@yujinapp/yuemail 0.4.0

package/package.json

@@ -0,0 +1,66 @@
+{
+  "name": "@yujinapp/yuemail",
+  "version": "0.4.0",
+  "description": "Voice-first single-user email client. Dictate, sign, send. Local-only, BYOK encrypted vault.",
+  "license": "MIT",
+  "type": "module",
+  "engines": { "node": ">=18.0.0" },
+  "bin": { "yuemail": "./bin/yuemail.mjs" },
+  "main": "./server-dist/index.js",
+  "files": [
+    "bin/",
+    "dist/",
+    "server-dist/",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "dev:web": "vite",
+    "dev:server": "tsc -p tsconfig.server.json --watch",
+    "build:web": "vite build",
+    "build:server": "tsc -p tsconfig.server.json",
+    "build": "npm run build:web && npm run build:server",
+    "typecheck": "tsc --noEmit && tsc -p tsconfig.server.json --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "start": "node bin/yuemail.mjs start",
+    "prepublishOnly": "npm run typecheck && npm run test && npm run build"
+  },
+  "dependencies": {
+    "docx": "^8.5.0",
+    "express": "^4.19.2",
+    "imapflow": "^1.0.162",
+    "nodemailer": "^6.9.13",
+    "open": "^10.1.0"
+  },
+  "devDependencies": {
+    "@types/express": "^4.17.21",
+    "@types/node": "^20.12.7",
+    "@types/nodemailer": "^6.4.14",
+    "@types/react": "^18.3.3",
+    "@types/react-dom": "^18.3.0",
+    "@vitejs/plugin-react": "^4.3.1",
+    "react": "^18.3.1",
+    "react-dom": "^18.3.1",
+    "typescript": "^5.4.5",
+    "vite": "^5.2.11",
+    "vitest": "^1.6.0"
+  },
+  "keywords": [
+    "email",
+    "voice",
+    "accessibility",
+    "a11y",
+    "dictation",
+    "byok",
+    "local-only",
+    "yujin"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/yujinapp/yuemail-v3.git"
+  }
+}

