icloud-mcp 2.0.0 → 2.3.0

package/index.js

@@ -1,1980 +1,45 @@
 #!/usr/bin/env node
-import { ImapFlow } from 'imapflow';
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { CallToolRequestSchema, ListToolsRequestSchema } from '@modelcontextprotocol/sdk/types.js';
-import { readFileSync, writeFileSync, existsSync } from 'fs';
-import { homedir } from 'os';
-import { join } from 'path';
+import {
+  TIMEOUT, withTimeout, createRateLimitedClient,
+  fetchEmails, getInboxSummary, getMailboxSummary, getTopSenders, getUnreadSenders,
+  getEmailsBySender, getEmailsByDateRange, searchEmails,
+  getEmailContent, getEmailRaw, listAttachments, getAttachment, getUnsubscribeInfo,
+  getThread, getStorageReport,
+  flagEmail, markAsRead, deleteEmail, moveEmail, listMailboxes,
+  bulkMove, bulkMoveBySender, bulkMoveByDomain, archiveOlderThan,
+  bulkDelete, bulkDeleteBySender, bulkDeleteBySubject, deleteOlderThan,
+  bulkMarkRead, bulkMarkUnread, markOlderThanRead,
+  bulkFlag, bulkFlagBySender, emptyTrash,
+  createMailbox, renameMailbox, deleteMailbox,
+  getMoveStatus, abandonMove, countEmails,
+  createRule, listRules, runRule, deleteRule, runAllRules,
+} from './lib/imap.js';
+import { logRead, logWrite, logClear } from './lib/session.js';
+import { composeEmail, replyToEmail, forwardEmail, saveDraft } from './lib/smtp.js';
+import { listContacts, searchContacts, getContact, createContact, updateContact, deleteContact } from './lib/carddav.js';
+import { formatEmailForExtraction } from './lib/event-extractor.js';
+import { listCalendars, listEvents, getEvent, createEvent, updateEvent, deleteEvent, searchEvents } from './lib/caldav.js';
 
-const LOG_FILE = join(homedir(), '.icloud-mcp-session.json');
-const MANIFEST_FILE = join(homedir(), '.icloud-mcp-move-manifest.json');
-const MAX_HISTORY = 5;
-
-const IMAP_USER = process.env.IMAP_USER;
-const IMAP_PASSWORD = process.env.IMAP_PASSWORD;
-
-if (!IMAP_USER || !IMAP_PASSWORD) {
-  if (process.argv.includes('--doctor')) {
-    // Doctor will handle missing credentials with friendly output
-  } else {
-    process.stderr.write('Error: IMAP_USER and IMAP_PASSWORD environment variables are required\n');
-    process.exit(1);
-  }
-}
-
-// ─── IMPROVEMENT 1: Connection-level timeout on createClient ──────────────────
-// ImapFlow supports connectionTimeout and greetingTimeout options.
-// This ensures we don't hang forever waiting for iCloud to respond.
-
-function createClient() {
-  return new ImapFlow({
-    host: 'imap.mail.me.com',
-    port: 993,
-    secure: true,
-    auth: { user: IMAP_USER, pass: IMAP_PASSWORD },
-    logger: false,
-    connectionTimeout: 15_000,   // 15s to establish TCP+TLS connection
-    greetingTimeout: 15_000,     // 15s to receive IMAP greeting after connect
-    socketTimeout: 60_000,       // 60s of inactivity before socket is killed
-  });
-}
-
-// ─── Managed client helpers ───────────────────────────────────────────────────
-
-// Rate limit: space out connection initiations within a single server process
-// to avoid triggering iCloud's connection throttle under concurrent tool calls.
-// Wraps connect() on every client returned by createClient() so the gate
-// applies regardless of whether tools use openClient() or createClient() directly.
-// Uses a serialized gate — concurrent callers queue up; each waits 200ms after
-// the previous before initiating its connection. Connections run concurrently
-// after passing the gate.
-let _lastConnectTime = 0;
-let _connectGate = Promise.resolve();
-const MIN_CONNECT_INTERVAL = 10; // ms between connection initiations
-
-function createRateLimitedClient() {
-  const client = createClient();
-  const originalConnect = client.connect.bind(client);
-  client.connect = async () => {
-    await new Promise(resolve => {
-      _connectGate = _connectGate.then(async () => {
-        const wait = MIN_CONNECT_INTERVAL - (Date.now() - _lastConnectTime);
-        if (wait > 0) await new Promise(r => setTimeout(r, wait));
-        _lastConnectTime = Date.now();
-      }).then(resolve, resolve);
-    });
-    return originalConnect();
-  };
-  return client;
-}
-
-async function openClient(mailbox) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  if (mailbox) await client.mailboxOpen(mailbox);
-  return client;
-}
-
-async function safeClose(client) {
-  try { await client.logout(); } catch { try { client.close(); } catch { /* already gone */ } }
-}
-
-async function reconnect(client, mailbox) {
-  safeClose(client);
-  return openClient(mailbox);
-}
-
-// ─── Move Manifest ────────────────────────────────────────────────────────────
-
-const CHUNK_SIZE = 500;
-const CHUNK_SIZE_RETRY = 100;
-const ATTACHMENT_SCAN_LIMIT = 500; // max UIDs to scan client-side for hasAttachment filter
-const MAX_ATTACHMENT_BYTES = 20 * 1024 * 1024; // 20 MB cap for get_attachment downloads
-
-function readManifest() {
-  if (!existsSync(MANIFEST_FILE)) return { current: null, history: [] };
-  try {
-    return JSON.parse(readFileSync(MANIFEST_FILE, 'utf8'));
-  } catch {
-    return { current: null, history: [] };
-  }
-}
-
-function writeManifest(data) {
-  writeFileSync(MANIFEST_FILE, JSON.stringify(data, null, 2));
-}
-
-function updateManifest(updater) {
-  const data = readManifest();
-  if (!data.current) return data; // guard: operation already archived/failed
