hypermail-mcp 0.4.0 → 0.4.2

package/dist/cli.js

@@ -4,7 +4,7 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
-import { randomUUID as randomUUID2 } from "crypto";
+import { randomUUID as randomUUID6 } from "crypto";
 import { createServer as createHttpServer } from "http";
 
 // src/store/account-store.ts
@@ -159,12 +159,31 @@ async function tryKeytarSet(key) {
 }
 
 // src/providers/outlook/index.ts
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 import { writeFileSync } from "fs";
 import { tmpdir } from "os";
 import { join as pathJoin } from "path";
 import { ResponseType } from "@microsoft/microsoft-graph-client";
 
+// src/providers/shared/inline-images.ts
+import { randomUUID } from "crypto";
+function parseInlineImages(html) {
+  const images = [];
+  const re = /src="data:image\/([\w+]+);base64,([^"]+)"/gi;
+  const transformed = html.replace(re, (_fullMatch, mimeSubtype, b64) => {
+    const contentId = `sig-img-${randomUUID()}`;
+    const ext = mimeSubtype.toLowerCase().replace(/\+/g, "-") === "svg-xml" ? "svg" : mimeSubtype.toLowerCase().replace(/\+/g, "-");
+    images.push({
+      cid: contentId,
+      contentBytes: b64,
+      contentType: `image/${mimeSubtype}`,
+      filename: `signature-image.${ext}`
+    });
+    return `src="cid:${contentId}"`;
+  });
+  return { body: transformed, images };
+}
+
 // src/providers/outlook/client.ts
 import "isomorphic-fetch";
 import {
@@ -182,9 +201,14 @@ var DEFAULT_SCOPES = [
   "Mail.ReadWrite",
   "Mail.Send"
 ];
-function makeConfig(prevCacheJson) {
-  const clientId = process.env.MS_CLIENT_ID || DEFAULT_CLIENT_ID;
-  const tenant = process.env.MS_TENANT_ID || "common";
+function isSerializedTokens(obj) {
+  if (typeof obj !== "object" || obj === null) return false;
+  const o = obj;
+  return typeof o.msalCache === "string" && typeof o.homeAccountId === "string" && typeof o.tenantId === "string" && typeof o.username === "string" && Array.isArray(o.scopes);
+}
+function makeConfig(prevCacheJson, clientIdOverride, tenantOverride) {
+  const clientId = clientIdOverride || process.env.MS_CLIENT_ID || DEFAULT_CLIENT_ID;
+  const tenant = tenantOverride || process.env.MS_TENANT_ID || "common";
   return {
     auth: {
       clientId,
@@ -196,15 +220,15 @@ function makeConfig(prevCacheJson) {
     } : void 0
   };
 }
-function buildPca(prevCacheJson) {
-  const pca = new PublicClientApplication(makeConfig(prevCacheJson));
+function buildPca(prevCacheJson, clientIdOverride, tenantOverride) {
+  const pca = new PublicClientApplication(makeConfig(prevCacheJson, clientIdOverride, tenantOverride));
   if (prevCacheJson) {
     pca.getTokenCache().deserialize(prevCacheJson);
   }
   return pca;
 }
-function beginDeviceCode(scopes = DEFAULT_SCOPES) {
-  const pca = buildPca();
+function beginDeviceCode(scopes = DEFAULT_SCOPES, clientIdOverride, tenantOverride) {
+  const pca = buildPca(void 0, clientIdOverride, tenantOverride);
   let resolve;
   let reject;
   const result = new Promise(
@@ -284,8 +308,8 @@ async function awaitDeviceCodeReady(b) {
   const r = b._ready;
   await r;
 }
-async function acquireAccessToken(tokens, scopes = DEFAULT_SCOPES) {
-  const pca = buildPca(tokens.msalCache);
+async function acquireAccessToken(tokens, scopes = DEFAULT_SCOPES, clientIdOverride, tenantOverride) {
+  const pca = buildPca(tokens.msalCache, clientIdOverride, tenantOverride);
   const cache = pca.getTokenCache();
   const account = await cache.getAccountByHomeId(tokens.homeAccountId) ?? (await cache.getAllAccounts()).find((a) => a.username === tokens.username);
   if (!account) {
@@ -305,10 +329,14 @@ async function acquireAccessToken(tokens, scopes = DEFAULT_SCOPES) {
 
 // src/providers/outlook/client.ts
 var OutlookClientFactory = class {
-  constructor(store) {
+  constructor(store, clientId, tenantId) {
     this.store = store;
+    this.clientId = clientId;
+    this.tenantId = tenantId;
   }
   store;
+  clientId;
+  tenantId;
   cache = /* @__PURE__ */ new Map();
   get(account) {
     const key = account.email.toLowerCase();
@@ -318,8 +346,18 @@ var OutlookClientFactory = class {
     const provider = {
       getAccessToken: async () => {
         const fresh = store.getAccount(account.email) ?? account;
+        if (!isSerializedTokens(fresh.tokens)) {
+          throw new Error(
+            "Outlook account tokens are missing or corrupted \u2014 re-run add_account"
+          );
+        }
         const tokens = fresh.tokens;
-        const { accessToken, tokens: nextTokens } = await acquireAccessToken(tokens);
+        const { accessToken, tokens: nextTokens } = await acquireAccessToken(
+          tokens,
+          void 0,
+          this.clientId,
+          this.tenantId
+        );
         if (nextTokens.msalCache !== tokens.msalCache) {
           store.upsertAccount({
             ...fresh,
@@ -342,37 +380,35 @@ var OutlookClientFactory = class {
 
 // src/providers/outlook/index.ts
 function convertInlineImages(body) {
-  const attachments = [];
-  const re = /src="data:image\/([\w+]+);base64,([^"]+)"/gi;
-  const transformed = body.replace(re, (_fullMatch, mimeSubtype, b64) => {
-    const contentId = `sig-img-${randomUUID()}`;
-    const ext = mimeSubtype.toLowerCase().replace(/\+/g, "-") === "svg-xml" ? "svg" : mimeSubtype.toLowerCase().replace(/\+/g, "-");
-    attachments.push({
-      "@odata.type": "#microsoft.graph.fileAttachment",
-      name: `signature-image.${ext}`,
-      contentType: `image/${mimeSubtype}`,
-      contentId,
-      contentBytes: b64,
-      isInline: true
-    });
-    return `src="cid:${contentId}"`;
-  });
+  const { body: transformed, images } = parseInlineImages(body);
+  const attachments = images.map((img) => ({
+    "@odata.type": "#microsoft.graph.fileAttachment",
+    name: img.filename,
+    contentType: img.contentType,
+    contentId: img.cid,
+    contentBytes: img.contentBytes,
+    isInline: true
+  }));
   return { body: transformed, attachments };
 }
 var OutlookProvider = class {
   constructor(opts) {
     this.opts = opts;
-    this.clients = new OutlookClientFactory(opts.store);
+    this.clientId = opts.clientId;
+    this.tenantId = opts.tenantId;
+    this.clients = new OutlookClientFactory(opts.store, opts.clientId, opts.tenantId);
   }
   opts;
   id = "outlook";
   clients;
   pending = /* @__PURE__ */ new Map();
+  clientId;
+  tenantId;
   // ---------- account lifecycle ----------
   async addAccount(input) {
-    const begin = beginDeviceCode();
+    const begin = beginDeviceCode(void 0, this.clientId, this.tenantId);
     await awaitDeviceCodeReady(begin);
-    const handle = randomUUID();
+    const handle = randomUUID2();
     const flow = {
       begin,
       emailHint: input.email,
@@ -440,7 +476,7 @@ var OutlookProvider = class {
     const folder = opts.folder ?? "inbox";
     const filterParts = [];
     if (opts.unreadOnly) filterParts.push("isRead eq false");
-    let req = client.api(`/me/mailFolders/${encodeURIComponent(folder)}/messages`).top(limit).select([
+    let req = client.api(`/me/mailFolders/${encodeURIComponent(folder)}/messages`).top(limit).skip(opts.skip ?? 0).select([
       "id",
       "subject",
       "from",
@@ -452,7 +488,10 @@ var OutlookProvider = class {
     ].join(",")).orderby("receivedDateTime DESC");
     if (filterParts.length > 0) req = req.filter(filterParts.join(" and "));
     const res = await req.get();
-    return res.value.map((m) => mapSummary(m, folder));
+    return {
+      items: res.value.map((m) => mapSummary(m, folder)),
+      hasMore: !!res["@odata.nextLink"]
+    };
   }
   async searchEmails(account, query, opts) {
     const client = this.clients.get(account);
@@ -543,83 +582,25 @@ var OutlookProvider = class {
     }
     return draft.id;
   }
-  async sendEmail(account, msg) {
-    const client = this.clients.get(account);
-    if (msg.inReplyTo && msg.forwardMessageId) {
-      throw new Error(
-        "inReplyTo and forwardMessageId are mutually exclusive \u2014 use one or the other"
-      );
-    }
-    const converted = convertInlineImages(msg.body);
-    if (msg.forwardMessageId) {
-      const draftId = await this.buildDraftFromReference(
-        client,
-        `/me/messages/${encodeURIComponent(msg.forwardMessageId)}/createForward`,
-        {
-          message: {
-            toRecipients: msg.to.map(toRecipient),
-            ccRecipients: (msg.cc ?? []).map(toRecipient),
-            bccRecipients: (msg.bcc ?? []).map(toRecipient)
-          },
-          comment: ""
-        },
-        converted
-      );
-      await client.api(`/me/messages/${draftId}/send`).post({});
-      return { id: draftId };
-    }
-    if (msg.inReplyTo) {
-      const createEndpoint = msg.replyAll ? `/me/messages/${encodeURIComponent(msg.inReplyTo)}/createReplyAll` : `/me/messages/${encodeURIComponent(msg.inReplyTo)}/createReply`;
-      const draftId = await this.buildDraftFromReference(
-        client,
-        createEndpoint,
-        {},
-        converted
-      );
-      await client.api(`/me/messages/${draftId}/send`).post({});
-      return { id: draftId };
-    }
-    const payload = {
-      message: {
-        subject: msg.subject,
-        body: {
-          contentType: msg.isHtml ? "HTML" : "Text",
-          content: converted.body
-        },
-        toRecipients: msg.to.map(toRecipient),
-        ccRecipients: (msg.cc ?? []).map(toRecipient),
-        bccRecipients: (msg.bcc ?? []).map(toRecipient)
-      },
-      saveToSentItems: true
-    };
-    if (converted.attachments.length > 0) {
-      payload.message.attachments = converted.attachments;
-    }
-    await client.api("/me/sendMail").post(payload);
-    return { id: "" };
-  }
-  async saveDraft(account, msg) {
+  // Shared backend for sendEmail and saveDraft — handles forward, reply, and
+  // new-message paths. The `mode` controls whether the message is sent
+  // immediately or saved as a draft.
+  async sendOrSave(account, msg, mode) {
     const client = this.clients.get(account);
-    if (msg.inReplyTo && msg.forwardMessageId) {
-      throw new Error(
-        "inReplyTo and forwardMessageId are mutually exclusive \u2014 use one or the other"
-      );
-    }
     const converted = convertInlineImages(msg.body);
+    const toRecipients = msg.to.map(toRecipient);
+    const ccRecipients = (msg.cc ?? []).map(toRecipient);
+    const bccRecipients = (msg.bcc ?? []).map(toRecipient);
     if (msg.forwardMessageId) {
       const draftId = await this.buildDraftFromReference(
         client,
         `/me/messages/${encodeURIComponent(msg.forwardMessageId)}/createForward`,
-        {
-          message: {
-            toRecipients: msg.to.map(toRecipient),
-            ccRecipients: (msg.cc ?? []).map(toRecipient),
-            bccRecipients: (msg.bcc ?? []).map(toRecipient)
-          },
-          comment: ""
-        },
+        { message: { toRecipients, ccRecipients, bccRecipients }, comment: "" },
         converted
       );
+      if (mode === "send") {
+        await client.api(`/me/messages/${draftId}/send`).post({});
+      }
       return { id: draftId };
     }
     if (msg.inReplyTo) {
@@ -630,24 +611,40 @@ var OutlookProvider = class {
         {},
         converted
       );
+      if (mode === "send") {
+        await client.api(`/me/messages/${draftId}/send`).post({});
+      }
       return { id: draftId };
     }
-    const draftPayload = {
+    const messagePayload = {
       subject: msg.subject,
       body: {
         contentType: msg.isHtml ? "HTML" : "Text",
         content: converted.body
       },
-      toRecipients: msg.to.map(toRecipient),
-      ccRecipients: (msg.cc ?? []).map(toRecipient),
-      bccRecipients: (msg.bcc ?? []).map(toRecipient)
+      toRecipients,
+      ccRecipients,
+      bccRecipients
     };
     if (converted.attachments.length > 0) {
-      draftPayload.attachments = converted.attachments;
+      messagePayload.attachments = converted.attachments;
+    }
+    if (mode === "send") {
+      await client.api("/me/sendMail").post({
+        message: messagePayload,
+        saveToSentItems: true
+      });
+      return { id: "" };
     }
-    const draft = await client.api("/me/messages").post(draftPayload);
+    const draft = await client.api("/me/messages").post(messagePayload);
     return { id: draft.id };
   }
+  async sendEmail(account, msg) {
+    return this.sendOrSave(account, msg, "send");
+  }
+  async saveDraft(account, msg) {
+    return this.sendOrSave(account, msg, "draft");
+  }
   async updateDraft(account, id, update) {
     const client = this.clients.get(account);
     const payload = {};
@@ -680,7 +677,67 @@ var OutlookProvider = class {
     const client = this.clients.get(account);
     await client.api(`/me/messages/${encodeURIComponent(id)}/move`).post({ destinationId });
   }
+  async sendDraft(account, id) {
+    const client = this.clients.get(account);
+    await client.api(`/me/messages/${encodeURIComponent(id)}/send`).post({});
+    return { id };
+  }
+  async addAttachmentToDraft(account, draftId, name, contentBytes, contentType) {
+    const client = this.clients.get(account);
+    const att = await client.api(`/me/messages/${encodeURIComponent(draftId)}/attachments`).post({
+      "@odata.type": "#microsoft.graph.fileAttachment",
+      name,
+      contentType: contentType ?? "application/octet-stream",
+      contentBytes
+    });
+    return {
+      id: draftId,
+      attachment: { id: att.id, name: att.name, contentType: att.contentType }
+    };
+  }
+  async markRead(account, id, isRead) {
+    const client = this.clients.get(account);
+    await client.api(`/me/messages/${encodeURIComponent(id)}`).patch({ isRead });
+  }
+  async listFolders(account, opts) {
+    const client = this.clients.get(account);
+    const endpoint = opts.parentFolderId ? `/me/mailFolders/${encodeURIComponent(opts.parentFolderId)}/childFolders` : "/me/mailFolders";
+    const res = await client.api(endpoint).select([
+      "id",
+      "displayName",
+      "parentFolderId",
+      "childFolderCount",
+      "totalItemCount",
+      "unreadItemCount"
+    ].join(",")).get();
+    return (res.value ?? []).map(mapFolder);
+  }
+  async createFolder(account, input) {
+    const client = this.clients.get(account);
+    const parentId = input.parentFolderId ?? "msgfolderroot";
+    const created = await client.api(`/me/mailFolders/${encodeURIComponent(parentId)}/childFolders`).post({ displayName: input.displayName });
+    return mapFolder(created);
+  }
+  async renameFolder(account, folderId, newName) {
+    const client = this.clients.get(account);
+    const updated = await client.api(`/me/mailFolders/${encodeURIComponent(folderId)}`).patch({ displayName: newName });
+    return mapFolder(updated);
+  }
+  async deleteFolder(account, folderId) {
+    const client = this.clients.get(account);
+    await client.api(`/me/mailFolders/${encodeURIComponent(folderId)}`).delete();
+  }
 };
+function mapFolder(f) {
+  return {
+    id: f.id,
+    displayName: f.displayName,
+    parentFolderId: f.parentFolderId,
+    childFolderCount: f.childFolderCount,
+    totalItemCount: f.totalItemCount,
+    unreadItemCount: f.unreadItemCount
+  };
+}
 function mapRecipient(r) {
   return {
     name: r.emailAddress?.name,
@@ -708,133 +765,1750 @@ function clampLimit(v, dflt, max) {
   return Math.min(v, max);
 }
 
-// src/providers/imap/index.ts
-var NOT_IMPLEMENTED = "IMAP provider is not yet implemented in v1. Tracked at src/providers/imap/index.ts \u2014 see src/providers/types.ts for the contract.";
-var ImapProvider = class {
-  id = "imap";
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  async addAccount(_input) {
-    throw new Error(NOT_IMPLEMENTED);
-  }
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  async completeAddAccount(_handle) {
-    return { status: "error", error: NOT_IMPLEMENTED };
-  }
-  async listEmails(_account, _opts) {
-    throw new Error(NOT_IMPLEMENTED);
+// src/providers/imap/client.ts
+import { ImapFlow } from "imapflow";
+import nodemailer from "nodemailer";
+function isImapTokens(obj) {
+  if (typeof obj !== "object" || obj === null) return false;
+  const o = obj;
+  return typeof o.host === "string" && typeof o.port === "number" && typeof o.user === "string" && typeof o.password === "string" && typeof o.smtpHost === "string" && typeof o.smtpPort === "number";
+}
+function extractTokens(account) {
+  if (!isImapTokens(account.tokens)) {
+    throw new Error(
+      "IMAP account tokens are missing or corrupted \u2014 re-run add_account"
+    );
   }
-  async searchEmails(_account, _query, _opts) {
-    throw new Error(NOT_IMPLEMENTED);
+  return account.tokens;
+}
+var ImapClient = class {
+  constructor(tokens) {
+    this.tokens = tokens;
   }
-  async readEmail(_account, _id) {
-    throw new Error(NOT_IMPLEMENTED);
+  tokens;
+  imap = null;
+  transporter = null;
+  connecting = null;
+  /** Get (or create) the ImapFlow instance. */
+  async getImap() {
+    if (this.imap) return this.imap;
+    this.imap = new ImapFlow({
+      host: this.tokens.host,
+      port: this.tokens.port,
+      secure: this.tokens.secure,
+      auth: {
+        user: this.tokens.user,
+        pass: this.tokens.password
+      },
+      logger: false
+    });
+    if (!this.connecting) {
+      this.connecting = this.imap.connect().catch((err) => {
+        this.imap = null;
+        this.connecting = null;
+        throw err;
+      });
+    }
+    await this.connecting;
+    return this.imap;
   }
-  async readAttachment(_account, _messageId, _attachmentId) {
-    throw new Error(NOT_IMPLEMENTED);
+  /** Get (or create) a nodemailer SMTP transporter. */
+  getTransporter() {
+    if (this.transporter) return this.transporter;
+    this.transporter = nodemailer.createTransport({
+      host: this.tokens.smtpHost,
+      port: this.tokens.smtpPort,
+      secure: this.tokens.smtpSecure,
+      auth: {
+        user: this.tokens.user,
+        pass: this.tokens.password
+      }
+    });
+    return this.transporter;
   }
-  async sendEmail(_account, _msg) {
-    throw new Error(NOT_IMPLEMENTED);
+  /**
+   * Acquire a mailbox lock and run `fn` with the mailbox selected.
