`.
+- fix(build): add `declaration: true` to `tsconfig/tsconfig.esm.json` to emit `.d.ts` files; generate `dist/cjs/index.d.ts` re-exporting ESM types; add `types` condition to package exports; extract `STARTUP_ERROR_MESSAGE` from compiled ESM output instead of hardcoding it in the CJS shim script.
+- fix(scripts): remove `--ext` flags from all `lint`/`lintfix` npm scripts — ESLint v9 flat config silently ignores these flags; file coverage is already provided by the glob patterns in `eslint.config.mjs`.
+- docs(swagger): remove `domain` from the `required` array in all authenticated request schemas (`TxTemplateUpsertRequest`, `TxSendRequest`, `TxSendMultipartRequest`, `FormRecipientUpsertRequest`, `FormTemplateUpsertRequest`); mark property descriptions as optional; bump spec version to 1.0.41.
+- docs(readme): add `SMTP_REQUIRE_TLS` to quick-start `.env` example and configuration reference.
+- (Changes generated/assisted by Claude Code (profile: anthropic-claude-sonnet-4-6/high).)
+
+Version 1.0.40 (2026-02-22)
+
+- chore(changes): normalize this package changelog to required CHANGES format.
+- (Changes generated/assisted by Codex (profile: chatgpt-5.3-codex/medium).)
+
+Version 1.0.39 (2026-02-19)
+
+- Code clarity pass: restore `DB_LOG` env-driven logging config (was commented
+  out), normalize import path in `db.ts`.
+- Simplify `create_mail_transport` by removing unnecessary spread and
+  intermediate variable.
+- Simplify `buildReplyToValue` by removing redundant variable and duplicate
+  return path in `forms.ts`.
+- Replace `forEach` with `for...of` and use separate `const` declarations in
+  `validateEmails` (`mailer.ts`).
+
 Version 1.0.38 (2026-02-17)
 
 - Prefer `fs.watch` for init-data auto-reload with automatic fallback to

package/README.md

@@ -60,6 +60,7 @@ API_URL=http://127.0.0.1:3776
 SMTP_HOST=127.0.0.1
 SMTP_PORT=1025
 SMTP_SECURE=false
+SMTP_REQUIRE_TLS=false
 SMTP_TLS_REJECT=false
 ```
 
@@ -144,6 +145,10 @@ Commonly used variables:
     - `FORM_RATE_LIMIT_WINDOW_SEC`, `FORM_RATE_LIMIT_MAX`
     - `FORM_MAX_ATTACHMENTS`, `FORM_KEEP_UPLOADS`
     - `FORM_CAPTCHA_PROVIDER`, `FORM_CAPTCHA_SECRET`, `FORM_CAPTCHA_REQUIRED`
+- SMTP:
+    - `SMTP_HOST`, `SMTP_PORT`, `SMTP_SECURE`
+    - `SMTP_REQUIRE_TLS` (default `true`; set to `false` for local dev servers like MailHog that don't support STARTTLS)
+    - `SMTP_TLS_REJECT` (default `true`; set to `false` to accept self-signed certificates)
 - Swagger/OpenAPI:
     - `SWAGGER_ENABLED`, `SWAGGER_PATH`
 
@@ -308,5 +313,5 @@ pnpm -w --filter @technomoron/mail-magic cleanbuild
 
 Documentation:
 
-- `packages/mail-magic/docs/tutorial.md` is a hands-on config walkthrough.
-- `packages/mail-magic/docs/form-security.md` covers the public form endpoint contract and recommended mitigations.
+- `packages/server/docs/tutorial.md` is a hands-on config walkthrough.
+- `packages/server/docs/form-security.md` covers the public form endpoint contract and recommended mitigations.