-  updater(data);
-  if (!data.current) return data; // guard: updater may have archived it
-  data.current.updatedAt = new Date().toISOString();
-  writeManifest(data);
-  return data;
-}
-
-function archiveCurrent(data) {
-  if (data.current) {
-    data.history.unshift(data.current);
-    if (data.history.length > MAX_HISTORY) data.history = data.history.slice(0, MAX_HISTORY);
-    data.current = null;
-  }
-}
-
-function getMoveStatus() {
-  const data = readManifest();
-  if (!data.current) return { status: 'no_operation', history: data.history.map(summarizeOp) };
-
-  const result = {
-    current: formatOperation(data.current),
-    history: data.history.map(summarizeOp)
-  };
-
-  // Stale warning: in_progress but updatedAt is more than 24h ago
-  if (data.current.status === 'in_progress') {
-    const ageMs = Date.now() - new Date(data.current.updatedAt).getTime();
-    if (ageMs > 24 * 60 * 60 * 1000) {
-      result.staleWarning = `Operation ${data.current.operationId} has not been updated in ${Math.round(ageMs / 3_600_000)}h — it may be stale. Call abandon_move to discard it if you want to start a new operation.`;
-    }
-  }
-
-  return result;
-}
-
-function abandonMove() {
-  const data = readManifest();
-  if (!data.current) return { abandoned: false, message: 'No in-progress operation to abandon' };
-  if (data.current.status !== 'in_progress') {
-    return { abandoned: false, message: `Current operation is already '${data.current.status}', nothing to abandon` };
-  }
-  const operationId = data.current.operationId;
-  data.current.status = 'abandoned';
-  data.current.updatedAt = new Date().toISOString();
-  archiveCurrent(data);
-  writeManifest(data);
-  return { abandoned: true, operationId };
-}
-
-function startOperation(source, target, uids) {
-  const data = readManifest();
-
-  if (data.current && data.current.status === 'in_progress') {
-    const op = data.current;
-    throw new Error(
-      `Incomplete move operation detected (${op.operationId}): ` +
-      `${op.summary.emailsMoved} of ${op.totalUids} emails moved from '${op.source}' to '${op.target}' ` +
-      `started at ${op.startedAt}. ` +
-      `Call abandon_move to discard it or get_move_status to inspect it before starting a new operation.`
-    );
-  }
-
-  archiveCurrent(data);
-
-  const operationId = `move_${Date.now()}`;
-  const chunks = [];
-
-  for (let i = 0; i < uids.length; i += CHUNK_SIZE) {
-    chunks.push({
-      index: chunks.length,
-      uids: uids.slice(i, i + CHUNK_SIZE),
-      fingerprints: [],
-      status: 'pending',
-      copiedAt: null,
-      verifiedAt: null,
-      deletedAt: null,
-      failureReason: null
-    });
-  }
-
-  data.current = {
-    operationId,
-    startedAt: new Date().toISOString(),
-    updatedAt: new Date().toISOString(),
-    source,
-    target,
-    totalUids: uids.length,
-    status: 'in_progress',
-    phase: 'copying',
-    verifiedAt: null,
-    deletedAt: null,
-    allFingerprints: null,
-    chunks,
-    summary: {
-      chunksComplete: 0,
-      emailsMoved: 0,
-      emailsPending: uids.length,
-      emailsFailed: 0
-    }
-  };
-
-  writeManifest(data);
-  return data.current;
-}
-
-function updateChunk(index, updates) {
-  updateManifest((data) => {
-    if (!data.current) return; // guard: operation already archived
-    const chunk = data.current.chunks[index];
-    if (!chunk) return; // guard: chunk index out of range
-    Object.assign(chunk, updates);
-
-    let moved = 0, failed = 0, pending = 0;
-    for (const c of data.current.chunks) {
-      if (c.status === 'complete') moved += c.uids.length;
-      else if (c.status === 'failed') failed += c.uids.length;
-      else pending += c.uids.length;
-    }
-    data.current.summary = {
-      chunksComplete: data.current.chunks.filter(c => c.status === 'complete').length,
-      emailsMoved: moved,
-      emailsPending: pending,
-      emailsFailed: failed
-    };
-  });
-}
-
-function updateOperationPhase(phase, extraFields = {}) {
-  updateManifest((data) => {
-    if (!data.current) return;
-    data.current.phase = phase;
-    Object.assign(data.current, extraFields);
-  });
-}
-
-function completeOperation() {
-  const data = readManifest();
-  if (!data.current) return;
-  data.current.status = 'complete';
-  data.current.updatedAt = new Date().toISOString();
-  archiveCurrent(data);
-  writeManifest(data);
-}
-
-function failOperation(reason) {
-  const data = readManifest();
-  if (!data.current) return;
-  data.current.status = 'failed';
-  data.current.failureReason = reason;
-  data.current.updatedAt = new Date().toISOString();
-  archiveCurrent(data);
-  writeManifest(data);
-}
-
-function formatOperation(op) {
-  return {
-    operationId: op.operationId,
-    status: op.status,
-    phase: op.phase ?? null,
-    source: op.source,
-    target: op.target,
-    startedAt: op.startedAt,
-    updatedAt: op.updatedAt,
-    verifiedAt: op.verifiedAt ?? null,
-    deletedAt: op.deletedAt ?? null,
-    summary: op.summary,
-    failedChunks: op.chunks.filter(c => c.status === 'failed').map(c => ({
-      index: c.index,
-      uids: c.uids.length,
-      reason: c.failureReason
-    }))
-  };
-}
-
-function summarizeOp(op) {
-  return {
-    operationId: op.operationId,
-    status: op.status,