+   * Releases the lock automatically after `fn` completes.
+   */
+  async withMailbox(mailbox, fn) {
+    const imap = await this.getImap();
+    const lock = await imap.getMailboxLock(mailbox);
+    try {
+      return await fn(imap);
+    } finally {
+      lock.release();
+    }
   }
-  async saveDraft(_account, _msg) {
-    throw new Error(NOT_IMPLEMENTED);
+  /** Disconnect IMAP and close the SMTP pool. */
+  async disconnect() {
+    if (this.imap) {
+      try {
+        await this.imap.logout();
+      } catch {
+      }
+      this.imap = null;
+      this.connecting = null;
+    }
+    if (this.transporter) {
+      this.transporter.close();
+      this.transporter = null;
+    }
   }
-  async updateDraft(_account, _id, _update) {
-    throw new Error(NOT_IMPLEMENTED);
+};
+var ImapClientFactory = class {
+  cache = /* @__PURE__ */ new Map();
+  get(account) {
+    const key = account.email.toLowerCase();
+    const existing = this.cache.get(key);
+    if (existing) return existing;
+    const tokens = extractTokens(account);
+    const client = new ImapClient(tokens);
+    this.cache.set(key, client);
+    return client;
   }
-  async moveEmail(_account, _id, _destinationId) {
-    throw new Error(NOT_IMPLEMENTED);
+  /** Drop a cached client (e.g. after removeAccount). */
+  invalidate(email) {
+    const key = email.toLowerCase();
+    const existing = this.cache.get(key);
+    if (existing) {
+      existing.disconnect().catch(() => {
+      });
+      this.cache.delete(key);
+    }
   }
 };
 
-// src/providers/registry.ts
-function buildRegistry(opts) {
-  const providers = /* @__PURE__ */ new Map();
-  providers.set("outlook", new OutlookProvider({ store: opts.store }));
-  providers.set("imap", new ImapProvider());
-  function get(id) {
-    const p = providers.get(id);
-    if (!p) throw new Error(`unknown provider: ${id}`);
-    return p;
+// src/providers/imap/read-ops.ts
+import { createWriteStream } from "fs";
+import { tmpdir as tmpdir2 } from "os";
+import { join as pathJoin2 } from "path";
+import { pipeline } from "stream/promises";
+
+// src/providers/imap/helpers.ts
+var WELL_KNOWN_TO_IMAP = {
+  archive: "Archive",
+  deleteditems: "Trash",
+  inbox: "INBOX",
+  drafts: "Drafts",
+  sentitems: "Sent",
+  junkemail: "Junk",
+  outbox: "Outbox"
+};
+function resolveFolder(wellKnownOrPath) {
+  return WELL_KNOWN_TO_IMAP[wellKnownOrPath.toLowerCase()] ?? wellKnownOrPath;
+}
+function clampLimit2(v, dflt, max) {
+  if (!v || v <= 0) return dflt;
+  return Math.min(v, max);
+}
+function encodeId(folder, uid) {
+  return `${folder}/${uid}`;
+}
+function decodeId(id) {
+  const idx = id.lastIndexOf("/");
+  if (idx === -1) throw new Error(`invalid message ID: ${id}`);
+  const folder = id.slice(0, idx);
+  const uid = Number(id.slice(idx + 1));
+  if (!Number.isFinite(uid) || uid <= 0) {
+    throw new Error(`invalid message UID in ID: ${id}`);
   }
-  function resolveByEmail(email) {
-    const account = opts.store.getAccount(email);
-    if (!account) {
-      throw new Error(
-        `no account registered for "${email}". Call add_account first.`
-      );
+  return { folder, uid };
+}
+function findAttachments(node) {
+  const attachments = [];
+  const topType = (node.type ?? "").split("/")[0];
+  const isAttachment = node.disposition === "attachment" || !!node.type && topType !== "text" && topType !== "multipart" && !node.disposition;
+  if (isAttachment) {
+    attachments.push({
+      part: node.part ?? "1",
+      name: node.dispositionParameters?.filename ?? node.parameters?.name ?? "attachment",
+      contentType: node.type,
+      size: node.size
+    });
+  }
+  if (node.childNodes) {
+    for (const child of node.childNodes) {
+      attachments.push(...findAttachments(child));
     }
-    return { provider: get(account.provider), account };
   }
+  return attachments;
+}
+function findPartByType(node, contentType) {
+  if (node.type === contentType) return node.part ?? "1";
+  if (node.childNodes) {
+    for (const child of node.childNodes) {
+      const found = findPartByType(child, contentType);
+      if (found) return found;
+    }
+  }
+  return void 0;
+}
+function mapEnvelopeAddr(a) {
+  return { name: a.name, address: a.address ?? "" };
+}
+function mapSummary2(uid, folder, envelope, flags = /* @__PURE__ */ new Set()) {
+  const fromAddr = envelope.from && envelope.from.length > 0 && envelope.from[0] ? mapEnvelopeAddr(envelope.from[0]) : void 0;
   return {
-    get,
-    resolveByEmail,
-    list: () => Array.from(providers.values())
+    id: encodeId(folder, uid),
+    subject: envelope.subject ?? "",
+    from: fromAddr,
+    to: (envelope.to ?? []).map(mapEnvelopeAddr),
+    receivedAt: envelope.date ? envelope.date.toISOString() : void 0,
+    isRead: flags.has("\\Seen"),
+    folder
+  };
+}
+function mapMailboxToListEntry(m) {
+  const lastSep = m.path.lastIndexOf("/");
+  const parentFolderId = lastSep === -1 ? void 0 : m.path.slice(0, lastSep);
+  return {
+    id: m.path,
+    displayName: m.path,
+    parentFolderId,
+    childFolderCount: 0,
+    totalItemCount: m.status?.messages ?? 0,
+    unreadItemCount: m.status?.unseen ?? 0
   };
 }
 
-// src/tools/index.ts
-import { z } from "zod";
-
-// src/html-to-markdown.ts
-import TurndownService from "turndown";
-var turndown = new TurndownService();
-function htmlToMarkdown(html) {
-  return turndown.turndown(html);
+// src/providers/imap/read-ops.ts
+async function listEmails(clients, account, opts) {
+  const client = clients.get(account);
+  const folder = resolveFolder(opts.folder ?? "INBOX");
+  const limit = clampLimit2(opts.limit, 25, 100);
+  const skip = opts.skip ?? 0;
+  return client.withMailbox(folder, async (imap) => {
+    const searchCriteria = {};
+    if (opts.unreadOnly) searchCriteria.seen = false;
+    const allUids = Object.keys(searchCriteria).length > 0 ? await imap.search(searchCriteria, { uid: true }) : await imap.search({ all: true }, { uid: true });
+    allUids.sort((a, b) => b - a);
+    const pageUids = allUids.slice(skip, skip + limit);
+    const hasMore = skip + limit < allUids.length;
+    if (pageUids.length === 0) {
+      return { items: [], hasMore };
+    }
+    const messages = await imap.fetchAll(
+      pageUids,
+      { envelope: true, flags: true },
+      { uid: true }
+    );
+    const items = [];
+    for (const msg of messages) {
+      items.push(
+        mapSummary2(
+          msg.uid,
+          folder,
+          msg.envelope,
+          msg.flags
+        )
+      );
+    }
+    return { items, hasMore };
+  });
 }
-function selectBody(msg, format) {
-  switch (format) {
-    case "markdown": {
-      if (msg.bodyHtml) return htmlToMarkdown(msg.bodyHtml);
-      if (msg.bodyText) return msg.bodyText;
-      return "";
+async function searchEmails(clients, account, query, opts) {
+  const client = clients.get(account);
+  const limit = clampLimit2(opts.limit, 25, 100);
+  return client.withMailbox("INBOX", async (imap) => {
+    const uids = await imap.search({ text: query }, { uid: true });
+    uids.sort((a, b) => b - a);
+    const pageUids = uids.slice(0, limit);
+    if (pageUids.length === 0) return [];
+    const messages = await imap.fetchAll(
+      pageUids,
+      { envelope: true, flags: true },
+      { uid: true }
+    );
+    return messages.map(
+      (msg) => mapSummary2(
+        msg.uid,
+        "INBOX",
+        msg.envelope,
+        msg.flags
+      )
+    );
+  });
+}
+async function readEmail(clients, account, id) {
+  const client = clients.get(account);
+  const { folder, uid } = decodeId(id);
+  return client.withMailbox(folder, async (imap) => {
+    const msg = await imap.fetchOne(
+      uid,
+      { bodyStructure: true, envelope: true, flags: true },
+      { uid: true }
+    );
+    if (!msg || !msg.envelope) {
+      throw new Error(`message not found: ${id}`);
     }
-    case "html": {
-      if (msg.bodyHtml) return msg.bodyHtml;
-      if (msg.bodyText) return msg.bodyText;
-      return "";
+    const envelope = msg.envelope;
+    const structure = msg.bodyStructure;
+    const flags = msg.flags ?? /* @__PURE__ */ new Set();
+    let bodyText;
+    let bodyHtml;
+    const textPart = findPartByType(structure, "text/plain");
+    const htmlPart = findPartByType(structure, "text/html");
+    if (textPart) {
+      const { content } = await imap.download(uid, textPart, { uid: true });
+      const chunks = [];
+      for await (const chunk of content) {
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+      }
+      bodyText = Buffer.concat(chunks).toString("utf-8");
     }
-    case "text": {
-      if (msg.bodyText) return msg.bodyText;
-      if (msg.bodyHtml) return msg.bodyHtml.replace(/<[^>]*>/g, "");
-      return "";
+    if (htmlPart) {
+      const { content } = await imap.download(uid, htmlPart, { uid: true });
+      const chunks = [];
+      for await (const chunk of content) {
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+      }
+      bodyHtml = Buffer.concat(chunks).toString("utf-8");
+    }
+    const attachments = findAttachments(
+      structure
+    ).map((a) => ({
+      id: a.part,
+      name: a.name,
+      contentType: a.contentType,
+      size: a.size
+    }));
+    const summary = mapSummary2(uid, folder, envelope, flags);
+    return {
+      ...summary,
+      cc: (envelope.cc ?? []).map(mapEnvelopeAddr),
+      bcc: (envelope.bcc ?? []).map(mapEnvelopeAddr),
+      bodyText,
+      bodyHtml,
+      attachments: attachments.length > 0 ? attachments : void 0,
+      hasAttachments: attachments.length > 0
+    };
+  });
+}
+async function readAttachment(clients, account, messageId, attachmentId) {
+  const client = clients.get(account);
+  const { folder, uid } = decodeId(messageId);
+  return client.withMailbox(folder, async (imap) => {
+    const msg = await imap.fetchOne(
+      uid,
+      { bodyStructure: true },
+      { uid: true }
+    );
+    let name = "attachment";
+    let contentType;
+    if (msg && msg.bodyStructure) {
+      const attachments = findAttachments(msg.bodyStructure);
+      const match = attachments.find((a) => a.part === attachmentId);
+      if (match) {
+        name = match.name;
+        contentType = match.contentType;
+      }
     }
+    const { meta, content } = await imap.download(uid, attachmentId, {
+      uid: true
+    });
+    const outPath = pathJoin2(tmpdir2(), name);
+    await pipeline(
+      content,
+      createWriteStream(outPath)
+    );
+    return {
+      name,
+      contentType: contentType ?? meta.contentType,
+      path: outPath
+    };
+  });
+}
+async function listFolders(clients, account, opts) {
+  const client = clients.get(account);
+  const imap = await client.getImap();
+  const mailboxes = await imap.list({
+    statusQuery: { messages: true, unseen: true, uidNext: true }
+  });
+  let results = mailboxes.map(mapMailboxToListEntry);
+  if (opts.parentFolderId) {
+    const parentPath = opts.parentFolderId;
+    results = results.filter(
+      (f) => f.parentFolderId === parentPath || parentPath === "INBOX" && f.displayName === "INBOX"
+    );
+  } else {
+    const allPaths = new Set(results.map((f) => f.displayName));
+    results = results.filter((f) => {
+      const lastSep = f.displayName.lastIndexOf("/");
+      if (lastSep === -1) return true;
+      const parent = f.displayName.slice(0, lastSep);
+      return !allPaths.has(parent);
+    });
   }
+  return results;
 }
 
-// src/tools/index.ts
-function ok(data, structuredContent) {
-  const result = {
-    content: [
-      { type: "text", text: JSON.stringify(data, null, 2) }
-    ]
+// src/providers/imap/write-ops.ts
+import { randomUUID as randomUUID3 } from "crypto";
+import MailComposer from "nodemailer/lib/mail-composer/index.js";
+async function addAccount(clients, store, input) {
+  const cfg = input.config ?? {};
+  const host = String(cfg.host ?? "");
+  const port = Number(cfg.port ?? 993);
+  const secure = cfg.secure !== false;
+  const user = String(cfg.user ?? input.email ?? "");
+  const password = String(cfg.password ?? "");
+  const smtpHost = String(cfg.smtpHost ?? host);
+  const smtpPort = Number(cfg.smtpPort ?? 587);
+  const smtpSecure = cfg.smtpSecure === true;
+  if (!host || !user || !password) {
+    throw new Error(
+      "IMAP requires config: { host, port?, secure?, user, password, smtpHost?, smtpPort?, smtpSecure? }"
+    );
+  }
+  const tokens = {
+    host,
+    port,
+    secure,
+    user,
+    password,
+    smtpHost: smtpHost || host,
+    smtpPort: smtpPort || 587,
+    smtpSecure
   };
-  if (structuredContent !== void 0) {
-    result.structuredContent = structuredContent;
+  const client = clients.get({
+    email: user.toLowerCase(),
+    provider: "imap",
+    tokens,
+    addedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  try {
+    await client.getImap();
+  } finally {
+    clients.invalidate(user.toLowerCase());
   }
-  return result;
+  try {
+    const t = client.getTransporter();
+    await t.verify();
+  } catch {
+  }
+  const email = user.toLowerCase();
+  const rec = {
+    email,
+    provider: "imap",
+    displayName: input.email ?? user,
+    tokens,
+    addedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const saved = await store.upsertAccount(rec);
+  return { status: "ready", account: saved };
 }
-function fail(message) {
+function completeAddAccount() {
   return {
-    isError: true,
-    content: [{ type: "text", text: message }]
+    status: "error",
+    error: "IMAP accounts are set up synchronously \u2014 no polling needed. Call add_account with IMAP config to create the account directly."
