@technomoron/mail-magic 1.0.6 → 1.0.9

package/.do-realease.sh

@@ -4,7 +4,51 @@ VERSION=$(node -p "require('./package.json').version")
 
 echo "Creating release for ${VERSION}"
 
+if [ -n "$(git status --porcelain)" ]; then
+	echo "Working tree is not clean. Commit or stash changes before release." >&2
+	exit 1
+fi
+
+UPSTREAM=$(git rev-parse --abbrev-ref --symbolic-full-name @{u} 2>/dev/null || true)
+if [ -z "$UPSTREAM" ]; then
+	echo "No upstream configured for $(git rev-parse --abbrev-ref HEAD). Set upstream before release." >&2
+	exit 1
+fi
+
+if ! git fetch --quiet; then
+	echo "Failed to fetch remote updates. Check your network or remote access." >&2
+	exit 1
+fi
+
+set -- $(git rev-list --left-right --count "${UPSTREAM}...HEAD")
+BEHIND_COUNT=$1
+AHEAD_COUNT=$2
+
+if [ "$BEHIND_COUNT" -ne 0 ] || [ "$AHEAD_COUNT" -ne 0 ]; then
+	echo "Branch is not in sync with ${UPSTREAM} (behind ${BEHIND_COUNT}, ahead ${AHEAD_COUNT})." >&2
+	echo "Pull/push until the branch matches upstream before release." >&2
+	exit 1
+fi
+
+if ! npm whoami >/dev/null 2>&1; then
+	echo "Not logged into npm. Run 'npm login' before release." >&2
+	exit 1
+fi
+
+if git rev-parse -q --verify "refs/tags/v${VERSION}" >/dev/null; then
+	echo "Tag v${VERSION} already exists. Aborting." >&2
+	exit 1
+fi
+
 git tag -a "v${VERSION}" -m "Release version ${VERSION}"
 git push origin "v${VERSION}"
 
-npm publish --access=public
+# detect prerelease versions (contains a hyphen)
+if echo "$VERSION" | grep -q "-"; then
+  TAG=$(echo "$VERSION" | sed 's/^[0-9.]*-\([a-zA-Z0-9]*\).*/\1/')
+  echo "Detected prerelease. Publishing with tag '$TAG'"
+  npm publish --tag "$TAG" --access=public
+else
+  echo "Stable release. Publishing as latest"
+  npm publish --access=public
+fi

package/.env-dist

@@ -16,8 +16,17 @@ DB_FORCE_SYNC=false
 # Sets the public URL for the API (i.e. https://ml.example.com:3790)
 API_URL=http://localhost:3776
 
+# Enable the Swagger/OpenAPI endpoint [boolean]
+SWAGGER_ENABLED=false
+
+# Path to expose the Swagger/OpenAPI spec (default: /api/swagger when enabled)
+SWAGGER_PATH=
+
+# Route prefix exposed for config assets
+ASSET_ROUTE=/asset
+
 # Path to directory where config files are located
-CONFIG_PATH=./config/
+CONFIG_PATH=./data/
 
 # Database username for API database
 DB_USER=
@@ -58,5 +67,5 @@ SMTP_USER=
 # Password for SMTP host
 SMTP_PASSWORD=
 
-# Path for attached files
-UPLOAD_PATH=./uploads/
+# Path for attached files. Use {domain} to scope per domain.
+UPLOAD_PATH=./{domain}/uploads

package/.vscode/extensions.json

@@ -1,15 +1,3 @@
 {
-	"recommendations": [
-		"dbaeumer.vscode-eslint",
-		"esbenp.prettier-vscode",
-		"editorconfig.editorconfig",
-		"Vue.volar",
-		"wayou.vscode-todo-highlight"
-	],
-	"unwantedRecommendations": [
-		"octref.vetur",
-		"hookyqr.beautify",
-		"dbaeumer.jshint",
-		"ms-vscode.vscode-typescript-tslint-plugin"
-	]
+	"recommendations": ["dbaeumer.vscode-eslint", "esbenp.prettier-vscode"]
 }

