npm - apple-mail-mcp - Versions diffs - 1.2.0 → 1.2.1 - Mend

apple-mail-mcp 1.2.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md +21 -14
package/build/index.js +38 -19
package/build/services/appleMailManager.d.ts.map +1 -1
package/build/services/appleMailManager.js +33 -13
package/package.json +3 -1

package/README.md CHANGED Viewed

@@ -191,7 +191,7 @@ Send a new email immediately.
 | `cc` | string[] | No | CC recipients |
 | `bcc` | string[] | No | BCC recipients |
 | `account` | string | No | Send from specific account |
-| `attachments` | string[] | No | Absolute file paths to attach (e.g., `["/Users/me/report.pdf"]`) |
+| `attachments` | string[] | No | Absolute file paths to attach, max 20 files (e.g., `["/Users/me/report.pdf"]`) |
 **Example:**
 ```json
@@ -212,11 +212,11 @@ Send individual personalized emails to a list of recipients (mail merge). Each r
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
-| `recipients` | object[] | Yes | List of recipients (see below) |
+| `recipients` | object[] | Yes | List of recipients, max 100 (see below) |
 | `subject` | string | Yes | Email subject — use `{{Key}}` for placeholders |
 | `body` | string | Yes | Email body — use `{{Key}}` for placeholders |
 | `account` | string | No | Send from specific account |
-| `delayMs` | number | No | Delay between sends in ms (default: 500) |
+| `delayMs` | number | No | Delay between sends in ms (default: 500, max 10000) |
 Each recipient object:
@@ -253,7 +253,7 @@ Save an email to Drafts without sending.
 | `cc` | string[] | No | CC recipients |
 | `bcc` | string[] | No | BCC recipients |
 | `account` | string | No | Account for draft |
-| `attachments` | string[] | No | Absolute file paths to attach |
+| `attachments` | string[] | No | Absolute file paths to attach, max 20 files |
 **Returns:** Confirmation that draft was created.
@@ -371,19 +371,19 @@ Save a message attachment to disk.
 ### Batch Operations
-All batch operations accept an array of message IDs and return per-item success/failure results.
+All batch operations accept an array of message IDs (max 100 per batch) and return per-item success/failure results.
 #### `batch-delete-messages`
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
-| `ids` | string[] | Yes | Message IDs to delete |
+| `ids` | string[] | Yes | Message IDs to delete (max 100) |
 #### `batch-move-messages`
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
-| `ids` | string[] | Yes | Message IDs to move |
+| `ids` | string[] | Yes | Message IDs to move (max 100) |
 | `mailbox` | string | Yes | Destination mailbox |
 | `account` | string | No | Account containing mailbox |
@@ -391,13 +391,13 @@ All batch operations accept an array of message IDs and return per-item success/
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
-| `ids` | string[] | Yes | Message IDs |
+| `ids` | string[] | Yes | Message IDs (max 100) |
 #### `batch-flag-messages` / `batch-unflag-messages`
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
-| `ids` | string[] | Yes | Message IDs |
+| `ids` | string[] | Yes | Message IDs (max 100) |
 ---
@@ -718,6 +718,11 @@ If installed from source, use this configuration:
 | Attachments require absolute paths | File attachments must use full absolute paths (e.g., `/Users/me/file.pdf`) |
 | No smart mailboxes | Cannot access Smart Mailboxes via AppleScript |
 | In-memory templates | Email templates are not persisted across server restarts |
+| Numeric-only message IDs | Message IDs must contain only digits (validated by schema) |
+| Batch size cap | Batch operations are limited to 100 messages per request |
+| Date filter format | Date filters accept alphanumeric characters and safe punctuation only |
+| Attachment save path restrictions | `save-attachment` only allows saving to home directory, `/tmp`, `/private/tmp`, and `/Volumes`; path traversal is blocked |