   };
 }
-var emailAddrSchema = z.object({
-  address: z.string().email(),
-  name: z.string().optional()
-});
-var emailAddrOutputSchema = z.object({
-  name: z.string().optional(),
-  address: z.string()
+async function sendEmail(clients, account, msg) {
+  const client = clients.get(account);
+  const transporter = client.getTransporter();
+  const mailOptions = {
+    from: `${account.displayName ?? ""} <${account.email}>`,
+    to: msg.to.map((a) => a.name ? `"${a.name}" <${a.address}>` : a.address).join(", "),
+    subject: msg.subject
+  };
+  if (msg.isHtml) {
+    mailOptions.html = msg.body;
+  } else {
+    mailOptions.text = msg.body;
+  }
+  mailOptions.attachDataUrls = true;
+  if (msg.cc && msg.cc.length > 0) {
+    mailOptions.cc = msg.cc.map((a) => a.name ? `"${a.name}" <${a.address}>` : a.address).join(", ");
+  }
+  if (msg.bcc && msg.bcc.length > 0) {
+    mailOptions.bcc = msg.bcc.map((a) => a.name ? `"${a.name}" <${a.address}>` : a.address).join(", ");
+  }
+  if (msg.inReplyTo || msg.forwardMessageId) {
+    const refId = msg.inReplyTo ?? msg.forwardMessageId;
+    if (refId) {
+      try {
+        const { folder: refFolder, uid: refUid } = decodeId(refId);
+        const refMsg = await client.withMailbox(refFolder, async (imap) => {
+          return imap.fetchOne(
+            refUid,
+            { envelope: true, source: true },
+            { uid: true }
+          );
+        });
+        if (refMsg?.envelope) {
+          const env = refMsg.envelope;
+          if (msg.inReplyTo && env.messageId && !msg.forwardMessageId) {
+            mailOptions.inReplyTo = env.messageId;
+            mailOptions.references = env.messageId;
+          }
+        }
+        if (msg.forwardMessageId && refMsg?.source) {
+          const sourceStr = typeof refMsg.source === "string" ? refMsg.source : Buffer.from(refMsg.source).toString("utf-8");
+          const divider = '\n\n<div style="line-height:12px"><br></div>\n\n<div style="border-left:2px solid #ccc; padding-left:8px; margin-left:0; color:#666">\n---------- Forwarded message ---------<br>' + sourceStr + "\n</div>";
+          if (mailOptions.html) {
+            mailOptions.html += divider;
+          } else if (mailOptions.text) {
+            mailOptions.text += "\n\n---------- Forwarded message ---------\n" + sourceStr;
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  const info = await transporter.sendMail(mailOptions);
+  try {
+    const rawMsg = await buildRawMessage(account, msg, info.messageId);
+    await client.withMailbox("Sent", async (imap) => {
+      await imap.append("Sent", rawMsg, ["\\Seen"]);
+    });
+  } catch {
+  }
+  return { id: info.messageId };
+}
+async function saveDraft(clients, account, msg) {
+  const client = clients.get(account);
+  const rawMsg = await buildRawMessage(account, msg);
+  return client.withMailbox("Drafts", async (imap) => {
+    const result = await imap.append("Drafts", rawMsg, ["\\Draft"]);
+    return { id: encodeId("Drafts", result.uid) };
+  });
+}
+async function updateDraft(clients, account, id, update) {
+  const client = clients.get(account);
+  const { folder, uid } = decodeId(id);
+  return client.withMailbox(folder, async (imap) => {
+    const existing = await imap.fetchOne(
+      uid,
+      { source: true, envelope: true },
+      { uid: true }
+    );
+    if (!existing?.source) {
+      throw new Error(`draft not found: ${id}`);
+    }
+    const origSubject = existing.envelope ? existing.envelope.subject ?? "" : "";
+    const updatedMsg = {
+      from: `${account.displayName ?? ""} <${account.email}>`,
+      subject: update.subject ?? origSubject,
+      attachDataUrls: true
+    };
+    if (update.body !== void 0) {
+      if (update.isHtml) {
+        updatedMsg.html = update.body;
+      } else {
+        updatedMsg.text = update.body;
+      }
+    }
+    const raw = await new Promise((resolve, reject) => {
+      const mc = new MailComposer(updatedMsg);
+      mc.compile().build((err, buf) => {
+        if (err) reject(err);
+        else resolve(buf);
+      });
+    });
+    await imap.messageDelete(uid, { uid: true });
+    const result = await imap.append(folder, raw, ["\\Draft"]);
+    return { id: encodeId(folder, result.uid) };
+  });
+}
+async function moveEmail(clients, account, id, destinationId) {
+  const client = clients.get(account);
+  const { folder, uid } = decodeId(id);
+  const dest = resolveFolder(destinationId);
+  return client.withMailbox(folder, async (imap) => {
+    await imap.messageMove(uid, dest, { uid: true });
+  });
+}
+async function sendDraft(clients, account, id) {
+  const client = clients.get(account);
+  const { folder, uid } = decodeId(id);
+  return client.withMailbox(folder, async (imap) => {
+    const draft = await imap.fetchOne(
+      uid,
+      { source: true },
+      { uid: true }
+    );
+    if (!draft?.source) {
+      throw new Error(`draft not found: ${id}`);
+    }
+    const sourceStr = typeof draft.source === "string" ? draft.source : Buffer.from(draft.source).toString("utf-8");
+    const transporter = client.getTransporter();
+    const info = await transporter.sendMail({ raw: sourceStr });
+    try {
+      await imap.messageMove(uid, "Sent", { uid: true });
+    } catch {
+    }
+    return { id: info.messageId };
+  });
+}
+async function addAttachmentToDraft(clients, account, draftId, name, contentBytes, contentType) {
+  const client = clients.get(account);
+  const { folder, uid } = decodeId(draftId);
+  return client.withMailbox(folder, async (imap) => {
+    const existing = await imap.fetchOne(
+      uid,
+      { source: true },
+      { uid: true }
+    );
+    if (!existing?.source) {
+      throw new Error(`draft not found: ${draftId}`);
+    }
+    const sourceStr = typeof existing.source === "string" ? existing.source : Buffer.from(existing.source).toString("utf-8");
+    const built = await new Promise((resolve, reject) => {
+      const mc = new MailComposer({
+        raw: sourceStr,
+        attachments: [
+          {
+            filename: name,
+            content: Buffer.from(contentBytes, "base64"),
+            contentType: contentType ?? "application/octet-stream"
+          }
+        ]
+      });
+      mc.compile().build((err, buf) => {
+        if (err) reject(err);
+        else resolve(buf);
+      });
+    });
+    await imap.messageDelete(uid, { uid: true });
+    const result = await imap.append(folder, built, ["\\Draft"]);
+    return {
+      id: encodeId(folder, result.uid),
+      attachment: {
+        id: randomUUID3(),
+        name,
+        contentType: contentType ?? "application/octet-stream"
+      }
+    };
+  });
+}
+async function markRead(clients, account, id, isRead) {
+  const client = clients.get(account);
+  const { folder, uid } = decodeId(id);
+  return client.withMailbox(folder, async (imap) => {
+    if (isRead) {
+      await imap.messageFlagsAdd(uid, ["\\Seen"], { uid: true });
+    } else {
+      await imap.messageFlagsRemove(uid, ["\\Seen"], { uid: true });
+    }
+  });
+}
+async function createFolder(clients, account, input) {
+  const client = clients.get(account);
+  const imap = await client.getImap();
+  const path2 = input.parentFolderId ? `${input.parentFolderId}/${input.displayName}` : input.displayName;
+  const result = await imap.mailboxCreate(path2);
+  return {
+    id: result.path,
+    displayName: result.path,
+    parentFolderId: input.parentFolderId,
+    childFolderCount: 0,
+    totalItemCount: 0,
+    unreadItemCount: 0
+  };
+}
+async function renameFolder(clients, account, folderId, newName) {
+  const client = clients.get(account);
+  const imap = await client.getImap();
+  const lastSep = folderId.lastIndexOf("/");
+  const newPath = lastSep === -1 ? newName : folderId.slice(0, lastSep + 1) + newName;
+  const result = await imap.mailboxRename(folderId, newPath);
+  return {
+    id: result.path,
+    displayName: result.path,
+    parentFolderId: lastSep === -1 ? void 0 : folderId.slice(0, lastSep),
+    childFolderCount: 0,
+    totalItemCount: 0,
+    unreadItemCount: 0
+  };
+}
+async function deleteFolder(clients, account, folderId) {
+  const client = clients.get(account);
+  const imap = await client.getImap();
+  await imap.mailboxDelete(folderId);
+}
+async function buildRawMessage(account, msg, messageId) {
+  const mailOptions = {
+    from: `${account.displayName ?? ""} <${account.email}>`,
+    to: msg.to.map((a) => a.name ? `"${a.name}" <${a.address}>` : a.address).join(", "),
+    subject: msg.subject,
+    attachDataUrls: true
+  };
+  if (msg.isHtml) {
+    mailOptions.html = msg.body;
+  } else {
+    mailOptions.text = msg.body;
+  }
+  if (msg.cc && msg.cc.length > 0) {
+    mailOptions.cc = msg.cc.map((a) => a.name ? `"${a.name}" <${a.address}>` : a.address).join(", ");
+  }
+  if (msg.bcc && msg.bcc.length > 0) {
+    mailOptions.bcc = msg.bcc.map((a) => a.name ? `"${a.name}" <${a.address}>` : a.address).join(", ");
+  }
+  if (messageId) {
+    mailOptions.messageId = messageId;
+  }
+  return new Promise((resolve, reject) => {
+    const mc = new MailComposer(mailOptions);
+    mc.compile().build((err, buf) => {
+      if (err) reject(err);
+      else resolve(buf.toString("utf-8"));
+    });
+  });
+}
+
+// src/providers/imap/index.ts
+var ImapProvider = class {
+  constructor(store) {
+    this.store = store;
+  }
+  store;
+  id = "imap";
+  clients = new ImapClientFactory();
+  // ---------- account lifecycle ----------
+  async addAccount(input) {
+    if (!this.store) throw new Error("IMAP provider requires an AccountStore");
+    return addAccount(this.clients, this.store, input);
+  }
+  async completeAddAccount(_handle) {
+    return completeAddAccount();
+  }
+  // ---------- browse ----------
+  async listEmails(account, opts) {
+    return listEmails(this.clients, account, opts);
+  }
+  async searchEmails(account, query, opts) {
+    return searchEmails(this.clients, account, query, opts);
+  }
+  async readEmail(account, id) {
+    return readEmail(this.clients, account, id);
+  }
+  async readAttachment(account, messageId, attachmentId) {
+    return readAttachment(this.clients, account, messageId, attachmentId);
+  }
+  // ---------- compose ----------
+  async sendEmail(account, msg) {
+    return sendEmail(this.clients, account, msg);
+  }
+  async saveDraft(account, msg) {
+    return saveDraft(this.clients, account, msg);
+  }
+  async updateDraft(account, id, update) {
+    return updateDraft(this.clients, account, id, update);
+  }
+  async moveEmail(account, id, destinationId) {
+    return moveEmail(this.clients, account, id, destinationId);
+  }
+  async sendDraft(account, id) {
+    return sendDraft(this.clients, account, id);
+  }
+  async addAttachmentToDraft(account, draftId, name, contentBytes, contentType) {
+    return addAttachmentToDraft(this.clients, account, draftId, name, contentBytes, contentType);
+  }
+  // ---------- organize ----------
+  async markRead(account, id, isRead) {
+    return markRead(this.clients, account, id, isRead);
+  }
+  // ---------- folders ----------
+  async listFolders(account, opts) {
+    return listFolders(this.clients, account, opts);
+  }
+  async createFolder(account, input) {
+    return createFolder(this.clients, account, input);
+  }
+  async renameFolder(account, folderId, newName) {
+    return renameFolder(this.clients, account, folderId, newName);
+  }
+  async deleteFolder(account, folderId) {
+    return deleteFolder(this.clients, account, folderId);
+  }
+};
+
+// src/providers/gmail/index.ts
+import { randomUUID as randomUUID5 } from "crypto";
+
+// src/providers/gmail/auth.ts
+import { OAuth2Client } from "google-auth-library";
+var GOOGLE_DEVICE_CODE_URL = "https://oauth2.googleapis.com/device/code";
+var GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token";
+var DEFAULT_SCOPES2 = [
+  "https://www.googleapis.com/auth/gmail.modify"
+];
+function isSerializedGmailTokens(obj) {
+  if (typeof obj !== "object" || obj === null) return false;
+  const o = obj;
+  return typeof o.clientId === "string" && (o.clientSecret === void 0 || typeof o.clientSecret === "string") && typeof o.accessToken === "string" && typeof o.refreshToken === "string" && typeof o.expiryDate === "number" && Array.isArray(o.scopes) && typeof o.email === "string";
+}
+function buildOAuth2Client(tokens) {
+  const client = new OAuth2Client({
+    clientId: tokens?.clientId,
+    clientSecret: tokens?.clientSecret
+  });
+  if (tokens) {
+    client.setCredentials({
+      access_token: tokens.accessToken,
+      refresh_token: tokens.refreshToken,
+      expiry_date: tokens.expiryDate,
+      scope: tokens.scopes.join(" ")
+    });
+  }
+  return client;
+}
+async function getEmailFromToken(accessToken) {
+  const res = await fetch(
+    "https://gmail.googleapis.com/gmail/v1/users/me/profile",
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`
+      }
+    }
+  );
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(
+      `Failed to get Gmail profile (${res.status}): ${body}`
+    );
+  }
+  const data = await res.json();
+  return data.emailAddress;
+}
+function beginDeviceCode2(scopes = DEFAULT_SCOPES2, clientIdOverride, clientSecretOverride) {
+  const clientId = clientIdOverride || process.env.GOOGLE_CLIENT_ID;
+  if (!clientId) {
+    throw new Error(
+      "GOOGLE_CLIENT_ID is required for Gmail OAuth \u2014 set it in env or provider config"
+    );
+  }
+  const clientSecret = clientSecretOverride || process.env.GOOGLE_CLIENT_SECRET || void 0;
+  let resolve;
+  let reject;
+  const result = new Promise(
+    (res, rej) => {
+      resolve = res;
+      reject = rej;
+    }
+  );
+  let userCode = "";
+  let verificationUri = "";
+  let message = "";
+  let expiresAt = new Date(Date.now() + 15 * 6e4).toISOString();
+  let aborted = false;
+  const ready = (async () => {
+    try {
+      const dcParams = new URLSearchParams();
+      dcParams.set("client_id", clientId);
+      if (clientSecret) dcParams.set("client_secret", clientSecret);
+      dcParams.set("scope", scopes.join(" "));
+      const dcRes = await fetch(GOOGLE_DEVICE_CODE_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: dcParams.toString()
+      });
+      if (!dcRes.ok) {
+        const errBody = await dcRes.json().catch(() => ({}));
+        throw new Error(
+          `Google device-code request failed: ${errBody.error_description ?? errBody.error ?? dcRes.statusText}`
+        );
+      }
+      const dcData = await dcRes.json();
+      userCode = dcData.user_code;
+      verificationUri = dcData.verification_url;
+      const deviceCode = dcData.device_code;
+      let interval = dcData.interval ?? 5;
+      if (dcData.expires_in) {
+        expiresAt = new Date(
+          Date.now() + dcData.expires_in * 1e3
+        ).toISOString();
+      }
+      message = `Go to ${verificationUri} and enter code: ${userCode}`;
+      const tokenParams = new URLSearchParams();
+      tokenParams.set("client_id", clientId);
+      if (clientSecret) tokenParams.set("client_secret", clientSecret);
+      tokenParams.set("device_code", deviceCode);
+      tokenParams.set(
+        "grant_type",
+        "urn:ietf:params:oauth:grant-type:device_code"
+      );
+      const deadline = Date.now() + dcData.expires_in * 1e3;
+      while (Date.now() < deadline && !aborted) {
+        await new Promise((r) => setTimeout(r, interval * 1e3));
+        if (aborted) return;
+        const tokenRes = await fetch(GOOGLE_TOKEN_URL, {
+          method: "POST",
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          body: tokenParams.toString()
+        });
+        const tokenData = await tokenRes.json();
+        if (tokenData.access_token) {
+          const email = await getEmailFromToken(tokenData.access_token);
+          const tokens = {
+            clientId,
+            clientSecret,
+            accessToken: tokenData.access_token,
+            refreshToken: tokenData.refresh_token ?? "",
+            expiryDate: tokenData.expires_in ? Date.now() + tokenData.expires_in * 1e3 : Date.now() + 36e5,
+            scopes: tokenData.scope ? tokenData.scope.split(" ") : scopes,
+            email
+          };
+          resolve({ tokens, email });
+          return;
+        }
+        switch (tokenData.error) {
+          case "authorization_pending":
+            break;
+          // keep polling
+          case "slow_down":
+            interval += 1;
+            break;
+          case "expired_token":
+            throw new Error("Device code expired \u2014 please try again");
+          case "access_denied":
+            throw new Error("User denied access");
+          default:
+            throw new Error(
+              `Token request failed: ${tokenData.error ?? "unknown error"}`
+            );
+        }
+      }
+      if (!aborted) {
+        throw new Error("Device code expired \u2014 please try again");
+      }
+    } catch (err) {
+      if (!aborted) reject(err);
+    }
+  })();
+  return {
+    get userCode() {
+      return userCode;
+    },
+    get verificationUri() {
+      return verificationUri;
+    },
+    get message() {
+      return message;
+    },
+    get expiresAt() {
+      return expiresAt;
+    },
+    result,
+    cancel() {
+      aborted = true;
+    },
+    ...{ _ready: ready }
+  };
+}
+async function awaitDeviceCodeReady2(b) {
+  const r = b._ready;
+  await r;
+}
+
+// src/providers/gmail/client.ts
+import { google } from "googleapis";
+var GmailClientFactory = class {
+  constructor(store, clientId, clientSecret) {
+    this.store = store;
+    this.clientId = clientId;
+    this.clientSecret = clientSecret;
+  }
+  store;
+  clientId;
+  clientSecret;
+  cache = /* @__PURE__ */ new Map();
+  get(account) {
+    const key = account.email.toLowerCase();
+    const existing = this.cache.get(key);
+    if (existing) return existing;
+    if (!isSerializedGmailTokens(account.tokens)) {
+      throw new Error(
+        "Gmail account tokens are missing or corrupted \u2014 re-run add_account"
+      );
+    }
+    const tokens = account.tokens;
+    const resolvedClientId = tokens.clientId || this.clientId;
+    const resolvedSecret = tokens.clientSecret || this.clientSecret;
+    const auth = buildOAuth2Client({
+      ...tokens,
+      clientId: resolvedClientId ?? tokens.clientId,
+      clientSecret: resolvedSecret
+    });
+    const store = this.store;
+    auth.on("tokens", (updated) => {
+      if (!updated.refresh_token && !updated.access_token) return;
+      const fresh = store.getAccount(account.email) ?? account;
+      const currentTokens = isSerializedGmailTokens(fresh.tokens) ? fresh.tokens : tokens;
+      const nextTokens = {
+        ...currentTokens,
+        accessToken: updated.access_token ?? currentTokens.accessToken,
+        refreshToken: updated.refresh_token ?? currentTokens.refreshToken,
+        expiryDate: updated.expiry_date ?? currentTokens.expiryDate,
+        scopes: updated.scope ? updated.scope.split(" ") : currentTokens.scopes
+      };
+      store.upsertAccount({
+        ...fresh,
+        tokens: nextTokens
+      }).catch(() => {
+      });
+    });
+    const gmail = google.gmail({ version: "v1", auth });
+    const entry = { auth, gmail };
+    this.cache.set(key, entry);
+    return entry;
+  }
+  /** Drop a cached client (e.g. after removeAccount). */
+  invalidate(email) {
+    this.cache.delete(email.toLowerCase());
+  }
+};
+
+// src/providers/gmail/read-ops.ts
+import { writeFileSync as writeFileSync2 } from "fs";
+import { tmpdir as tmpdir3 } from "os";
+import { join as pathJoin3 } from "path";
+
+// src/providers/gmail/helpers.ts
+import MailComposer2 from "nodemailer/lib/mail-composer/index.js";
+var WELL_KNOWN_TO_LABEL = {
+  inbox: "INBOX",
+  sentitems: "SENT",
+  drafts: "DRAFT",
+  deleteditems: "TRASH",
+  junkemail: "SPAM",
+  outbox: ""
+  // Gmail has no outbox; sendEmail handles this.