package/.vscode/settings.json

@@ -1,123 +1,22 @@
 {
-	"editor.detectIndentation": false,
-	"editor.insertSpaces": false,
-	"editor.tabSize": 4,
-	"editor.bracketPairColorization.enabled": true,
-	"editor.guides.bracketPairs": true,
 	"editor.formatOnSave": true,
 	"editor.defaultFormatter": "esbenp.prettier-vscode",
-	"editor.codeActionsOnSave": {
-		"source.fixAll": "always",
-		"source.fixAll.eslint": "always"
+	"[javascript]": {
+		"editor.defaultFormatter": "esbenp.prettier-vscode"
 	},
-	"[json]": {
+	"[typescript]": {
+		"editor.defaultFormatter": "esbenp.prettier-vscode"
+	},
+	"[vue]": {
 		"editor.defaultFormatter": "esbenp.prettier-vscode"
 	},
-	"[jsonc]": {
+	"[json]": {
 		"editor.defaultFormatter": "esbenp.prettier-vscode"
 	},
-	"eslint.alwaysShowStatus": true,
-	"prettier.enable": true,
-	"typescript.tsdk": "node_modules/typescript/lib",
-	"eslint.run": "onSave",
-	"eslint.format.enable": true,
-	"editor.formatOnType": true,
-	"eslint.useFlatConfig": true,
-	"eslint.probe": ["javascript", "javascriptreact", "typescript", "typescriptreact", "vue"],
-	"eslint.validate": ["javascript", "javascriptreact", "typescript", "typescriptreact", "vue"],
-	"explorer.fileNesting.enabled": true,
-	"explorer.fileNesting.expand": false,
-	"explorer.fileNesting.patterns": {
-		".clang-tidy": ".clang-format, .clangd, compile_commands.json",
-		".env": "*.env, .env.*, .envrc, env.d.ts",
-		".gitignore": ".gitattributes, .gitmodules, .gitmessage, .lfsconfig, .mailmap, .git-blame*",
-		".project": ".classpath",
-		"+layout.svelte": "+layout.ts,+layout.ts,+layout.js,+layout.server.ts,+layout.server.js,+layout.gql",
-		"+page.svelte": "+page.server.ts,+page.server.js,+page.ts,+page.js,+page.gql",
-		"ansible.cfg": "ansible.cfg, .ansible-lint, requirements.yml",
-		"app.config.*": "*.env, .babelrc*, .codecov, .cssnanorc*, .env.*, .envrc, .htmlnanorc*, .lighthouserc.*, .mocha*, .postcssrc*, .terserrc*, api-extractor.json, ava.config.*, babel.config.*, capacitor.config.*, content.config.*, contentlayer.config.*, cssnano.config.*, cypress.*, env.d.ts, formkit.config.*, formulate.config.*, histoire.config.*, htmlnanorc.*, i18n.config.*, ionic.config.*, jasmine.*, jest.config.*, jsconfig.*, karma*, lighthouserc.*, panda.config.*, playwright.config.*, postcss.config.*, puppeteer.config.*, react-router.config.*, rspack.config.*, sst.config.*, svgo.config.*, tailwind.config.*, tsconfig.*, tsdoc.*, uno.config.*, unocss.config.*, vitest.config.*, vuetify.config.*, webpack.config.*, windi.config.*",
-		"application.properties": "*.properties",
-		"artisan": "*.env, .babelrc*, .codecov, .cssnanorc*, .env.*, .envrc, .htmlnanorc*, .lighthouserc.*, .mocha*, .postcssrc*, .terserrc*, api-extractor.json, ava.config.*, babel.config.*, capacitor.config.*, content.config.*, contentlayer.config.*, cssnano.config.*, cypress.*, env.d.ts, formkit.config.*, formulate.config.*, histoire.config.*, htmlnanorc.*, i18n.config.*, ionic.config.*, jasmine.*, jest.config.*, jsconfig.*, karma*, lighthouserc.*, panda.config.*, playwright.config.*, postcss.config.*, puppeteer.config.*, react-router.config.*, rspack.config.*, server.php, sst.config.*, svgo.config.*, tailwind.config.*, tsconfig.*, tsdoc.*, uno.config.*, unocss.config.*, vitest.config.*, vuetify.config.*, webpack.config.*, webpack.mix.js, windi.config.*",
-		"astro.config.*": "*.env, .babelrc*, .codecov, .cssnanorc*, .env.*, .envrc, .htmlnanorc*, .lighthouserc.*, .mocha*, .postcssrc*, .terserrc*, api-extractor.json, ava.config.*, babel.config.*, capacitor.config.*, content.config.*, contentlayer.config.*, cssnano.config.*, cypress.*, env.d.ts, formkit.config.*, formulate.config.*, histoire.config.*, htmlnanorc.*, i18n.config.*, ionic.config.*, jasmine.*, jest.config.*, jsconfig.*, karma*, lighthouserc.*, panda.config.*, playwright.config.*, postcss.config.*, puppeteer.config.*, react-router.config.*, rspack.config.*, sst.config.*, svgo.config.*, tailwind.config.*, tsconfig.*, tsdoc.*, uno.config.*, unocss.config.*, vitest.config.*, vuetify.config.*, webpack.config.*, windi.config.*",
-		"build-wrapper.log": "build-wrapper*.log, build-wrapper-dump*.json, build-wrapper-win*.exe, build-wrapper-linux*, build-wrapper-macosx*",
-		"BUILD.bazel": "*.bzl, *.bazel, *.bazelrc, bazel.rc, .bazelignore, .bazelproject, .bazelversion, MODULE.bazel.lock, WORKSPACE",
-		"Cargo.toml": ".clippy.toml, .rustfmt.toml, Cargo.Bazel.lock, Cargo.lock, clippy.toml, cross.toml, insta.yaml, rust-toolchain.toml, rustfmt.toml",
-		"CMakeLists.txt": "*.cmake, *.cmake.in, .cmake-format.yaml, CMakePresets.json, CMakeCache.txt",
-		"composer.json": ".php*.cache, composer.lock, phpunit.xml*, psalm*.xml",
-		"default.nix": "shell.nix",
-		"deno.json*": "*.env, .env.*, .envrc, api-extractor.json, deno.lock, env.d.ts, import-map.json, import_map.json, jsconfig.*, tsconfig.*, tsdoc.*",
-		"Dockerfile": "*.dockerfile, .devcontainer.*, .dockerignore, captain-definition, compose.*, docker-compose.*, dockerfile*",
-		"flake.nix": "flake.lock",
-		"gatsby-config.*": "*.env, .babelrc*, .codecov, .cssnanorc*, .env.*, .envrc, .htmlnanorc*, .lighthouserc.*, .mocha*, .postcssrc*, .terserrc*, api-extractor.json, ava.config.*, babel.config.*, capacitor.config.*, content.config.*, contentlayer.config.*, cssnano.config.*, cypress.*, env.d.ts, formkit.config.*, formulate.config.*, gatsby-browser.*, gatsby-node.*, gatsby-ssr.*, gatsby-transformer.*, histoire.config.*, htmlnanorc.*, i18n.config.*, ionic.config.*, jasmine.*, jest.config.*, jsconfig.*, karma*, lighthouserc.*, panda.config.*, playwright.config.*, postcss.config.*, puppeteer.config.*, react-router.config.*, rspack.config.*, sst.config.*, svgo.config.*, tailwind.config.*, tsconfig.*, tsdoc.*, uno.config.*, unocss.config.*, vitest.config.*, vuetify.config.*, webpack.config.*, windi.config.*",
