hypermail-mcp 0.6.2 → 0.7.0

package/dist/cli.js

@@ -9,7 +9,6 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { randomUUID as randomUUID6 } from "crypto";
 import { createServer as createHttpServer } from "http";
-import path4 from "path";
 
 // src/store/account-store.ts
 import { promises as fs2 } from "fs";
@@ -86,23 +85,6 @@ async function resolveKey(dataDir) {
   await tryKeytarSet(gen);
   return gen;
 }
-function hashApiKey(apiKey) {
-  const salt = randomBytes(16).toString("hex");
-  const hash = scryptSync(apiKey, salt, 32).toString("hex");
-  return `${salt}:${hash}`;
-}
-function verifyApiKey(apiKey, stored) {
-  const [salt, hash] = stored.split(":");
-  if (!salt || !hash) return false;
-  try {
-    const computed = scryptSync(apiKey, salt, 32);
-    const expected = Buffer.from(hash, "hex");
-    if (computed.length !== expected.length) return false;
-    return timingSafeEqual(computed, expected);
-  } catch {
-    return false;
-  }
-}
 async function writeAtomic(filePath, data) {
   const tmp = `${filePath}.${process.pid}.${Date.now()}.tmp`;
   await fs.writeFile(tmp, data, { mode: 384 });
@@ -188,128 +170,6 @@ var AccountStore = class _AccountStore {
   }
 };
 
-// src/store/agent-store.ts
-import path3 from "path";
-import { promises as fs3 } from "fs";
-var FILE_NAME2 = "agents.json.enc";
-var AgentStore = class _AgentStore {
-  constructor(filePath, key, data) {
-    this.filePath = filePath;
-    this.key = key;
-    this.data = data;
-  }
-  filePath;
-  key;
-  data;
-  static async open(opts = {}) {
-    const dataDir = resolveDataDir(opts.dataDir);
-    await fs3.mkdir(dataDir, { recursive: true, mode: 448 });
-    const filePath = path3.join(dataDir, FILE_NAME2);
-    const key = opts.key ?? await resolveKey(dataDir);
-    let data;
-    try {
-      const buf = await fs3.readFile(filePath);
-      data = decrypt(buf, key);
-    } catch (err) {
-      if (err.code === "ENOENT") {
-        data = { version: 1, agents: [] };
-      } else {
-        throw err;
-      }
-    }
-    return new _AgentStore(filePath, key, data);
-  }
-  // ── queries ──
-  listAgents() {
-    return this.data.agents.map((a) => ({ ...a }));
-  }
-  getAgent(id) {
-    const rec = this.data.agents.find((a) => a.id === id);
-    return rec ? { ...rec } : void 0;
-  }
-  /**
-   * Look up an agent by plaintext API key. Hashes the incoming key and
-   * compares against stored hashes with constant-time comparison.
-   * Returns undefined if no agent matches.
-   */
-  findAgentByApiKey(apiKey) {
-    for (const agent of this.data.agents) {
-      if (verifyApiKey(apiKey, agent.apiKeyHash)) {
-        return { ...agent };
-      }
-    }
-    return void 0;
-  }
-  // ── mutations ──
-  /**
-   * Add or update an agent. If `plaintextApiKey` is provided, it is hashed
-   * and stored; if omitted, the existing hash is preserved (useful for
-   * updates that don't change the key).
-   */
-  async upsertAgent(rec) {
-    const idx = this.data.agents.findIndex((a) => a.id === rec.id);
-    const existing = idx >= 0 ? this.data.agents[idx] : void 0;
-    const apiKeyHash = rec.plaintextApiKey ? hashApiKey(rec.plaintextApiKey) : existing?.apiKeyHash;
-    if (!apiKeyHash) {
-      throw new Error(
-        `agent ${rec.id}: must provide plaintextApiKey for new agents`
-      );
-    }
-    const next = {
-      id: rec.id,
-      apiKeyHash,
-      name: rec.name,
-      accounts: [...rec.accounts ?? []],
-      provisioning: rec.provisioning ?? false,
-      createdAt: existing?.createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
-    };
-    if (idx >= 0) {
-      this.data.agents[idx] = next;
-    } else {
-      this.data.agents.push(next);
-    }
-    await this.flush();
-    return { ...next };
-  }
-  async removeAgent(id) {
-    const before = this.data.agents.length;
-    this.data.agents = this.data.agents.filter((a) => a.id !== id);
-    if (this.data.agents.length === before) return false;
-    await this.flush();
-    return true;
-  }
-  /**
-   * Assign an email account to an agent. Idempotent — no error if already
-   * assigned. Auto-assignment from `add_account` in HTTP mode calls this.
-   */
-  async assignAccount(agentId, email) {
-    const norm = email.trim().toLowerCase();
-    const agent = this.data.agents.find((a) => a.id === agentId);
-    if (!agent) throw new Error(`agent ${agentId} not found`);
-    if (!agent.accounts.includes(norm)) {
-      agent.accounts.push(norm);
-      await this.flush();
-    }
-    return { ...agent };
-  }
-  /**
-   * Remove an email account from an agent's assignments. Idempotent.