-    source: op.source,
-    target: op.target,
-    startedAt: op.startedAt,
-    moved: op.summary.emailsMoved,
-    failed: op.summary.emailsFailed,
-    total: op.totalUids
-  };
-}
-
-// ─── Fingerprinting ───────────────────────────────────────────────────────────
-
-function buildFingerprint(msg) {
-  const messageId = msg.envelope?.messageId ?? null;
-  const sender = msg.envelope?.from?.[0]?.address ?? '';
-  const date = msg.envelope?.date ? new Date(msg.envelope.date).toISOString() : '';
-  const subject = msg.envelope?.subject ?? '';
-  const fallback = [sender, date, subject].join('|');
-  return { uid: msg.uid, messageId, fallback };
-}
-
-function fingerprintToKey(fp) {
-  return fp.messageId ?? fp.fallback;
-}
-
-// ─── Transient error detection ────────────────────────────────────────────────
-
-function isTransient(err) {
-  const msg = err.message ?? '';
-  return msg.includes('ECONNRESET') ||
-    msg.includes('ECONNREFUSED') ||
-    msg.includes('ETIMEDOUT') ||
-    msg.includes('EPIPE') ||
-    msg.includes('socket hang up') ||
-    msg.includes('Connection not available') ||
-    msg.includes('BAD') ||
-    msg.includes('NO ');
-}
-
-async function withRetry(label, fn, maxAttempts = 3) {
-  let lastErr;
-  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-    try {
-      return await fn();
-    } catch (err) {
-      lastErr = err;
-      if (!isTransient(err) || attempt === maxAttempts) throw err;
-      const delay = attempt * 2000;
-      process.stderr.write(`[retry] ${label} failed (attempt ${attempt}/${maxAttempts}): ${err.message} — retrying in ${delay}ms\n`);
-      await new Promise(r => setTimeout(r, delay));
-    }
-  }
-  throw lastErr;
-}
-
-// ─── Per-operation timeouts ───────────────────────────────────────────────────
-
-const COPY_CHUNK_DELAY_MS = 500; // ms between COPY chunks — mitigates iCloud copy throttling
-
-const TIMEOUT = {
-  METADATA:   15_000,
-  FETCH:      30_000,
-  SCAN:       60_000,
-  BULK_OP:    60_000,
-  CHUNK:     300_000,
-  SINGLE:     15_000,
-  VERIFY_ALL: 120_000, // full envelope scan for all N emails
-  DELETE_ALL: 600_000, // flag all + single UID EXPUNGE (measured up to 521s at 5k)
-};
-
-function withTimeout(label, ms, fn) {
-  let timer;
-  return Promise.race([
-    fn().finally(() => clearTimeout(timer)),
-    new Promise((_, reject) => {
-      timer = setTimeout(() => {
-        process.stderr.write(`[timeout] ${label} timed out after ${ms / 1000}s\n`);
-        reject(new Error(`${label} timed out after ${ms / 1000}s`));
-      }, ms);
-    })
-  ]);
-}
-
-// ─── Move logging ─────────────────────────────────────────────────────────────
-
-function elapsed(startMs) {
-  return ((Date.now() - startMs) / 1000).toFixed(1) + 's';
-}
-
-function moveLog(chunkIndex, msg) {
-  process.stderr.write(`[move] chunk ${chunkIndex}: ${msg}\n`);
-}
-
-// ─── Verification (v3: envelope scan first, Message-ID fallback) ──────────────
-// Strategy: one bulk FETCH of recent envelopes in the target is far faster than
-// N individual SEARCH commands. We use envelope scan as the primary check, then
-// only fall back to per-email Message-ID SEARCH for the few that didn't match
-// (which can happen if the envelope fingerprint differs slightly between source
-// and target, e.g. date normalization).
-
-async function verifyByEnvelopeScan(client, fingerprints, chunkIndex, knownTotal = null) {
-  if (fingerprints.length === 0) return { missing: [], found: 0 };
-
-  const t0 = Date.now();
-  const total = knownTotal ?? (await client.status(client.mailbox.path, { messages: true })).messages;
-  const fetchCount = Math.min(total, fingerprints.length + 150);
-  const start = Math.max(1, total - fetchCount + 1);
-  const range = `${start}:${total}`;
-
-  const targetKeys = new Set();
-  let scanned = 0;
-  for await (const msg of client.fetch(range, { envelope: true })) {
-    const fp = buildFingerprint(msg);
-    targetKeys.add(fingerprintToKey(fp));
-    scanned++;
-  }
-
-  const missing = [];
-  for (const fp of fingerprints) {
-    if (!targetKeys.has(fingerprintToKey(fp))) missing.push(fp);
-  }
-
-  moveLog(chunkIndex, `envelope scan: ${scanned} scanned, ${fingerprints.length - missing.length}/${fingerprints.length} matched (${elapsed(t0)})`);
-  return { missing, found: fingerprints.length - missing.length };
-}
-
-async function verifyByMessageId(client, fingerprints, chunkIndex) {
-  if (fingerprints.length === 0) return { missing: [], verified: 0 };
-
-  const t0 = Date.now();
-  const missing = [];
-  let verified = 0;
-
-  for (const fp of fingerprints) {
-    if (!fp.messageId) {
-      // No Message-ID — can't verify this way, count as missing
-      missing.push(fp);
-      continue;
-    }
-    const uids = (await client.search({ header: ['Message-ID', fp.messageId] }, { uid: true })) ?? [];
-    if (uids.length === 0) {
-      missing.push(fp);
-    } else {
-      verified++;
-    }
-    // Progress logging every 25 emails
-    const checked = verified + missing.length;
-    if (checked % 25 === 0) {
-      moveLog(chunkIndex, `Message-ID fallback: ${checked}/${fingerprints.length} checked (${verified} found, ${missing.length} missing, ${elapsed(t0)})`);
-    }
-  }
-
-  moveLog(chunkIndex, `Message-ID fallback: ${verified}/${fingerprints.length} verified, ${missing.length} still missing (${elapsed(t0)})`);