-		"gemfile": ".ruby-version, gemfile.lock",
-		"go.mod": ".air*, go.sum",
-		"go.work": "go.work.sum",
-		"hatch.toml": ".editorconfig, .flake8, .isort.cfg, .python-version, hatch.toml, requirements*.in, requirements*.pip, requirements*.txt, tox.ini",
-		"I*.cs": "$(capture).cs",
-		"Makefile": "*.mk",
-		"mix.exs": ".credo.exs, .dialyzer_ignore.exs, .formatter.exs, .iex.exs, .tool-versions, mix.lock",
-		"next.config.*": "*.env, .babelrc*, .codecov, .cssnanorc*, .env.*, .envrc, .htmlnanorc*, .lighthouserc.*, .mocha*, .postcssrc*, .terserrc*, api-extractor.json, ava.config.*, babel.config.*, capacitor.config.*, content.config.*, contentlayer.config.*, cssnano.config.*, cypress.*, env.d.ts, formkit.config.*, formulate.config.*, histoire.config.*, htmlnanorc.*, i18n.config.*, ionic.config.*, jasmine.*, jest.config.*, jsconfig.*, karma*, lighthouserc.*, next-env.d.ts, next-i18next.config.*, panda.config.*, playwright.config.*, postcss.config.*, puppeteer.config.*, react-router.config.*, rspack.config.*, sst.config.*, svgo.config.*, tailwind.config.*, tsconfig.*, tsdoc.*, uno.config.*, unocss.config.*, vitest.config.*, vuetify.config.*, webpack.config.*, windi.config.*",
-		"nuxt.config.*": "*.env, .babelrc*, .codecov, .cssnanorc*, .env.*, .envrc, .htmlnanorc*, .lighthouserc.*, .mocha*, .nuxtignore, .nuxtrc, .postcssrc*, .terserrc*, api-extractor.json, ava.config.*, babel.config.*, capacitor.config.*, content.config.*, contentlayer.config.*, cssnano.config.*, cypress.*, env.d.ts, formkit.config.*, formulate.config.*, histoire.config.*, htmlnanorc.*, i18n.config.*, ionic.config.*, jasmine.*, jest.config.*, jsconfig.*, karma*, lighthouserc.*, panda.config.*, playwright.config.*, postcss.config.*, puppeteer.config.*, react-router.config.*, rspack.config.*, sst.config.*, svgo.config.*, tailwind.config.*, tsconfig.*, tsdoc.*, uno.config.*, unocss.config.*, vitest.config.*, vuetify.config.*, webpack.config.*, windi.config.*",
-		"package.json": "*.code-workspace, .browserslist*, .circleci*, .commitlint*, .cspell*, .cursor*, .cz-config.js, .czrc, .dlint.json, .dprint.json*, .editorconfig, .eslint*, .firebase*, .flowconfig, .github*, .gitlab*, .gitmojirc.json, .gitpod*, .huskyrc*, .jslint*, .knip.*, .lintstagedrc*, .ls-lint.yml, .markdownlint*, .node-version, .nodemon*, .npm*, .nvmrc, .pm2*, .pnp.*, .pnpm*, .prettier*, .pylintrc, .release-please*.json, .releaserc*, .ruff.toml, .sentry*, .shellcheckrc, .simple-git-hooks*, .stackblitz*, .styleci*, .stylelint*, .tazerc*, .textlint*, .tool-versions, .travis*, .versionrc*, .vscode*, .watchman*, .windsurfrules, .xo-config*, .yamllint*, .yarnrc*, Procfile, apollo.config.*, appveyor*, azure-pipelines*, biome.json*, bower.json, build.config.*, bun.lock, bun.lockb, bunfig.toml, colada.options.ts, commitlint*, crowdin*, cspell*, dangerfile*, dlint.json, dprint.json*, ec.config.*, electron-builder.*, eslint*, firebase.json, grunt*, gulp*, jenkins*, knip.*, lerna*, lint-staged*, nest-cli.*, netlify*, nixpacks*, nodemon*, npm-shrinkwrap.json, nx.*, package-lock.json, package.nls*.json, phpcs.xml, pm2.*, pnpm*, prettier*, pullapprove*, pyrightconfig.json, release-please*.json, release-tasks.sh, release.config.*, renovate*, rolldown.config.*, rollup.config.*, rspack*, ruff.toml, sentry.*.config.ts, simple-git-hooks*, sonar-project.properties, stylelint*, tsdown.config.*, tslint*, tsup.config.*, turbo*, typedoc*, unlighthouse*, vercel*, vetur.config.*, webpack*, workspace.json, wrangler.*, xo.config.*, yarn*",
-		"Pipfile": ".editorconfig, .flake8, .isort.cfg, .python-version, Pipfile, Pipfile.lock, requirements*.in, requirements*.pip, requirements*.txt, tox.ini",
-		"pom.xml": "mvnw*",
-		"pubspec.yaml": ".metadata, .packages, all_lint_rules.yaml, analysis_options.yaml, build.yaml, pubspec.lock, pubspec_overrides.yaml",
-		"pyproject.toml": ".commitlint*, .cspell*, .dlint.json, .dprint.json*, .editorconfig, .eslint*, .flake8, .flowconfig, .isort.cfg, .jslint*, .lintstagedrc*, .ls-lint.yml, .markdownlint*, .pdm-python, .pdm.toml, .prettier*, .pylintrc, .python-version, .ruff.toml, .shellcheckrc, .stylelint*, .textlint*, .xo-config*, .yamllint*, MANIFEST.in, Pipfile, Pipfile.lock, biome.json*, commitlint*, cspell*, dangerfile*, dlint.json, dprint.json*, eslint*, hatch.toml, lint-staged*, pdm.lock, phpcs.xml, poetry.lock, poetry.toml, prettier*, pyproject.toml, pyrightconfig.json, requirements*.in, requirements*.pip, requirements*.txt, ruff.toml, setup.cfg, setup.py, stylelint*, tox.ini, tslint*, uv.lock, uv.toml, xo.config.*",
-		"quasar.conf.js": "*.env, .babelrc*, .codecov, .cssnanorc*, .env.*, .envrc, .htmlnanorc*, .lighthouserc.*, .mocha*, .postcssrc*, .terserrc*, api-extractor.json, ava.config.*, babel.config.*, capacitor.config.*, content.config.*, contentlayer.config.*, cssnano.config.*, cypress.*, env.d.ts, formkit.config.*, formulate.config.*, histoire.config.*, htmlnanorc.*, i18n.config.*, ionic.config.*, jasmine.*, jest.config.*, jsconfig.*, karma*, lighthouserc.*, panda.config.*, playwright.config.*, postcss.config.*, puppeteer.config.*, quasar.extensions.json, react-router.config.*, rspack.config.*, sst.config.*, svgo.config.*, tailwind.config.*, tsconfig.*, tsdoc.*, uno.config.*, unocss.config.*, vitest.config.*, vuetify.config.*, webpack.config.*, windi.config.*",