package/dist/cjs/index.d.ts

@@ -0,0 +1 @@
+export * from '../esm/index.js';

package/dist/cjs/index.js

@@ -3,7 +3,7 @@
 const load = () => import('../esm/index.js');
 
 module.exports = {
-  STARTUP_ERROR_MESSAGE: 'Failed to start mail-magic:',
+  STARTUP_ERROR_MESSAGE: "Failed to start mail-magic:",
   createMailMagicServer: async (...args) => (await load()).createMailMagicServer(...args),
   startMailMagicServer: async (...args) => (await load()).startMailMagicServer(...args)
 };

package/dist/cjs/package.json

@@ -1,3 +1,3 @@
 {
-  "type": "commonjs"
+	"type": "commonjs"
 }

package/dist/esm/api/assets.d.ts

@@ -0,0 +1,9 @@
+import { ApiModule, ApiRoute } from '@technomoron/api-server-base';
+import { mailApiServer } from '../server.js';
+import type { NextFunction, Request, Response } from 'express';
+export declare class AssetAPI extends ApiModule<mailApiServer> {
+    private resolveTemplateDir;
+    private postAssets;
+    defineRoutes(): ApiRoute[];
+}
+export declare function createAssetHandler(server: mailApiServer): (req: Request, res: Response, next?: NextFunction) => Promise<void>;

package/dist/esm/api/auth.d.ts

@@ -0,0 +1,2 @@
+import type { mailApiRequest } from '../types.js';
+export declare function assert_domain_and_user(apireq: mailApiRequest): Promise<void>;

package/dist/esm/api/auth.js

@@ -4,11 +4,8 @@ import { api_user } from '../models/user.js';
 import { getBodyValue } from '../util/utils.js';
 export async function assert_domain_and_user(apireq) {
     const body = apireq.req.body ?? {};
-    const domain = getBodyValue(body, 'domain');
+    const domainRaw = getBodyValue(body, 'domain');
     const locale = getBodyValue(body, 'locale');
-    if (!domain) {
-        throw new ApiError({ code: 401, message: 'Missing domain' });
-    }
     const rawUid = apireq.getRealUid();
     const uid = rawUid === null ? null : Number(rawUid);
     if (!uid || Number.isNaN(uid)) {
@@ -18,12 +15,24 @@ export async function assert_domain_and_user(apireq) {
     if (!user) {
         throw new ApiError({ code: 401, message: 'Invalid/Unknown API Key/Token' });
     }
-    const dbdomain = await api_domain.findOne({ where: { name: domain } });
-    if (!dbdomain) {
-        throw new ApiError({ code: 401, message: `Unable to look up the domain ${domain}` });
+    let dbdomain;
+    if (domainRaw) {
+        dbdomain = await api_domain.findOne({ where: { name: domainRaw } });
+        if (!dbdomain) {
+            throw new ApiError({ code: 401, message: `Unable to look up the domain ${domainRaw}` });
+        }
+    }
+    else if (user.domain != null) {
+        dbdomain = await api_domain.findByPk(user.domain);
+        if (!dbdomain) {
+            throw new ApiError({ code: 401, message: 'Unable to resolve default domain for this user' });
+        }
+    }
+    else {
+        throw new ApiError({ code: 401, message: 'Missing domain' });
     }
     if (dbdomain.user_id !== user.user_id) {
-        throw new ApiError({ code: 403, message: `Domain ${domain} is not owned by this user` });
+        throw new ApiError({ code: 403, message: `Domain ${dbdomain.name} is not owned by this user` });
     }
     apireq.domain = dbdomain;
     apireq.user = user;

package/dist/esm/api/forms.d.ts

@@ -0,0 +1,9 @@
+import { ApiRoute, ApiModule } from '@technomoron/api-server-base';
+import { mailApiServer } from '../server.js';
+export declare class FormAPI extends ApiModule<mailApiServer> {
+    private readonly rateLimiter;
+    private postFormRecipient;
+    private postFormTemplate;
+    private postSendForm;
+    defineRoutes(): ApiRoute[];
+}

package/dist/esm/api/forms.js

@@ -1,11 +1,12 @@
 import { ApiModule, ApiError } from '@technomoron/api-server-base';
+import { convert } from 'html-to-text';
 import { nanoid } from 'nanoid';
 import nunjucks from 'nunjucks';
 import { UniqueConstraintError } from 'sequelize';
 import { api_domain } from '../models/domain.js';
 import { api_form } from '../models/form.js';
 import { api_recipient } from '../models/recipient.js';