package/server-dist/autoconfig.js

@@ -0,0 +1,228 @@
+/**
+ * Email server autoconfiguration (F10).
+ *
+ * Given just an email address, resolve IMAP + SMTP settings in three
+ * tiers (first hit wins):
+ *
+ *   1. known    -- built-in table of major providers (Gmail, Outlook,
+ *                  Yahoo, iCloud, ...). Instant, offline, includes the
+ *                  app-password caveat each provider imposes.
+ *   2. ispdb    -- Mozilla Thunderbird autoconfig database
+ *                  (autoconfig.thunderbird.net). Covers thousands of
+ *                  smaller ISPs. Network fetch with a 6s timeout.
+ *   3. guess    -- convention fallback: imap.<domain>:993 (SSL) +
+ *                  smtp.<domain>:587 (STARTTLS), flagged as a guess so
+ *                  the UI tells the user to run the connection test.
+ *
+ * Providers with no public IMAP/SMTP (Proton without Bridge, Tuta) are
+ * reported as unsupported with a human explanation instead of a guess
+ * that can never work.
+ *
+ * The `secure` flag follows the vault convention: true = direct TLS
+ * (993/465), false = plaintext upgrade via STARTTLS (143/587).
+ *
+ * ASCII-only.
+ */
+const KNOWN_PROVIDERS = [
+    {
+        label: 'Gmail',
+        domains: ['gmail.com', 'googlemail.com'],
+        imap: { host: 'imap.gmail.com', port: 993, secure: true },
+        smtp: { host: 'smtp.gmail.com', port: 465, secure: true },
+        note: 'Gmail requiere una App Password: activa la verificacion en dos pasos en tu cuenta Google y genera una en myaccount.google.com/apppasswords. Tu contrasena normal no funciona.',
+    },
+    {
+        label: 'Outlook / Hotmail',
+        domains: ['outlook.com', 'outlook.es', 'hotmail.com', 'hotmail.es', 'live.com', 'msn.com'],
+        imap: { host: 'outlook.office365.com', port: 993, secure: true },
+        smtp: { host: 'smtp-mail.outlook.com', port: 587, secure: false },
+        note: 'Microsoft puede exigir una contrasena de aplicacion segun la configuracion de seguridad de la cuenta. Ademas esta migrando las cuentas personales a autenticacion moderna (OAuth): si el login con contrasena falla aunque sea correcta, es probable que tu cuenta ya no acepte IMAP con contrasena basica.',
+    },
+    {
+        label: 'Yahoo',
+        domains: ['yahoo.com', 'yahoo.es', 'yahoo.com.ar', 'yahoo.com.mx', 'ymail.com'],
+        imap: { host: 'imap.mail.yahoo.com', port: 993, secure: true },
+        smtp: { host: 'smtp.mail.yahoo.com', port: 465, secure: true },
+        note: 'Yahoo requiere una App Password generada en la seccion de seguridad de la cuenta.',
+    },
+    {
+        label: 'iCloud',
+        domains: ['icloud.com', 'me.com', 'mac.com'],
+        imap: { host: 'imap.mail.me.com', port: 993, secure: true },
+        smtp: { host: 'smtp.mail.me.com', port: 587, secure: false },
+        note: 'iCloud requiere una contrasena especifica de app, generada en appleid.apple.com.',
+    },
+    {
+        label: 'AOL',
+        domains: ['aol.com'],
+        imap: { host: 'imap.aol.com', port: 993, secure: true },
+        smtp: { host: 'smtp.aol.com', port: 465, secure: true },
+        note: 'AOL requiere una App Password generada en la seguridad de la cuenta.',
+    },
+    {
+        label: 'GMX',
+        domains: ['gmx.com'],
+        imap: { host: 'imap.gmx.com', port: 993, secure: true },
+        smtp: { host: 'mail.gmx.com', port: 587, secure: false },
+        note: 'GMX trae IMAP desactivado por defecto: activalo primero en la web de GMX (Configuracion > POP3/IMAP > permitir acceso IMAP) o el login va a fallar.',
+    },
+    {
+        label: 'GMX',
+        domains: ['gmx.net', 'gmx.de'],
+        imap: { host: 'imap.gmx.net', port: 993, secure: true },
+        smtp: { host: 'mail.gmx.net', port: 587, secure: false },
+        note: 'GMX trae IMAP desactivado por defecto: activalo primero en la web de GMX (Configuracion > POP3/IMAP > permitir acceso IMAP) o el login va a fallar.',
+    },
+    {
+        label: 'Zoho',
+        domains: ['zoho.com', 'zohomail.com'],
+        imap: { host: 'imap.zoho.com', port: 993, secure: true },
+        smtp: { host: 'smtp.zoho.com', port: 465, secure: true },
+        note: 'Zoho requiere activar IMAP en Mail Settings y, si tenes verificacion en dos pasos, una contrasena de aplicacion generada en la seccion de seguridad de la cuenta.',
+    },
+    {
+        label: 'Fastmail',
+        domains: ['fastmail.com', 'fastmail.fm'],
+        imap: { host: 'imap.fastmail.com', port: 993, secure: true },
+        smtp: { host: 'smtp.fastmail.com', port: 465, secure: true },
+        note: 'Fastmail requiere una contrasena de app para clientes IMAP.',
+    },
+    {
+        label: 'Yandex',
+        domains: ['yandex.com', 'yandex.ru'],
+        imap: { host: 'imap.yandex.com', port: 993, secure: true },
+        smtp: { host: 'smtp.yandex.com', port: 465, secure: true },
+        note: 'Yandex requiere una contrasena de aplicacion (creala en id.yandex.com, seccion de contrasenas de aplicacion) y tener IMAP habilitado en la configuracion del correo.',
+    },
+];
+/* Providers that do not expose IMAP/SMTP at all -- a convention guess
+ * would never connect, so fail with an explanation instead. */
+const UNSUPPORTED_DOMAINS = {