+| Attachment count limit | `send-email` and `create-draft` accept a maximum of 20 file attachments |
 ### Backslash Escaping (Important for AI Agents)
@@ -776,11 +781,13 @@ The `\\\\` in JSON becomes `\\` in the actual string, which represents a single
 ## Development
 ```bash
-npm install      # Install dependencies
-npm run build    # Compile TypeScript
-npm test         # Run test suite (28 tests)
-npm run lint     # Check code style
-npm run format   # Format code
+npm install            # Install dependencies
+npm run build          # Compile TypeScript
+npm test               # Run unit tests
+npm run test:integration  # Run integration tests (requires Mail.app)
+npm run test:all       # Run all tests (unit + integration)
+npm run lint           # Check code style
+npm run format         # Format code
 ```
 ---

package/build/index.js CHANGED Viewed

@@ -24,6 +24,23 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { AppleMailManager } from "./services/appleMailManager.js";
+// =============================================================================
+// Shared Validation Schemas
+// =============================================================================
+/** Message IDs in Apple Mail are always numeric. Enforce this at the schema level
+ *  to prevent AppleScript injection via the `whose id is ${id}` interpolation. */
+const MESSAGE_ID_SCHEMA = z.string().regex(/^\d+$/, "Message ID must be numeric");
+/** Batch operations are capped to prevent unbounded loops / DoS. */
+const BATCH_IDS_SCHEMA = z
+    .array(MESSAGE_ID_SCHEMA)
+    .min(1, "At least one message ID is required")
+    .max(100, "Cannot process more than 100 messages in a single batch");
+/** Date filter strings must look like natural-language dates (e.g. "March 1, 2026").
+ *  Block characters that could escape an AppleScript `date "..."` literal. */
+const DATE_FILTER_SCHEMA = z
+    .string()
+    .regex(/^[a-zA-Z0-9 ,/\-:]+$/, "Date must contain only alphanumeric characters, spaces, commas, slashes, hyphens, and colons")
+    .optional();
 // Read version from package.json to keep it in sync
 const require = createRequire(import.meta.url);
 const { version } = require("../package.json");
@@ -89,8 +106,8 @@ server.tool("search-messages", {
     account: z.string().optional().describe("Account to search in (omit to search all accounts)"),
     isRead: z.boolean().optional().describe("Filter by read status"),
     isFlagged: z.boolean().optional().describe("Filter by flagged status"),
-    dateFrom: z.string().optional().describe("Start date filter (e.g., 'January 1, 2026')"),
-    dateTo: z.string().optional().describe("End date filter (e.g., 'March 1, 2026')"),
+    dateFrom: DATE_FILTER_SCHEMA.describe("Start date filter (e.g., 'January 1, 2026')"),
+    dateTo: DATE_FILTER_SCHEMA.describe("End date filter (e.g., 'March 1, 2026')"),
     limit: z.number().optional().describe("Maximum number of results (default: 50)"),
 }, withErrorHandling(({ query, mailbox, account, limit = 50, dateFrom, dateTo }) => {
     const messages = mailManager.searchMessages(query, mailbox, account, limit, dateFrom, dateTo);
@@ -104,7 +121,7 @@ server.tool("search-messages", {
 }, "Error searching messages"));
 // --- get-message ---
 server.tool("get-message", {
-    id: z.string().min(1, "Message ID is required"),
+    id: MESSAGE_ID_SCHEMA,
     preferHtml: z.boolean().optional().describe("Return HTML source instead of plain text"),
 }, withErrorHandling(({ id, preferHtml }) => {
     const content = mailManager.getMessageContent(id);
@@ -144,6 +161,7 @@ server.tool("send-email", {
     account: z.string().optional().describe("Account to send from"),
     attachments: z
         .array(z.string())
+        .max(20, "Cannot attach more than 20 files")
         .optional()
         .describe("Absolute file paths to attach (e.g., ['/Users/me/report.pdf'])"),
 }, withErrorHandling(({ to, subject, body, cc, bcc, account, attachments }) => {