-		"readme*": "AUTHORS, Authors, BACKERS*, Backers*, CHANGELOG*, CITATION*, CODEOWNERS, CODE_OF_CONDUCT*, CONTRIBUTING*, CONTRIBUTORS, COPYING*, CREDITS, Changelog*, Citation*, Code_Of_Conduct*, Codeowners, Contributing*, Contributors, Copying*, Credits, GOVERNANCE.MD, Governance.md, HISTORY.MD, History.md, LICENSE*, License*, MAINTAINERS, Maintainers, README-*, README_*, RELEASE_NOTES*, ROADMAP.MD, Readme-*, Readme_*, Release_Notes*, Roadmap.md, SECURITY.MD, SPONSORS*, Security.md, Sponsors*, authors, backers*, changelog*, citation*, code_of_conduct*, codeowners, contributing*, contributors, copying*, credits, governance.md, history.md, license*, maintainers, readme-*, readme_*, release_notes*, roadmap.md, security.md, sponsors*",
-		"Readme*": "AUTHORS, Authors, BACKERS*, Backers*, CHANGELOG*, CITATION*, CODEOWNERS, CODE_OF_CONDUCT*, CONTRIBUTING*, CONTRIBUTORS, COPYING*, CREDITS, Changelog*, Citation*, Code_Of_Conduct*, Codeowners, Contributing*, Contributors, Copying*, Credits, GOVERNANCE.MD, Governance.md, HISTORY.MD, History.md, LICENSE*, License*, MAINTAINERS, Maintainers, README-*, README_*, RELEASE_NOTES*, ROADMAP.MD, Readme-*, Readme_*, Release_Notes*, Roadmap.md, SECURITY.MD, SPONSORS*, Security.md, Sponsors*, authors, backers*, changelog*, citation*, code_of_conduct*, codeowners, contributing*, contributors, copying*, credits, governance.md, history.md, license*, maintainers, readme-*, readme_*, release_notes*, roadmap.md, security.md, sponsors*",
-		"README*": "AUTHORS, Authors, BACKERS*, Backers*, CHANGELOG*, CITATION*, CODEOWNERS, CODE_OF_CONDUCT*, CONTRIBUTING*, CONTRIBUTORS, COPYING*, CREDITS, Changelog*, Citation*, Code_Of_Conduct*, Codeowners, Contributing*, Contributors, Copying*, Credits, GOVERNANCE.MD, Governance.md, HISTORY.MD, History.md, LICENSE*, License*, MAINTAINERS, Maintainers, README-*, README_*, RELEASE_NOTES*, ROADMAP.MD, Readme-*, Readme_*, Release_Notes*, Roadmap.md, SECURITY.MD, SPONSORS*, Security.md, Sponsors*, authors, backers*, changelog*, citation*, code_of_conduct*, codeowners, contributing*, contributors, copying*, credits, governance.md, history.md, license*, maintainers, readme-*, readme_*, release_notes*, roadmap.md, security.md, sponsors*",
-		"remix.config.*": "*.env, .babelrc*, .codecov, .cssnanorc*, .env.*, .envrc, .htmlnanorc*, .lighthouserc.*, .mocha*, .postcssrc*, .terserrc*, api-extractor.json, ava.config.*, babel.config.*, capacitor.config.*, content.config.*, contentlayer.config.*, cssnano.config.*, cypress.*, env.d.ts, formkit.config.*, formulate.config.*, histoire.config.*, htmlnanorc.*, i18n.config.*, ionic.config.*, jasmine.*, jest.config.*, jsconfig.*, karma*, lighthouserc.*, panda.config.*, playwright.config.*, postcss.config.*, puppeteer.config.*, react-router.config.*, remix.*, rspack.config.*, sst.config.*, svgo.config.*, tailwind.config.*, tsconfig.*, tsdoc.*, uno.config.*, unocss.config.*, vitest.config.*, vuetify.config.*, webpack.config.*, windi.config.*",
-		"requirements.txt": ".editorconfig, .flake8, .isort.cfg, .python-version, requirements*.in, requirements*.pip, requirements*.txt, tox.ini",
-		"rush.json": "*.code-workspace, .browserslist*, .circleci*, .commitlint*, .cspell*, .cursor*, .cz-config.js, .czrc, .dlint.json, .dprint.json*, .editorconfig, .eslint*, .firebase*, .flowconfig, .github*, .gitlab*, .gitmojirc.json, .gitpod*, .huskyrc*, .jslint*, .knip.*, .lintstagedrc*, .ls-lint.yml, .markdownlint*, .node-version, .nodemon*, .npm*, .nvmrc, .pm2*, .pnp.*, .pnpm*, .prettier*, .pylintrc, .release-please*.json, .releaserc*, .ruff.toml, .sentry*, .shellcheckrc, .simple-git-hooks*, .stackblitz*, .styleci*, .stylelint*, .tazerc*, .textlint*, .tool-versions, .travis*, .versionrc*, .vscode*, .watchman*, .windsurfrules, .xo-config*, .yamllint*, .yarnrc*, Procfile, apollo.config.*, appveyor*, azure-pipelines*, biome.json*, bower.json, build.config.*, bun.lock, bun.lockb, bunfig.toml, colada.options.ts, commitlint*, crowdin*, cspell*, dangerfile*, dlint.json, dprint.json*, ec.config.*, electron-builder.*, eslint*, firebase.json, grunt*, gulp*, jenkins*, knip.*, lerna*, lint-staged*, nest-cli.*, netlify*, nixpacks*, nodemon*, npm-shrinkwrap.json, nx.*, package-lock.json, package.nls*.json, phpcs.xml, pm2.*, pnpm*, prettier*, pullapprove*, pyrightconfig.json, release-please*.json, release-tasks.sh, release.config.*, renovate*, rolldown.config.*, rollup.config.*, rspack*, ruff.toml, sentry.*.config.ts, simple-git-hooks*, sonar-project.properties, stylelint*, tsdown.config.*, tslint*, tsup.config.*, turbo*, typedoc*, unlighthouse*, vercel*, vetur.config.*, webpack*, workspace.json, wrangler.*, xo.config.*, yarn*",
-		"sanity.config.*": "sanity.cli.*, sanity.types.ts, schema.json",
-		"setup.cfg": ".editorconfig, .flake8, .isort.cfg, .python-version, MANIFEST.in, requirements*.in, requirements*.pip, requirements*.txt, setup.cfg, tox.ini",
-		"setup.py": ".editorconfig, .flake8, .isort.cfg, .python-version, MANIFEST.in, requirements*.in, requirements*.pip, requirements*.txt, setup.cfg, setup.py, tox.ini",
-		"shims.d.ts": "*.d.ts",
-		"svelte.config.*": "*.env, .babelrc*, .codecov, .cssnanorc*, .env.*, .envrc, .htmlnanorc*, .lighthouserc.*, .mocha*, .postcssrc*, .terserrc*, api-extractor.json, ava.config.*, babel.config.*, capacitor.config.*, content.config.*, contentlayer.config.*, cssnano.config.*, cypress.*, env.d.ts, formkit.config.*, formulate.config.*, histoire.config.*, houdini.config.*, htmlnanorc.*, i18n.config.*, ionic.config.*, jasmine.*, jest.config.*, jsconfig.*, karma*, lighthouserc.*, mdsvex.config.js, panda.config.*, playwright.config.*, postcss.config.*, puppeteer.config.*, react-router.config.*, rspack.config.*, sst.config.*, svgo.config.*, tailwind.config.*, tsconfig.*, tsdoc.*, uno.config.*, unocss.config.*, vite.config.*, vitest.config.*, vuetify.config.*, webpack.config.*, windi.config.*",