-   */
-  async unassignAccount(agentId, email) {
-    const norm = email.trim().toLowerCase();
-    const agent = this.data.agents.find((a) => a.id === agentId);
-    if (!agent) throw new Error(`agent ${agentId} not found`);
-    agent.accounts = agent.accounts.filter((a) => a !== norm);
-    await this.flush();
-    return { ...agent };
-  }
-  // ── persistence ──
-  async flush() {
-    const buf = encrypt(this.data, this.key);
-    await writeAtomic(this.filePath, buf);
-  }
-};
-
 // src/providers/outlook/index.ts
 import { randomUUID as randomUUID2 } from "crypto";
 import { writeFileSync } from "fs";
@@ -1565,8 +1425,8 @@ async function markRead(clients, account, id, isRead) {
 async function createFolder(clients, account, input) {
   const client = clients.get(account);
   const imap = await client.getImap();
-  const path5 = input.parentFolderId ? `${input.parentFolderId}/${input.displayName}` : input.displayName;
-  const result = await imap.mailboxCreate(path5);
+  const path3 = input.parentFolderId ? `${input.parentFolderId}/${input.displayName}` : input.displayName;
+  const result = await imap.mailboxCreate(path3);
   return {
     id: result.path,
     displayName: result.path,
@@ -2754,27 +2614,10 @@ function shouldRegister(name, tools) {
 }
 
 // src/tools/accounts.ts
-import { promises as fs4 } from "fs";
+import { promises as fs3 } from "fs";
 import { z as z2 } from "zod";
-
-// src/tools/agent-context.ts
-function checkAccountAccess(agentContext, accountEmail) {
-  if (!agentContext) return null;
-  const norm = accountEmail.trim().toLowerCase();
-  if (agentContext.accounts.some((a) => a.toLowerCase() === norm)) {
-    return null;
-  }
-  return `Agent "${agentContext.agentId}" is not authorized for account "${accountEmail}"`;
-}
-function checkProvisioning(agentContext) {
-  if (!agentContext) return null;
-  if (agentContext.provisioning) return null;
-  return `Agent "${agentContext.agentId}" does not have provisioning permission`;
-}
-
-// src/tools/accounts.ts
 function registerAccountTools(server, ctx) {
-  const { store, registry, tools, agentContext, agentStore } = ctx;
+  const { store, registry, tools } = ctx;
   const listAccountsOutputSchema = z2.object({
     accounts: z2.array(accountSummaryOutputSchema)
   });
@@ -2828,8 +2671,6 @@ function registerAccountTools(server, ctx) {
         outputSchema: addAccountOutputSchema
       },
       async (args) => {
-        const permErr = checkProvisioning(agentContext ?? null);
-        if (permErr) return fail(permErr);
         const provider = registry.get(args.provider);
         try {
           const res = await provider.addAccount({
@@ -2860,8 +2701,6 @@ function registerAccountTools(server, ctx) {
         outputSchema: completeAddAccountOutputSchema
       },
       async (args) => {
-        const permErr = checkProvisioning(agentContext ?? null);
-        if (permErr) return fail(permErr);
         const provider = registry.get(args.provider);
         if (!provider.completeAddAccount) {
           return fail(
@@ -2870,10 +2709,6 @@ function registerAccountTools(server, ctx) {
         }
         try {
           const res = await provider.completeAddAccount(args.handle);
-          if (res.status === "ready" && res.account && agentContext && agentStore) {
-            agentStore.assignAccount(agentContext.agentId, res.account.email).catch(() => {
-            });
-          }
           return ok(res, res);
         } catch (err) {
           return fail(errMsg(err));
@@ -2895,8 +2730,6 @@ function registerAccountTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const acct = store.getAccount(args.account);
           if (!acct)
             return fail(`no account registered for "${args.account}"`);
@@ -2941,14 +2774,12 @@ function registerAccountTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const acct = store.getAccount(args.account);
           if (!acct)
             return fail(`no account registered for "${args.account}"`);
           let resolvedSignature = acct.signature;
           if (args.signaturePath) {
-            resolvedSignature = await fs4.readFile(args.signaturePath, "utf-8");
+            resolvedSignature = await fs3.readFile(args.signaturePath, "utf-8");
           } else if (args.signature !== void 0) {
             resolvedSignature = args.signature || void 0;
           }
@@ -2981,8 +2812,6 @@ function registerAccountTools(server, ctx) {
         outputSchema: removeAccountOutputSchema
       },
       async (args) => {
-        const permErr = checkProvisioning(agentContext ?? null);
-        if (permErr) return fail(permErr);
         const removed = await store.removeAccount(args.email);
         const data = { removed, email: args.email };
         return ok(data, data);
@@ -3022,7 +2851,7 @@ function selectBody(msg, format) {
 
 // src/tools/browse.ts
 function registerBrowseTools(server, ctx) {