@@ -208,6 +226,7 @@ server.tool("create-draft", {
     account: z.string().optional().describe("Account to create draft in"),
     attachments: z
         .array(z.string())
+        .max(20, "Cannot attach more than 20 files")
         .optional()
         .describe("Absolute file paths to attach (e.g., ['/Users/me/report.pdf'])"),
 }, withErrorHandling(({ to, subject, body, cc, bcc, account, attachments }) => {
@@ -220,7 +239,7 @@ server.tool("create-draft", {
 }, "Error creating draft"));
 // --- reply-to-message ---
 server.tool("reply-to-message", {
-    id: z.string().min(1, "Message ID is required"),
+    id: MESSAGE_ID_SCHEMA,
     body: z.string().min(1, "Reply body is required"),
     replyAll: z.boolean().optional().default(false).describe("Reply to all recipients"),
     send: z.boolean().optional().default(true).describe("Send immediately (false = save as draft)"),
@@ -233,7 +252,7 @@ server.tool("reply-to-message", {
 }, "Error replying to message"));
 // --- forward-message ---
 server.tool("forward-message", {
-    id: z.string().min(1, "Message ID is required"),
+    id: MESSAGE_ID_SCHEMA,
     to: z.array(z.string()).min(1, "At least one recipient is required"),
     body: z.string().optional().describe("Optional message to prepend"),
     send: z.boolean().optional().default(true).describe("Send immediately (false = save as draft)"),
@@ -246,7 +265,7 @@ server.tool("forward-message", {
 }, "Error forwarding message"));
 // --- mark-as-read ---
 server.tool("mark-as-read", {
-    id: z.string().min(1, "Message ID is required"),
+    id: MESSAGE_ID_SCHEMA,
 }, withErrorHandling(({ id }) => {
     const success = mailManager.markAsRead(id);
     if (!success) {
@@ -256,7 +275,7 @@ server.tool("mark-as-read", {
 }, "Error marking message as read"));
 // --- mark-as-unread ---
 server.tool("mark-as-unread", {
-    id: z.string().min(1, "Message ID is required"),
+    id: MESSAGE_ID_SCHEMA,
 }, withErrorHandling(({ id }) => {
     const success = mailManager.markAsUnread(id);
     if (!success) {
@@ -266,7 +285,7 @@ server.tool("mark-as-unread", {
 }, "Error marking message as unread"));
 // --- flag-message ---
 server.tool("flag-message", {
-    id: z.string().min(1, "Message ID is required"),
+    id: MESSAGE_ID_SCHEMA,
 }, withErrorHandling(({ id }) => {
     const success = mailManager.flagMessage(id);
     if (!success) {
@@ -276,7 +295,7 @@ server.tool("flag-message", {
 }, "Error flagging message"));
 // --- unflag-message ---
 server.tool("unflag-message", {
-    id: z.string().min(1, "Message ID is required"),
+    id: MESSAGE_ID_SCHEMA,
 }, withErrorHandling(({ id }) => {
     const success = mailManager.unflagMessage(id);
     if (!success) {
@@ -286,7 +305,7 @@ server.tool("unflag-message", {
 }, "Error unflagging message"));
 // --- delete-message ---
 server.tool("delete-message", {
-    id: z.string().min(1, "Message ID is required"),
+    id: MESSAGE_ID_SCHEMA,
 }, withErrorHandling(({ id }) => {
     const success = mailManager.deleteMessage(id);
     if (!success) {
@@ -296,7 +315,7 @@ server.tool("delete-message", {
 }, "Error deleting message"));
 // --- move-message ---
 server.tool("move-message", {
-    id: z.string().min(1, "Message ID is required"),
+    id: MESSAGE_ID_SCHEMA,
     mailbox: z.string().min(1, "Destination mailbox is required"),
     account: z.string().optional().describe("Account containing the destination mailbox"),
 }, withErrorHandling(({ id, mailbox, account }) => {
@@ -308,7 +327,7 @@ server.tool("move-message", {
 }, "Error moving message"));
 // --- batch-delete-messages ---
 server.tool("batch-delete-messages", {
-    ids: z.array(z.string()).min(1, "At least one message ID is required"),
+    ids: BATCH_IDS_SCHEMA,
 }, withErrorHandling(({ ids }) => {
     const results = mailManager.batchDeleteMessages(ids);
     const successCount = results.filter((r) => r.success).length;