-  return { missing, verified };
-}
-
-async function verifyInTarget(targetClient, fingerprints, chunkIndex, knownTotal = null) {
-  // Primary: fast envelope scan (one FETCH command)
-  const { missing: afterScan } = await verifyByEnvelopeScan(targetClient, fingerprints, chunkIndex, knownTotal);
-
-  if (afterScan.length === 0) {
-    return { verified: true, missing: [], found: fingerprints.length, expected: fingerprints.length };
-  }
-
-  if (afterScan.length > 200) {
-    moveLog(chunkIndex, `${afterScan.length} unmatched after envelope scan — too many for Message-ID fallback, treating as failed`);
-    return { verified: false, missing: afterScan, found: fingerprints.length - afterScan.length, expected: fingerprints.length };
-  }
-
-  // Secondary: Message-ID search only for the ones envelope scan missed
-  moveLog(chunkIndex, `${afterScan.length} unmatched after envelope scan — trying Message-ID search`);
-  const withMessageId = afterScan.filter(fp => fp.messageId);
-  const noMessageId = afterScan.filter(fp => !fp.messageId);
-
-  if (withMessageId.length > 0) {
-    const { missing: stillMissing } = await verifyByMessageId(targetClient, withMessageId, chunkIndex);
-    const allMissing = [...stillMissing, ...noMessageId];
-    return {
-      verified: allMissing.length === 0,
-      missing: allMissing,
-      found: fingerprints.length - allMissing.length,
-      expected: fingerprints.length
-    };
-  }
-
-  // No Message-IDs to try — whatever envelope scan missed is truly missing
-  return {
-    verified: noMessageId.length === 0,
-    missing: noMessageId,
-    found: fingerprints.length - noMessageId.length,
-    expected: fingerprints.length
-  };
-}
-
-// ─── Option B phase helpers ────────────────────────────────────────────────────
-
-// Phase 1: Copy all chunks to target without deleting.
-// Returns { success, totalCopied, srcClient, errorResult }
-async function copyAllChunks(operation, srcClient, targetMailbox, sourceMailbox) {
-  let totalCopied = 0;
-
-  for (const chunk of operation.chunks) {
-    const chunkUids = chunk.uids;
-    const chunkStart = Date.now();
-    moveLog(chunk.index, `starting copy (${chunkUids.length} emails)`);
-
-    try {
-      await withTimeout(`copy chunk ${chunk.index}`, TIMEOUT.CHUNK, async () => {
-        // Step 1: fetch envelopes → fingerprints
-        let t = Date.now();
-        const envelopes = [];
-        try {
-          for await (const msg of srcClient.fetch(chunkUids, { envelope: true }, { uid: true })) {
-            envelopes.push(msg);
-          }
-        } catch (err) {
-          if (!isTransient(err)) throw err;
-          moveLog(chunk.index, `fetch envelopes failed (${err.message}), reconnecting...`);
-          srcClient = await reconnect(srcClient, sourceMailbox);
-          for await (const msg of srcClient.fetch(chunkUids, { envelope: true }, { uid: true })) {
-            envelopes.push(msg);
-          }
-        }
-        const fingerprints = envelopes.map(buildFingerprint);
-        const withMsgId = fingerprints.filter(fp => fp.messageId).length;
-        moveLog(chunk.index, `fetched ${envelopes.length} envelopes (${withMsgId} with Message-ID) (${elapsed(t)})`);
-
-        // Update in-memory chunk so verifyAllChunks can flatMap fingerprints later
-        chunk.fingerprints = fingerprints;
-        updateManifest((data) => {
-          if (!data.current) return;
-          const c = data.current.chunks[chunk.index];
-          if (!c) return;
-          c.fingerprints = fingerprints;
-        });
-
-        // Step 2: copy to target
-        t = Date.now();
-        try {
-          await srcClient.messageCopy(chunkUids, targetMailbox, { uid: true });
-        } catch (err) {
-          if (!isTransient(err)) throw err;
-          moveLog(chunk.index, `copy failed (${err.message}), reconnecting...`);
-          srcClient = await reconnect(srcClient, sourceMailbox);
-          await srcClient.messageCopy(chunkUids, targetMailbox, { uid: true });
-        }
-        moveLog(chunk.index, `copied ${chunkUids.length} emails to target (${elapsed(t)})`);
-        updateChunk(chunk.index, { status: 'copied_not_verified', copiedAt: new Date().toISOString() });
-      });
-
-      totalCopied += chunkUids.length;
-      moveLog(chunk.index, `copy complete (${elapsed(chunkStart)})`);
-    } catch (err) {
-      moveLog(chunk.index, `copy FAILED: ${err.message}`);
-      updateChunk(chunk.index, { status: 'failed', failureReason: err.message });
-      return {
-        success: false,
-        totalCopied,
-        srcClient,
-        errorResult: {
-          status: 'partial',
-          moved: 0,
-          failed: operation.totalUids,
-          message: `Copy failed on chunk ${chunk.index}: ${err.message}. No emails deleted from source. ${totalCopied} emails were copied to target but not verified — call get_move_status for details.`
-        }
-      };
-    }
-
-    // Delay between chunks to mitigate iCloud copy throttling
-    if (chunk.index < operation.chunks.length - 1) {
-      await new Promise(r => setTimeout(r, COPY_CHUNK_DELAY_MS));
-    }
-  }
-
-  return { success: true, totalCopied, srcClient, errorResult: null };
-}
-
-// Phase 2: Verify all copied emails are present in target.