-  const { registry, tools, agentContext } = ctx;
+  const { registry, tools } = ctx;
   const emailListOutputSchema = z3.object({
     account: z3.string(),
     count: z3.number(),
@@ -3051,8 +2880,6 @@ function registerBrowseTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(args.account);
           const { items, hasMore } = await provider.listEmails(account, {
             folder: args.folder,
@@ -3088,8 +2915,6 @@ function registerBrowseTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(args.account);
           const items = await provider.searchEmails(account, args.query, {
             limit: args.limit
@@ -3138,8 +2963,6 @@ function registerBrowseTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(args.account);
           const msg = await provider.readEmail(account, args.id);
           const format = args.format ?? "markdown";
@@ -3186,8 +3009,6 @@ function registerBrowseTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(args.account);
           const res = await provider.readAttachment(
             account,
@@ -3206,7 +3027,7 @@ function registerBrowseTools(server, ctx) {
 // src/tools/folders.ts
 import { z as z4 } from "zod";
 function registerFolderTools(server, ctx) {
-  const { registry, tools, agentContext } = ctx;
+  const { registry, tools } = ctx;
   const listFoldersOutputSchema = z4.object({
     account: z4.string(),
     count: z4.number(),
@@ -3227,8 +3048,6 @@ function registerFolderTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(args.account);
           const items = await provider.listFolders(account, {
             parentFolderId: args.parentFolderId
@@ -3265,8 +3084,6 @@ function registerFolderTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(args.account);
           const folder = await provider.createFolder(account, {
             displayName: args.displayName,
@@ -3297,8 +3114,6 @@ function registerFolderTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(args.account);
           await provider.deleteFolder(account, args.folderId);
           const data = { deleted: true, id: args.folderId };
@@ -3327,8 +3142,6 @@ function registerFolderTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(args.account);
           const folder = await provider.renameFolder(
             account,
@@ -3348,7 +3161,7 @@ function registerFolderTools(server, ctx) {
 // src/tools/organize.ts
 import { z as z5 } from "zod";
 function registerOrganizeTools(server, ctx) {
-  const { registry, tools, agentContext } = ctx;
+  const { registry, tools } = ctx;
   async function moveToWellKnown(args, destination, resultKey) {
     const { provider, account } = registry.resolveByEmail(args.account);
     await provider.moveEmail(account, args.id, destination);
@@ -3380,8 +3193,6 @@ function registerOrganizeTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           return await moveToWellKnown(args, "archive", "archived");
         } catch (err) {
           return fail(errMsg(err));
@@ -3403,8 +3214,6 @@ function registerOrganizeTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           return await moveToWellKnown(args, "deleteditems", "trashed");
         } catch (err) {
           return fail(errMsg(err));
@@ -3433,8 +3242,6 @@ function registerOrganizeTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(args.account);
           await provider.moveEmail(account, args.id, args.destination);
           const data = {
@@ -3468,8 +3275,6 @@ function registerOrganizeTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           return await markReadState(args, true);
         } catch (err) {
           return fail(errMsg(err));
@@ -3487,8 +3292,6 @@ function registerOrganizeTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           return await markReadState(args, false);
         } catch (err) {
           return fail(errMsg(err));
@@ -3501,7 +3304,7 @@ function registerOrganizeTools(server, ctx) {
 // src/tools/compose.ts
 import { z as z6 } from "zod";
 function registerComposeTools(server, ctx) {
-  const { store, registry, tools, agentContext } = ctx;
+  const { store, registry, tools } = ctx;
   const sendEmailSchema = z6.object({
     account: z6.string().email(),
     to: z6.array(emailAddrSchema).min(1),
@@ -3527,8 +3330,6 @@ function registerComposeTools(server, ctx) {
   });
   async function handleSendOrDraft(args, action, resultKey, toolName) {
     try {
-      const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-      if (accessErr) return fail(accessErr);
       const { provider, account } = registry.resolveByEmail(args.account);
       if (args.include_signature && !account.signature) {
         return fail(
@@ -3640,8 +3441,6 @@ function registerComposeTools(server, ctx) {
       async (args) => {
         const a = args;
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, a.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(a.account);