@@ -325,7 +344,7 @@ server.tool("batch-delete-messages", {
 }, "Error batch deleting messages"));
 // --- batch-move-messages ---
 server.tool("batch-move-messages", {
-    ids: z.array(z.string()).min(1, "At least one message ID is required"),
+    ids: BATCH_IDS_SCHEMA,
     mailbox: z.string().min(1, "Destination mailbox is required"),
     account: z.string().optional().describe("Account containing the destination mailbox"),
 }, withErrorHandling(({ ids, mailbox, account }) => {
@@ -344,7 +363,7 @@ server.tool("batch-move-messages", {
 }, "Error batch moving messages"));
 // --- batch-mark-as-read ---
 server.tool("batch-mark-as-read", {
-    ids: z.array(z.string()).min(1, "At least one message ID is required"),
+    ids: BATCH_IDS_SCHEMA,
 }, withErrorHandling(({ ids }) => {
     const results = mailManager.batchMarkAsRead(ids);
     const successCount = results.filter((r) => r.success).length;
@@ -361,7 +380,7 @@ server.tool("batch-mark-as-read", {
 }, "Error batch marking messages as read"));
 // --- batch-mark-as-unread ---
 server.tool("batch-mark-as-unread", {
-    ids: z.array(z.string()).min(1, "At least one message ID is required"),
+    ids: BATCH_IDS_SCHEMA,
 }, withErrorHandling(({ ids }) => {
     const results = mailManager.batchMarkAsUnread(ids);
     const successCount = results.filter((r) => r.success).length;
@@ -378,7 +397,7 @@ server.tool("batch-mark-as-unread", {
 }, "Error batch marking messages as unread"));
 // --- batch-flag-messages ---
 server.tool("batch-flag-messages", {
-    ids: z.array(z.string()).min(1, "At least one message ID is required"),
+    ids: BATCH_IDS_SCHEMA,
 }, withErrorHandling(({ ids }) => {
     const results = mailManager.batchFlagMessages(ids);
     const successCount = results.filter((r) => r.success).length;
@@ -395,7 +414,7 @@ server.tool("batch-flag-messages", {
 }, "Error batch flagging messages"));
 // --- batch-unflag-messages ---
 server.tool("batch-unflag-messages", {
-    ids: z.array(z.string()).min(1, "At least one message ID is required"),
+    ids: BATCH_IDS_SCHEMA,
 }, withErrorHandling(({ ids }) => {
     const results = mailManager.batchUnflagMessages(ids);
     const successCount = results.filter((r) => r.success).length;
@@ -412,7 +431,7 @@ server.tool("batch-unflag-messages", {
 }, "Error batch unflagging messages"));
 // --- list-attachments ---
 server.tool("list-attachments", {
-    id: z.string().min(1, "Message ID is required"),
+    id: MESSAGE_ID_SCHEMA,
 }, withErrorHandling(({ id }) => {
     const attachments = mailManager.listAttachments(id);
     if (attachments.length === 0) {
@@ -428,7 +447,7 @@ server.tool("list-attachments", {
 }, "Error listing attachments"));
 // --- save-attachment ---
 server.tool("save-attachment", {
-    id: z.string().min(1, "Message ID is required"),
+    id: MESSAGE_ID_SCHEMA,
     attachmentName: z.string().min(1, "Attachment name is required"),
     savePath: z.string().min(1, "Save directory path is required"),
 }, withErrorHandling(({ id, attachmentName, savePath }) => {

package/build/services/appleMailManager.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"appleMailManager.d.ts","sourceRoot":"","sources":["../../src/services/appleMailManager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;~~AAMH~~,OAAO,KAAK,EACV,OAAO,EACP,cAAc,EACd,OAAO,EACP,OAAO,EACP,UAAU,EACV,iBAAiB,EACjB,SAAS,EAET,oBAAoB,EACpB,UAAU,EACV,qBAAqB,EACrB,QAAQ,EACR,OAAO,EACP,aAAa,EACb,oBAAoB,EACpB,iBAAiB,EAClB,MAAM,YAAY,CAAC;AA6HpB;;;;;;;;;;;;GAYG;AACH,qBAAa,gBAAgB;IAC3B;;OAEG;IACH,OAAO,CAAC,cAAc,CAAuB;IAE7C;;;;OAIG;IACH,OAAO,CAAC,KAAK,CAGX;IAEF,8CAA8C;IAC9C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAU;IAEvC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAUzB;;;;OAIG;IACH,OAAO,CAAC,qBAAqB;IAW7B;;;OAGG;IACH,OAAO,CAAC,eAAe;IAKvB;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAwCtB;;;;;;;;;;;;;;;;;OAiBG;IACH,OAAO,