-		"vite.config.*": "*.env, .babelrc*, .codecov, .cssnanorc*, .env.*, .envrc, .htmlnanorc*, .lighthouserc.*, .mocha*, .postcssrc*, .terserrc*, api-extractor.json, ava.config.*, babel.config.*, capacitor.config.*, content.config.*, contentlayer.config.*, cssnano.config.*, cypress.*, env.d.ts, formkit.config.*, formulate.config.*, histoire.config.*, htmlnanorc.*, i18n.config.*, ionic.config.*, jasmine.*, jest.config.*, jsconfig.*, karma*, lighthouserc.*, panda.config.*, playwright.config.*, postcss.config.*, puppeteer.config.*, react-router.config.*, rspack.config.*, sst.config.*, svgo.config.*, tailwind.config.*, tsconfig.*, tsdoc.*, uno.config.*, unocss.config.*, vitest.config.*, vuetify.config.*, webpack.config.*, windi.config.*",
-		"vue.config.*": "*.env, .babelrc*, .codecov, .cssnanorc*, .env.*, .envrc, .htmlnanorc*, .lighthouserc.*, .mocha*, .postcssrc*, .terserrc*, api-extractor.json, ava.config.*, babel.config.*, capacitor.config.*, content.config.*, contentlayer.config.*, cssnano.config.*, cypress.*, env.d.ts, formkit.config.*, formulate.config.*, histoire.config.*, htmlnanorc.*, i18n.config.*, ionic.config.*, jasmine.*, jest.config.*, jsconfig.*, karma*, lighthouserc.*, panda.config.*, playwright.config.*, postcss.config.*, puppeteer.config.*, react-router.config.*, rspack.config.*, sst.config.*, svgo.config.*, tailwind.config.*, tsconfig.*, tsdoc.*, uno.config.*, unocss.config.*, vitest.config.*, vuetify.config.*, webpack.config.*, windi.config.*",
-		"*.asax": "$(capture).*.cs, $(capture).*.vb",
-		"*.ascx": "$(capture).*.cs, $(capture).*.vb",
-		"*.ashx": "$(capture).*.cs, $(capture).*.vb",
-		"*.aspx": "$(capture).*.cs, $(capture).*.vb",
-		"*.axaml": "$(capture).axaml.cs",
-		"*.bloc.dart": "$(capture).event.dart, $(capture).state.dart",
-		"*.c": "$(capture).h",
-		"*.cc": "$(capture).hpp, $(capture).h, $(capture).hxx, $(capture).hh",
-		"*.cjs": "$(capture).cjs.map, $(capture).*.cjs, $(capture)_*.cjs",
-		"*.component.ts": "$(capture).component.html, $(capture).component.spec.ts, $(capture).component.css, $(capture).component.scss, $(capture).component.sass, $(capture).component.less",
-		"*.cpp": "$(capture).hpp, $(capture).h, $(capture).hxx, $(capture).hh",
-		"*.cs": "$(capture).*.cs",
-		"*.cshtml": "$(capture).cshtml.cs, $(capture).cshtml.css",
-		"*.csproj": "*.config, *proj.user, appsettings.*, bundleconfig.json",
-		"*.css": "$(capture).css.map, $(capture).*.css",
-		"*.cxx": "$(capture).hpp, $(capture).h, $(capture).hxx, $(capture).hh",
-		"*.dart": "$(capture).freezed.dart, $(capture).g.dart",
-		"*.db": "*.db-shm, *.db-wal",
-		"*.ex": "$(capture).html.eex, $(capture).html.heex, $(capture).html.leex",
-		"*.fs": "$(capture).fs.js, $(capture).fs.js.map, $(capture).fs.jsx, $(capture).fs.ts, $(capture).fs.tsx, $(capture).fs.rs, $(capture).fs.php, $(capture).fs.dart",
-		"*.go": "$(capture)_test.go",
-		"*.java": "$(capture).class",
-		"*.js": "$(capture).js.map, $(capture).*.js, $(capture)_*.js, $(capture).d.ts, $(capture).d.ts.map, $(capture).js.flow",
-		"*.jsx": "$(capture).js, $(capture).*.jsx, $(capture)_*.js, $(capture)_*.jsx, $(capture).css, $(capture).module.css, $(capture).less, $(capture).module.less, $(capture).module.less.d.ts, $(capture).scss, $(capture).module.scss, $(capture).module.scss.d.ts",
-		"*.master": "$(capture).*.cs, $(capture).*.vb",
-		"*.md": "$(capture).*",
-		"*.mjs": "$(capture).mjs.map, $(capture).*.mjs, $(capture)_*.mjs",
-		"*.module.ts": "$(capture).resolver.ts, $(capture).controller.ts, $(capture).service.ts",
-		"*.mts": "$(capture).mts.map, $(capture).*.mts, $(capture)_*.mts",
-		"*.proto": "$(capture).pb.go, $(capture).pb.micro.go",
-		"*.pubxml": "$(capture).pubxml.user",
-		"*.py": "$(capture).pyi",
-		"*.razor": "$(capture).razor.cs, $(capture).razor.css, $(capture).razor.scss",
-		"*.resx": "$(capture).*.resx, $(capture).designer.cs, $(capture).designer.vb",
-		"*.tex": "$(capture).acn, $(capture).acr, $(capture).alg, $(capture).aux, $(capture).bbl, $(capture).bbl-SAVE-ERROR, $(capture).bcf, $(capture).blg, $(capture).fdb_latexmk, $(capture).fls, $(capture).glg, $(capture).glo, $(capture).gls, $(capture).idx, $(capture).ind, $(capture).ist, $(capture).lof, $(capture).log, $(capture).lot, $(capture).nav, $(capture).out, $(capture).run.xml, $(capture).snm, $(capture).synctex.gz, $(capture).toc, $(capture).xdv",
-		"*.ts": "$(capture).js, $(capture).d.ts.map, $(capture).*.ts, $(capture)_*.js, $(capture)_*.ts",
-		"*.tsx": "$(capture).ts, $(capture).*.tsx, $(capture)_*.ts, $(capture)_*.tsx, $(capture).css, $(capture).module.css, $(capture).less, $(capture).module.less, $(capture).module.less.d.ts, $(capture).scss, $(capture).module.scss, $(capture).module.scss.d.ts, $(capture).css.ts",
-		"*.vbproj": "*.config, *proj.user, appsettings.*, bundleconfig.json",
-		"*.vue": "$(capture).*.ts, $(capture).*.js, $(capture).story.vue",
-		"*.w": "$(capture).*.w, I$(capture).w",
-		"*.wat": "$(capture).wasm",
-		"*.xaml": "$(capture).xaml.cs"
-	}
+	"editor.codeActionsOnSave": {
+		"source.fixAll.eslint": "explicit"
+	},
+	"eslint.enable": true,
+	"eslint.workingDirectories": ["./"],
+	"eslint.validate": ["javascript", "javascriptreact", "typescript", "typescriptreact", "vue"]
 }