-// Returns { verification, tgtClient }
-async function verifyAllChunks(tgtClient, operation, targetMailbox) {
-  const allFingerprints = operation.chunks.flatMap(c => c.fingerprints);
-
-  updateManifest((data) => {
-    if (!data.current) return;
-    data.current.allFingerprints = allFingerprints;
-  });
-
-  let tgtMb;
-  try {
-    tgtMb = await tgtClient.mailboxOpen(targetMailbox);
-  } catch (err) {
-    if (!isTransient(err)) throw err;
-    moveLog('global', `mailboxOpen failed (${err.message}), reconnecting...`);
-    tgtClient = await reconnect(tgtClient, targetMailbox);
-    tgtMb = await tgtClient.mailboxOpen(targetMailbox);
-  }
-
-  let verification;
-  try {
-    verification = await verifyInTarget(tgtClient, allFingerprints, 'global', tgtMb.exists);
-  } catch (err) {
-    if (!isTransient(err)) throw err;
-    moveLog('global', `verify failed (${err.message}), reconnecting...`);
-    tgtClient = await reconnect(tgtClient, targetMailbox);
-    verification = await verifyInTarget(tgtClient, allFingerprints, 'global');
-  }
-
-  return { verification, tgtClient };
-}
-
-// Phase 3: Delete all source emails in a single EXPUNGE.
-// Returns { srcClient }
-async function deleteAllChunks(srcClient, operation, sourceMailbox) {
-  const allUids = operation.chunks.flatMap(c => c.uids);
-  const t = Date.now();
-
-  try {
-    await srcClient.messageDelete(allUids, { uid: true });
-  } catch (err) {
-    if (!isTransient(err)) throw err;
-    moveLog('global', `delete failed (${err.message}), reconnecting...`);
-    srcClient = await reconnect(srcClient, sourceMailbox);
-    // Retry is idempotent — expunging already-gone UIDs is a no-op
-    await srcClient.messageDelete(allUids, { uid: true });
-  }
-
-  moveLog('global', `deleted ${allUids.length} from source — single EXPUNGE (${elapsed(t)})`);
-  return { srcClient };
-}
-
-// ─── Safe Move (Option B: COPY-all → VERIFY-all → single EXPUNGE) ─────────────
-
-async function safeMoveEmails(uids, sourceMailbox, targetMailbox) {
-  const operation = startOperation(sourceMailbox, targetMailbox, uids);
-  const opStart = Date.now();
-
-  process.stderr.write(`[move] starting: ${uids.length} emails, ${operation.chunks.length} chunks, ${sourceMailbox} → ${targetMailbox}\n`);
-
-  let srcClient = await openClient(sourceMailbox);
-  let tgtClient = await openClient(targetMailbox);
-
-  try {
-    // Phase 1: COPY all chunks to target (no delete yet)
-    process.stderr.write(`[move] phase 1/3: copying ${uids.length} emails in ${operation.chunks.length} chunks\n`);
-    const copyResult = await copyAllChunks(operation, srcClient, targetMailbox, sourceMailbox);
-    srcClient = copyResult.srcClient;
-
-    if (!copyResult.success) {
-      failOperation(`Copy phase failed: ${copyResult.errorResult.message}`);
-      return copyResult.errorResult;
-    }
-
-    // Phase 2: VERIFY all emails are present in target
-    process.stderr.write(`[move] phase 2/3: verifying all ${copyResult.totalCopied} emails in target\n`);
-    updateOperationPhase('verifying');
-
-    let verifyResult;
-    try {
-      verifyResult = await withTimeout('verify all', TIMEOUT.VERIFY_ALL, () =>
-        verifyAllChunks(tgtClient, operation, targetMailbox)
-      );
-      tgtClient = verifyResult.tgtClient;
-    } catch (err) {
-      moveLog('global', `verify phase FAILED: ${err.message}`);
-      failOperation(`Verify phase failed: ${err.message}`);
-      return {
-        status: 'failed',
-        moved: 0,
-        message: `Verification timed out or failed: ${err.message}. All ${copyResult.totalCopied} emails remain in source (not deleted). Call get_move_status for details.`
-      };
-    }
-
-    const { verification } = verifyResult;
-    moveLog('global', `verification: ${verification.found}/${verification.expected} confirmed`);
-
-    if (!verification.verified) {
-      moveLog('global', `FAILED: ${verification.missing.length} emails missing from target after copy`);
-      failOperation(`Verification failed: ${verification.missing.length} emails missing from target`);
-      return {
-        status: 'failed',
-        moved: 0,
-        message: `Verification failed: ${verification.missing.length} of ${verification.expected} emails did not arrive in target. Source emails untouched. Call get_move_status for details.`
-      };
-    }
-
-    updateOperationPhase('verifying', { verifiedAt: new Date().toISOString() });
-
-    // Mark all chunks as verified
-    for (const chunk of operation.chunks) {
-      updateChunk(chunk.index, { status: 'verified_not_deleted', verifiedAt: new Date().toISOString() });
-    }
-
-    // Phase 3: DELETE all source emails — single EXPUNGE
-    process.stderr.write(`[move] phase 3/3: deleting all ${uids.length} emails from source (1 EXPUNGE)\n`);
-    updateOperationPhase('deleting');
-
-    let deleteResult;
-    try {
-      deleteResult = await withTimeout('delete all', TIMEOUT.DELETE_ALL, () =>
-        deleteAllChunks(srcClient, operation, sourceMailbox)
-      );
-      srcClient = deleteResult.srcClient;
-    } catch (err) {
-      moveLog('global', `delete phase FAILED: ${err.message}`);
-      // Emails are safe in target (verified). Source may still have them.