-import { buildFormTemplateRecord, buildFormTemplatePaths, buildRecipientTo, buildReplyToValue, buildSubmissionContext, enforceAttachmentPolicy, enforceCaptchaPolicy, filterSubmissionFields, getPrimaryRecipientInfo, normalizeRecipientEmail, normalizeRecipientIdname, normalizeRecipientName, parseIdnameList, parseFormTemplatePayload, parseRecipientPayload, parsePublicSubmissionOrThrow, resolveFormKeyForTemplate, resolveFormKeyForRecipient, resolveRecipients, validateFormTemplatePayload } from '../util/forms.js';
+import { buildFormTemplateRecord, buildFormTemplatePaths, buildRecipientTo, buildReplyToValue, buildSubmissionContext, enforceAttachmentPolicy, enforceCaptchaPolicy, filterSubmissionFields, getPrimaryRecipientInfo, normalizeRecipientEmail, normalizeRecipientIdname, normalizeRecipientName, parseFormTemplatePayload, parseRecipientPayload, parsePublicSubmissionOrThrow, resolveFormKeyForTemplate, resolveFormKeyForRecipient, resolveRecipients, validateFormTemplatePayload } from '../util/forms.js';
 import { FixedWindowRateLimiter, enforceFormRateLimit } from '../util/ratelimit.js';
 import { buildAttachments, cleanupUploadedFiles } from '../util/uploads.js';
 import { getBodyValue } from '../util/utils.js';
@@ -139,7 +140,7 @@ export class FormAPI extends ApiModule {
             const clientIp = apireq.getClientIp() ?? '';
             await enforceCaptchaPolicy({ vars: env, form, captchaToken, clientIp });
             const resolvedRecipients = await resolveRecipients(form, recipientsRaw);
-            const recipients = parseIdnameList(recipientsRaw, 'recipients');
+            const recipients = resolvedRecipients.map((r) => r.idname ?? '').filter(Boolean);
             const { rcptEmail, rcptName, rcptIdname, rcptIdnames } = getPrimaryRecipientInfo(form, resolvedRecipients);
             const domainRecord = await api_domain.findOne({ where: { domain_id: form.domain_id } });
             await this.server.storage.relocateUploads(domainRecord?.name ?? null, rawFiles);
@@ -171,13 +172,15 @@ export class FormAPI extends ApiModule {
                 files: rawFiles,
                 meta
             });
-            nunjucks.configure({ autoescape: this.server.storage.vars.AUTOESCAPE_HTML });
-            const html = nunjucks.renderString(form.template, context);
+            const njkEnv = new nunjucks.Environment(null, { autoescape: this.server.storage.vars.AUTOESCAPE_HTML });
+            const html = njkEnv.renderString(form.template, context);
+            const text = convert(html);
             const mailOptions = {
                 from: form.sender,
                 to,
                 subject: form.subject,
                 html,
+                text,
                 attachments: allAttachments,
                 ...(replyToValue ? { replyTo: replyToValue } : {})
             };

package/dist/esm/api/mailer.d.ts

@@ -0,0 +1,11 @@
+import { ApiModule, ApiRoute } from '@technomoron/api-server-base';
+import { mailApiServer } from '../server.js';
+export declare class MailerAPI extends ApiModule<mailApiServer> {
+    validateEmails(list: string): {
+        valid: string[];
+        invalid: string[];
+    };
+    private post_template;
+    private post_send;
+    defineRoutes(): ApiRoute[];
+}

package/dist/esm/api/mailer.js

@@ -11,12 +11,13 @@ export class MailerAPI extends ApiModule {
     // and valid email addresses.
     //
     validateEmails(list) {
-        const valid = [], invalid = [];
+        const valid = [];
+        const invalid = [];
         const emails = list
             .split(',')
             .map((email) => email.trim())
             .filter((email) => email !== '');
-        emails.forEach((email) => {
+        for (const email of emails) {
             const addr = validateEmail(email);
             if (addr) {
                 valid.push(addr);
@@ -24,7 +25,7 @@ export class MailerAPI extends ApiModule {
             else {
                 invalid.push(email);
             }
-        });
+        }
         return { valid, invalid };
     }
     // Store a template in the database
@@ -62,10 +63,10 @@ export class MailerAPI extends ApiModule {
     }
     // Send a template using posted arguments.