+};
+function resolveLabel(wellKnownOrId) {
+  const lower = wellKnownOrId.toLowerCase();
+  return WELL_KNOWN_TO_LABEL[lower] ?? wellKnownOrId;
+}
+function resolveLabelsForMove(destinationId) {
+  if (destinationId.toLowerCase() === "archive") {
+    return { addLabelIds: [], removeLabelIds: ["INBOX"] };
+  }
+  return { addLabelIds: [resolveLabel(destinationId)], removeLabelIds: [] };
+}
+function mapHeaderAddr(raw) {
+  if (!raw) return [];
+  const addrs = raw.split(",");
+  return addrs.map((a) => {
+    const trimmed = a.trim();
+    const match = trimmed.match(/^(.+?)\s*<(.+@.+)>$/);
+    if (match) return { name: match[1].trim(), address: match[2] };
+    return { address: trimmed };
+  });
+}
+function findHeader(headers, name) {
+  if (!headers) return void 0;
+  const h = headers.find(
+    (h2) => h2.name?.toLowerCase() === name.toLowerCase()
+  );
+  return h?.value ?? void 0;
+}
+function decodeBody(body) {
+  if (!body?.data) return "";
+  return Buffer.from(
+    body.data.replace(/-/g, "+").replace(/_/g, "/"),
+    "base64"
+  ).toString("utf-8");
+}
+function parsePayload(payload, prefix = "") {
+  let bodyText;
+  let bodyHtml;
+  const attachments = [];
+  function walk(part, partPrefix) {
+    const mime = part.mimeType ?? "";
+    if (mime === "text/plain" && bodyText === void 0) {
+      bodyText = decodeBody(part.body ?? {});
+      return;
+    }
+    if (mime === "text/html" && bodyHtml === void 0) {
+      bodyHtml = decodeBody(part.body ?? {});
+      return;
+    }
+    if (part.parts) {
+      for (let i = 0; i < part.parts.length; i++) {
+        walk(part.parts[i], (partPrefix ? `${partPrefix}.` : "") + String(i));
+      }
+      return;
+    }
+    const topType = mime.split("/")[0] ?? "";
+    const hasFilename = !!part.filename || !!part.body?.attachmentId;
+    const isAttachment = hasFilename || !!mime && topType !== "text" && topType !== "multipart";
+    if (isAttachment && part.body?.attachmentId) {
+      attachments.push({
+        id: part.body.attachmentId,
+        name: part.filename ?? part.partId ?? "attachment",
+        contentType: mime || void 0,
+        size: part.body.size != null ? Number(part.body.size) : void 0
+      });
+    }
+  }
+  walk(payload, prefix);
+  return { bodyText, bodyHtml, attachments };
+}
+function mapSummary3(id, headers, flags) {
+  return {
+    id,
+    subject: findHeader(headers, "Subject") ?? "",
+    from: mapHeaderAddr(findHeader(headers, "From"))[0],
+    to: mapHeaderAddr(findHeader(headers, "To")),
+    receivedAt: flags.internalDate ? new Date(Number(flags.internalDate)).toISOString() : void 0,
+    preview: void 0,
+    isRead: !(flags.labelIds?.includes("UNREAD") ?? false),
+    hasAttachments: false
+  };
+}
+function mapFolder2(label) {
+  return {
+    id: label.id ?? "",
+    displayName: label.name ?? "",
+    parentFolderId: void 0,
+    childFolderCount: 0,
+    totalItemCount: label.messagesTotal ?? 0,
+    unreadItemCount: label.messagesUnread ?? 0
+  };
+}
+function clampLimit3(v, dflt, max) {
+  if (!v || v <= 0) return dflt;
+  return Math.min(v, max);
+}
+async function pool(items, concurrency, fn) {
+  const results = new Array(items.length);
+  let idx = 0;
+  async function worker() {
+    while (idx < items.length) {
+      const i = idx++;
+      results[i] = await fn(items[i]);
+    }
+  }
+  const workers = Array.from(
+    { length: Math.min(concurrency, items.length) },
+    () => worker()
+  );
+  await Promise.all(workers);
+  return results;
+}
+function base64urlEncode(buf) {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function buildRawMessage2(account, msg, messageId) {
+  const { body: transformed, images } = parseInlineImages(msg.body);
+  const mailOptions = {
+    from: `${account.displayName ?? ""} <${account.email}>`,
+    to: msg.to.map((a) => a.name ? `"${a.name}" <${a.address}>` : a.address).join(", "),
+    subject: msg.subject,
+    attachDataUrls: true
+  };
+  if (msg.isHtml) {
+    mailOptions.html = transformed;
+  } else {
+    mailOptions.text = transformed;
+  }
+  if (msg.cc && msg.cc.length > 0) {
+    mailOptions.cc = msg.cc.map((a) => a.name ? `"${a.name}" <${a.address}>` : a.address).join(", ");
+  }
+  if (msg.bcc && msg.bcc.length > 0) {
+    mailOptions.bcc = msg.bcc.map((a) => a.name ? `"${a.name}" <${a.address}>` : a.address).join(", ");
+  }
+  if (images.length > 0) {
+    mailOptions.attachments = images.map((img) => ({
+      filename: img.filename,
+      content: Buffer.from(img.contentBytes, "base64"),
+      contentType: img.contentType,
+      cid: img.cid
+    }));
+  }
+  if (messageId) {
+    mailOptions.messageId = messageId;
+  }
+  const rawStr = await new Promise((resolve, reject) => {
+    const mc = new MailComposer2(mailOptions);
+    mc.compile().build((err, buf) => {
+      if (err) reject(err);
+      else resolve(buf.toString("utf-8"));
+    });
+  });
+  return { raw: base64urlEncode(Buffer.from(rawStr, "utf-8")) };
+}
+
+// src/providers/gmail/read-ops.ts
+async function listEmails2(clients, account, opts) {
+  const { gmail } = clients.get(account);
+  const limit = clampLimit3(opts.limit, 25, 100);
+  const label = resolveLabel(opts.folder ?? "inbox");
+  const params = {
+    userId: "me",
+    labelIds: [label],
+    maxResults: limit
+  };
+  if (opts.unreadOnly) {
+    params.q = "is:unread";
+  }
+  const allIds = [];
+  let pageToken;
+  do {
+    const res = await gmail.users.messages.list({ ...params, pageToken });
+    if (res.data.messages) allIds.push(...res.data.messages);
+    pageToken = res.data.nextPageToken ?? void 0;
+  } while (pageToken && allIds.length < (opts.skip ?? 0) + limit);
+  const skip = opts.skip ?? 0;
+  const pageIds = allIds.slice(skip, skip + limit);
+  const hasMore = skip + limit < allIds.length;
+  if (pageIds.length === 0) {
+    return { items: [], hasMore };
+  }
+  const items = await pool(pageIds, 10, async (entry) => {
+    const msgId = entry.id ?? "";
+    const msgRes = await gmail.users.messages.get({
+      userId: "me",
+      id: msgId,
+      format: "metadata",
+      metadataHeaders: ["From", "Subject", "To", "Date"]
+    });
+    const msg = msgRes.data;
+    return mapSummary3(msgId, msg.payload?.headers ?? [], {
+      labelIds: msg.labelIds,
+      internalDate: msg.internalDate
+    });
+  });
+  return { items, hasMore };
+}
+async function searchEmails2(clients, account, query, opts) {
+  const { gmail } = clients.get(account);
+  const limit = clampLimit3(opts.limit, 25, 100);
+  const res = await gmail.users.messages.list({
+    userId: "me",
+    q: query,
+    maxResults: limit
+  });
+  const ids = res.data.messages ?? [];
+  if (ids.length === 0) return [];
+  const items = await pool(ids, 10, async (entry) => {
+    const msgId = entry.id ?? "";
+    const msgRes = await gmail.users.messages.get({
+      userId: "me",
+      id: msgId,
+      format: "metadata",
+      metadataHeaders: ["From", "Subject", "To", "Date"]
+    });
+    const msg = msgRes.data;
+    return mapSummary3(msgId, msg.payload?.headers ?? [], {
+      labelIds: msg.labelIds,
+      internalDate: msg.internalDate
+    });
+  });
+  return items;
+}
+async function readEmail2(clients, account, id) {
+  const { gmail } = clients.get(account);
+  const res = await gmail.users.messages.get({
+    userId: "me",
+    id,
+    format: "full"
+  });
+  const msg = res.data;
+  if (!msg) throw new Error(`message not found: ${id}`);
+  const headers = msg.payload?.headers ?? [];
+  const { bodyText, bodyHtml, attachments } = parsePayload(msg.payload ?? {});
+  const summary = mapSummary3(id, headers, {
+    labelIds: msg.labelIds,
+    internalDate: msg.internalDate
+  });
+  return {
+    ...summary,
+    cc: mapHeaderAddr(findHeader(headers, "Cc")),
+    bcc: mapHeaderAddr(findHeader(headers, "Bcc")),
+    bodyText,
+    bodyHtml,
+    attachments: attachments.length > 0 ? attachments : void 0,
+    hasAttachments: attachments.length > 0
+  };
+}
+async function readAttachment2(clients, account, messageId, attachmentId) {
+  const { gmail } = clients.get(account);
+  const msgRes = await gmail.users.messages.get({
+    userId: "me",
+    id: messageId,
+    format: "full"
+  });
+  const { attachments } = parsePayload(msgRes.data.payload ?? {});
+  const match = attachments.find((a) => a.id === attachmentId);
+  const name = match?.name ?? "attachment";
+  const contentType = match?.contentType;
+  const attRes = await gmail.users.messages.attachments.get({
+    userId: "me",
+    messageId,
+    id: attachmentId
+  });
+  const data = attRes.data.data;
+  if (!data) throw new Error("attachment data is empty");
+  const buf = Buffer.from(
+    data.replace(/-/g, "+").replace(/_/g, "/"),
+    "base64"
+  );
+  const outPath = pathJoin3(tmpdir3(), name);
+  writeFileSync2(outPath, buf);
+  return { name, contentType, path: outPath };
+}
+async function listFolders2(clients, account, _opts) {
+  const { gmail } = clients.get(account);
+  const res = await gmail.users.labels.list({ userId: "me" });
+  const labels = res.data.labels ?? [];
+  return labels.map(mapFolder2);
+}
+
+// src/providers/gmail/write-ops.ts
+import { randomUUID as randomUUID4 } from "crypto";
+import { Buffer as Buffer2 } from "buffer";
+import MailComposer3 from "nodemailer/lib/mail-composer/index.js";
+async function sendEmail2(clients, account, msg) {
+  const { gmail } = clients.get(account);
+  let threadId;
+  let rawBody;
+  if (msg.forwardMessageId) {
+    const fwdRes = await gmail.users.messages.get({
+      userId: "me",
+      id: msg.forwardMessageId,
+      format: "raw"
+    });
+    threadId = fwdRes.data.threadId ?? void 0;
+    const fwdRaw = fwdRes.data.raw;
+    if (fwdRaw) {
+      const fwdStr = Buffer2.from(
+        fwdRaw.replace(/-/g, "+").replace(/_/g, "/"),
+        "base64"
+      ).toString("utf-8");
+      const divider = '\n\n<div style="line-height:12px"><br></div>\n\n<div style="border-left:2px solid #ccc; padding-left:8px; margin-left:0; color:#666">\n---------- Forwarded message ---------<br>' + fwdStr + "\n</div>";
+      const combinedMsg = { ...msg, body: msg.body + divider };
+      rawBody = await buildRawMessage2(account, combinedMsg);
+    } else {
+      rawBody = await buildRawMessage2(account, msg);
+    }
+  } else {
+    rawBody = await buildRawMessage2(account, msg);
+    if (msg.inReplyTo) {
+      try {
+        const refRes = await gmail.users.messages.get({
+          userId: "me",
+          id: msg.inReplyTo,
+          format: "minimal"
+        });
+        threadId = refRes.data.threadId ?? void 0;
+      } catch {
+      }
+    }
+  }
+  const sendRes = await gmail.users.messages.send({
+    userId: "me",
+    requestBody: {
+      raw: rawBody.raw,
+      threadId
+    }
+  });
+  return { id: sendRes.data.id ?? "" };
+}
+async function saveDraft2(clients, account, msg) {
+  const { gmail } = clients.get(account);
+  const { raw } = await buildRawMessage2(account, msg);
+  let threadId;
+  if (msg.inReplyTo) {
+    try {
+      const refRes = await gmail.users.messages.get({
+        userId: "me",
+        id: msg.inReplyTo,
+        format: "minimal"
+      });
+      threadId = refRes.data.threadId ?? void 0;
+    } catch {
+    }
+  }
+  const draftRes = await gmail.users.drafts.create({
+    userId: "me",
+    requestBody: {
+      message: { raw, threadId }
+    }
+  });
+  return { id: draftRes.data.message?.id ?? draftRes.data.id ?? "" };
+}
+async function updateDraft2(clients, account, id, update) {
+  const { gmail } = clients.get(account);
+  const draftRes = await gmail.users.drafts.get({
+    userId: "me",
+    id,
+    format: "raw"
+  });
+  const existingMessage = draftRes.data.message;
+  if (!existingMessage?.raw) {
+    throw new Error(`draft not found: ${id}`);
+  }
+  const existingHeaders = existingMessage.payload?.headers ?? [];
+  const origSubject = findHeader(existingHeaders, "Subject") ?? "";
+  const rawStr = Buffer2.from(
+    existingMessage.raw.replace(/-/g, "+").replace(/_/g, "/"),
+    "base64"
+  ).toString("utf-8");
+  const existingTo = update.to ?? mapHeaderAddr(findHeader(existingHeaders, "To"));
+  const existingCc = update.cc ?? mapHeaderAddr(findHeader(existingHeaders, "Cc"));
+  const existingBcc = update.bcc ?? mapHeaderAddr(findHeader(existingHeaders, "Bcc"));
+  const { raw } = await buildRawMessage2(account, {
+    to: existingTo,
+    subject: update.subject ?? origSubject,
+    body: update.body ?? "",
+    isHtml: update.isHtml,
+    cc: existingCc.length > 0 ? existingCc : void 0,
+    bcc: existingBcc.length > 0 ? existingBcc : void 0
+  });
+  const updated = await gmail.users.drafts.update({
+    userId: "me",
+    id,
+    requestBody: {
+      message: {
+        raw,
+        threadId: existingMessage.threadId ?? void 0
+      }
+    }
+  });
+  return { id: updated.data.message?.id ?? updated.data.id ?? id };
+}
+async function moveEmail2(clients, account, id, destinationId) {
+  const { gmail } = clients.get(account);
+  const { addLabelIds, removeLabelIds } = resolveLabelsForMove(destinationId);
+  await gmail.users.messages.modify({
+    userId: "me",
+    id,
+    requestBody: { addLabelIds, removeLabelIds }
+  });
+}
+async function sendDraft2(clients, account, id) {
+  const { gmail } = clients.get(account);
+  const res = await gmail.users.drafts.send({
+    userId: "me",
+    requestBody: { id }
+  });
+  return { id: res.data.id ?? id };
+}
+async function addAttachmentToDraft2(clients, account, draftId, name, contentBytes, contentType) {
+  const { gmail } = clients.get(account);
+  const draftRes = await gmail.users.drafts.get({
+    userId: "me",
+    id: draftId,
+    format: "raw"
+  });
+  const existingMessage = draftRes.data.message;
+  if (!existingMessage?.raw) {
+    throw new Error(`draft not found: ${draftId}`);
+  }
+  const rawStr = Buffer2.from(
+    existingMessage.raw.replace(/-/g, "+").replace(/_/g, "/"),
+    "base64"
+  ).toString("utf-8");
+  const newRawStr = await new Promise((resolve, reject) => {
+    const mc = new MailComposer3({
+      raw: rawStr,
+      attachments: [
+        {
+          filename: name,
+          content: Buffer2.from(contentBytes, "base64"),
+          contentType: contentType ?? "application/octet-stream"
+        }
+      ]
+    });
+    mc.compile().build((err, buf) => {
+      if (err) reject(err);
+      else resolve(buf.toString("utf-8"));
+    });
+  });
+  const updated = await gmail.users.drafts.update({
+    userId: "me",
+    id: draftId,
+    requestBody: {
+      message: {
+        raw: base64urlEncode(Buffer2.from(newRawStr, "utf-8")),
+        threadId: existingMessage.threadId ?? void 0
+      }