           if (a.include_signature && !account.signature) {
             return fail(
@@ -3699,8 +3498,6 @@ function registerComposeTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(args.account);
           const res = await provider.sendDraft(account, args.id);
           const data = { sent: true, id: res.id };
@@ -3736,8 +3533,6 @@ function registerComposeTools(server, ctx) {
       },
       async (args) => {
         try {
-          const accessErr = checkAccountAccess(agentContext ?? null, args.account);
-          if (accessErr) return fail(accessErr);
           const { provider, account } = registry.resolveByEmail(args.account);
           const res = await provider.addAttachmentToDraft(
             account,
@@ -3760,69 +3555,20 @@ function registerComposeTools(server, ctx) {
   }
 }
 
-// src/tools/notifications.ts
-import { z as z7 } from "zod";
-function registerNotificationTools(server, ctx) {
-  const { tools, notificationBuffer, agentContext } = ctx;
-  const notifyOutputSchema = z7.object({
-    count: z7.number(),
-    items: z7.array(
-      z7.object({
-        type: z7.enum(["new_emails", "auth_failure"]),
-        account: z7.string(),
-        emails: z7.array(z7.unknown()).optional(),
-        error: z7.string().optional(),
-        timestamp: z7.string()
-      })
-    )
-  });
-  if (shouldRegister("check_notifications", tools)) {
-    server.registerTool(
-      "check_notifications",
-      {
-        description: "Check for pending email watch notifications. Returns new-email alerts and auth-failure warnings that the inbox watcher has accumulated since the last call. Drains the notification buffer on read.",
-        inputSchema: z7.object({}),
-        outputSchema: notifyOutputSchema
-      },
-      async () => {
-        try {
-          const pending = notificationBuffer.splice(0);
-          const filtered = agentContext ? pending.filter(
-            (n) => agentContext.accounts.some(
-              (a) => a.toLowerCase() === n.account.toLowerCase()
-            )
-          ) : pending;
-          const data = { count: filtered.length, items: filtered };
-          return ok(data, data);
-        } catch (err) {
-          return fail(errMsg(err));
-        }
-      }
-    );
-  }
-}
-
 // src/tools/index.ts
 function registerTools(server, opts) {
-  const { store, registry, tools, agentContext, agentStore } = opts;
-  registerAccountTools(server, { store, registry, tools, agentContext, agentStore });
-  registerBrowseTools(server, { registry, tools, agentContext });
-  registerFolderTools(server, { registry, tools, agentContext });
-  registerOrganizeTools(server, { registry, tools, agentContext });
-  registerComposeTools(server, { store, registry, tools, agentContext });
-  if (opts.notificationBuffer) {
-    registerNotificationTools(server, {
-      tools,
-      notificationBuffer: opts.notificationBuffer,
-      agentContext
-    });
-  }
+  const { store, registry, tools } = opts;
+  registerAccountTools(server, { store, registry, tools });
+  registerBrowseTools(server, { registry, tools });
+  registerFolderTools(server, { registry, tools });
+  registerOrganizeTools(server, { registry, tools });
+  registerComposeTools(server, { store, registry, tools });
 }
 
 // package.json
 var package_default = {
   name: "hypermail-mcp",
-  version: "0.6.2",
+  version: "0.7.0",
   description: "Unified email MCP server \u2014 operate any inbox (Outlook now, IMAP/Gmail later) by passing an email address.",
   type: "module",
   bin: {
@@ -3871,7 +3617,6 @@ var package_default = {
     googleapis: "^144.0.0",
     imapflow: "^1.3.3",
     "isomorphic-fetch": "^3.0.0",
-    "js-yaml": "^4.2.0",
     marked: "^18.0.4",
     nodemailer: "^8.0.8",
     turndown: "^7.2.4",
@@ -3882,7 +3627,6 @@ var package_default = {
   },
   devDependencies: {
     "@types/isomorphic-fetch": "^0.0.39",
-    "@types/js-yaml": "^4.0.9",
     "@types/node": "^22.10.2",
     "@types/nodemailer": "^8.0.0",
     tsup: "^8.3.5",
@@ -3894,36 +3638,153 @@ var package_default = {
 // src/version.ts
 var VERSION = package_default.version;
 
+// src/watcher/webhook.ts
+async function postWebhook(email, config) {
+  if (!config.webhook) return false;
+  const { url, retry } = config.webhook;
+  const maxAttempts = retry.maxAttempts;
+  const baseDelayMs = retry.baseDelayMs;
+  for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    if (attempt > 0) {
+      const delay = baseDelayMs * 2 ** (attempt - 1);
+      await sleep(delay);
+    }
+    try {
+      const res = await fetch(url, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify(email)
+      });
+      if (res.ok) return true;
+      console.error(
+        `[hypermail-watch] webhook POST ${email.id} attempt ${attempt + 1}/${maxAttempts}: HTTP ${res.status}`
+      );
+    } catch (err) {
+      const code = err.code ?? "";
+      console.error(