     async post_send(apireq) {
-        const { name, rcpt, domain = '', locale = '', vars = {}, replyTo, reply_to, headers } = apireq.req.body;
+        const { name, rcpt, locale = '', vars = {}, replyTo, reply_to, headers } = apireq.req.body;
         await assert_domain_and_user(apireq);
-        if (!name || !rcpt || !domain) {
-            throw new ApiError({ code: 400, message: 'name/rcpt/domain required' });
+        if (!name || !rcpt) {
+            throw new ApiError({ code: 400, message: 'name/rcpt required' });
         }
         let parsedVars = vars ?? {};
         if (typeof vars === 'string') {
@@ -97,7 +98,7 @@ export class MailerAPI extends ApiModule {
         if (!template) {
             throw new ApiError({
                 code: 404,
-                message: `Template "${name}" not found for any locale in domain "${domain}"`
+                message: `Template "${name}" not found for any locale in domain "${apireq.domain.name}"`
             });
         }
         const sender = template.sender || apireq.domain.sender || apireq.user.email;

package/dist/esm/bin/mail-magic.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/esm/index.d.ts

@@ -0,0 +1,12 @@
+import { mailApiServer } from './server.js';
+import { MailStoreVars, mailStore } from './store/store.js';
+import type { ApiServerConf } from '@technomoron/api-server-base';
+export type MailMagicServerOptions = Partial<ApiServerConf>;
+export type MailMagicServerBootstrap = {
+    server: mailApiServer;
+    store: mailStore;
+    vars: MailStoreVars;
+};
+export declare const STARTUP_ERROR_MESSAGE = "Failed to start mail-magic:";
+export declare function createMailMagicServer(overrides?: MailMagicServerOptions, envOverrides?: Partial<MailStoreVars>): Promise<MailMagicServerBootstrap>;
+export declare function startMailMagicServer(overrides?: MailMagicServerOptions, envOverrides?: Partial<MailStoreVars>): Promise<MailMagicServerBootstrap>;

package/dist/esm/models/db.d.ts

@@ -0,0 +1,5 @@
+import { Sequelize } from 'sequelize';
+import { mailStore } from '../store/store.js';
+export declare function usesSqlitePragmas(db: Pick<Sequelize, 'getDialect'>): boolean;
+export declare function init_api_db(db: Sequelize, store: mailStore): Promise<void>;
+export declare function connect_api_db(store: mailStore): Promise<Sequelize>;

package/dist/esm/models/db.js

@@ -97,10 +97,10 @@ export async function init_api_db(db, store) {
     store.print_debug('API Database Initialized...');
 }
 export async function connect_api_db(store) {
-    console.log('DB INIT');
+    store.print_debug('DB INIT');
     const env = store.vars;
     const dbparams = {
-        logging: false, // env.DB_LOG ? console.log : false,
+        logging: env.DB_LOG ? console.log : false,
         dialect: env.DB_TYPE,
         dialectOptions: {
             charset: 'utf8mb4'

package/dist/esm/models/domain.d.ts

@@ -0,0 +1,24 @@
+import { Sequelize, Model } from 'sequelize';
+import { z } from 'zod';
+export declare const api_domain_schema: z.ZodObject<{
+    domain_id: z.ZodNumber;
+    user_id: z.ZodNumber;
+    name: z.ZodString;
+    sender: z.ZodDefault<z.ZodString>;
+    locale: z.ZodDefault<z.ZodString>;
+    is_default: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+export type api_domain_input = z.input<typeof api_domain_schema>;
+export type api_domain_type = z.output<typeof api_domain_schema>;
+export type api_domain_creation_type = Omit<api_domain_input, 'domain_id'> & {
+    domain_id?: number;
+};
+export declare class api_domain extends Model<api_domain_type, api_domain_creation_type> {
+    domain_id: number;
+    user_id: number;
+    name: string;
+    sender: string;
+    locale: string;
+    is_default: boolean;
+}
+export declare function init_api_domain(api_db: Sequelize): Promise<typeof api_domain>;

package/dist/esm/models/domain.js

@@ -15,8 +15,6 @@ export const api_domain_schema = z
     is_default: z.boolean().default(false).describe('If true, this is the default domain for the user.')