+    }
+  });
+  return {
+    id: updated.data.message?.id ?? updated.data.id ?? draftId,
+    attachment: {
+      id: randomUUID4(),
+      name,
+      contentType: contentType ?? "application/octet-stream"
+    }
+  };
+}
+async function markRead2(clients, account, id, isRead) {
+  const { gmail } = clients.get(account);
+  await gmail.users.messages.modify({
+    userId: "me",
+    id,
+    requestBody: {
+      removeLabelIds: isRead ? ["UNREAD"] : void 0,
+      addLabelIds: isRead ? void 0 : ["UNREAD"]
+    }
+  });
+}
+async function createFolder2(clients, account, input) {
+  const { gmail } = clients.get(account);
+  const created = await gmail.users.labels.create({
+    userId: "me",
+    requestBody: {
+      name: input.displayName,
+      messageListVisibility: "show",
+      labelListVisibility: "labelShow"
+    }
+  });
+  return mapFolder2(created.data);
+}
+async function renameFolder2(clients, account, folderId, newName) {
+  const { gmail } = clients.get(account);
+  const updated = await gmail.users.labels.patch({
+    userId: "me",
+    id: folderId,
+    requestBody: { name: newName }
+  });
+  return mapFolder2(updated.data);
+}
+async function deleteFolder2(clients, account, folderId) {
+  const { gmail } = clients.get(account);
+  await gmail.users.labels.delete({
+    userId: "me",
+    id: folderId
+  });
+}
+
+// src/providers/gmail/index.ts
+var GmailProvider = class {
+  constructor(opts) {
+    this.opts = opts;
+    this.clientId = opts.clientId;
+    this.clientSecret = opts.clientSecret;
+    this.clients = new GmailClientFactory(
+      opts.store,
+      opts.clientId,
+      opts.clientSecret
+    );
+  }
+  opts;
+  id = "gmail";
+  clients;
+  pending = /* @__PURE__ */ new Map();
+  clientId;
+  clientSecret;
+  // ── account lifecycle ──
+  async addAccount(input) {
+    const begin = beginDeviceCode2(
+      void 0,
+      this.clientId,
+      this.clientSecret
+    );
+    await awaitDeviceCodeReady2(begin);
+    const handle = randomUUID5();
+    const flow = {
+      begin,
+      emailHint: input.email,
+      startedAt: Date.now(),
+      settled: "pending"
+    };
+    this.pending.set(handle, flow);
+    begin.result.then(async ({ tokens, email }) => {
+      const resolvedEmail = (email || input.email || "").toLowerCase();
+      if (!resolvedEmail) {
+        flow.settled = "error";
+        flow.error = "no email returned from Google account";
+        return;
+      }
+      const rec = {
+        email: resolvedEmail,
+        provider: "gmail",
+        displayName: resolvedEmail,
+        tokens,
+        addedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      const saved = await this.opts.store.upsertAccount(rec);
+      flow.account = saved;
+      flow.settled = "ready";
+    }).catch((err) => {
+      flow.settled = "error";
+      flow.error = err instanceof Error ? err.message : String(err);
+    });
+    return {
+      status: "pending",
+      handle,
+      verification: {
+        userCode: begin.userCode,
+        verificationUri: begin.verificationUri,
+        expiresAt: begin.expiresAt,
+        message: begin.message
+      }
+    };
+  }
+  async completeAddAccount(handle) {
+    const flow = this.pending.get(handle);
+    if (!flow) return { status: "error", error: "unknown handle" };
+    if (Date.now() - flow.startedAt > 20 * 6e4 && flow.settled === "pending") {
+      flow.settled = "expired";
+      flow.begin.cancel();
+    }
+    if (flow.settled === "ready" && flow.account) {
+      this.pending.delete(handle);
+      return { status: "ready", account: flow.account };
+    }
+    if (flow.settled === "error") {
+      this.pending.delete(handle);
+      return { status: "error", error: flow.error ?? "unknown error" };
+    }
+    if (flow.settled === "expired") {
+      this.pending.delete(handle);
+      return { status: "expired" };
+    }
+    return { status: "pending" };
+  }
+  // ── browse ──
+  async listEmails(account, opts) {
+    return listEmails2(this.clients, account, opts);
+  }
+  async searchEmails(account, query, opts) {
+    return searchEmails2(this.clients, account, query, opts);
+  }
+  async readEmail(account, id) {
+    return readEmail2(this.clients, account, id);
+  }
+  async readAttachment(account, messageId, attachmentId) {
+    return readAttachment2(this.clients, account, messageId, attachmentId);
+  }
+  // ── compose ──
+  async sendEmail(account, msg) {
+    return sendEmail2(this.clients, account, msg);
+  }
+  async saveDraft(account, msg) {
+    return saveDraft2(this.clients, account, msg);
+  }
+  async updateDraft(account, id, update) {
+    return updateDraft2(this.clients, account, id, update);
+  }
+  async moveEmail(account, id, destinationId) {
+    return moveEmail2(this.clients, account, id, destinationId);
+  }
+  async sendDraft(account, id) {
+    return sendDraft2(this.clients, account, id);
+  }
+  async addAttachmentToDraft(account, draftId, name, contentBytes, contentType) {
+    return addAttachmentToDraft2(
+      this.clients,
+      account,
+      draftId,
+      name,
+      contentBytes,
+      contentType
+    );
+  }
+  // ── organize ──
+  async markRead(account, id, isRead) {
+    return markRead2(this.clients, account, id, isRead);
+  }
+  // ── folders ──
+  async listFolders(account, opts) {
+    return listFolders2(this.clients, account, opts);
+  }
+  async createFolder(account, input) {
+    return createFolder2(this.clients, account, input);
+  }
+  async renameFolder(account, folderId, newName) {
+    return renameFolder2(this.clients, account, folderId, newName);
+  }
+  async deleteFolder(account, folderId) {
+    return deleteFolder2(this.clients, account, folderId);
+  }
+};
+
+// src/providers/registry.ts
+function buildRegistry(opts) {
+  const outlookCfg = opts.providers?.outlook;
+  const providers = /* @__PURE__ */ new Map();
+  providers.set("outlook", new OutlookProvider({
+    store: opts.store,
+    clientId: outlookCfg?.clientId,
+    tenantId: outlookCfg?.tenantId
+  }));
+  providers.set("imap", new ImapProvider(opts.store));
+  const gmailCfg = opts.providers?.gmail;
+  providers.set("gmail", new GmailProvider({
+    store: opts.store,
+    clientId: gmailCfg?.clientId,
+    clientSecret: gmailCfg?.clientSecret
+  }));
+  function get(id) {
+    const p = providers.get(id);
+    if (!p) throw new Error(`unknown provider: ${id}`);
+    return p;
+  }
+  function resolveByEmail(email) {
+    const account = opts.store.getAccount(email);
+    if (!account) {
+      throw new Error(
+        `no account registered for "${email}". Call add_account first.`
+      );
+    }
+    return { provider: get(account.provider), account };
+  }
+  return {
+    get,
+    resolveByEmail,
+    list: () => Array.from(providers.values())
+  };
+}
+
+// src/tools/shared.ts
+import { z } from "zod";
+function ok(data, structuredContent) {
+  const result = {
+    content: [{ type: "text", text: JSON.stringify(data, null, 2) }]
+  };
+  if (structuredContent !== void 0) {
+    result.structuredContent = structuredContent;
+  }
+  return result;
+}
+function fail(message) {
+  return {
+    isError: true,
+    content: [{ type: "text", text: message }]
+  };
+}
+function errMsg(err) {
+  if (err instanceof Error) return err.message;
+  return String(err);
+}
+var providerIdEnum = z.enum(["outlook", "imap", "gmail"]);
+var emailAddrSchema = z.object({
+  address: z.string().email(),
+  name: z.string().optional()
+});
+var emailAddrOutputSchema = z.object({
+  name: z.string().optional(),
+  address: z.string()
 });
 var accountSummaryOutputSchema = z.object({
   email: z.string(),
-  provider: z.enum(["outlook", "imap", "gmail"]),
+  provider: providerIdEnum,
   displayName: z.string().optional(),
   addedAt: z.string(),
   hasSignature: z.boolean(),
   hasStyle: z.boolean()
 });
+var styleOutputSchema = z.object({
+  fontFamily: z.string().optional(),
+  fontSize: z.string().optional(),
+  fontColor: z.string().optional()
+});
+var accountFullOutputSchema = z.object({
+  email: z.string(),
+  provider: providerIdEnum,
+  displayName: z.string().optional(),
+  tokens: z.record(z.unknown()),
+  addedAt: z.string(),
+  signature: z.string().optional(),
+  style: styleOutputSchema.optional()
+});
 var emailSummaryOutputSchema = z.object({
   id: z.string(),
   subject: z.string(),
@@ -852,374 +2526,680 @@ var attachmentMetaOutputSchema = z.object({
   contentType: z.string().optional(),
   size: z.number().optional()
 });
-var styleOutputSchema = z.object({
-  fontFamily: z.string().optional(),
-  fontSize: z.string().optional(),
-  fontColor: z.string().optional()
+var folderInfoOutputSchema = z.object({
+  id: z.string(),
+  displayName: z.string(),
+  parentFolderId: z.string().optional(),
+  childFolderCount: z.number(),
+  totalItemCount: z.number(),
+  unreadItemCount: z.number()
 });
-function registerTools(server, opts) {
-  const { store, registry, readOnly = false, draftOnly = false } = opts;
+function composeBody(input) {
+  const { body, isHtml = false, signature, style, includeSignature } = input;
+  const hasSignature = includeSignature && !!signature;
+  const hasStyle = !!(style && (style.fontFamily || style.fontSize || style.fontColor));
+  if (!hasSignature && !hasStyle) {
+    return { body, isHtml };
+  }
+  const styleAttr = hasStyle ? buildStyleAttr(style) : "";
+  if (isHtml) {
+    let result2 = hasStyle ? `<div style="${styleAttr}">${body}</div>` : body;
+    if (hasSignature) result2 += `
+<div class="signature">${signature}</div>`;
+    return { body: result2, isHtml: true };
+  }
+  const escaped = escapeHtml(body);
+  let result = `<div style="${styleAttr}">${escaped}</div>`;
+  if (hasSignature) result += `
+<div class="signature">${signature}</div>`;
+  return { body: result, isHtml: true };
+}
+function buildStyleAttr(style) {
+  const parts = [];
+  if (style.fontFamily) parts.push(`font-family: ${style.fontFamily}`);
+  if (style.fontSize) parts.push(`font-size: ${style.fontSize}`);
+  if (style.fontColor) parts.push(`color: ${style.fontColor}`);
+  return parts.join("; ");
+}
+function escapeHtml(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/\n/g, "<br>");
+}
+function shouldRegister(name, tools) {
+  if (tools.enabledTools) {
+    return tools.enabledTools.has(name);
+  }
+  if (tools.disabledTools) {
+    return !tools.disabledTools.has(name);
+  }
+  return true;
+}
+
+// src/tools/accounts.ts
+import { z as z2 } from "zod";
+function registerAccountTools(server, ctx) {
+  const { store, registry, tools } = ctx;
   const listAccountsOutputSchema = {
-    accounts: z.array(accountSummaryOutputSchema)
+    accounts: z2.array(accountSummaryOutputSchema)
   };
-  server.registerTool(
-    "list_accounts",
-    {
-      description: "List all email accounts known to this server (no secrets). Use the returned `email` value as the `account` argument to other tools.",
-      inputSchema: {},
-      outputSchema: listAccountsOutputSchema
-    },
-    async () => {
-      const rows = store.listAccounts().map((a) => ({
-        email: a.email,
-        provider: a.provider,
-        displayName: a.displayName,
-        addedAt: a.addedAt,
-        hasSignature: !!a.signature,
-        hasStyle: !!(a.style && (a.style.fontFamily || a.style.fontSize || a.style.fontColor))
-      }));
-      const data = { accounts: rows };
-      return ok(data, data);
-    }
-  );
-  const addAccountOutputSchema = z.discriminatedUnion("status", [
-    z.object({
-      status: z.literal("pending"),
-      handle: z.string(),
-      verification: z.object({
-        userCode: z.string(),
-        verificationUri: z.string(),
-        expiresAt: z.string(),
-        message: z.string()
+  if (shouldRegister("list_accounts", tools)) {
+    server.registerTool(
+      "list_accounts",
+      {
+        description: "List all email accounts known to this server (no secrets). Use the returned `email` value as the `account` argument to other tools.",
+        inputSchema: {},
+        outputSchema: listAccountsOutputSchema
+      },
+      async () => {
+        const rows = store.listAccounts().map((a) => ({
+          email: a.email,
+          provider: a.provider,
+          displayName: a.displayName,
+          addedAt: a.addedAt,
+          hasSignature: !!a.signature,
+          hasStyle: !!(a.style && (a.style.fontFamily || a.style.fontSize || a.style.fontColor))
+        }));
+        const data = { accounts: rows };
+        return ok(data, data);
+      }
+    );
+  }
+  const addAccountOutputSchema = z2.discriminatedUnion("status", [
+    z2.object({
+      status: z2.literal("pending"),
+      handle: z2.string(),
+      verification: z2.object({
+        userCode: z2.string(),
+        verificationUri: z2.string(),
+        expiresAt: z2.string(),
+        message: z2.string()
       })
     }),
-    z.object({
-      status: z.literal("ready"),
-      account: z.object({
-        email: z.string(),
-        provider: z.enum(["outlook", "imap", "gmail"]),
-        displayName: z.string().optional(),
-        tokens: z.record(z.unknown()),
-        addedAt: z.string(),
-        signature: z.string().optional(),
-        style: styleOutputSchema.optional()
-      })
+    z2.object({
+      status: z2.literal("ready"),
+      account: accountFullOutputSchema
     })
   ]);
-  server.registerTool(
-    "add_account",
-    {
-      description: "Start adding an email account. For Outlook this returns a device code the user must enter at the verification URL; then call `complete_add_account` with the returned `handle` to finalize. Disabled in --read-only mode.",
-      inputSchema: {
-        provider: z.enum(["outlook", "imap", "gmail"]).describe("Email backend. v1 only fully implements 'outlook'."),
-        email: z.string().email().optional().describe("Optional hint \u2014 the provider will verify it against the auth result."),
-        config: z.record(z.unknown()).optional().describe("Provider-specific config (e.g. IMAP host/port). Unused for Outlook.")
+  if (shouldRegister("add_account", tools)) {
+    server.registerTool(
+      "add_account",
+      {
+        description: "Start adding an email account. For Outlook this returns a device code the user must enter at the verification URL; then call `complete_add_account` with the returned `handle` to finalize. Disabled in --read-only mode.",
+        inputSchema: {
+          provider: providerIdEnum.describe("Email backend. 'outlook' (Microsoft Graph) and 'imap' are fully implemented."),
+          email: z2.string().email().optional().describe(
+            "Optional hint \u2014 the provider will verify it against the auth result."