+        `[hypermail-watch] webhook POST ${email.id} attempt ${attempt + 1}/${maxAttempts}: ${code || String(err)}`
+      );
+    }
+  }
+  console.error(
+    `[hypermail-watch] webhook delivery failed after ${maxAttempts} retries for ${email.id}`
+  );
+  return false;
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/watcher/manager.ts
+var WatcherManager = class {
+  constructor(store, registry, config) {
+    this.store = store;
+    this.registry = registry;
+    this.config = config;
+  }
+  store;
+  registry;
+  config;
+  intervalId = null;
+  /** Start the poll loop. Fires immediately on the first tick, then every
+   *  `pollIntervalSeconds`. Safe to call multiple times — subsequent calls
+   *  are no-ops. */
+  start() {
+    if (this.intervalId !== null) return;
+    this.poll();
+    this.intervalId = setInterval(
+      () => this.poll(),
+      this.config.pollIntervalSeconds * 1e3
+    );
+  }
+  /** Stop the poll loop and release the interval. Safe to call when already
+   *  stopped. */
+  stop() {
+    if (this.intervalId !== null) {
+      clearInterval(this.intervalId);
+      this.intervalId = null;
+    }
+  }
+  // ── private ──
+  async poll() {
+    const accounts = this.store.listAccounts();
+    for (const acct of accounts) {
+      try {
+        await this.pollAccount(acct.email);
+      } catch (err) {
+        console.error(
+          `[hypermail-watch] poll failed for ${acct.email}:`,
+          err
+        );
+      }
+    }
+  }
+  async pollAccount(email) {
+    const { provider, account } = this.registry.resolveByEmail(email);
+    const result = await provider.listEmails(account, {
+      folder: "inbox",
+      limit: 50
+    });
+    const knownIds = [...account.lastSeenIds ?? []];
+    const newEmails = result.items.filter((e) => !knownIds.includes(e.id));
+    if (newEmails.length === 0) return;
+    for (const summary of newEmails) {
+      try {
+        const full = await provider.readEmail(account, summary.id);
+        await this.emit(full);
+        knownIds.unshift(summary.id);
+      } catch (err) {
+        console.error(
+          `[hypermail-watch] emission failed for ${email}/${summary.id}:`,
+          err
+        );
+      }
+    }
+    const capped = knownIds.slice(0, 200);
+    await this.store.upsertAccount({ ...account, lastSeenIds: capped });
+  }
+  async emit(full) {
+    await postWebhook(full, this.config);
+  }
+};
+
 // src/config.ts
 import { readFileSync } from "fs";
-import { z as z8 } from "zod";
-var httpConfigSchema = z8.object({
-  enabled: z8.boolean().default(false),
-  port: z8.number().int().min(1).max(65535).default(3e3),
-  host: z8.string().default("127.0.0.1")
+import { z as z7 } from "zod";
+var httpConfigSchema = z7.object({
+  enabled: z7.boolean().default(false),
+  port: z7.number().int().min(1).max(65535).default(3e3),
+  host: z7.string().default("127.0.0.1")
 });
-var toolsConfigSchema = z8.object({
-  disabled: z8.array(z8.string()).optional(),
-  enabled: z8.array(z8.string()).optional()
+var toolsConfigSchema = z7.object({
+  disabled: z7.array(z7.string()).optional(),
+  enabled: z7.array(z7.string()).optional()
 });
-var outlookProviderSchema = z8.object({
-  clientId: z8.string().optional(),
-  tenantId: z8.string().optional()
+var outlookProviderSchema = z7.object({
+  clientId: z7.string().optional(),
+  tenantId: z7.string().optional()
 });
-var gmailProviderSchema = z8.object({
-  clientId: z8.string().optional(),
-  clientSecret: z8.string().optional()
+var gmailProviderSchema = z7.object({
+  clientId: z7.string().optional(),
+  clientSecret: z7.string().optional()
 });
-var providersConfigSchema = z8.object({
+var providersConfigSchema = z7.object({
   outlook: outlookProviderSchema.optional(),
   gmail: gmailProviderSchema.optional()
 });
-var watchConfigSchema = z8.object({
-  enabled: z8.boolean().default(true),
-  pollIntervalSeconds: z8.number().int().min(10).max(3600).default(60)
+var watchConfigSchema = z7.object({
+  enabled: z7.boolean().default(false),
+  pollIntervalSeconds: z7.number().int().min(10).max(3600).default(10),
+  webhook: z7.object({
+    url: z7.string(),
+    retry: z7.object({
+      maxAttempts: z7.number().int().min(1).max(10).default(5),
+      baseDelayMs: z7.number().int().min(100).default(1e3)
+    }).optional()
+  }).optional()
 });
-var rawConfigSchema = z8.object({
-  dataDir: z8.string().optional(),
+var rawConfigSchema = z7.object({
+  dataDir: z7.string().optional(),
   http: httpConfigSchema.optional(),
   tools: toolsConfigSchema.optional(),
   providers: providersConfigSchema.optional(),
@@ -4016,13 +3877,20 @@ function loadConfig(configPath, cliOverrides = {}) {
     port: cliOverrides.port ?? parsed.http?.port ?? 3e3,
     host: cliOverrides.host ?? parsed.http?.host ?? "127.0.0.1"
   };
+  let watch;
+  if (parsed.watch || process.env.HYPERMAIL_WATCH_ENABLED === "true") {
+    watch = {