+    'proton.me': 'Proton Mail no expone IMAP/SMTP directo. Necesitas instalar Proton Mail Bridge y cargar a mano los datos locales que el Bridge te muestra.',
+    'protonmail.com': 'Proton Mail no expone IMAP/SMTP directo. Necesitas instalar Proton Mail Bridge y cargar a mano los datos locales que el Bridge te muestra.',
+    'tuta.com': 'Tuta (Tutanota) no ofrece IMAP/SMTP, no se puede usar con Yuemail.',
+    'tutanota.com': 'Tuta (Tutanota) no ofrece IMAP/SMTP, no se puede usar con Yuemail.',
+};
+export function lookupKnownProvider(domain) {
+    const d = domain.toLowerCase();
+    return KNOWN_PROVIDERS.find((p) => p.domains.includes(d));
+}
+export function guessByConvention(domain) {
+    return {
+        imap: { host: 'imap.' + domain, port: 993, secure: true },
+        smtp: { host: 'smtp.' + domain, port: 587, secure: false },
+    };
+}
+/* --- ISPDB (Thunderbird autoconfig) XML parsing ----------------------
+ * The format is stable and flat; a tag-scoped regex extraction keeps us
+ * dependency-free. We only need the first imap incomingServer and the
+ * first smtp outgoingServer. */
+function firstBlock(xml, tag, type) {
+    const re = new RegExp('<' + tag + '[^>]*type="' + type + '"[\\s\\S]*?</' + tag + '>');
+    const m = xml.match(re);
+    return m ? m[0] : undefined;
+}
+function tagValue(block, tag) {
+    const m = block.match(new RegExp('<' + tag + '>([^<]*)</' + tag + '>'));
+    return m && m[1] !== undefined ? m[1].trim() : undefined;
+}
+function socketTypeToSecure(socketType) {
+    /* SSL = direct TLS. STARTTLS / plain = not direct TLS. */
+    return (socketType ?? '').toUpperCase() === 'SSL';
+}
+function substituteUsername(template, email) {
+    if (!template || template.length === 0)
+        return email;
+    const at = email.lastIndexOf('@');
+    const localPart = at > 0 ? email.slice(0, at) : email;
+    return template
+        .replace(/%EMAILADDRESS%/g, email)
+        .replace(/%EMAILLOCALPART%/g, localPart);
+}
+export function parseIspdbXml(xml, email) {
+    const inc = firstBlock(xml, 'incomingServer', 'imap');
+    const out = firstBlock(xml, 'outgoingServer', 'smtp');
+    if (!inc || !out)
+        return undefined;
+    const imapHost = tagValue(inc, 'hostname');
+    const imapPort = Number(tagValue(inc, 'port'));
+    const smtpHost = tagValue(out, 'hostname');
+    const smtpPort = Number(tagValue(out, 'port'));
+    if (!imapHost || !smtpHost || !Number.isFinite(imapPort) || !Number.isFinite(smtpPort)) {
+        return undefined;
+    }
+    const result = {
+        ok: true,
+        source: 'ispdb',
+        username: substituteUsername(tagValue(inc, 'username'), email),
+        imap: { host: imapHost, port: imapPort, secure: socketTypeToSecure(tagValue(inc, 'socketType')) },
+        smtp: { host: smtpHost, port: smtpPort, secure: socketTypeToSecure(tagValue(out, 'socketType')) },
+    };
+    const label = tagValue(xml, 'displayShortName');
+    if (label)
+        result.provider = label;
+    return result;
+}
+const ISPDB_BASE = 'https://autoconfig.thunderbird.net/v1.1/';
+const ISPDB_TIMEOUT_MS = 6000;
+/**
+ * Resolve IMAP + SMTP configuration for an email address.
+ * `fetchImpl` is injectable so tests never hit the network.
+ */
+export async function autoconfigure(email, fetchImpl = fetch) {
+    const trimmed = email.trim().toLowerCase();
+    const at = trimmed.lastIndexOf('@');
+    if (at <= 0 || at === trimmed.length - 1 || !trimmed.slice(at + 1).includes('.')) {
+        return { ok: false, error: 'Direccion de correo invalida: ' + email };
+    }
+    const domain = trimmed.slice(at + 1);
+    const unsupported = UNSUPPORTED_DOMAINS[domain];
+    if (unsupported)
+        return { ok: false, error: unsupported };
+    /* Tier 1: built-in provider table. */
+    const known = lookupKnownProvider(domain);
+    if (known) {
+        const result = {
+            ok: true,
+            source: 'known',
+            provider: known.label,
+            username: trimmed,
+            imap: known.imap,
+            smtp: known.smtp,
+        };
+        if (known.note)
+            result.note = known.note;
+        return result;
+    }
+    /* Tier 2: Mozilla ISPDB. Any failure (offline, 404, malformed XML)
+     * falls through to the convention guess. */
+    try {
+        const ctrl = new AbortController();
+        const timer = setTimeout(() => ctrl.abort(), ISPDB_TIMEOUT_MS);
+        try {
+            const res = await fetchImpl(ISPDB_BASE + encodeURIComponent(domain), { signal: ctrl.signal });
+            if (res.ok) {
+                const xml = await res.text();
+                const parsed = parseIspdbXml(xml, trimmed);
+                if (parsed)
+                    return parsed;
+            }
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    catch {
+        /* network unavailable -- fall through */
+    }
+    /* Tier 3: convention guess. */
+    const guess = guessByConvention(domain);
+    return {
+        ok: true,
+        source: 'guess',
+        username: trimmed,
+        imap: guess.imap,
+        smtp: guess.smtp,
+        note: 'Servidores estimados por convencion (imap./smtp. + dominio). Usa Probar conexion; si falla, consulta los datos exactos con tu proveedor.',
+    };
+}