+          ),
+          config: z2.record(z2.unknown()).optional().describe(
+            "Provider-specific config (e.g. IMAP host/port). Unused for Outlook."
+          )
+        },
+        outputSchema: addAccountOutputSchema
       },
-      outputSchema: addAccountOutputSchema
-    },
-    async (args) => {
-      if (readOnly) return fail("server is in --read-only mode; add_account is disabled");
-      const provider = registry.get(args.provider);
-      try {
-        const res = await provider.addAccount({ email: args.email, config: args.config });
-        return ok(res, res);
-      } catch (err) {
-        return fail(errMsg(err));
+      async (args) => {
+        const provider = registry.get(args.provider);
+        try {
+          const res = await provider.addAccount({
+            email: args.email,
+            config: args.config
+          });
+          return ok(res, res);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
       }
-    }
-  );
-  const completeAddAccountOutputSchema = z.object({
-    status: z.enum(["pending", "ready", "expired", "error"]),
-    account: z.object({
-      email: z.string(),
-      provider: z.enum(["outlook", "imap", "gmail"]),
-      displayName: z.string().optional(),
-      tokens: z.record(z.unknown()),
-      addedAt: z.string(),
-      signature: z.string().optional(),
-      style: styleOutputSchema.optional()
-    }).optional(),
-    error: z.string().optional()
+    );
+  }
+  const completeAddAccountOutputSchema = z2.object({
+    status: z2.enum(["pending", "ready", "expired", "error"]),
+    account: accountFullOutputSchema.optional(),
+    error: z2.string().optional()
   });
-  server.registerTool(
-    "complete_add_account",
-    {
-      description: "Poll/finalize a pending add_account flow. Returns `pending` until the user completes the device-code step, then `ready` with the persisted account.",
-      inputSchema: {
-        provider: z.enum(["outlook", "imap", "gmail"]),
-        handle: z.string().min(1)
+  if (shouldRegister("complete_add_account", tools)) {
+    server.registerTool(
+      "complete_add_account",
+      {
+        description: "Poll/finalize a pending add_account flow. Returns `pending` until the user completes the device-code step, then `ready` with the persisted account.",
+        inputSchema: {
+          provider: providerIdEnum,
+          handle: z2.string().min(1)
+        },
+        outputSchema: completeAddAccountOutputSchema
       },
-      outputSchema: completeAddAccountOutputSchema
-    },
-    async (args) => {
-      const provider = registry.get(args.provider);
-      if (!provider.completeAddAccount) {
-        return fail(`provider ${args.provider} has no async add-account flow`);
-      }
-      try {
-        const res = await provider.completeAddAccount(args.handle);
-        return ok(res, res);
-      } catch (err) {
-        return fail(errMsg(err));
+      async (args) => {
+        const provider = registry.get(args.provider);
+        if (!provider.completeAddAccount) {
+          return fail(
+            `provider ${args.provider} has no async add-account flow`
+          );
+        }
+        try {
+          const res = await provider.completeAddAccount(args.handle);
+          return ok(res, res);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
       }
-    }
-  );
+    );
+  }
   const accountSettingsOutputSchema = {
-    signature: z.string().nullable(),
+    signature: z2.string().nullable(),
     style: styleOutputSchema.nullable()
   };
-  server.registerTool(
-    "get_account_settings",
-    {
-      description: "Get signature (HTML) and style preferences for an account.",
-      inputSchema: { account: z.string().email() },
-      outputSchema: accountSettingsOutputSchema
-    },
-    async (args) => {
-      try {
-        const acct = store.getAccount(args.account);
-        if (!acct) return fail(`no account registered for "${args.account}"`);
-        const data = { signature: acct.signature ?? null, style: acct.style ?? null };
-        return ok(data, data);
-      } catch (err) {
-        return fail(errMsg(err));
+  if (shouldRegister("get_account_settings", tools)) {
+    server.registerTool(
+      "get_account_settings",
+      {
+        description: "Get signature (HTML) and style preferences for an account.",
+        inputSchema: { account: z2.string().email() },
+        outputSchema: accountSettingsOutputSchema
+      },
+      async (args) => {
+        try {
+          const acct = store.getAccount(args.account);
+          if (!acct)
+            return fail(`no account registered for "${args.account}"`);
+          const data = {
+            signature: acct.signature ?? null,
+            style: acct.style ?? null
+          };
+          return ok(data, data);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
       }
-    }
-  );
-  server.registerTool(
-    "set_account_settings",
-    {
-      description: "Set signature (HTML snippet) and/or style preferences for an account. Disabled in --read-only mode.",
-      inputSchema: {
-        account: z.string().email(),
-        signature: z.string().optional().describe("HTML snippet \u2014 may contain formatting, images, links. Pass null to clear."),
-        style: z.object({
-          fontFamily: z.string().optional(),
-          fontSize: z.string().optional(),
-          fontColor: z.string().optional()
-        }).optional().describe("Font preferences applied to outgoing HTML emails. Pass null to clear.")
+    );
+  }
+  if (shouldRegister("set_account_settings", tools)) {
+    server.registerTool(
+      "set_account_settings",
+      {
+        description: "Set signature (HTML snippet) and/or style preferences for an account. Disabled in --read-only mode.",
+        inputSchema: {
+          account: z2.string().email(),
+          signature: z2.string().optional().describe(
+            "HTML snippet \u2014 may contain formatting, images, links. Pass null to clear."
+          ),
+          style: z2.object({
+            fontFamily: z2.string().optional(),
+            fontSize: z2.string().optional(),
+            fontColor: z2.string().optional()
+          }).optional().describe(
+            "Font preferences applied to outgoing HTML emails. Pass null to clear."
+          )
+        },
+        outputSchema: accountSettingsOutputSchema
       },
-      outputSchema: accountSettingsOutputSchema
-    },
-    async (args) => {
-      if (readOnly) return fail("server is in --read-only mode; set_account_settings is disabled");
-      try {
-        const acct = store.getAccount(args.account);
-        if (!acct) return fail(`no account registered for "${args.account}"`);
-        const updated = await store.upsertAccount({
-          ...acct,
-          signature: args.signature ?? acct.signature,
-          style: args.style ?? acct.style
-        });
-        const data = { signature: updated.signature ?? null, style: updated.style ?? null };
-        return ok(data, data);
-      } catch (err) {
-        return fail(errMsg(err));
+      async (args) => {
+        try {
+          const acct = store.getAccount(args.account);
+          if (!acct)
+            return fail(`no account registered for "${args.account}"`);
+          const updated = await store.upsertAccount({
+            ...acct,
+            signature: args.signature ?? acct.signature,
+            style: args.style ?? acct.style
+          });
+          const data = {
+            signature: updated.signature ?? null,
+            style: updated.style ?? null
+          };
+          return ok(data, data);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
       }
-    }
-  );
+    );
+  }
   const removeAccountOutputSchema = {
-    removed: z.boolean(),
-    email: z.string()
+    removed: z2.boolean(),
+    email: z2.string()
   };
-  server.registerTool(
-    "remove_account",
-    {
-      description: "Forget an account and delete its stored tokens. Disabled in --read-only mode.",
-      inputSchema: { email: z.string().email() },
-      outputSchema: removeAccountOutputSchema
-    },
-    async (args) => {
-      if (readOnly) return fail("server is in --read-only mode; remove_account is disabled");
-      const removed = await store.removeAccount(args.email);
-      const data = { removed, email: args.email };
-      return ok(data, data);
+  if (shouldRegister("remove_account", tools)) {
+    server.registerTool(
+      "remove_account",
+      {
+        description: "Forget an account and delete its stored tokens. Disabled in --read-only mode.",
+        inputSchema: { email: z2.string().email() },
+        outputSchema: removeAccountOutputSchema
+      },
+      async (args) => {
+        const removed = await store.removeAccount(args.email);
+        const data = { removed, email: args.email };
+        return ok(data, data);
+      }
+    );
+  }
+}
+
+// src/tools/browse.ts
+import { z as z3 } from "zod";
+
+// src/html-to-markdown.ts
+import TurndownService from "turndown";
+var turndown = new TurndownService();
+function htmlToMarkdown(html) {
+  return turndown.turndown(html);
+}
+function selectBody(msg, format) {
+  switch (format) {
+    case "markdown": {
+      if (msg.bodyHtml) return htmlToMarkdown(msg.bodyHtml);
+      if (msg.bodyText) return msg.bodyText;
+      return "";
     }
-  );
+    case "html": {
+      if (msg.bodyHtml) return msg.bodyHtml;
+      if (msg.bodyText) return msg.bodyText;
+      return "";
+    }
+    case "text": {
+      if (msg.bodyText) return msg.bodyText;
+      if (msg.bodyHtml) return msg.bodyHtml.replace(/<[^>]*>/g, "");
+      return "";
+    }
+  }
+}
+
+// src/tools/browse.ts
+function registerBrowseTools(server, ctx) {
+  const { registry, tools } = ctx;
   const emailListOutputSchema = {
-    account: z.string(),
-    count: z.number(),
-    items: z.array(emailSummaryOutputSchema)
+    account: z3.string(),
+    count: z3.number(),
+    items: z3.array(emailSummaryOutputSchema),
+    skip: z3.number(),
+    hasMore: z3.boolean()
   };
-  server.registerTool(
-    "list_emails",
-    {
-      description: "List recent emails in a folder of the given account. Pass the user's email address as `account`; the server routes to the correct backend automatically.",
-      inputSchema: {
-        account: z.string().email(),
-        folder: z.string().default("inbox").optional(),
-        limit: z.number().int().positive().max(100).optional(),
-        unreadOnly: z.boolean().optional()
+  const searchEmailsOutputSchema = {
+    account: z3.string(),
+    count: z3.number(),
+    items: z3.array(emailSummaryOutputSchema)
+  };
+  if (shouldRegister("list_emails", tools)) {
+    server.registerTool(
+      "list_emails",
+      {
+        description: "List recent emails in a folder of the given account. Pass the user's email address as `account`; the server routes to the correct backend automatically.",
+        inputSchema: {
+          account: z3.string().email(),
+          folder: z3.string().default("inbox").optional(),
+          limit: z3.number().int().positive().max(100).optional(),
+          unreadOnly: z3.boolean().optional(),
+          skip: z3.number().int().min(0).optional()
+        },
+        outputSchema: emailListOutputSchema
       },
-      outputSchema: emailListOutputSchema
-    },
-    async (args) => {
-      try {
-        const { provider, account } = registry.resolveByEmail(args.account);
-        const items = await provider.listEmails(account, {
-          folder: args.folder,
-          limit: args.limit,
-          unreadOnly: args.unreadOnly
-        });
-        const data = { account: account.email, count: items.length, items };
-        return ok(data, data);
-      } catch (err) {
-        return fail(errMsg(err));
+      async (args) => {
+        try {
+          const { provider, account } = registry.resolveByEmail(args.account);
+          const { items, hasMore } = await provider.listEmails(account, {
+            folder: args.folder,
+            limit: args.limit,
+            unreadOnly: args.unreadOnly,
+            skip: args.skip
+          });
+          const data = {
+            account: account.email,
+            count: items.length,
+            items,
+            skip: args.skip ?? 0,
+            hasMore
+          };
+          return ok(data, data);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
       }
-    }
-  );
-  server.registerTool(
-    "search_emails",
-    {
-      description: "Search emails by free-text query (KQL on Outlook). Returns lightweight summaries.",
-      inputSchema: {
-        account: z.string().email(),
-        query: z.string().min(1),
-        limit: z.number().int().positive().max(100).optional()
+    );
+  }
+  if (shouldRegister("search_emails", tools)) {
+    server.registerTool(
+      "search_emails",
+      {
+        description: "Search emails by free-text query (KQL on Outlook). Returns lightweight summaries.",
+        inputSchema: {
+          account: z3.string().email(),
+          query: z3.string().min(1),
+          limit: z3.number().int().positive().max(100).optional()
+        },
+        outputSchema: searchEmailsOutputSchema
+      },
+      async (args) => {
+        try {
+          const { provider, account } = registry.resolveByEmail(args.account);
+          const items = await provider.searchEmails(account, args.query, {
+            limit: args.limit
+          });
+          const data = {
+            account: account.email,
+            count: items.length,
+            items
+          };
+          return ok(data, data);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
+      }
+    );
+  }
+  const readEmailOutputSchema = {
+    id: z3.string(),
+    subject: z3.string(),
+    from: emailAddrOutputSchema.optional(),
+    to: z3.array(emailAddrOutputSchema).optional(),
+    cc: z3.array(emailAddrOutputSchema).optional(),
+    bcc: z3.array(emailAddrOutputSchema).optional(),
+    receivedAt: z3.string().optional(),
+    preview: z3.string().optional(),
+    isRead: z3.boolean().optional(),
+    hasAttachments: z3.boolean().optional(),
+    folder: z3.string().optional(),
+    attachments: z3.array(attachmentMetaOutputSchema).optional(),
+    body: z3.string(),
+    bodyFormat: z3.enum(["markdown", "html", "text"])
+  };
+  if (shouldRegister("read_email", tools)) {
+    server.registerTool(
+      "read_email",
+      {
+        description: "Fetch a single email with full body and recipients by id. Body is returned as `body` with `bodyFormat` indicating the format. Default format is 'markdown' \u2014 HTML is automatically converted to save context tokens.",
+        inputSchema: {
+          account: z3.string().email(),
+          id: z3.string().min(1),
+          format: z3.enum(["markdown", "html", "text"]).default("markdown").optional().describe(
+            "Output body format. 'markdown' converts HTML to Markdown (default), 'html' returns the raw HTML, 'text' returns plain text."
+          )
+        },
+        outputSchema: readEmailOutputSchema
+      },
+      async (args) => {
+        try {
+          const { provider, account } = registry.resolveByEmail(args.account);
+          const msg = await provider.readEmail(account, args.id);
+          const format = args.format ?? "markdown";
+          const body = selectBody(msg, format);
+          const data = {
+            id: msg.id,
+            subject: msg.subject,
+            from: msg.from,
+            to: msg.to,
+            cc: msg.cc,
+            bcc: msg.bcc,
+            receivedAt: msg.receivedAt,
+            preview: msg.preview,
+            isRead: msg.isRead,
+            hasAttachments: msg.hasAttachments,
+            folder: msg.folder,
+            attachments: msg.attachments,
+            body,
+            bodyFormat: format
+          };
+          return ok(data, data);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
+      }
+    );
+  }
+  const readAttachmentOutputSchema = {
+    name: z3.string(),
+    contentType: z3.string().optional(),
+    path: z3.string()
+  };
+  if (shouldRegister("read_attachment", tools)) {
+    server.registerTool(
+      "read_attachment",
+      {
+        description: "Download an email attachment to a temporary file and return its path. Use messageId and attachmentId from a prior read_email call.",
+        inputSchema: {
+          account: z3.string().email(),
+          messageId: z3.string().min(1),
+          attachmentId: z3.string().min(1)
+        },
+        outputSchema: readAttachmentOutputSchema
+      },
+      async (args) => {
+        try {
+          const { provider, account } = registry.resolveByEmail(args.account);
+          const res = await provider.readAttachment(
+            account,
+            args.messageId,
+            args.attachmentId
+          );
+          return ok(res, res);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
+      }
+    );
+  }
+}
+
+// src/tools/folders.ts
+import { z as z4 } from "zod";
+function registerFolderTools(server, ctx) {
+  const { registry, tools } = ctx;
+  const listFoldersOutputSchema = {
+    account: z4.string(),
+    count: z4.number(),
+    items: z4.array(folderInfoOutputSchema)
+  };
+  if (shouldRegister("list_folders", tools)) {
+    server.registerTool(
+      "list_folders",
+      {
+        description: "List available mail folders. Returns top-level folders by default, or child folders of the given parent when `parentFolderId` is provided.",
+        inputSchema: {
+          account: z4.string().email(),
+          parentFolderId: z4.string().optional().describe(
+            "When provided, lists child folders of this folder. When omitted, lists top-level folders (children of the root)."
+          )
+        },
+        outputSchema: listFoldersOutputSchema
+      },
+      async (args) => {
+        try {
+          const { provider, account } = registry.resolveByEmail(args.account);
+          const items = await provider.listFolders(account, {
+            parentFolderId: args.parentFolderId
+          });
+          const data = {
+            account: account.email,
+            count: items.length,
+            items
+          };
+          return ok(data, data);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
+      }
+    );
+  }
+  const createFolderOutputSchema = {
+    created: z4.literal(true),
+    folder: folderInfoOutputSchema
+  };
+  if (shouldRegister("create_folder", tools)) {
+    server.registerTool(
+      "create_folder",
+      {
+        description: "Create a new mail folder. Creates under the root folder by default, or under the specified parent when `parentFolderId` is provided. Disabled in --read-only mode.",
+        inputSchema: {
+          account: z4.string().email(),
+          displayName: z4.string().min(1).describe("Name of the new folder"),
+          parentFolderId: z4.string().optional().describe(
+            "When provided, creates the folder as a child of this folder. When omitted, creates under the root folder."