-      failOperation(`Delete phase failed: ${err.message}`);
-      return {
-        status: 'failed',
-        moved: 0,
-        message: `Delete phase failed: ${err.message}. All ${copyResult.totalCopied} emails exist in target (verified) but may still exist in source. Call get_move_status for details.`
-      };
-    }
-
-    // Mark all chunks complete
-    const now = new Date().toISOString();
-    for (const chunk of operation.chunks) {
-      updateChunk(chunk.index, { status: 'complete', deletedAt: now });
-    }
-    updateOperationPhase('deleting', { deletedAt: now });
-    completeOperation();
-
-    process.stderr.write(`[move] COMPLETE: ${copyResult.totalCopied}/${operation.totalUids} emails moved (${elapsed(opStart)})\n`);
-    return { status: 'complete', moved: copyResult.totalCopied, total: operation.totalUids };
-  } finally {
-    await safeClose(srcClient);
-    await safeClose(tgtClient);
-  }
-}
-
-// ─── Email Functions ──────────────────────────────────────────────────────────
-
-async function fetchEmails(mailbox = 'INBOX', limit = 10, onlyUnread = false, page = 1) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  const mb = await client.mailboxOpen(mailbox);
-  const total = mb.exists;
-  const emails = [];
-
-  if (total === 0) {
-    await client.logout();
-    return { emails, page, limit, total, totalPages: 0, hasMore: false };
-  }
-
-  if (onlyUnread) {
-    const uids = (await client.search({ seen: false }, { uid: true })) ?? [];
-    const totalUnread = uids.length;
-    const skip = (page - 1) * limit;
-    const pageUids = uids.reverse().slice(skip, skip + limit);
-    for (const uid of pageUids) {
-      const msg = await client.fetchOne(uid, { envelope: true, flags: true }, { uid: true });
-      if (msg) {
-        emails.push({
-          uid,
-          subject: msg.envelope.subject,
-          from: msg.envelope.from?.[0]?.address,
-          date: msg.envelope.date,
-          flagged: msg.flags.has('\\Flagged'),
-          seen: msg.flags.has('\\Seen')
-        });
-      }
-    }
-    await client.logout();
-    return { emails, page, limit, total: totalUnread, totalPages: Math.ceil(totalUnread / limit), hasMore: (page * limit) < totalUnread };
-  }
-
-  const end = Math.max(1, total - ((page - 1) * limit));
-  const start = Math.max(1, end - limit + 1);
-  const range = `${start}:${end}`;
-
-  for await (const msg of client.fetch(range, { envelope: true, flags: true })) {
-    emails.push({
-      uid: msg.uid,
-      subject: msg.envelope.subject,
-      from: msg.envelope.from?.[0]?.address,
-      date: msg.envelope.date,
-      flagged: msg.flags.has('\\Flagged'),
-      seen: msg.flags.has('\\Seen')
-    });
-  }
-
-  await client.logout();
-  emails.reverse();
-  return { emails, page, limit, total, totalPages: Math.ceil(total / limit), hasMore: (page * limit) < total };
-}
-
-async function getInboxSummary(mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  const status = await client.status(mailbox, { messages: true, unseen: true, recent: true });
-  await client.logout();
-  return { mailbox, total: status.messages, unread: status.unseen, recent: status.recent };
-}
-
-async function getTopSenders(mailbox = 'INBOX', sampleSize = 500, maxResults = 20) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  const mb = await client.mailboxOpen(mailbox);
-  const total = mb.exists;
-  const senderCounts = {};
-  const senderDomains = {};
-
-  const end = total;
-  const start = Math.max(1, total - sampleSize + 1);
-  const range = `${start}:${end}`;
-  let count = 0;
-
-  for await (const msg of client.fetch(range, { envelope: true })) {
-    const address = msg.envelope.from?.[0]?.address;
-    if (address) {
-      senderCounts[address] = (senderCounts[address] || 0) + 1;
-      const domain = address.split('@')[1];
-      if (domain) senderDomains[domain] = (senderDomains[domain] || 0) + 1;
-    }
-    count++;
-  }
-
-  await client.logout();
-  const topAddresses = Object.entries(senderCounts).sort((a, b) => b[1] - a[1]).slice(0, maxResults).map(([address, count]) => ({ address, count }));
-  const topDomains = Object.entries(senderDomains).sort((a, b) => b[1] - a[1]).slice(0, maxResults).map(([domain, count]) => ({ domain, count }));
-  return { sampledEmails: count, topAddresses, topDomains };
-}
-
-async function getUnreadSenders(mailbox = 'INBOX', sampleSize = 500, maxResults = 20) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const uids = (await client.search({ seen: false }, { uid: true })) ?? [];
-  const recentUids = uids.reverse().slice(0, sampleSize);
-  const senderCounts = {};
-
-  if (recentUids.length === 0) {
-    await client.logout();
-    return [];
-  }
-
-  for await (const msg of client.fetch(recentUids, { envelope: true }, { uid: true })) {
-    const address = msg.envelope.from?.[0]?.address;
-    if (address) senderCounts[address] = (senderCounts[address] || 0) + 1;
-  }
-
-  await client.logout();
-  return Object.entries(senderCounts).sort((a, b) => b[1] - a[1]).slice(0, maxResults).map(([address, count]) => ({ address, count }));
-}
-
-async function getEmailsBySender(sender, mailbox = 'INBOX', limit = 10) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const uids = (await client.search({ from: sender }, { uid: true })) ?? [];
-  const total = uids.length;
-  const recentUids = uids.slice(-limit).reverse();
-  const emails = [];
-  for (const uid of recentUids) {
-    const msg = await client.fetchOne(uid, { envelope: true, flags: true }, { uid: true });
-    if (msg) {