package/CHANGES

@@ -1,7 +1,29 @@
+Version 1.0.9 (2026-01-02)
+
+- Default CONFIG_PATH to ./data and document the data-rooted layout, including
+  per-domain uploads.
+- Allow UPLOAD_PATH to include {domain}, staging incoming uploads under
+  <CONFIG_PATH>/_uploads before relocating to <CONFIG_PATH>/<domain>/uploads
+  for transactional and form submissions.
+
+Version 1.0.7 (2026-01-01)
+
+- Harden asset serving and template resolution against traversal/symlink escapes by
+  resolving real paths and requiring files to exist.
+- Enforce domain ownership for form/template and mailer endpoints, validate
+  reply-to/recipient addresses, and allow reply-to plus custom headers on
+  transactional sends.
+- Constrain stored template/form filenames to safe relative paths and widen the
+  txmail template column to TEXT for larger templates.
+- Added Vitest-based integration tests with a local SMTP harness, plus test
+  scripts and dependencies.
+
 Version 1.0.6 (2025-11-06)
 
 - Added the dedicated asset API module so files stored under `config/<domain>/assets`
   are served directly from `/asset/<domain>/<path>` (configurable via `ASSET_ROUTE`).
+- Updated `@technomoron/api-server-base` to the latest 2.x beta and aligned mailer
+  server access with the new API server types.
 - Tightened the template preprocessor to require non-inline assets to live in the
   domain `assets/` folder and automatically rewrite `asset('logo.png')` calls to the
   public route.

package/README.md

@@ -15,7 +15,7 @@ Mail Magic is a TypeScript service for managing, templating, and delivering tran
 1. Clone the repository: `git clone git@github.com:technomoron/mail-magic.git`
 2. Install dependencies: `npm install`
 3. Create your environment file: copy `.env-dist` to `.env` and adjust values
-4. Populate the config directory (see `config-example/` for a reference layout)
+4. Populate the config directory (defaults to `./data/`; see `config-example/` for a reference layout). You can point `CONFIG_PATH` at `./config` to use the bundled sample data.
 5. Build the project: `npm run build`
 6. Start the API server: `npm run start`
 
@@ -24,14 +24,15 @@ During development you can run `npm run dev` for a watch mode that recompiles on
 ## Configuration
 
 - **Environment variables** are defined in `src/store/envloader.ts`. Important settings include SMTP credentials, API host/port, the config directory path, and database options.
-- **Config directory** (`CONFIG_PATH`) contains JSON seed data (`init-data.json`), optional API key files, and template assets. Each domain now lives directly under the config root (for example `config/example.com/form-template/…`). Review `config-example/` for the recommended layout, in particular the `form-template/` and `tx-template/` folders used for compiled Nunjucks templates.
+- **Config directory** (`CONFIG_PATH`) contains JSON seed data (`init-data.json`), optional API key files, and template assets. Each domain now lives directly under the config root (for example `data/example.com/form-template/…`). Use an absolute path or a relative one like `../data` when you want the config outside the repo. Review `config-example/` for the recommended layout, in particular the `form-template/` and `tx-template/` folders used for compiled Nunjucks templates.
 - **Database** defaults to SQLite (`maildata.db`). You can switch dialects by updating the environment options if your deployment requires another database.
+- **Uploads** default to `<CONFIG_PATH>/<domain>/uploads` via `UPLOAD_PATH=./{domain}/uploads`. Set a fixed path if you prefer a shared upload directory.
 
 When `DB_AUTO_RELOAD` is enabled the service watches `init-data.json` and refreshes templates and forms without a restart.
 
 ### Template assets and inline resources
 
-- Keep any non-inline files (images, attachments, etc.) under `config/<domain>/assets`. Mail Magic rewrites `asset('logo.png')` to the public route `/asset/<domain>/logo.png` (or whatever you set via `ASSET_ROUTE`).
+- Keep any non-inline files (images, attachments, etc.) under `<CONFIG_PATH>/<domain>/assets`. Mail Magic rewrites `asset('logo.png')` to the public route `/asset/<domain>/logo.png` (or whatever you set via `ASSET_ROUTE`).
 - Pass `true` as the second argument when you want to embed a file as an inline CID attachment: `asset('logo.png', true)` stores the file in Nodemailer and rewrites the HTML to reference `cid:logo.png`.
 - Avoid mixing template-type folders for assets; everything that should be linked externally belongs in the shared `<domain>/assets` tree so it can be served for both form and transactional templates.
 

package/TUTORIAL.MD

@@ -19,6 +19,7 @@ Update your `.env` (or runtime environment) to point at the new workspace:
 ```
 CONFIG_PATH=${CONFIG_ROOT}
 DB_AUTO_RELOAD=1  # optional: hot‑reload init-data and templates
+UPLOAD_PATH=./{domain}/uploads
 ```
 
 From now on the tutorial assumes `${CONFIG_ROOT}` is the root of the custom config tree.