+          )
+        },
+        outputSchema: createFolderOutputSchema
       },
-      outputSchema: emailListOutputSchema
-    },
-    async (args) => {
-      try {
-        const { provider, account } = registry.resolveByEmail(args.account);
-        const items = await provider.searchEmails(account, args.query, {
-          limit: args.limit
-        });
-        const data = { account: account.email, count: items.length, items };
-        return ok(data, data);
-      } catch (err) {
-        return fail(errMsg(err));
+      async (args) => {
+        try {
+          const { provider, account } = registry.resolveByEmail(args.account);
+          const folder = await provider.createFolder(account, {
+            displayName: args.displayName,
+            parentFolderId: args.parentFolderId
+          });
+          const data = { created: true, folder };
+          return ok(data, data);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
       }
-    }
-  );
-  const readEmailOutputSchema = {
-    id: z.string(),
-    subject: z.string(),
-    from: emailAddrOutputSchema.optional(),
-    to: z.array(emailAddrOutputSchema).optional(),
-    cc: z.array(emailAddrOutputSchema).optional(),
-    bcc: z.array(emailAddrOutputSchema).optional(),
-    receivedAt: z.string().optional(),
-    preview: z.string().optional(),
-    isRead: z.boolean().optional(),
-    hasAttachments: z.boolean().optional(),
-    folder: z.string().optional(),
-    attachments: z.array(attachmentMetaOutputSchema).optional(),
-    body: z.string(),
-    bodyFormat: z.enum(["markdown", "html", "text"])
+    );
+  }
+  const deleteFolderOutputSchema = {
+    deleted: z4.literal(true),
+    id: z4.string()
   };
-  server.registerTool(
-    "read_email",
-    {
-      description: "Fetch a single email with full body and recipients by id. Body is returned as `body` with `bodyFormat` indicating the format. Default format is 'markdown' \u2014 HTML is automatically converted to save context tokens.",
-      inputSchema: {
-        account: z.string().email(),
-        id: z.string().min(1),
-        format: z.enum(["markdown", "html", "text"]).default("markdown").optional().describe(
-          "Output body format. 'markdown' converts HTML to Markdown (default), 'html' returns the raw HTML, 'text' returns plain text."
-        )
+  if (shouldRegister("delete_folder", tools)) {
+    server.registerTool(
+      "delete_folder",
+      {
+        description: "Delete a mail folder by ID. Disabled in --read-only mode.",
+        inputSchema: {
+          account: z4.string().email(),
+          folderId: z4.string().min(1).describe("ID of the folder to delete")
+        },
+        outputSchema: deleteFolderOutputSchema
       },
-      outputSchema: readEmailOutputSchema
-    },
-    async (args) => {
-      try {
-        const { provider, account } = registry.resolveByEmail(args.account);
-        const msg = await provider.readEmail(account, args.id);
-        const format = args.format ?? "markdown";
-        const body = selectBody(msg, format);
-        const data = {
-          id: msg.id,
-          subject: msg.subject,
-          from: msg.from,
-          to: msg.to,
-          cc: msg.cc,
-          bcc: msg.bcc,
-          receivedAt: msg.receivedAt,
-          preview: msg.preview,
-          isRead: msg.isRead,
-          hasAttachments: msg.hasAttachments,
-          folder: msg.folder,
-          attachments: msg.attachments,
-          body,
-          bodyFormat: format
-        };
-        return ok(data, data);
-      } catch (err) {
-        return fail(errMsg(err));
+      async (args) => {
+        try {
+          const { provider, account } = registry.resolveByEmail(args.account);
+          await provider.deleteFolder(account, args.folderId);
+          const data = { deleted: true, id: args.folderId };
+          return ok(data, data);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
       }
-    }
-  );
-  const readAttachmentOutputSchema = {
-    name: z.string(),
-    contentType: z.string().optional(),
-    path: z.string()
+    );
+  }
+  const renameFolderOutputSchema = {
+    renamed: z4.literal(true),
+    folder: folderInfoOutputSchema
   };
-  server.registerTool(
-    "read_attachment",
-    {
-      description: "Download an email attachment to a temporary file and return its path. Use messageId and attachmentId from a prior read_email call.",
-      inputSchema: {
-        account: z.string().email(),
-        messageId: z.string().min(1),
-        attachmentId: z.string().min(1)
+  if (shouldRegister("rename_folder", tools)) {
+    server.registerTool(
+      "rename_folder",
+      {
+        description: "Rename an existing mail folder. Disabled in --read-only mode.",
+        inputSchema: {
+          account: z4.string().email(),
+          folderId: z4.string().min(1).describe("ID of the folder to rename"),
+          newName: z4.string().min(1).describe("New display name for the folder")
+        },
+        outputSchema: renameFolderOutputSchema
       },
-      outputSchema: readAttachmentOutputSchema
-    },
-    async (args) => {
-      try {
-        const { provider, account } = registry.resolveByEmail(args.account);
-        const res = await provider.readAttachment(account, args.messageId, args.attachmentId);
-        return ok(res, res);
-      } catch (err) {
-        return fail(errMsg(err));
+      async (args) => {
+        try {
+          const { provider, account } = registry.resolveByEmail(args.account);
+          const folder = await provider.renameFolder(
+            account,
+            args.folderId,
+            args.newName
+          );
+          const data = { renamed: true, folder };
+          return ok(data, data);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
       }
-    }
-  );
-  {
-    const schema = {
-      account: z.string().email(),
-      id: z.string().min(1).describe("Message ID to move")
-    };
-    const archiveOutputSchema = {
-      archived: z.literal(true),
-      id: z.string()
-    };
+    );
+  }
+}
+
+// src/tools/organize.ts
+import { z as z5 } from "zod";
+function registerOrganizeTools(server, ctx) {
+  const { registry, tools } = ctx;
+  async function moveToWellKnown(args, destination, resultKey) {
+    const { provider, account } = registry.resolveByEmail(args.account);
+    await provider.moveEmail(account, args.id, destination);
+    const data = { id: args.id };
+    data[resultKey] = true;
+    return ok(data, data);
+  }
+  async function markReadState(args, isRead) {
+    const { provider, account } = registry.resolveByEmail(args.account);
+    await provider.markRead(account, args.id, isRead);
+    const data = { marked: true, id: args.id, isRead };
+    return ok(data, data);
+  }
+  const archiveMoveSchema = {
+    account: z5.string().email(),
+    id: z5.string().min(1).describe("Message ID to move")
+  };
+  const archiveOutputSchema = {
+    archived: z5.literal(true),
+    id: z5.string()
+  };
+  if (shouldRegister("archive_email", tools)) {
     server.registerTool(
       "archive_email",
       {
         description: "Move a message to the Archive folder. Disabled in --read-only mode.",
-        inputSchema: schema,
+        inputSchema: archiveMoveSchema,
         outputSchema: archiveOutputSchema
       },
       async (args) => {
-        if (readOnly) return fail("server is in --read-only mode; archive_email is disabled");
         try {
-          const { provider, account } = registry.resolveByEmail(args.account);
-          await provider.moveEmail(account, args.id, "archive");
-          const data = { archived: true, id: args.id };
-          return ok(data, data);
+          return await moveToWellKnown(args, "archive", "archived");
         } catch (err) {
           return fail(errMsg(err));
         }
       }
     );
-    const trashOutputSchema = {
-      trashed: z.literal(true),
-      id: z.string()
-    };
+  }
+  const trashOutputSchema = {
+    trashed: z5.literal(true),
+    id: z5.string()
+  };
+  if (shouldRegister("trash_email", tools)) {
     server.registerTool(
       "trash_email",
       {
         description: "Move a message to the Deleted Items (trash) folder. Disabled in --read-only mode.",
-        inputSchema: schema,
+        inputSchema: archiveMoveSchema,
         outputSchema: trashOutputSchema
       },
       async (args) => {
-        if (readOnly) return fail("server is in --read-only mode; trash_email is disabled");
+        try {
+          return await moveToWellKnown(args, "deleteditems", "trashed");
+        } catch (err) {
+          return fail(errMsg(err));
+        }
+      }
+    );
+  }
+  const moveEmailOutputSchema = {
+    moved: z5.literal(true),
+    id: z5.string(),
+    destination: z5.string()
+  };
+  if (shouldRegister("move_email", tools)) {
+    server.registerTool(
+      "move_email",
+      {
+        description: "Move a message to any folder by well-known name (e.g. 'inbox', 'drafts', 'junkemail', 'sentitems', 'outbox') or custom folder ID. Disabled in --read-only mode.",
+        inputSchema: {
+          account: z5.string().email(),
+          id: z5.string().min(1).describe("Message ID to move"),
+          destination: z5.string().min(1).describe(
+            "Destination folder \u2014 a well-known folder name ('archive', 'deleteditems', 'inbox', 'drafts', 'junkemail', 'sentitems', 'outbox') or a raw folder ID."
+          )
+        },
+        outputSchema: moveEmailOutputSchema
+      },
+      async (args) => {
         try {
           const { provider, account } = registry.resolveByEmail(args.account);
-          await provider.moveEmail(account, args.id, "deleteditems");
-          const data = { trashed: true, id: args.id };
+          await provider.moveEmail(account, args.id, args.destination);
+          const data = {
+            moved: true,
+            id: args.id,
+            destination: args.destination
+          };
           return ok(data, data);
         } catch (err) {
           return fail(errMsg(err));
@@ -1227,59 +3207,77 @@ function registerTools(server, opts) {
       }
     );
   }
-  const moveEmailOutputSchema = {
-    moved: z.literal(true),
-    id: z.string(),
-    destination: z.string()
+  const markReadInputSchema = {
+    account: z5.string().email(),
+    id: z5.string().min(1).describe("Message ID to mark as read")
   };
-  server.registerTool(
-    "move_email",
-    {
-      description: "Move a message to any folder by well-known name (e.g. 'inbox', 'drafts', 'junkemail', 'sentitems', 'outbox') or custom folder ID. Disabled in --read-only mode.",
-      inputSchema: {
-        account: z.string().email(),
-        id: z.string().min(1).describe("Message ID to move"),
-        destination: z.string().min(1).describe(
-          "Destination folder \u2014 a well-known folder name ('archive', 'deleteditems', 'inbox', 'drafts', 'junkemail', 'sentitems', 'outbox') or a raw folder ID."
-        )
+  const markReadOutputSchema = {
+    marked: z5.literal(true),
+    id: z5.string(),
+    isRead: z5.boolean()
+  };
+  if (shouldRegister("mark_read", tools)) {
+    server.registerTool(
+      "mark_read",
+      {
+        description: "Mark a message as read. Disabled in --read-only mode.",
+        inputSchema: markReadInputSchema,
+        outputSchema: markReadOutputSchema
       },
-      outputSchema: moveEmailOutputSchema
-    },
-    async (args) => {
-      if (readOnly) return fail("server is in --read-only mode; move_email is disabled");
-      try {
-        const { provider, account } = registry.resolveByEmail(args.account);
-        await provider.moveEmail(account, args.id, args.destination);
-        const data = { moved: true, id: args.id, destination: args.destination };
-        return ok(data, data);
-      } catch (err) {
-        return fail(errMsg(err));
+      async (args) => {
+        try {
+          return await markReadState(args, true);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
       }
-    }
-  );
-  const sendEmailSchema = z.object({
-    account: z.string().email(),
-    to: z.array(emailAddrSchema).min(1),
-    cc: z.array(emailAddrSchema).optional(),
-    bcc: z.array(emailAddrSchema).optional(),
-    subject: z.string(),
-    body: z.string(),
-    isHtml: z.boolean().optional(),
-    include_signature: z.boolean().describe(
+    );
+  }
+  if (shouldRegister("mark_unread", tools)) {
+    server.registerTool(
+      "mark_unread",
+      {
+        description: "Mark a message as unread. Disabled in --read-only mode.",
+        inputSchema: markReadInputSchema,
+        outputSchema: markReadOutputSchema
+      },
+      async (args) => {
+        try {
+          return await markReadState(args, false);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
+      }
+    );
+  }
+}
+
+// src/tools/compose.ts
+import { z as z6 } from "zod";
+function registerComposeTools(server, ctx) {
+  const { store, registry, tools } = ctx;
+  const sendEmailSchema = z6.object({
+    account: z6.string().email(),
+    to: z6.array(emailAddrSchema).min(1),
+    cc: z6.array(emailAddrSchema).optional(),
+    bcc: z6.array(emailAddrSchema).optional(),
+    subject: z6.string(),
+    body: z6.string(),
+    isHtml: z6.boolean().optional(),
+    include_signature: z6.boolean().describe(
       "Whether to append the account's saved HTML signature to the email. If true, don't include a signature in the body param to avoid double signature. Returns an error if true but no signature is configured for this account."
     ),
-    inReplyTo: z.string().optional().describe(
+    inReplyTo: z6.string().optional().describe(
       "Message ID to reply to. When set, sends as a threaded reply which includes the quoted thread history automatically."
     ),
-    replyAll: z.boolean().default(false).optional().describe(
+    replyAll: z6.boolean().default(false).optional().describe(
       "When true and `inReplyTo` is set, reply to all recipients instead of just the sender."
     ),
-    forwardMessageId: z.string().optional().describe(
+    forwardMessageId: z6.string().optional().describe(
       "Message ID to forward. When set, sends as a forward of the specified message, preserving the original content. Mutually exclusive with `inReplyTo`."
     )
   });
   async function handleSendOrDraft(args, action, resultKey, toolName) {
-    if (readOnly) return fail(`server is in --read-only mode; ${toolName} is disabled`);
     try {
       const { provider, account } = registry.resolveByEmail(args.account);
       if (args.include_signature && !account.signature) {
@@ -1321,10 +3319,10 @@ function registerTools(server, opts) {
     }
   }
   const sendEmailOutputSchema = {
-    sent: z.literal(true),
-    id: z.string()
+    sent: z6.literal(true),
+    id: z6.string()
   };
-  if (!draftOnly) {
+  if (shouldRegister("send_email", tools)) {
     server.registerTool(
       "send_email",
       {
@@ -1341,142 +3339,328 @@ function registerTools(server, opts) {
     );
   }
   const draftEmailOutputSchema = {
-    draft: z.literal(true),
-    id: z.string(),
-    draftHtml: z.string().optional()
+    draft: z6.literal(true),
+    id: z6.string(),
+    draftHtml: z6.string().optional()
   };
-  server.registerTool(
-    "draft_email",
-    {
-      description: "Create a draft email from the given account without sending it. Works identically to send_email \u2014 appends signature when `include_signature` is true, applies style, and supports replies and forwards \u2014 but saves the message to the Drafts folder instead of sending. Returns the draft message ID and the draft's HTML body content (`draftHtml`). Before sending the draft, inspect `draftHtml` to verify the draft looks correct: no duplicate signature blocks, no broken or missing inline images, no malformed HTML, and no other formatting issues. Disabled in --read-only mode.",
-      inputSchema: sendEmailSchema,
-      outputSchema: draftEmailOutputSchema
-    },
-    async (args) => handleSendOrDraft(
-      args,
-      (p, a, m) => p.saveDraft(a, m),
-      "draft",
-      "draft_email"
-    )
-  );
-  const editDraftSchema = z.object({
-    account: z.string().email(),
-    id: z.string().min(1).describe("Draft message ID to edit"),
-    to: z.array(emailAddrSchema).optional(),
-    cc: z.array(emailAddrSchema).optional(),
-    bcc: z.array(emailAddrSchema).optional(),
-    subject: z.string().optional(),
-    body: z.string().optional(),
-    isHtml: z.boolean().optional(),
-    include_signature: z.boolean().optional().describe(
+  if (shouldRegister("draft_email", tools)) {
+    server.registerTool(
+      "draft_email",
+      {
+        description: "Create a draft email from the given account without sending it. Works identically to send_email \u2014 appends signature when `include_signature` is true, applies style, and supports replies and forwards \u2014 but saves the message to the Drafts folder instead of sending. Returns the draft message ID and the draft's HTML body content (`draftHtml`). Before sending the draft, inspect `draftHtml` to verify the draft looks correct: no duplicate signature blocks, no broken or missing inline images, no malformed HTML, and no other formatting issues. Disabled in --read-only mode.",
+        inputSchema: sendEmailSchema,
+        outputSchema: draftEmailOutputSchema
+      },
+      async (args) => handleSendOrDraft(
+        args,
+        (p, a, m) => p.saveDraft(a, m),
+        "draft",
+        "draft_email"
+      )
+    );
+  }
+  const editDraftSchema = z6.object({
+    account: z6.string().email(),
+    id: z6.string().min(1).describe("Draft message ID to edit"),
+    to: z6.array(emailAddrSchema).optional(),
+    cc: z6.array(emailAddrSchema).optional(),
+    bcc: z6.array(emailAddrSchema).optional(),
+    subject: z6.string().optional(),
+    body: z6.string().optional(),
+    isHtml: z6.boolean().optional(),
+    include_signature: z6.boolean().optional().describe(
       "Whether to re-apply the account's saved HTML signature to the body. If true, don't include a signature in the body param. Only meaningful when `body` is also provided. Returns an error if true but no signature is configured for this account."