CAAC,cAAc;IAyCtB;;;;;;;;OAQG;IACH,cAAc,CACZ,KAAK,CAAC,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,EAChB,KAAK,SAAK,EACV,QAAQ,CAAC,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,EAAE;~~IA4EZ~~;;;;;OAKG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI;IAwD1C;;OAEG;IACH,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI;IAgDpD;;;;;;;OAOG;IACH,YAAY,CACV,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,EAChB,KAAK,SAAK,EACV,IAAI,CAAC,EAAE,MAAM,EACb,MAAM,SAAI,GACT,OAAO,EAAE;IAgDZ;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA2BxB;;;;;;;;;;OAUG;IACH,SAAS,CACP,EAAE,EAAE,MAAM,EAAE,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,EAAE,CAAC,EAAE,MAAM,EAAE,EACb,GAAG,CAAC,EAAE,MAAM,EAAE,EACd,OAAO,CAAC,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,EAAE,GACrB,OAAO;IA0DV;;;;;;;;;;;;OAYG;IACH,eAAe,CACb,UAAU,EAAE,oBAAoB,EAAE,EAClC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,GAAE,MAAY,GACpB,iBAAiB,EAAE;IAgDtB;;;;;;;;;;OAUG;IACH,WAAW,CACT,EAAE,EAAE,MAAM,EAAE,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,EAAE,CAAC,EAAE,MAAM,EAAE,EACb,GAAG,CAAC,EAAE,MAAM,EAAE,EACd,OAAO,CAAC,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,EAAE,GACrB,OAAO;IAwDV;;;;;;;;OAQG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,UAAQ,EAAE,IAAI,UAAO,GAAG,OAAO;IAqChF;;;;;;;;OAQG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,UAAO,GAAG,OAAO;IA2C7E;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAsBzB;;OAEG;IACH,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAY/B;;OAEG;IACH,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAYjC;;OAEG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAYhC;;OAEG;IACH,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAYlC;;OAEG;IACH,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAYlC;;OAEG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO;IAyCnE;;;;;OAKG;IACH,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE;IAe1D;;;;;;;OAOG;IACH,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,oBAAoB,EAAE;IAe3F;;OAEG;IACH,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE;IAStD;;OAEG;IACH,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE;IAaxD;;OAEG;IACH,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE;IASxD;;OAEG;IACH,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE;IAS1D;;OAEG;IACH,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,UAAU,EAAE;IAsDzC;;OAEG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO;~~IA4C7E~~;;OAEG;IACH,aAAa,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,EAAE;IA2C1C;;OAEG;IACH,cAAc,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM;IA8B1D;;OAEG;IACH,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO;IAyBtD;;OAEG;IACH,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO;IA0BtD;;OAEG;IACH,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO;IA4C1E;;OAEG;IACH,YAAY,IAAI,OAAO,EAAE;IAIzB;;;OAGG;IACH,OAAO,CAAC,aAAa;IA2CrB;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAwBzB;;OAEG;IACH,SAAS,IAAI,QAAQ,EAAE;IAiCvB;;OAEG;IACH,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO;IA+B3D;;OAEG;IACH,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,EAAE;IA4DxC,OAAO,CAAC,SAAS,CAAyC;IAC1D,OAAO,CAAC,cAAc,CAAK;IAE3B;;OAEG;IACH,aAAa,IAAI,aAAa,EAAE;IAIhC;;OAEG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI;IAI7C;;OAEG;IACH,YAAY,CACV,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,EAAE,CAAC,EAAE,MAAM,EAAE,EACb,EAAE,CAAC,EAAE,MAAM,EAAE,EACb,EAAE,CAAC,EAAE,MAAM,GACV,aAAa;IAOhB;;OAEG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAInC;;OAEG;IACH,WAAW,CACT,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GAC5E,OAAO;IAkBV;;OAEG;IACH,WAAW,IAAI,iBAAiB;IA8EhC;;OAEG;IACH,YAAY,IAAI,SAAS;IA4CzB;;;;;;;OAOG;IACH,wBAAwB,IAAI,qBAAqB;IAyEjD;;;;;;;;;OASG;IACH,aAAa,IAAI,UAAU;CA+D5B"}