package/dist/api/assets.js

@@ -1,6 +1,6 @@
 import fs from 'fs';
 import path from 'path';
-import { ApiModule, ApiError } from '@technomoron/api-server-base';
+import { ApiError, ApiModule } from '@technomoron/api-server-base';
 import { decodeComponent, sendFileAsync } from '../util.js';
 const DOMAIN_PATTERN = /^[a-z0-9][a-z0-9._-]*$/i;
 const SEGMENT_PATTERN = /^[a-zA-Z0-9._-]+$/;
@@ -19,27 +19,40 @@ export class AssetAPI extends ApiModule {
             throw new ApiError({ code: 404, message: 'Asset not found' });
         }
         const assetsRoot = path.join(this.server.storage.configpath, domain, 'assets');
-        const resolvedRoot = path.resolve(assetsRoot);
+        if (!fs.existsSync(assetsRoot)) {
+            throw new ApiError({ code: 404, message: 'Asset not found' });
+        }
+        const resolvedRoot = fs.realpathSync(assetsRoot);
         const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
         const candidate = path.resolve(assetsRoot, path.join(...segments));
-        if (!candidate.startsWith(normalizedRoot)) {
+        try {
+            const stats = await fs.promises.stat(candidate);
+            if (!stats.isFile()) {
+                throw new ApiError({ code: 404, message: 'Asset not found' });
+            }
+        }
+        catch {
             throw new ApiError({ code: 404, message: 'Asset not found' });
         }
+        let realCandidate;
         try {
-            await fs.promises.access(candidate, fs.constants.R_OK);
+            realCandidate = await fs.promises.realpath(candidate);
         }
         catch {
             throw new ApiError({ code: 404, message: 'Asset not found' });
         }
+        if (!realCandidate.startsWith(normalizedRoot)) {
+            throw new ApiError({ code: 404, message: 'Asset not found' });
+        }
         const { res } = apiReq;
         const originalStatus = res.status.bind(res);
         const originalJson = res.json.bind(res);
         res.status = ((code) => (res.headersSent ? res : originalStatus(code)));
         res.json = ((body) => (res.headersSent ? res : originalJson(body)));
-        res.type(path.extname(candidate));
+        res.type(path.extname(realCandidate));
         res.set('Cache-Control', 'public, max-age=300');
         try {
-            await sendFileAsync(res, candidate);
+            await sendFileAsync(res, realCandidate);
         }
         catch (err) {
             this.server.storage.print_debug(`Failed to serve asset ${domain}/${segments.join('/')}: ${err instanceof Error ? err.message : String(err)}`);

package/dist/api/forms.js

@@ -1,11 +1,19 @@
 import path from 'path';
 import { ApiModule, ApiError } from '@technomoron/api-server-base';
+import emailAddresses from 'email-addresses';
 import nunjucks from 'nunjucks';
 import { api_domain } from '../models/domain.js';
 import { api_form } from '../models/form.js';
 import { api_user } from '../models/user.js';
 import { buildRequestMeta, normalizeSlug } from '../util.js';
 export class FormAPI extends ApiModule {
+    validateEmail(email) {
+        const parsed = emailAddresses.parseOneAddress(email);
+        if (parsed) {
+            return parsed.address;
+        }
+        return undefined;
+    }
     async assertDomainAndUser(apireq) {
         const { domain, locale } = apireq.req.body;
         if (!domain) {
@@ -19,6 +27,9 @@ export class FormAPI extends ApiModule {
         if (!dbdomain) {
             throw new ApiError({ code: 401, message: `Unable to look up the domain ${domain}` });
         }
+        if (dbdomain.user_id !== user.user_id) {
+            throw new ApiError({ code: 403, message: `Domain ${domain} is not owned by this user` });
+        }
         apireq.domain = dbdomain;
         apireq.locale = locale || 'en';
         apireq.user = user;
@@ -85,7 +96,7 @@ export class FormAPI extends ApiModule {
         return [200, { Status: 'OK' }];
     }
     async postSendForm(apireq) {
-        const { formid, secret, recipient, vars = {} } = apireq.req.body;
+        const { formid, secret, recipient, vars = {}, replyTo, reply_to } = apireq.req.body;
         if (!formid) {
             throw new ApiError({ code: 404, message: 'Missing formid field in form' });
         }
@@ -102,12 +113,27 @@ export class FormAPI extends ApiModule {
         if (recipient && !form.secret) {
             throw new ApiError({ code: 401, message: "'recipient' parameterer requires form secret to be set" });
         }
+        let normalizedReplyTo;
+        let normalizedRecipient;
+        const replyToValue = (replyTo || reply_to);
+        if (replyToValue) {
+            normalizedReplyTo = this.validateEmail(replyToValue);
+            if (!normalizedReplyTo) {
+                throw new ApiError({ code: 400, message: 'Invalid reply-to email address' });
+            }
+        }
+        if (recipient) {
+            normalizedRecipient = this.validateEmail(String(recipient));
+            if (!normalizedRecipient) {
+                throw new ApiError({ code: 400, message: 'Invalid recipient email address' });
+            }
+        }
         let parsedVars = vars ?? {};
         if (typeof vars === 'string') {
             try {
                 parsedVars = JSON.parse(vars);
             }
-            catch (error) {
+            catch {
                 throw new ApiError({ code: 400, message: 'Invalid JSON provided in "vars"' });
             }
         }
@@ -140,10 +166,11 @@ export class FormAPI extends ApiModule {
         const html = nunjucks.renderString(form.template, context);
         const mailOptions = {
             from: form.sender,
-            to: recipient || form.recipient,
+            to: normalizedRecipient || form.recipient,
             subject: form.subject,
             html,
-            attachments
+            attachments,
+            ...(normalizedReplyTo ? { replyTo: normalizedReplyTo } : {})
         };
         try {
             const info = await this.server.storage.transport.sendMail(mailOptions);