     )
   });
   const editDraftOutputSchema = {
-    edited: z.literal(true),
-    id: z.string(),
-    draftHtml: z.string().optional()
+    edited: z6.literal(true),
+    id: z6.string(),
+    draftHtml: z6.string().optional()
   };
-  server.registerTool(
-    "edit_draft",
-    {
-      description: "Edit an existing draft email by ID. Only the fields you provide are updated \u2014 unmentioned fields stay unchanged. When `body` is provided and `include_signature` is true, the account's signature is re-applied. Returns the draft ID and the draft's updated HTML body content (`draftHtml`). Before sending, inspect `draftHtml` to verify the draft looks correct. Does not support changing `inReplyTo` or `forwardMessageId` \u2014 those are set at creation time via `draft_email`. Disabled in --read-only mode.",
-      inputSchema: editDraftSchema,
-      outputSchema: editDraftOutputSchema
-    },
-    async (args) => {
-      const a = args;
-      if (readOnly) return fail("server is in --read-only mode; edit_draft is disabled");
-      try {
-        const { provider, account } = registry.resolveByEmail(a.account);
-        if (a.include_signature && !account.signature) {
-          return fail(
-            "include_signature is true but no signature is configured for this account. Set up a signature first with set_account_settings."
-          );
-        }
-        let bodyPayload;
-        let isHtmlPayload;
-        if (a.body !== void 0) {
-          const composed = composeBody({
-            body: a.body,
-            isHtml: a.isHtml,
-            signature: account.signature,
-            style: account.style,
-            includeSignature: !!a.include_signature
+  if (shouldRegister("edit_draft", tools)) {
+    server.registerTool(
+      "edit_draft",
+      {
+        description: "Edit an existing draft email by ID. Only the fields you provide are updated \u2014 unmentioned fields stay unchanged. When `body` is provided and `include_signature` is true, the account's signature is re-applied. Returns the draft ID and the draft's updated HTML body content (`draftHtml`). Before sending, inspect `draftHtml` to verify the draft looks correct. Does not support changing `inReplyTo` or `forwardMessageId` \u2014 those are set at creation time via `draft_email`. Disabled in --read-only mode.",
+        inputSchema: editDraftSchema,
+        outputSchema: editDraftOutputSchema
+      },
+      async (args) => {
+        const a = args;
+        try {
+          const { provider, account } = registry.resolveByEmail(a.account);
+          if (a.include_signature && !account.signature) {
+            return fail(
+              "include_signature is true but no signature is configured for this account. Set up a signature first with set_account_settings."
+            );
+          }
+          let bodyPayload;
+          let isHtmlPayload;
+          if (a.body !== void 0) {
+            const composed = composeBody({
+              body: a.body,
+              isHtml: a.isHtml,
+              signature: account.signature,
+              style: account.style,
+              includeSignature: !!a.include_signature
+            });
+            bodyPayload = composed.body;
+            isHtmlPayload = composed.isHtml;
+          }
+          const res = await provider.updateDraft(account, a.id, {
+            to: a.to,
+            cc: a.cc,
+            bcc: a.bcc,
+            subject: a.subject,
+            body: bodyPayload,
+            isHtml: isHtmlPayload
           });
-          bodyPayload = composed.body;
-          isHtmlPayload = composed.isHtml;
+          const draft = await provider.readEmail(account, res.id);
+          const result = {
+            edited: true,
+            id: res.id,
+            draftHtml: draft.bodyHtml
+          };
+          return ok(result, result);
+        } catch (err) {
+          return fail(errMsg(err));
         }
-        const res = await provider.updateDraft(account, a.id, {
-          to: a.to,
-          cc: a.cc,
-          bcc: a.bcc,
-          subject: a.subject,
-          body: bodyPayload,
-          isHtml: isHtmlPayload
-        });
-        const draft = await provider.readEmail(account, res.id);
-        const result = {
-          edited: true,
-          id: res.id,
-          draftHtml: draft.bodyHtml
-        };
-        return ok(result, result);
-      } catch (err) {
-        return fail(errMsg(err));
       }
-    }
-  );
-}
-function composeBody(input) {
-  const { body, isHtml = false, signature, style, includeSignature } = input;
-  const hasSignature = includeSignature && !!signature;
-  const hasStyle = !!(style && (style.fontFamily || style.fontSize || style.fontColor));
-  if (!hasSignature && !hasStyle) {
-    return { body, isHtml };
+    );
   }
-  const styleAttr = hasStyle ? buildStyleAttr(style) : "";
-  if (isHtml) {
-    let result2 = hasStyle ? `<div style="${styleAttr}">${body}</div>` : body;
-    if (hasSignature) result2 += `
-<div class="signature">${signature}</div>`;
-    return { body: result2, isHtml: true };
+  const sendDraftOutputSchema = {
+    sent: z6.literal(true),
+    id: z6.string()
+  };
+  if (shouldRegister("send_draft", tools)) {
+    server.registerTool(
+      "send_draft",
+      {
+        description: "Send an existing draft email by ID. Use this with draft IDs returned by `draft_email` or `edit_draft`. Disabled in --read-only mode.",
+        inputSchema: {
+          account: z6.string().email(),
+          id: z6.string().min(1).describe("Draft message ID to send")
+        },
+        outputSchema: sendDraftOutputSchema
+      },
+      async (args) => {
+        try {
+          const { provider, account } = registry.resolveByEmail(args.account);
+          const res = await provider.sendDraft(account, args.id);
+          const data = { sent: true, id: res.id };
+          return ok(data, data);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
+      }
+    );
+  }
+  const addAttachmentOutputSchema = {
+    attached: z6.literal(true),
+    id: z6.string(),
+    attachment: z6.object({
+      id: z6.string(),
+      name: z6.string(),
+      contentType: z6.string().optional()
+    })
+  };
+  if (shouldRegister("add_attachment_to_draft", tools)) {
+    server.registerTool(
+      "add_attachment_to_draft",
+      {
+        description: "Add a file attachment to an existing draft email by ID. `contentBytes` must be base64-encoded file content. `contentType` is the MIME type (e.g. 'application/pdf'); defaults to 'application/octet-stream' if omitted. Disabled in --read-only mode.",
+        inputSchema: {
+          account: z6.string().email(),
+          id: z6.string().min(1).describe("Draft message ID"),
+          name: z6.string().min(1).describe("Attachment filename (e.g. 'report.pdf')"),
+          contentBytes: z6.string().min(1).describe("Base64-encoded file content"),
+          contentType: z6.string().optional().describe("MIME type (e.g. 'application/pdf')")
+        },
+        outputSchema: addAttachmentOutputSchema
+      },
+      async (args) => {
+        try {
+          const { provider, account } = registry.resolveByEmail(args.account);
+          const res = await provider.addAttachmentToDraft(
+            account,
+            args.id,
+            args.name,
+            args.contentBytes,
+            args.contentType
+          );
+          const data = {
+            attached: true,
+            id: res.id,
+            attachment: res.attachment
+          };
+          return ok(data, data);
+        } catch (err) {
+          return fail(errMsg(err));
+        }
+      }
+    );
   }
-  const escaped = escapeHtml(body);
-  let result = `<div style="${styleAttr}">${escaped}</div>`;
-  if (hasSignature) result += `
-<div class="signature">${signature}</div>`;
-  return { body: result, isHtml: true };
-}
-function buildStyleAttr(style) {
-  const parts = [];
-  if (style.fontFamily) parts.push(`font-family: ${style.fontFamily}`);
-  if (style.fontSize) parts.push(`font-size: ${style.fontSize}`);
-  if (style.fontColor) parts.push(`color: ${style.fontColor}`);
-  return parts.join("; ");
-}
-function escapeHtml(text) {
-  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/\n/g, "<br>");
 }
-function errMsg(err) {
-  if (err instanceof Error) return err.message;
-  return String(err);
+
+// src/tools/index.ts
+function registerTools(server, opts) {
+  const { store, registry, tools } = opts;
+  registerAccountTools(server, { store, registry, tools });
+  registerBrowseTools(server, { registry, tools });
+  registerFolderTools(server, { registry, tools });
+  registerOrganizeTools(server, { registry, tools });
+  registerComposeTools(server, { store, registry, tools });
 }
 
 // src/version.ts
-var VERSION = "0.3.0";
+var VERSION = "0.4.1";
+
+// src/config.ts
+import { readFileSync } from "fs";
+import { z as z7 } from "zod";
+var httpConfigSchema = z7.object({
+  enabled: z7.boolean().default(false),
+  port: z7.number().int().min(1).max(65535).default(3e3),
+  host: z7.string().default("127.0.0.1")
+});
+var toolsConfigSchema = z7.object({
+  disabled: z7.array(z7.string()).optional(),
+  enabled: z7.array(z7.string()).optional()
+});
+var outlookProviderSchema = z7.object({
+  clientId: z7.string().optional(),
+  tenantId: z7.string().optional()
+});
+var gmailProviderSchema = z7.object({
+  clientId: z7.string().optional(),
+  clientSecret: z7.string().optional()
+});
+var providersConfigSchema = z7.object({
+  outlook: outlookProviderSchema.optional(),
+  gmail: gmailProviderSchema.optional()
+});
+var rawConfigSchema = z7.object({
+  dataDir: z7.string().optional(),
+  http: httpConfigSchema.optional(),
+  tools: toolsConfigSchema.optional(),
+  providers: providersConfigSchema.optional()
+});
+var KNOWN_TOOLS = [
+  "list_accounts",
+  "add_account",
+  "complete_add_account",
+  "get_account_settings",
+  "set_account_settings",
+  "remove_account",
+  "list_emails",
+  "search_emails",
+  "read_email",
+  "read_attachment",
+  "archive_email",
+  "trash_email",
+  "move_email",
+  "mark_read",
+  "mark_unread",
+  "list_folders",
+  "create_folder",
+  "delete_folder",
+  "rename_folder",
+  "send_email",
+  "draft_email",
+  "edit_draft",
+  "send_draft",
+  "add_attachment_to_draft"
+];
+var ENV_VAR_RE = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
+function resolveEnvVars(value) {
+  return value.replace(ENV_VAR_RE, (_match, name) => {
+    return process.env[name] ?? "";
+  });
+}
+function deepResolve(obj) {
+  if (typeof obj === "string") return resolveEnvVars(obj);
+  if (Array.isArray(obj)) return obj.map(deepResolve);
+  if (obj && typeof obj === "object") {
+    const out = {};
+    for (const [key, val] of Object.entries(obj)) {
+      out[key] = deepResolve(val);
+    }
+    return out;
+  }
+  return obj;
+}
+function validateToolNames(toolNames, listName) {
+  if (!toolNames || toolNames.length === 0) return;
+  const known = new Set(KNOWN_TOOLS);
+  for (const name of toolNames) {
+    if (!known.has(name)) {
+      throw new Error(
+        `Unknown tool "${name}" in ${listName}. Known tools: ${KNOWN_TOOLS.join(", ")}`
+      );
+    }
+  }
+}
+function loadConfig(configPath, cliOverrides = {}) {
+  let raw = {};
+  if (configPath) {
+    try {
+      raw = JSON.parse(readFileSync(configPath, "utf-8"));
+    } catch (err) {
+      const detail = err instanceof SyntaxError ? "Invalid JSON" : err instanceof Error ? err.message : String(err);
+      throw new Error(`Failed to read config file "${configPath}": ${detail}`);
+    }
+  }
+  raw = deepResolve(raw);
+  const parsed = rawConfigSchema.parse(raw);
+  if (parsed.tools) {
+    if (parsed.tools.disabled && parsed.tools.enabled) {
+      throw new Error(
+        "tools.disabled and tools.enabled are mutually exclusive \u2014 use one or the other"
+      );
+    }
+    if (parsed.tools.enabled !== void 0 && parsed.tools.enabled.length === 0) {
+      throw new Error(
+        "tools.enabled is empty \u2014 at least one tool must be listed. To enable all tools, omit the tools section entirely."
+      );
+    }
+    validateToolNames(parsed.tools.disabled, "tools.disabled");
+    validateToolNames(parsed.tools.enabled, "tools.enabled");
+  }
+  const http = {
+    enabled: cliOverrides.http ?? parsed.http?.enabled ?? false,
+    port: cliOverrides.port ?? parsed.http?.port ?? 3e3,
+    host: cliOverrides.host ?? parsed.http?.host ?? "127.0.0.1"
+  };
+  return {
+    dataDir: cliOverrides.dataDir ?? parsed.dataDir ?? process.env.HYPERMAIL_MCP_DATA_DIR,
+    http,
+    tools: parsed.tools ? { disabled: parsed.tools.disabled, enabled: parsed.tools.enabled } : void 0,
+    providers: parsed.providers
+  };
+}
+function resolveTools(config) {
+  if (!config.tools) {
+    return { enabledTools: null, disabledTools: null };
+  }
+  return {
+    enabledTools: config.tools.enabled ? new Set(config.tools.enabled) : null,
+    disabledTools: config.tools.disabled ? new Set(config.tools.disabled) : null
+  };
+}
 
 // src/server.ts
-async function startServer(opts = {}) {
-  const store = await AccountStore.open({ dataDir: opts.dataDir });
-  const registry = buildRegistry({ store });
+async function startServer(opts) {
+  const { config } = opts;
+  const store = await AccountStore.open({ dataDir: config.dataDir });
+  const registry = buildRegistry({ store, providers: config.providers });
+  const tools = resolveTools(config);
   const server = new McpServer(
     { name: "hypermail-mcp", version: VERSION },
     { capabilities: { tools: {}, logging: {} } }
   );
-  registerTools(server, { store, registry, readOnly: !!opts.readOnly, draftOnly: !!opts.draftOnly });
-  if (opts.http) {
-    await startHttp(server, opts.host ?? "127.0.0.1", opts.port ?? 3e3);
+  registerTools(server, { store, registry, tools });
+  if (config.http.enabled) {
+    await startHttp(server, config.http.host, config.http.port);
   } else {
     const transport = new StdioServerTransport();
     await server.connect(transport);
@@ -1495,7 +3679,7 @@ async function startHttp(server, host, port) {
       let transport = sessionId ? sessions.get(sessionId) : void 0;
       if (!transport) {
         transport = new StreamableHTTPServerTransport({
-          sessionIdGenerator: () => randomUUID2(),
+          sessionIdGenerator: () => randomUUID6(),
           onsessioninitialized: (sid) => {
             sessions.set(sid, transport);
           }
@@ -1531,7 +3715,6 @@ function parseArgs(argv) {
     http: false,
     port: 3e3,
     host: "127.0.0.1",
-    readOnly: false,
     help: false
   };
   for (let i = 0; i < argv.length; i++) {
@@ -1549,8 +3732,8 @@ function parseArgs(argv) {
       case "--data-dir":
         out.dataDir = String(argv[++i] ?? "");
         break;
-      case "--read-only":
-        out.readOnly = true;
+      case "--config":
+        out.config = String(argv[++i] ?? "");
         break;
       case "-h":
       case "--help":
@@ -1575,14 +3758,23 @@ Options:
   --host <addr>       HTTP bind address (default: 127.0.0.1)
   --data-dir <path>   Where to store the encrypted accounts file
                       (default: $HYPERMAIL_MCP_DATA_DIR or ~/.hypermail-mcp)
-  --read-only         Disable tools that modify state (send_email, remove_account, add_account)
+  --config <path>     Path to hypermail-config.json
   -h, --help          Show this help
 
-Environment:
-  HYPERMAIL_MCP_DATA_DIR   Same as --data-dir
-  HYPERMAIL_MCP_KEY        32-byte key (base64 or hex) for at-rest encryption
-  MS_CLIENT_ID               Azure AD public client (application) ID
-  MS_TENANT_ID               Tenant (default: "common")
+Configuration:
+  All server settings (data dir, HTTP, tool filtering, provider credentials)
+  live in hypermail-config.json. Pass it via --config.
+
+Example hypermail-config.json:
+  {
+    "dataDir": "/path/to/data",
+    "http": { "enabled": false },
+    "tools": { "disabled": ["send_email"] },
+    "providers": {
+      "outlook": { "clientId": "\${MS_CLIENT_ID}", "tenantId": "\${MS_TENANT_ID}" },
+      "gmail": { "clientId": "\${GOOGLE_CLIENT_ID}", "clientSecret": "\${GOOGLE_CLIENT_SECRET}" }
+    }
+  }
 `;
   process.stdout.write(msg);
 }
@@ -1592,15 +3784,13 @@ async function main() {
     printHelp();
     return;
   }
-  const draftOnly = process.env.HYPERMAIL_DRAFT_ONLY === "true";
-  await startServer({
+  const config = loadConfig(opts.config, {
     http: opts.http,
     port: opts.port,
     host: opts.host,
-    dataDir: opts.dataDir,
-    readOnly: opts.readOnly,
-    draftOnly
+    dataDir: opts.dataDir
   });
+  await startServer({ config });
 }
 main().catch((err) => {
   console.error("[hypermail-mcp] fatal:", err);