package/server-dist/documents.js

@@ -0,0 +1,89 @@
+/**
+ * Yuemail document store (F3 / F13).
+ *
+ * Documents persist as JSON under ~/.yuemail/documents/<id>.json. No DB,
+ * no user table, single-user. The store is process-local; callers are
+ * responsible for serialising writes per document id.
+ *
+ * ASCII-only.
+ */
+import { promises as fs, existsSync, mkdirSync } from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import { randomBytes } from 'node:crypto';
+function homeDir() {
+    const env = process.env['YUEMAIL_HOME'];
+    return env ? path.resolve(env) : path.join(os.homedir(), '.yuemail');
+}
+function docsRoot() { return path.join(homeDir(), 'documents'); }
+function ensureDocsDir() {
+    const d = docsRoot();
+    if (!existsSync(d)) {
+        mkdirSync(d, { recursive: true, mode: 0o700 });
+    }
+}
+function newId() {
+    return 'doc-' + randomBytes(6).toString('hex');
+}
+function nowIso() {
+    return new Date().toISOString();
+}
+export async function listDocuments() {
+    ensureDocsDir();
+    const files = (await fs.readdir(docsRoot())).filter((f) => f.endsWith('.json'));
+    const out = [];
+    for (const f of files) {
+        try {
+            const raw = await fs.readFile(path.join(docsRoot(), f), 'utf-8');
+            const d = JSON.parse(raw);
+            out.push({ id: d.id, title: d.title, updated_at: d.updated_at });
+        }
+        catch { /* skip corrupt */ }
+    }
+    out.sort((a, b) => b.updated_at.localeCompare(a.updated_at));
+    return out;
+}
+export async function getDocument(id) {
+    ensureDocsDir();
+    const p = path.join(docsRoot(), id + '.json');
+    if (!existsSync(p))
+        return undefined;
+    const raw = await fs.readFile(p, 'utf-8');
+    return JSON.parse(raw);
+}
+export async function createDocument(input) {
+    ensureDocsDir();
+    const doc = {
+        id: newId(),
+        title: input.title ?? '',
+        blocks: input.blocks ?? [],
+        created_at: nowIso(),
+        updated_at: nowIso(),
+    };
+    await fs.writeFile(path.join(docsRoot(), doc.id + '.json'), JSON.stringify(doc, null, 2), { mode: 0o600 });
+    return doc;
+}
+export async function updateDocument(id, patch) {
+    const existing = await getDocument(id);
+    if (!existing)
+        return undefined;
+    const next = {
+        ...existing,
+        title: patch.title ?? existing.title,
+        blocks: patch.blocks ?? existing.blocks,
+        updated_at: nowIso(),
+    };
+    await fs.writeFile(path.join(docsRoot(), id + '.json'), JSON.stringify(next, null, 2), { mode: 0o600 });
+    return next;
+}
+export async function deleteDocument(id) {
+    const p = path.join(docsRoot(), id + '.json');
+    if (!existsSync(p))
+        return false;
+    await fs.unlink(p);
+    return true;
+}
+export function docsDir() {
+    return docsRoot();
+}
+/* Backwards-compatible alias for an inadvertent reference. */