-      emails.push({
-        uid,
-        subject: msg.envelope.subject,
-        from: msg.envelope.from?.[0]?.address,
-        date: msg.envelope.date,
-        flagged: msg.flags.has('\\Flagged'),
-        seen: msg.flags.has('\\Seen')
-      });
-    }
-  }
-  await client.logout();
-  return { total, showing: emails.length, emails };
-}
-
-async function bulkDeleteBySender(sender, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const uids = (await client.search({ from: sender }, { uid: true })) ?? [];
-  if (uids.length === 0) { await client.logout(); return { deleted: 0 }; }
-  let deleted = 0;
-  for (let i = 0; i < uids.length; i += CHUNK_SIZE) {
-    const chunk = uids.slice(i, i + CHUNK_SIZE);
-    await client.messageDelete(chunk, { uid: true });
-    deleted += chunk.length;
-  }
-  await client.logout();
-  return { deleted, sender };
-}
-
-async function markOlderThanRead(days, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const date = new Date();
-  date.setDate(date.getDate() - days);
-  const raw = await client.search({ before: date, seen: false }, { uid: true });
-  const uids = Array.isArray(raw) ? raw : [];
-  if (uids.length === 0) { await client.logout(); return { marked: 0, olderThan: date.toISOString() }; }
-  await client.messageFlagsAdd(uids, ['\\Seen'], { uid: true });
-  await client.logout();
-  return { marked: uids.length, olderThan: date.toISOString() };
-}
-
-async function bulkMoveByDomain(domain, targetMailbox, sourceMailbox = 'INBOX', dryRun = false) {
-  const result = await bulkMove({ domain }, targetMailbox, sourceMailbox, dryRun);
-  return { ...result, domain };
-}
-
-async function bulkMoveBySender(sender, targetMailbox, sourceMailbox = 'INBOX', dryRun = false) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(sourceMailbox);
-  const uids = (await client.search({ from: sender }, { uid: true })) ?? [];
-  await client.logout();
-  if (dryRun) return { dryRun: true, wouldMove: uids.length, sender, sourceMailbox, targetMailbox };
-  if (uids.length === 0) return { moved: 0 };
-  await ensureMailbox(targetMailbox);
-  const result = await safeMoveEmails(uids, sourceMailbox, targetMailbox);
-  return { ...result, sender, targetMailbox };
-}
-
-async function bulkDeleteBySubject(subject, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const uids = (await client.search({ subject }, { uid: true })) ?? [];
-  if (uids.length === 0) { await client.logout(); return { deleted: 0 }; }
-  let deleted = 0;
-  for (let i = 0; i < uids.length; i += CHUNK_SIZE) {
-    const chunk = uids.slice(i, i + CHUNK_SIZE);
-    await client.messageDelete(chunk, { uid: true });
-    deleted += chunk.length;
-  }
-  await client.logout();
-  return { deleted, subject };
-}
-
-async function deleteOlderThan(days, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const date = new Date();
-  date.setDate(date.getDate() - days);
-  const uids = (await client.search({ before: date }, { uid: true })) ?? [];
-  if (uids.length === 0) { await client.logout(); return { deleted: 0 }; }
-  let deleted = 0;
-  for (let i = 0; i < uids.length; i += CHUNK_SIZE) {
-    const chunk = uids.slice(i, i + CHUNK_SIZE);
-    await client.messageDelete(chunk, { uid: true });
-    deleted += chunk.length;
-  }
-  await client.logout();
-  return { deleted, olderThan: date.toISOString() };
-}
-
-async function getEmailsByDateRange(startDate, endDate, mailbox = 'INBOX', limit = 10) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const uids = (await client.search({ since: new Date(startDate), before: new Date(endDate) }, { uid: true })) ?? [];
-  const total = uids.length;
-  const recentUids = uids.slice(-limit).reverse();
-  const emails = [];
-  for (const uid of recentUids) {
-    const msg = await client.fetchOne(uid, { envelope: true, flags: true }, { uid: true });
-    if (msg) {
-      emails.push({
-        uid,
-        subject: msg.envelope.subject,
-        from: msg.envelope.from?.[0]?.address,
-        date: msg.envelope.date,
-        flagged: msg.flags.has('\\Flagged'),
-        seen: msg.flags.has('\\Seen')
-      });
-    }
-  }
-  await client.logout();
-  return { total, showing: emails.length, emails };
-}
-
-async function bulkMarkRead(mailbox = 'INBOX', sender = null) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const query = sender ? { from: sender, seen: false } : { seen: false };
-  const uids = (await client.search(query, { uid: true })) ?? [];
-  if (uids.length === 0) { await client.logout(); return { marked: 0 }; }
-  await client.messageFlagsAdd(uids, ['\\Seen'], { uid: true });
-  await client.logout();
-  return { marked: uids.length, sender: sender || 'all' };
-}
-
-async function bulkMarkUnread(mailbox = 'INBOX', sender = null) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const query = sender ? { from: sender, seen: true } : { seen: true };
-  const uids = (await client.search(query, { uid: true })) ?? [];
-  if (uids.length === 0) { await client.logout(); return { marked: 0 }; }
-  await client.messageFlagsRemove(uids, ['\\Seen'], { uid: true });
-  await client.logout();
-  return { marked: uids.length, sender: sender || 'all' };
-}
-
-async function bulkFlag(filters, flagged, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const query = buildQuery(filters);
-  const uids = (await client.search(query, { uid: true })) ?? [];
-  if (uids.length === 0) { await client.logout(); return { flagged: 0 }; }
-  if (flagged) {
-    await client.messageFlagsAdd(uids, ['\\Flagged'], { uid: true });
-  } else {