+      enabled: process.env.HYPERMAIL_WATCH_ENABLED === "true" || Boolean(parsed.watch?.enabled),
+      pollIntervalSeconds: parsed.watch?.pollIntervalSeconds ?? 10,
+      webhook: parsed.watch?.webhook
+    };
+  }
   return {
     dataDir: cliOverrides.dataDir ?? parsed.dataDir ?? process.env.HYPERMAIL_MCP_DATA_DIR,
     http,
     tools: parsed.tools ? { disabled: parsed.tools.disabled, enabled: parsed.tools.enabled } : void 0,
     providers: parsed.providers,
-    watch: parsed.watch,
-    agentsConfigPath: cliOverrides.agentsConfig ?? process.env.HYPERMAIL_AGENTS_CONFIG
+    watch
   };
 }
 function resolveTools(config) {
@@ -4035,327 +3903,37 @@ function resolveTools(config) {
   };
 }
 
-// src/watcher/manager.ts
-var WatcherManager = class {
-  opts;
-  timers = [];
-  running = false;
-  /** Per-account inflight guards to prevent overlapping polls. */
-  inflight = /* @__PURE__ */ new Map();
-  /** Accounts with active polling timers (lowercased email). */
-  tracked = /* @__PURE__ */ new Set();
-  constructor(opts) {
-    this.opts = opts;
-  }
-  start() {
-    if (this.running) return;
-    this.running = true;
-    this.scanAccounts();
-    const rescanTimer = setInterval(() => {
-      if (!this.running) return;
-      this.scanAccounts();
-    }, this.opts.pollIntervalSeconds * 1e3);
-    this.timers.push(rescanTimer);
-  }
-  stop() {
-    this.running = false;
-    for (const t of this.timers) clearInterval(t);
-    this.timers = [];
-    this.tracked.clear();
-  }
-  // ── internals ──
-  scanAccounts() {
-    let accounts = this.opts.store.listAccounts();
-    if (this.opts.accountFilter) {
-      const filter = new Set(this.opts.accountFilter.map((e) => e.toLowerCase()));
-      accounts = accounts.filter((a) => filter.has(a.email.toLowerCase()));
-    }
-    for (const account of accounts) {
-      this.schedulePoll(account);
-    }
-  }
-  schedulePoll(account) {
-    const key = account.email.toLowerCase();
-    if (this.tracked.has(key)) return;
-    this.tracked.add(key);
-    this.pollAccount(account).catch(() => {
-    });
-    const timer = setInterval(() => {
-      if (!this.running) return;
-      this.pollAccount(account).catch(() => {
-      });
-    }, this.opts.pollIntervalSeconds * 1e3);
-    this.timers.push(timer);
-  }
-  async pollAccount(account) {
-    const key = account.email.toLowerCase();
-    if (this.inflight.get(key)) return;
-    this.inflight.set(key, true);
-    try {
-      const { provider } = this.opts.registry.resolveByEmail(account.email);
-      const seenIds = new Set(account.lastSeenIds ?? []);
-      const isFirstPoll = !account.lastSeenAt && !account.lastSeenIds?.length;
-      const limit = 25;
-      const MAX_PAGES = 5;
-      let skip = 0;
-      let pageCount = 0;
-      const newEmails = [];
-      let newestTimestamp = account.lastSeenAt ?? "";
-      let hitBoundary = false;
-      while (pageCount < MAX_PAGES) {
-        const { items, hasMore } = await provider.listEmails(account, {
-          folder: "inbox",
-          limit,
-          skip
-        });
-        pageCount++;
-        for (const item of items) {
-          if (!item.receivedAt) continue;
-          if (seenIds.has(item.id)) {
-            hitBoundary = true;
-            break;
-          }
-          newEmails.push(item);
-          if (item.receivedAt > newestTimestamp) {
-            newestTimestamp = item.receivedAt;
-          }
-        }
-        if (hitBoundary || !hasMore) break;
-        skip += limit;
-      }
-      if (!isFirstPoll && newEmails.length > 0) {
-        this.enqueue({
-          type: "new_emails",
-          account: account.email,
-          emails: newEmails,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        });
-      }
-      if (isFirstPoll && newEmails.length === 0 && !newestTimestamp) {
-        newestTimestamp = (/* @__PURE__ */ new Date()).toISOString();
-      }
-      const newIds = newEmails.map((e) => e.id);
-      const updatedLastSeenIds = [
-        ...newIds,
-        ...account.lastSeenIds ?? []
-      ].slice(0, 200);
-      try {
-        await this.opts.store.upsertAccount({
-          ...account,
-          lastSeenAt: newestTimestamp || void 0,
-          lastSeenIds: updatedLastSeenIds
-        });
-      } catch (storeErr) {
-        console.error(
-          "[hypermail-mcp] failed to persist poll state for",
-          account.email,
-          ":",
-          storeErr instanceof Error ? storeErr.message : String(storeErr)
-        );
-      }
-    } catch (err) {
-      this.enqueue({
-        type: "auth_failure",
-        account: account.email,
-        error: err instanceof Error ? err.message : String(err),
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    } finally {
-      this.inflight.delete(key);
-    }
-  }
-  enqueue(notification) {
-    this.opts.buffer.push(notification);
-    try {