1	+ {"version":3,"file":"appleMailManager.d.ts","sourceRoot":"","sources":["../../src/services/appleMailManager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAOH,OAAO,KAAK,EACV,OAAO,EACP,cAAc,EACd,OAAO,EACP,OAAO,EACP,UAAU,EACV,iBAAiB,EACjB,SAAS,EAET,oBAAoB,EACpB,UAAU,EACV,qBAAqB,EACrB,QAAQ,EACR,OAAO,EACP,aAAa,EACb,oBAAoB,EACpB,iBAAiB,EAClB,MAAM,YAAY,CAAC;AA6HpB;;;;;;;;;;;;GAYG;AACH,qBAAa,gBAAgB;IAC3B;;OAEG;IACH,OAAO,CAAC,cAAc,CAAuB;IAE7C;;;;OAIG;IACH,OAAO,CAAC,KAAK,CAGX;IAEF,8CAA8C;IAC9C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAU;IAEvC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAUzB;;;;OAIG;IACH,OAAO,CAAC,qBAAqB;IAW7B;;;OAGG;IACH,OAAO,CAAC,eAAe;IAKvB;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAwCtB;;;;;;;;;;;;;;;;;OAiBG;IACH,OAAO,CAAC,cAAc;IAyCtB;;;;;;;;OAQG;IACH,cAAc,CACZ,KAAK,CAAC,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,EAChB,KAAK,SAAK,EACV,QAAQ,CAAC,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,EAAE;IA+EZ;;;;;OAKG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI;IAwD1C;;OAEG;IACH,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI;IAgDpD;;;;;;;OAOG;IACH,YAAY,CACV,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,EAChB,KAAK,SAAK,EACV,IAAI,CAAC,EAAE,MAAM,EACb,MAAM,SAAI,GACT,OAAO,EAAE;IAgDZ;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA2BxB;;;;;;;;;;OAUG;IACH,SAAS,CACP,EAAE,EAAE,MAAM,EAAE,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,EAAE,CAAC,EAAE,MAAM,EAAE,EACb,GAAG,CAAC,EAAE,MAAM,EAAE,EACd,OAAO,CAAC,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,EAAE,GACrB,OAAO;IA0DV;;;;;;;;;;;;OAYG;IACH,eAAe,CACb,UAAU,EAAE,oBAAoB,EAAE,EAClC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,GAAE,MAAY,GACpB,iBAAiB,EAAE;IAgDtB;;;;;;;;;;OAUG;IACH,WAAW,CACT,EAAE,EAAE,MAAM,EAAE,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,EAAE,CAAC,EAAE,MAAM,EAAE,EACb,GAAG,CAAC,EAAE,MAAM,EAAE,EACd,OAAO,CAAC,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,EAAE,GACrB,OAAO;IAwDV;;;;;;;;OAQG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,UAAQ,EAAE,IAAI,UAAO,GAAG,OAAO;IAqChF;;;;;;;;OAQG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,UAAO,GAAG,OAAO;IA2C7E;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAsBzB;;OAEG;IACH,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAY/B;;OAEG;IACH,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAYjC;;OAEG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAYhC;;OAEG;IACH,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAYlC;;OAEG;IACH,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAYlC;;OAEG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO;IAyCnE;;;;;OAKG;IACH,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE;IAe1D;;;;;;;OAOG;IACH,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,oBAAoB,EAAE;IAe3F;;OAEG;IACH,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE;IAStD;;OAEG;IACH,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE;IAaxD;;OAEG;IACH,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE;IASxD;;OAEG;IACH,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE;IAS1D;;OAEG;IACH,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,UAAU,EAAE;IAsDzC;;OAEG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO;IA+D7E;;OAEG;IACH,aAAa,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,EAAE;IA2C1C;;OAEG;IACH,cAAc,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM;IA8B1D;;OAEG;IACH,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO;IAyBtD;;OAEG;IACH,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO;IA0BtD;;OAEG;IACH,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO;IA4C1E;;OAEG;IACH,YAAY,IAAI,OAAO,EAAE;IAIzB;;;OAGG;IACH,OAAO,CAAC,aAAa;IA2CrB;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAwBzB;;OAEG;IACH,SAAS,IAAI,QAAQ,EAAE;IAiCvB;;OAEG;IACH,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO;IA+B3D;;OAEG;IACH,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,EAAE;IA4DxC,OAAO,CAAC,SAAS,CAAyC;IAC1D,OAAO,CAAC,cAAc,CAAK;IAE3B;;OAEG;IACH,aAAa,IAAI,aAAa,EAAE;IAIhC;;OAEG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI;IAI7C;;OAEG;IACH,YAAY,CACV,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,EAAE,CAAC,EAAE,MAAM,EAAE,EACb,EAAE,CAAC,EAAE,MAAM,EAAE,EACb,EAAE,CAAC,EAAE,MAAM,GACV,aAAa;IAOhB;;OAEG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAInC;;OAEG;IACH,WAAW,CACT,EAAE,EAAE,MAAM,EACV,SAAS,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GAC5E,OAAO;IAkBV;;OAEG;IACH,WAAW,IAAI,iBAAiB;IA8EhC;;OAEG;IACH,YAAY,IAAI,SAAS;IA4CzB;;;;;;;OAOG;IACH,wBAAwB,IAAI,qBAAqB;IAyEjD;;;;;;;;;OASG;IACH,aAAa,IAAI,UAAU;CA+D5B"}