package/server-dist/docx-builder.js

@@ -0,0 +1,46 @@
+/**
+ * Yuemail .docx generator (F5 / acceptance #7).
+ *
+ * Converts a document JSON (title + ordered blocks of paragraph or
+ * signature image) into a real Office Open XML buffer using the
+ * `docx` library. The buffer's first two bytes are always `PK`
+ * (ZIP magic) because .docx is a ZIP container.
+ *
+ * Never persisted as a separate file -- rebuilt from JSON on demand.
+ *
+ * ASCII-only.
+ */
+import { Document, Packer, Paragraph, TextRun, HeadingLevel, ImageRun, } from 'docx';
+export async function renderDocx(doc) {
+    const children = [];
+    children.push(new Paragraph({
+        heading: HeadingLevel.HEADING_1,
+        children: [new TextRun({ text: doc.title || 'Documento', bold: true })],
+    }));
+    for (const block of doc.blocks) {
+        if (block.type === 'paragraph') {
+            children.push(new Paragraph({
+                children: [new TextRun({ text: block.text })],
+            }));
+        }
+        else if (block.type === 'signature_image') {
+            const png = Buffer.from(block.png_b64, 'base64');
+            children.push(new Paragraph({
+                children: [
+                    new ImageRun({
+                        data: png,
+                        transformation: { width: 200, height: 80 },
+                    }),
+                ],
+            }));
+        }
+    }
+    const docxDoc = new Document({
+        sections: [{ properties: {}, children }],
+    });
+    return Packer.toBuffer(docxDoc);
+}
+/** Sanity helper for tests + the /api/document/:id/docx endpoint. */
+export function isDocxBuffer(buf) {
+    return buf.length >= 2 && buf[0] === 0x50 && buf[1] === 0x4b; /* "PK" */
+}