package/dist/api/mailer.js

@@ -15,7 +15,7 @@ export class MailerAPI extends ApiModule {
         if (parsed) {
             return parsed.address;
         }
-        return null;
+        return undefined;
     }
     //
     // Validate a set of email addresses. Return arrays of invalid
@@ -51,6 +51,9 @@ export class MailerAPI extends ApiModule {
         if (!dbdomain) {
             throw new ApiError({ code: 401, message: `Unable to look up the domain ${domain}` });
         }
+        if (dbdomain.user_id !== user.user_id) {
+            throw new ApiError({ code: 403, message: `Domain ${domain} is not owned by this user` });
+        }
         apireq.domain = dbdomain;
         apireq.locale = locale || 'en';
         apireq.user = user;
@@ -85,7 +88,7 @@ export class MailerAPI extends ApiModule {
             const [templateRecord, created] = await api_txmail.upsert(data, {
                 returning: true
             });
-            console.log('Template upserted:', templateRecord.name, 'Created:', created);
+            this.server.storage.print_debug(`Template upserted: ${templateRecord.name} (created=${created})`);
         }
         catch (error) {
             throw new ApiError({
@@ -98,7 +101,7 @@ export class MailerAPI extends ApiModule {
     // Send a template using posted arguments.
     async post_send(apireq) {
         await this.assert_domain_and_user(apireq);
-        const { name, rcpt, domain = '', locale = '', vars = {} } = apireq.req.body;
+        const { name, rcpt, domain = '', locale = '', vars = {}, replyTo, reply_to, headers } = apireq.req.body;
         if (!name || !rcpt || !domain) {
             throw new ApiError({ code: 400, message: 'name/rcpt/domain required' });
         }
@@ -107,7 +110,7 @@ export class MailerAPI extends ApiModule {
             try {
                 parsedVars = JSON.parse(vars);
             }
-            catch (error) {
+            catch {
                 throw new ApiError({ code: 400, message: 'Invalid JSON provided in "vars"' });
             }
         }
@@ -118,7 +121,7 @@ export class MailerAPI extends ApiModule {
             throw new ApiError({ code: 400, message: 'Invalid email address(es): ' + invalid.join(',') });
         }
         let template = null;
-        const deflocale = apireq.server.store.deflocale || '';
+        const deflocale = this.server.storage.deflocale || '';
         const domain_id = apireq.domain.domain_id;
         try {
             template =
@@ -159,8 +162,29 @@ export class MailerAPI extends ApiModule {
         for (const file of rawFiles) {
             attachmentMap[file.fieldname] = file.originalname;
         }
-        console.log(JSON.stringify({ vars, thevars }, undefined, 2));
+        this.server.storage.print_debug(`Template vars: ${JSON.stringify({ vars, thevars }, undefined, 2)}`);
         const meta = buildRequestMeta(apireq.req);
+        const replyToValue = (replyTo || reply_to);
+        let normalizedReplyTo;
+        if (replyToValue) {
+            normalizedReplyTo = this.validateEmail(replyToValue);
+            if (!normalizedReplyTo) {
+                throw new ApiError({ code: 400, message: 'Invalid reply-to email address' });
+            }
+        }
+        let normalizedHeaders;
+        if (headers !== undefined) {
+            if (!headers || typeof headers !== 'object' || Array.isArray(headers)) {
+                throw new ApiError({ code: 400, message: 'headers must be a key/value object' });
+            }
+            normalizedHeaders = {};
+            for (const [key, value] of Object.entries(headers)) {
+                if (typeof value !== 'string') {
+                    throw new ApiError({ code: 400, message: `headers.${key} must be a string` });
+                }
+                normalizedHeaders[key] = value;
+            }
+        }
         try {
             const env = new nunjucks.Environment(null, { autoescape: false });
             const compiled = nunjucks.compile(template.template, env);
@@ -180,9 +204,11 @@ export class MailerAPI extends ApiModule {
                     subject: template.subject || apireq.req.body.subject || '',
                     html,
                     text,
-                    attachments
+                    attachments,
+                    ...(normalizedReplyTo ? { replyTo: normalizedReplyTo } : {}),
+                    ...(normalizedHeaders ? { headers: normalizedHeaders } : {})
                 };
-                await apireq.server.storage.transport.sendMail(sendargs);
+                await this.server.storage.transport.sendMail(sendargs);
             }
             return [200, { Status: 'OK', Message: 'Emails sent successfully' }];
         }

package/dist/index.js

@@ -12,6 +12,8 @@ function buildServerConfig(store, overrides) {
         uploadPath: env.UPLOAD_PATH,
         debug: env.DEBUG,
         apiBasePath: '',
+        swaggerEnabled: env.SWAGGER_ENABLED,
+        swaggerPath: env.SWAGGER_PATH,
         ...overrides
     };
 }

package/dist/models/form.js

@@ -128,6 +128,16 @@ export async function init_api_form(api_db) {
     });
     return api_form;
 }
+function assertSafeRelativePath(filename, label) {
+    const normalized = path.normalize(filename);
+    if (path.isAbsolute(normalized)) {
+        throw new Error(`${label} path must be relative`);
+    }
+    if (normalized.split(path.sep).includes('..')) {
+        throw new Error(`${label} path cannot include '..' segments`);
+    }
+    return normalized;
+}
 export async function upsert_form(record) {
     const { user, domain } = await user_and_domain(record.domain_id);
     const idname = normalizeSlug(user.idname);
@@ -150,7 +160,7 @@ export async function upsert_form(record) {
     if (!record.filename.endsWith('.njk')) {
         record.filename += '.njk';
     }
-    record.filename = path.normalize(record.filename);
+    record.filename = assertSafeRelativePath(record.filename, 'Form filename');
     let instance = null;
     instance = await api_form.findByPk(record.form_id);
     if (instance) {

package/dist/models/init.js

@@ -21,16 +21,17 @@ function resolveAsset(basePath, domainName, assetName) {
     if (!fs.existsSync(assetsRoot)) {
         return null;
     }
-    const resolvedRoot = path.resolve(assetsRoot);
+    const resolvedRoot = fs.realpathSync(assetsRoot);
     const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
     const candidate = path.resolve(assetsRoot, assetName);
-    if (!candidate.startsWith(normalizedRoot)) {
+    if (!fs.existsSync(candidate) || !fs.statSync(candidate).isFile()) {
         return null;
     }
-    if (fs.existsSync(candidate) && fs.statSync(candidate).isFile()) {
-        return candidate;
+    const realCandidate = fs.realpathSync(candidate);
+    if (!realCandidate.startsWith(normalizedRoot)) {
+        return null;
     }
-    return null;
+    return realCandidate;
 }
 function buildAssetUrl(baseUrl, route, domainName, assetPath) {
     const trimmedBase = baseUrl.endsWith('/') ? baseUrl.slice(0, -1) : baseUrl;
@@ -80,8 +81,10 @@ async function _load_template(store, filename, pathname, user, domain, locale, t
     if (filename.startsWith(prefix)) {
         relFile = filename.slice(prefix.length);
     }
-    const absPath = path.resolve(rootDir, pathname || '', relFile);
-    if (!absPath.startsWith(rootDir)) {
+    const resolvedRoot = path.resolve(rootDir);
+    const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
+    const absPath = path.resolve(resolvedRoot, pathname || '', relFile);
+    if (!absPath.startsWith(normalizedRoot)) {
         throw new Error(`Invalid template path "${filename}"`);
     }
     if (!fs.existsSync(absPath)) {