-      this.opts.onNotification(notification);
-    } catch {
-    }
-  }
-};
-
-// src/config/agents-config.ts
-import { readFileSync as readFileSync2, watch } from "fs";
-import { load as loadYaml } from "js-yaml";
-import { z as z9 } from "zod";
-var agentDefSchema = z9.object({
-  id: z9.string().min(1).regex(
-    /^[a-z0-9_-]+$/,
-    "agent id must contain only lowercase letters, digits, hyphens, and underscores"
-  ),
-  api_key: z9.string().min(1).regex(
-    /^hm_sk_[a-f0-9]{64}$/,
-    "api_key must match hm_sk_ prefix + 64 hex chars (use `hypermail-mcp generate-key`)"
-  ),
-  name: z9.string().min(1),
-  accounts: z9.array(z9.string().email()).optional().default([]),
-  provisioning: z9.boolean().optional().default(false)
-});
-var emailAccountDefSchema = z9.object({
-  provider: z9.enum(["outlook", "imap", "gmail"]),
-  display_name: z9.string().optional()
-});
-var agentsConfigSchema = z9.object({
-  agents: z9.array(agentDefSchema).optional().default([]),
-  email_accounts: z9.record(z9.string().email(), emailAccountDefSchema).optional().default({})
-});
-function loadAgentsConfig(configPath) {
-  let raw;
-  try {
-    raw = loadYaml(readFileSync2(configPath, "utf-8"));
-  } catch (err) {
-    if (err instanceof Error && "code" in err && err.code === "ENOENT") {
-      throw new Error(
-        `Agents config file not found: ${configPath}. Create an agents.yaml with at least one agent to enable HTTP multi-tenant mode.`
-      );
-    }
-    const detail = err instanceof Error ? err.message : String(err);
-    throw new Error(`Failed to parse agents config "${configPath}": ${detail}`);
-  }
-  const parsed = agentsConfigSchema.parse(raw ?? {});
-  const ids = /* @__PURE__ */ new Set();
-  for (const a of parsed.agents) {
-    if (ids.has(a.id)) {
-      throw new Error(`Duplicate agent id "${a.id}" in agents config`);
-    }
-    ids.add(a.id);
-  }
-  return {
-    agents: parsed.agents.map((a) => ({
-      id: a.id,
-      api_key: a.api_key,
-      name: a.name,
-      accounts: a.accounts,
-      provisioning: a.provisioning
-    })),
-    email_accounts: parsed.email_accounts
-  };
-}
-async function syncAgentsToStore(config, store) {
-  const configAgentIds = new Set(config.agents.map((a) => a.id));
-  const storedAgents = store.listAgents();
-  for (const def of config.agents) {
-    await store.upsertAgent({
-      id: def.id,
-      plaintextApiKey: def.api_key,
-      name: def.name,
-      accounts: def.accounts,
-      provisioning: def.provisioning
-    });
-  }
-  const removed = [];
-  for (const stored of storedAgents) {
-    if (!configAgentIds.has(stored.id)) {
-      await store.removeAgent(stored.id);
-      removed.push(stored.id);
-    }
-  }
-  return removed;
-}
-function watchAgentsConfig(configPath, store, onChange, onError) {
-  let timer = null;
-  let watcher = null;
-  const reload = async () => {
-    try {
-      const config = loadAgentsConfig(configPath);
-      const removed = await syncAgentsToStore(config, store);
-      onChange(removed);
-    } catch (err) {
-      onError(err instanceof Error ? err : new Error(String(err)));
-    }
-  };
-  reload().catch((err) => onError(err));
-  try {
-    watcher = watch(configPath, (_eventType) => {
-      if (timer) clearTimeout(timer);
-      timer = setTimeout(() => {
-        timer = null;
-        reload().catch((err) => onError(err));
-      }, 200);
-    });
-  } catch (err) {
-  }
-  return {
-    close() {
-      if (timer) clearTimeout(timer);
-      if (watcher) watcher.close();
-    }
-  };
-}
-
 // src/server.ts
 async function startServer(opts) {
   const { config } = opts;
   const store = await AccountStore.open({ dataDir: config.dataDir });
   const registry = buildRegistry({ store, providers: config.providers });
   const tools = resolveTools(config);
-  const watchEnabled = config.http.enabled && config.watch?.enabled !== false;
-  const notificationBuffer = watchEnabled ? [] : void 0;
-  let agentStoreForFactory;
-  const createServer = (agentContext = null) => {
+  let watcher;
+  if (config.watch?.enabled) {
+    watcher = new WatcherManager(store, registry, config.watch);
+    watcher.start();
+    const stop = () => watcher?.stop();
+    process.on("SIGTERM", stop);
+    process.on("SIGINT", stop);
+  }
+  const createServer = () => {
     const s = new McpServer(
       { name: "hypermail-mcp", version: VERSION },
       { capabilities: { tools: {}, logging: {} } }
     );
-    registerTools(s, { store, registry, tools, notificationBuffer, agentContext, agentStore: agentStoreForFactory });
+    registerTools(s, { store, registry, tools });
     return s;
   };
   if (config.http.enabled) {
-    let liveReloadHandle;
-    if (config.agentsConfigPath) {
-      agentStoreForFactory = await AgentStore.open({ dataDir: config.dataDir });
-      liveReloadHandle = watchAgentsConfig(
-        path4.resolve(config.agentsConfigPath),