package/server-dist/index.js

@@ -0,0 +1,82 @@
+/**
+ * Yuemail HTTP server.
+ *
+ * Express 4. Binds 127.0.0.1:5180 (loopback only -- never LAN, never
+ * external interface). Mounts:
+ *   /api/health
+ *   /api/vault/*       (BYOK -- read key names + statuses; write set/delete)
+ *   /api/documents/*   (CRUD + .docx render on demand)
+ *   /api/signature/*   (PNG read/write/delete)
+ *   /api/email/send    (POST -- rejects when SMTP unconfigured)
+ *   /api/email/autoconfig (GET -- IMAP/SMTP discovery from the address)
+ *   /api/email/verify  (POST -- live IMAP/SMTP connection test)
+ *   /api/inbox/list    (GET  -- imapflow last N envelopes)
+ *   /*                 (static SPA from dist/, when present)
+ *
+ * ASCII-only.
+ */
+import express from 'express';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { existsSync } from 'node:fs';
+import { registerVaultRoutes } from './routes/vault.js';
+import { registerDocumentsRoutes } from './routes/documents.js';
+import { registerSignatureRoutes } from './routes/signature.js';
+import { registerEmailRoutes } from './routes/email.js';
+import { registerInboxRoutes } from './routes/inbox.js';
+import { registerSettingsRoutes } from './routes/settings.js';
+export const HOST = '127.0.0.1';
+export const PORT = 5180;
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+export function buildApp(opts = {}) {
+    const app = express();
+    app.use(express.json({ limit: '10mb' }));
+    app.get('/api/health', (_req, res) => {
+        res.json({ ok: true, version: '0.3.0' });
+    });
+    registerVaultRoutes(app);
+    registerDocumentsRoutes(app);
+    registerSignatureRoutes(app);
+    registerEmailRoutes(app);
+    registerInboxRoutes(app);
+    registerSettingsRoutes(app);
+    /* Static SPA -- present in production builds, absent in dev. */
+    const staticRoot = opts.staticRoot ?? path.resolve(__dirname, '..', 'dist');
+    if (existsSync(staticRoot)) {
+        app.use(express.static(staticRoot));
+        app.get('*', (_req, res) => {
+            res.sendFile(path.join(staticRoot, 'index.html'));
+        });
+    }
+    /* Error fallback. Keeps the response shape stable for the SPA. */
+    app.use((err, _req, res, _next) => {
+        const message = err instanceof Error ? err.message : String(err);
+        res.status(500).json({ ok: false, error: message });
+    });
+    return app;
+}
+export async function startServer(opts = {}) {
+    const app = buildApp(opts);
+    return await new Promise((resolve, reject) => {
+        const server = app.listen(PORT, HOST, () => {
+            const url = 'http://' + HOST + ':' + PORT;
+            resolve({
+                url,
+                close: () => new Promise((r) => { server.close(() => r()); }),
+            });
+        });
+        server.on('error', reject);
+    });
+}
+/* Direct-run entry: `node server-dist/index.js`. */
+const isDirectRun = process.argv[1] !== undefined &&
+    path.resolve(process.argv[1]) === __filename;
+if (isDirectRun) {
+    startServer().then((s) => {
+        process.stdout.write('Yuemail server listening at ' + s.url + '\n');
+    }).catch((err) => {
+        process.stderr.write('Failed to start: ' + (err instanceof Error ? err.message : String(err)) + '\n');
+        process.exitCode = 1;
+    });
+}

package/server-dist/routes/documents.js

@@ -0,0 +1,56 @@
+import { listDocuments, getDocument, createDocument, updateDocument, deleteDocument, } from '../documents.js';
+import { renderDocx } from '../docx-builder.js';
+export function registerDocumentsRoutes(app) {
+    app.get('/api/documents', async (_req, res) => {
+        const docs = await listDocuments();
+        res.json({ ok: true, documents: docs });
+    });
+    app.get('/api/documents/:id', async (req, res) => {
+        const id = req.params['id'] ?? '';
+        const doc = await getDocument(id);
+        if (!doc) {
+            res.status(404).json({ ok: false, error: 'not found' });
+            return;
+        }
+        res.json({ ok: true, document: doc });
+    });
+    app.post('/api/documents', async (req, res) => {
+        const body = req.body;
+        const title = typeof body?.title === 'string' ? body.title : '';
+        const blocks = Array.isArray(body?.blocks) ? body.blocks : [];
+        const doc = await createDocument({ title, blocks });
+        res.status(201).json({ ok: true, document: doc });
+    });
+    app.put('/api/documents/:id', async (req, res) => {
+        const id = req.params['id'] ?? '';
+        const body = req.body;
+        const patch = {};
+        if (typeof body?.title === 'string')
+            patch.title = body.title;
+        if (Array.isArray(body?.blocks))
+            patch.blocks = body.blocks;
+        const updated = await updateDocument(id, patch);
+        if (!updated) {
+            res.status(404).json({ ok: false, error: 'not found' });
+            return;
+        }
+        res.json({ ok: true, document: updated });
+    });
+    app.delete('/api/documents/:id', async (req, res) => {
+        const id = req.params['id'] ?? '';
+        const ok = await deleteDocument(id);
+        res.status(ok ? 204 : 404).end();
+    });
+    app.get('/api/documents/:id/docx', async (req, res) => {
+        const id = req.params['id'] ?? '';
+        const doc = await getDocument(id);
+        if (!doc) {
+            res.status(404).json({ ok: false, error: 'not found' });
+            return;
+        }
+        const buf = await renderDocx(doc);
+        res.setHeader('Content-Type', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document');
+        res.setHeader('Content-Disposition', 'attachment; filename="' + (doc.title || 'documento') + '.docx"');
+        res.send(buf);
+    });
+}