 })
     .describe('Domain configuration record.');
-// Sequelize typing pattern: merge the Zod-inferred attribute type onto the model instance type.
-// eslint-disable-next-line @typescript-eslint/no-unsafe-declaration-merging
 export class api_domain extends Model {
 }
 export async function init_api_domain(api_db) {

package/dist/esm/models/form.d.ts

@@ -0,0 +1,50 @@
+import { Sequelize, Model } from 'sequelize';
+import { z } from 'zod';
+import { StoredFile } from '../types.js';
+export declare const api_form_schema: z.ZodObject<{
+    form_id: z.ZodNumber;
+    form_key: z.ZodDefault<z.ZodString>;
+    user_id: z.ZodNumber;
+    domain_id: z.ZodNumber;
+    locale: z.ZodDefault<z.ZodString>;
+    idname: z.ZodString;
+    sender: z.ZodString;
+    recipient: z.ZodString;
+    subject: z.ZodString;
+    template: z.ZodDefault<z.ZodString>;
+    filename: z.ZodDefault<z.ZodString>;
+    slug: z.ZodDefault<z.ZodString>;
+    secret: z.ZodDefault<z.ZodString>;
+    replyto_email: z.ZodDefault<z.ZodString>;
+    replyto_from_fields: z.ZodDefault<z.ZodBoolean>;
+    allowed_fields: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    captcha_required: z.ZodDefault<z.ZodBoolean>;
+    files: z.ZodDefault<z.ZodArray<z.ZodType<StoredFile, unknown, z.core.$ZodTypeInternals<StoredFile, unknown>>>>;
+}, z.core.$strip>;
+export type api_form_input = z.input<typeof api_form_schema>;
+export type api_form_type = z.output<typeof api_form_schema>;
+export type api_form_creation_type = Omit<api_form_input, 'form_id'> & {
+    form_id?: number;
+};
+export declare class api_form extends Model<api_form_type, api_form_creation_type> {
+    form_id: number;
+    form_key: string;
+    user_id: number;
+    domain_id: number;
+    locale: string;
+    idname: string;
+    sender: string;
+    recipient: string;
+    subject: string;
+    template: string;
+    filename: string;
+    slug: string;
+    secret: string;
+    replyto_email: string;
+    replyto_from_fields: boolean;
+    allowed_fields: string[];
+    captcha_required: boolean;
+    files: StoredFile[];
+}
+export declare function init_api_form(api_db: Sequelize): Promise<typeof api_form>;
+export declare function upsert_form(record: api_form_type): Promise<api_form>;

package/dist/esm/models/form.js

@@ -2,7 +2,7 @@ import path from 'path';
 import { nanoid } from 'nanoid';
 import { Model, DataTypes, UniqueConstraintError } from 'sequelize';
 import { z } from 'zod';
-import { assertSafeRelativePath } from '../util/paths.js';
+import { assertSafeRelativePath, buildFormSlugAndFilename } from '../util/paths.js';
 import { user_and_domain, normalizeSlug } from '../util.js';
 const stored_file_schema = z
     .object({
@@ -68,8 +68,6 @@ export const api_form_schema = z
         .describe('Derived list of template-referenced assets (inline cids and external links) resolved during preprocessing/import.')
 })
     .describe('Form configuration and template used by the public form submission endpoint.');
-// Sequelize typing pattern: merge the Zod-inferred attribute type onto the model instance type.