package/build/services/appleMailManager.js CHANGED Viewed

@@ -14,7 +14,8 @@
  */
 import { spawnSync } from "child_process";
 import { existsSync } from "fs";
-import { isAbsolute } from "path";
+import { isAbsolute, resolve } from "path";
+import { homedir } from "os";
 import { executeAppleScript } from "../utils/applescript.js";
 // =============================================================================
 // Text Processing Utilities
@@ -310,15 +311,18 @@ export class AppleMailManager {
             const safeQuery = escapeForAppleScript(query);
             searchCondition = `whose subject contains "${safeQuery}" or sender contains "${safeQuery}"`;
         }
-        // Build date filter AppleScript
+        // Build date filter AppleScript.
+        // Note: dateFrom/dateTo are already validated by DATE_FILTER_SCHEMA (alphanumeric + safe
+        // punctuation only), so escapeForAppleScript() below is belt-and-suspenders — it won't
+        // alter valid date strings but guards against future schema changes.
         let dateFilter = "";
         if (dateFrom || dateTo) {
             const dateChecks = [];
             if (dateFrom) {
-                dateChecks.push(`date received of msg >= date "${dateFrom}"`);
+                dateChecks.push(`date received of msg >= date "${escapeForAppleScript(dateFrom)}"`);
             }
             if (dateTo) {
-                dateChecks.push(`date received of msg <= date "${dateTo}"`);
+                dateChecks.push(`date received of msg <= date "${escapeForAppleScript(dateTo)}"`);
             }
             dateFilter = dateChecks.join(" and ");
         }
@@ -368,7 +372,7 @@ export class AppleMailManager {
         repeat with acct in accounts
           repeat with mb in mailboxes of acct
             try
-              set matchingMsgs to (messages of mb whose id is ${id})
+              set matchingMsgs to (messages of mb whose id is ${Number(id)})
               if (count of matchingMsgs) > 0 then
                 set msg to item 1 of matchingMsgs
                 set msgSubject to subject of msg
@@ -423,7 +427,7 @@ export class AppleMailManager {
         repeat with acct in accounts
           repeat with mb in mailboxes of acct
             try
-              set matchingMsgs to (messages of mb whose id is ${id})
+              set matchingMsgs to (messages of mb whose id is ${Number(id)})
               if (count of matchingMsgs) > 0 then
                 set msg to item 1 of matchingMsgs
                 set msgSubject to subject of msg
@@ -728,7 +732,7 @@ export class AppleMailManager {
         repeat with acct in accounts
           repeat with mb in mailboxes of acct
             try
-              set matchingMsgs to (messages of mb whose id is ${id})
+              set matchingMsgs to (messages of mb whose id is ${Number(id)})
               if (count of matchingMsgs) > 0 then
                 set msg to item 1 of matchingMsgs
                 set theReply to reply msg with opening window${replyAllClause}
@@ -773,7 +777,7 @@ export class AppleMailManager {
         repeat with acct in accounts
           repeat with mb in mailboxes of acct
             try
-              set matchingMsgs to (messages of mb whose id is ${id})
+              set matchingMsgs to (messages of mb whose id is ${Number(id)})