package/server-dist/routes/email.js

@@ -0,0 +1,109 @@
+import nodemailer from 'nodemailer';
+import { getCategoryStatus, getKey } from '../vault.js';
+import { getDocument } from '../documents.js';
+import { renderDocx } from '../docx-builder.js';
+function isValidEmail(s) {
+    return /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(s);
+}
+function parseRecipients(raw) {
+    const tokens = raw.split(',').map((t) => t.trim()).filter((t) => t.length > 0);
+    const ok = [];
+    const bad = [];
+    for (const t of tokens) {
+        if (isValidEmail(t))
+            ok.push(t.toLowerCase());
+        else
+            bad.push(t);
+    }
+    return { ok, bad };
+}
+export function registerEmailRoutes(app) {
+    app.post('/api/email/send', async (req, res) => {
+        /* 1. Gate on SMTP configuration (acceptance #4). */
+        const status = await getCategoryStatus();
+        if (!status.smtp.configured) {
+            res.status(400).json({
+                ok: false,
+                error: 'SMTP not configured. Run `yuemail vault setup` to configure your SMTP server before sending.',
+                missing: status.smtp.missing,
+            });
+            return;
+        }
+        /* 2. Validate body. */
+        const body = req.body;
+        const to = typeof body?.to === 'string' ? body.to : '';
+        const subject = typeof body?.subject === 'string' ? body.subject : '';
+        const bodyText = typeof body?.body_text === 'string' ? body.body_text : '';
+        const attachId = typeof body?.attach_document_id === 'string' ? body.attach_document_id : '';
+        const { ok: validTo, bad: badTo } = parseRecipients(to);
+        if (validTo.length === 0) {
+            res.status(400).json({
+                ok: false,
+                error: badTo.length > 0
+                    ? 'No valid recipients. Invalid entries: ' + badTo.join(', ')
+                    : 'No recipients provided.',
+            });
+            return;
+        }
+        /* 3. Build transport from vault. */
+        const host = await getKey('smtp.host');
+        const portStr = await getKey('smtp.port');
+        const user = await getKey('smtp.user');
+        const pass = await getKey('smtp.pass');
+        const secStr = await getKey('smtp.secure');
+        const from = await getKey('identity.from');
+        const name = await getKey('identity.name');
+        if (!host || !portStr || !user || !pass || !from) {
+            res.status(400).json({ ok: false, error: 'SMTP not configured (missing decrypted credential)' });
+            return;
+        }
+        const port = Number(portStr);
+        if (!Number.isFinite(port) || port <= 0) {
+            res.status(400).json({ ok: false, error: 'smtp.port is not a positive integer' });
+            return;
+        }
+        const secure = (secStr ?? '').toLowerCase() === 'true' || port === 465;
+        /* 4. Render attachment (when requested). */
+        const attachments = [];
+        if (attachId.length > 0) {
+            const doc = await getDocument(attachId);
+            if (!doc) {
+                res.status(404).json({ ok: false, error: 'attach_document_id not found' });
+                return;
+            }
+            const buf = await renderDocx(doc);
+            attachments.push({
+                filename: (doc.title || 'documento') + '.docx',
+                content: buf,
+                contentType: 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+            });
+        }
+        /* 5. Send. */
+        try {
+            const transporter = nodemailer.createTransport({
+                host,
+                port,
+                secure,
+                auth: { user, pass },
+            });
+            const fromHeader = name && name.length > 0 ? '"' + name + '" <' + from + '>' : from;
+            const info = await transporter.sendMail({
+                from: fromHeader,
+                to: validTo.join(', '),
+                subject: subject.length > 0 ? subject : '(sin asunto)',
+                text: bodyText.length > 0 ? bodyText : 'Adjunto el documento.',
+                attachments,
+            });
+            res.json({
+                ok: true,
+                message_id: info.messageId,
+                accepted: info.accepted,
+                rejected: info.rejected,
+            });
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            res.status(500).json({ ok: false, error: 'SMTP send failed: ' + message });
+        }
+    });
+}