-        agentStoreForFactory,
-        (_removedIds) => {
-        },
-        (err) => {
-          console.error("[hypermail-mcp] agents.yaml reload error:", err.message);
-        }
-      );
-    }
-    const notifyTargets = /* @__PURE__ */ new Set();
-    const accountFilter = agentStoreForFactory ? (() => {
-      const all = /* @__PURE__ */ new Set();
-      for (const agent of agentStoreForFactory.listAgents()) {
-        for (const email of agent.accounts) {
-          all.add(email.toLowerCase());
-        }
-      }
-      return all.size > 0 ? [...all] : void 0;
-    })() : void 0;
-    if (watchEnabled) {
-      const watcher = new WatcherManager({
-        registry,
-        store,
-        pollIntervalSeconds: config.watch?.pollIntervalSeconds ?? 60,
-        accountFilter,
-        onNotification: (notification) => {
-          for (const fn of notifyTargets) {
-            fn(notification);
-          }
-        },
-        buffer: notificationBuffer
-      });
-      watcher.start();
-    }
-    await startHttp(
-      createServer,
-      config.http.host,
-      config.http.port,
-      notifyTargets,
-      agentStoreForFactory
-    );
-    if (liveReloadHandle) {
-      process.on("SIGINT", () => liveReloadHandle.close());
-      process.on("SIGTERM", () => liveReloadHandle.close());
-    }
+    await startHttp(createServer, config.http.host, config.http.port);
   } else {
     const server = createServer();
     const transport = new StdioServerTransport();
     await server.connect(transport);
   }
 }
-async function startHttp(createServer, host, port, notifyTargets, agentStore) {
+async function startHttp(createServer, host, port) {
   const sessions = /* @__PURE__ */ new Map();
   const http = createHttpServer(async (req, res) => {
     try {
@@ -4367,57 +3945,18 @@ async function startHttp(createServer, host, port, notifyTargets, agentStore) {
       const sessionId = req.headers["mcp-session-id"] ?? void 0;
       let session = sessionId ? sessions.get(sessionId) : void 0;
       if (!session) {
-        let agentContext = null;
-        if (agentStore) {
-          const apiKey = req.headers["x-api-key"]?.trim();
-          if (!apiKey) {
-            res.statusCode = 401;
-            res.setHeader("Content-Type", "application/json");
-            res.end(JSON.stringify({ error: "Missing x-api-key header" }));
-            return;
-          }
-          const agent = agentStore.findAgentByApiKey(apiKey);
-          if (!agent) {
-            res.statusCode = 401;
-            res.setHeader("Content-Type", "application/json");
-            res.end(JSON.stringify({ error: "Invalid API key" }));
-            return;
-          }
-          agentContext = {
-            agentId: agent.id,
-            accounts: agent.accounts,
-            provisioning: agent.provisioning
-          };
-        }
-        const server = createServer(agentContext);
+        const server = createServer();
         const transport = new StreamableHTTPServerTransport({
           sessionIdGenerator: () => randomUUID6(),
           onsessioninitialized: (sid) => {
-            sessions.set(sid, { transport, server, agentContext });
-            const agentAccounts = agentContext ? new Set(agentContext.accounts.map((a) => a.toLowerCase())) : null;
-            const notifyFn = (n) => {
-              if (agentAccounts && !agentAccounts.has(n.account.toLowerCase())) {
-                return;
-              }
-              server.server.notification({
-                method: "notifications/message",
-                params: {
-                  level: n.type === "new_emails" ? "notice" : "warning",
-                  logger: "hypermail-watch",
-                  data: n
-                }
-              }).catch(() => {
-              });
-            };
-            notifyTargets.add(notifyFn);
+            sessions.set(sid, { transport, server });
             transport.onclose = () => {
               if (transport.sessionId) sessions.delete(transport.sessionId);
-              notifyTargets.delete(notifyFn);
             };
           }
         });
         await server.connect(transport);
-        session = { transport, server, agentContext };
+        session = { transport, server };
       }
       let body = void 0;
       if (req.method === "POST" || req.method === "DELETE") {
@@ -4465,9 +4004,6 @@ function parseArgs(argv) {
       case "--config":
         out.config = String(argv[++i] ?? "");
         break;
-      case "--agents-config":
-        out.agentsConfig = String(argv[++i] ?? "");
-        break;
       case "-h":
       case "--help":
         out.help = true;
@@ -4527,8 +4063,7 @@ async function main() {
     http: opts.http,
     port: opts.port,
     host: opts.host,
-    dataDir: opts.dataDir,
-    agentsConfig: opts.agentsConfig
+    dataDir: opts.dataDir
   });
   await startServer({ config });
 }