-// eslint-disable-next-line @typescript-eslint/no-unsafe-declaration-merging
 export class api_form extends Model {
 }
 export async function init_api_form(api_db) {
@@ -175,7 +173,9 @@ export async function init_api_form(api_db) {
                 }
                 try {
                     const parsed = JSON.parse(raw);
-                    return Array.isArray(parsed) ? parsed : [];
+                    return Array.isArray(parsed)
+                        ? parsed.filter((item) => typeof item === 'string')
+                        : [];
                 }
                 catch {
                     return [];
@@ -233,23 +233,24 @@ export async function init_api_form(api_db) {
 export async function upsert_form(record) {
     const { user, domain } = await user_and_domain(record.domain_id);
     const dname = normalizeSlug(domain.name);
-    const name = normalizeSlug(record.idname);
-    const locale = normalizeSlug(record.locale || domain.locale || user.locale || '');
+    const { slug, filename: generatedFilename } = buildFormSlugAndFilename({
+        domainName: domain.name,
+        domainLocale: domain.locale,
+        userLocale: user.locale,
+        idname: record.idname,
+        locale: record.locale
+    });
     if (!record.slug) {
-        record.slug = `${dname}${locale ? '-' + locale : ''}-${name}`;
+        record.slug = slug;
     }
     if (!record.filename) {
-        const parts = [dname, 'form-template'];
-        if (locale)
-            parts.push(locale);
-        parts.push(name);
-        record.filename = path.join(...parts);
+        record.filename = generatedFilename;
     }
     else {
         record.filename = path.join(dname, 'form-template', record.filename);
-    }
-    if (!record.filename.endsWith('.njk')) {
-        record.filename += '.njk';
+        if (!record.filename.endsWith('.njk')) {
+            record.filename += '.njk';
+        }
     }
     record.filename = assertSafeRelativePath(record.filename, 'Form filename');
     let instance = null;

package/dist/esm/models/init.d.ts

@@ -0,0 +1,12 @@
+import { mailStore } from '../store/store.js';
+import { StoredFile } from '../types.js';
+import { api_form_type } from './form.js';
+import { api_txmail_type } from './txmail.js';
+interface LoadedTemplate {
+    html: string;
+    assets: StoredFile[];
+}
+export declare function loadFormTemplate(store: mailStore, form: api_form_type): Promise<LoadedTemplate>;
+export declare function loadTxTemplate(store: mailStore, template: api_txmail_type): Promise<LoadedTemplate>;
+export declare function importData(store: mailStore): Promise<void>;
+export {};

package/dist/esm/models/init.js

@@ -1,8 +1,8 @@
 import fs from 'fs';
 import path from 'path';
-import { Unyuck } from '@technomoron/unyuck';
 import { z } from 'zod';
 import { buildAssetUrl } from '../util/paths.js';
+import { flattenTemplateWithAssets } from '../util/shared-template-flatten.js';
 import { user_and_domain } from '../util.js';
 import { api_domain, api_domain_schema } from './domain.js';
 import { api_form_schema, upsert_form } from './form.js';
@@ -52,35 +52,14 @@ async function _load_template(store, filename, pathname, user, domain, locale, t
         }
         const assetBaseUrl = store.vars.ASSET_PUBLIC_BASE?.trim() ? store.vars.ASSET_PUBLIC_BASE : store.vars.API_URL;
         const assetRoute = store.vars.ASSET_ROUTE;
-        const processor = new Unyuck({
-            basePath: domainRoot,
+        const { html, assets } = flattenTemplateWithAssets({
+            domainRoot,
+            templateKey,
             baseUrl: assetBaseUrl,
-            collectAssets: true,
-            assetFormatter: (ctx) => buildAssetUrl(assetBaseUrl, assetRoute, domain.name, ctx.urlPath)
+            assetFormatter: (urlPath) => buildAssetUrl(assetBaseUrl, assetRoute, domain.name, urlPath),
+            normalizeInlineCid: buildInlineAssetCid
         });
-        const { html: mergedHtml, assets } = processor.flattenWithAssets(templateKey);
-        let html = mergedHtml;
-        const mappedAssets = assets.map((asset) => {
-            const rel = asset.filename.replace(/\\/g, '/');
-            const urlPath = rel.startsWith('assets/') ? rel.slice('assets/'.length) : rel;
-            return {
-                filename: urlPath,
-                path: asset.path,