               if (count of matchingMsgs) > 0 then
                 set msg to item 1 of matchingMsgs
                 set theForward to forward msg with opening window
@@ -806,7 +810,7 @@ export class AppleMailManager {
         repeat with acct in accounts
           repeat with mb in mailboxes of acct
             try
-              set matchingMsgs to (messages of mb whose id is ${id})
+              set matchingMsgs to (messages of mb whose id is ${Number(id)})
               if (count of matchingMsgs) > 0 then
                 set msg to item 1 of matchingMsgs
                 ${operation}
@@ -894,7 +898,7 @@ export class AppleMailManager {
         repeat with acct in accounts
           repeat with mb in mailboxes of acct
             try
-              set matchingMsgs to (messages of mb whose id is ${id})
+              set matchingMsgs to (messages of mb whose id is ${Number(id)})
               if (count of matchingMsgs) > 0 then
                 set msg to item 1 of matchingMsgs
                 set destMailbox to mailbox "${safeMailbox}" of account "${safeAccount}"
@@ -1014,7 +1018,7 @@ export class AppleMailManager {
         repeat with acct in accounts
           repeat with mb in mailboxes of acct
             try
-              set matchingMsgs to (messages of mb whose id is ${id})
+              set matchingMsgs to (messages of mb whose id is ${Number(id)})
               if (count of matchingMsgs) > 0 then
                 set msg to item 1 of matchingMsgs
                 set outputText to ""
@@ -1060,14 +1064,30 @@ export class AppleMailManager {
      * Save an attachment from a message to disk.
      */
     saveAttachment(id, attachmentName, savePath) {
+        // Validate attachment name: block path separators, traversal, null bytes, and backslashes
+        if (/[/\\\0]/.test(attachmentName) || attachmentName.includes("..")) {
+            console.error(`Invalid attachment name: "${attachmentName}"`);
+            return false;
+        }
+        // Resolve the save path to prevent symlink / ".." traversal bypass
+        const resolvedPath = resolve(savePath);
+        const allowedPrefixes = [homedir(), "/tmp", "/private/tmp", "/Volumes"];
+        const isAllowed = allowedPrefixes.some((prefix) => resolvedPath.startsWith(prefix));
+        if (!isAllowed) {
+            console.error(`Save path "${savePath}" is outside allowed directories`);
+            return false;
+        }
         const safeName = escapeForAppleScript(attachmentName);
-        const safePath = escapeForAppleScript(savePath);
+        const safePath = escapeForAppleScript(resolvedPath);
+        // Use Number(id) as defense-in-depth — the Zod schema already enforces numeric IDs,
+        // but this ensures raw interpolation into AppleScript is safe even if validation changes.
+        const numericId = Number(id);
         const script = buildAppLevelScript(`
       try
         repeat with acct in accounts
           repeat with mb in mailboxes of acct
             try
-              set matchingMsgs to (messages of mb whose id is ${id})
+              set matchingMsgs to (messages of mb whose id is ${numericId})
               if (count of matchingMsgs) > 0 then
                 set msg to item 1 of matchingMsgs
                 repeat with att in mail attachments of msg

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "apple-mail-mcp",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "MCP server for Apple Mail - read, search, send, and manage emails via Claude",
   "type": "module",
   "main": "build/index.js",
@@ -18,6 +18,8 @@
     "start": "node build/index.js",
     "dev": "tsc --watch",
     "test": "vitest run",
+    "test:integration": "vitest run --config vitest.integration.config.ts",
+    "test:all": "vitest run && vitest run --config vitest.integration.config.ts",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
     "lint": "eslint src",