-                cid: asset.cid ? buildInlineAssetCid(urlPath) : undefined
-            };
-        });
-        for (const asset of assets) {
-            if (!asset.cid) {
-                continue;
-            }
-            const rel = asset.filename.replace(/\\/g, '/');
-            const urlPath = rel.startsWith('assets/') ? rel.slice('assets/'.length) : rel;
-            const desiredCid = buildInlineAssetCid(urlPath);
-            if (asset.cid !== desiredCid) {
-                html = html.replaceAll(`cid:${asset.cid}`, `cid:${desiredCid}`);
-            }
-        }
-        return { html, assets: mappedAssets };
+        return { html, assets: assets };
     }
     catch (err) {
         throw new Error(`Template "${absPath}" failed to preprocess: ${err.message}`);

package/dist/esm/models/recipient.d.ts

@@ -0,0 +1,24 @@
+import { Sequelize, Model } from 'sequelize';
+import { z } from 'zod';
+export declare const api_recipient_schema: z.ZodObject<{
+    recipient_id: z.ZodNumber;
+    domain_id: z.ZodNumber;
+    form_key: z.ZodDefault<z.ZodString>;
+    idname: z.ZodString;
+    email: z.ZodString;
+    name: z.ZodDefault<z.ZodString>;
+}, z.core.$strip>;
+export type api_recipient_input = z.input<typeof api_recipient_schema>;
+export type api_recipient_type = z.output<typeof api_recipient_schema>;
+export type api_recipient_creation_type = Omit<api_recipient_input, 'recipient_id'> & {
+    recipient_id?: number;
+};
+export declare class api_recipient extends Model<api_recipient_type, api_recipient_creation_type> {
+    recipient_id: number;
+    domain_id: number;
+    form_key: string;
+    idname: string;
+    email: string;
+    name: string;
+}
+export declare function init_api_recipient(api_db: Sequelize): Promise<typeof api_recipient>;

package/dist/esm/models/recipient.js

@@ -11,8 +11,6 @@ export const api_recipient_schema = z
     name: z.string().default('').describe('Optional recipient display name.')
 })
     .describe('Recipient routing record for form submissions.');
-// Sequelize typing pattern: merge the Zod-inferred attribute type onto the model instance type.
-// eslint-disable-next-line @typescript-eslint/no-unsafe-declaration-merging
 export class api_recipient extends Model {
 }
 export async function init_api_recipient(api_db) {

package/dist/esm/models/txmail.d.ts

@@ -0,0 +1,42 @@
+import { Sequelize, Model } from 'sequelize';
+import { z } from 'zod';
+import { StoredFile } from '../types.js';
+export declare const api_txmail_schema: z.ZodObject<{
+    template_id: z.ZodNumber;
+    user_id: z.ZodNumber;
+    domain_id: z.ZodNumber;
+    name: z.ZodString;
+    locale: z.ZodDefault<z.ZodString>;
+    template: z.ZodDefault<z.ZodString>;
+    filename: z.ZodDefault<z.ZodString>;
+    sender: z.ZodString;
+    subject: z.ZodString;
+    slug: z.ZodDefault<z.ZodString>;
+    part: z.ZodDefault<z.ZodBoolean>;
+    files: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        filename: z.ZodString;
+        path: z.ZodString;
+        cid: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;
+export type api_txmail_input = z.input<typeof api_txmail_schema>;
+export type api_txmail_type = z.output<typeof api_txmail_schema>;
+export type api_txmail_creation_type = Omit<api_txmail_input, 'template_id'> & {
+    template_id?: number;
+};
+export declare class api_txmail extends Model<api_txmail_type, api_txmail_creation_type> {
+    template_id: number;
+    user_id: number;
+    domain_id: number;
+    name: string;
+    locale: string;
+    template: string;
+    filename: string;
+    sender: string;
+    subject: string;
+    slug: string;
+    part: boolean;
+    files: StoredFile[];
+}
+export declare function upsert_txmail(record: api_txmail_type): Promise<api_txmail>;
+export declare function init_api_txmail(api_db: Sequelize): Promise<typeof api_txmail>;

package/dist/esm/models/txmail.js

@@ -26,8 +26,6 @@ export const api_txmail_schema = z
         .describe('Derived list of template-referenced assets resolved during preprocessing/import.')
 })
     .describe('Transactional email template configuration.');
-// Sequelize typing pattern: merge the Zod-inferred attribute type onto the model instance type.
-// eslint-disable-next-line @typescript-eslint/no-unsafe-declaration-merging
 export class api_txmail extends Model {
 }
 export async function upsert_txmail(record) {