-    await client.messageFlagsRemove(uids, ['\\Flagged'], { uid: true });
-  }
-  await client.logout();
-  return { [flagged ? 'flagged' : 'unflagged']: uids.length, filters };
-}
-
-async function bulkFlagBySender(sender, flagged, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const raw = await client.search({ from: sender }, { uid: true });
-  const uids = Array.isArray(raw) ? raw : [];
-  if (uids.length === 0) { await client.logout(); return { [flagged ? 'flagged' : 'unflagged']: 0, sender }; }
-  if (flagged) {
-    await client.messageFlagsAdd(uids, ['\\Flagged'], { uid: true });
-  } else {
-    await client.messageFlagsRemove(uids, ['\\Flagged'], { uid: true });
-  }
-  await client.logout();
-  return { [flagged ? 'flagged' : 'unflagged']: uids.length, sender };
-}
-
-async function emptyTrash(dryRun = false) {
-  const t0 = Date.now();
-  const trashFolders = ['Deleted Messages', 'Trash'];
-  const client = createRateLimitedClient();
-  await client.connect();
-
-  let mailbox = null;
-  for (const folder of trashFolders) {
-    try {
-      await client.mailboxOpen(folder);
-      mailbox = folder;
-      break;
-    } catch (err) {
-      if (!err.message.includes('Mailbox does not exist') && !err.message.includes('NONEXISTENT') && !err.message.includes('does not exist')) {
-        await safeClose(client);
-        throw err;
-      }
-    }
-  }
-
-  if (!mailbox) {
-    await safeClose(client);
-    throw new Error('No trash folder found — tried: ' + trashFolders.join(', '));
-  }
-
-  const raw = await client.search({ all: true }, { uid: true });
-  const uids = Array.isArray(raw) ? raw : [];
-
-  if (dryRun) {
-    await safeClose(client);
-    return { dryRun: true, wouldDelete: uids.length, mailbox };
-  }
-
-  if (uids.length === 0) {
-    await safeClose(client);
-    return { deleted: 0, mailbox, timeTaken: ((Date.now() - t0) / 1000).toFixed(1) + 's' };
-  }
-
-  let deleted = 0;
-  for (let i = 0; i < uids.length; i += CHUNK_SIZE) {
-    const chunk = uids.slice(i, i + CHUNK_SIZE);
-    await client.messageDelete(chunk, { uid: true });
-    deleted += chunk.length;
-  }
-  await safeClose(client);
-  return { deleted, mailbox, timeTaken: ((Date.now() - t0) / 1000).toFixed(1) + 's' };
-}
-
-async function archiveOlderThan(days, targetMailbox, sourceMailbox = 'INBOX', dryRun = false) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(sourceMailbox);
-  const date = new Date();
-  date.setDate(date.getDate() - days);
-  const raw = await client.search({ before: date }, { uid: true });
-  const uids = Array.isArray(raw) ? raw : [];
-  await client.logout();
-  if (dryRun) return { dryRun: true, wouldMove: uids.length, olderThan: date.toISOString(), sourceMailbox, targetMailbox };
-  if (uids.length === 0) return { moved: 0, olderThan: date.toISOString(), sourceMailbox, targetMailbox };
-  await ensureMailbox(targetMailbox);
-  const result = await safeMoveEmails(uids, sourceMailbox, targetMailbox);
-  return { ...result, olderThan: date.toISOString(), sourceMailbox, targetMailbox };
-}
-
-async function getStorageReport(mailbox = 'INBOX', sampleSize = 100) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-
-  // Count emails by size bucket using 4x SEARCH LARGER
-  const thresholds = [10 * 1024, 100 * 1024, 1024 * 1024, 10 * 1024 * 1024];
-  const counts = [];
-  for (const thresh of thresholds) {
-    const r = await client.search({ larger: thresh }, { uid: true }).catch(() => []);
-    counts.push(Array.isArray(r) ? r.length : 0);
-  }
-
-  const buckets = [
-    { range: '10KB–100KB', count: counts[0] - counts[1] },
-    { range: '100KB–1MB', count: counts[1] - counts[2] },
-    { range: '1MB–10MB', count: counts[2] - counts[3] },
-    { range: '10MB+', count: counts[3] }
-  ];
-
-  // Sample top senders among large emails (> 100 KB)
-  const largeRaw = await client.search({ larger: 100 * 1024 }, { uid: true }).catch(() => []);
-  const largeUids = Array.isArray(largeRaw) ? largeRaw : [];
-  const sampleUids = largeUids.slice(-sampleSize);
-
-  const senderSizes = {};
-  if (sampleUids.length > 0) {
-    for await (const msg of client.fetch(sampleUids, { envelope: true, bodyStructure: true }, { uid: true })) {
-      const address = msg.envelope?.from?.[0]?.address;
-      if (address && msg.bodyStructure) {
-        senderSizes[address] = (senderSizes[address] || 0) + estimateEmailSize(msg.bodyStructure);
-      }
-    }
-  }
-
-  await client.logout();
-
-  const topSendersBySize = Object.entries(senderSizes)
-    .sort((a, b) => b[1] - a[1])
-    .slice(0, 10)
-    .map(([address, estimateBytes]) => ({ address, estimateKB: Math.round(estimateBytes / 1024) }));
-
-  const midpoints = [50, 512, 5120, 15360]; // rough KB midpoint for each bucket
-  const estimatedTotalKB = buckets.reduce((sum, b, i) => sum + b.count * midpoints[i], 0);
-
-  return {
-    mailbox,
-    buckets,
-    estimatedTotalKB,
-    topSendersBySize,
-    ...(sampleUids.length < largeUids.length && {
-      note: `Sender analysis sampled ${sampleUids.length} of ${largeUids.length} large emails (>100 KB)`
-    })
-  };
-}
-
-async function getThread(uid, mailbox = 'INBOX') {
-  const THREAD_CANDIDATE_CAP = 100;
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-
-  // Fetch target email's envelope + raw headers for threading
-  const meta = await client.fetchOne(uid, {
-    envelope: true,
-    flags: true,
-    headers: new Set(['references', 'in-reply-to'])
-  }, { uid: true });
-  if (!meta) throw new Error(`Email UID ${uid} not found`);
-
-  const targetMessageId = meta.envelope?.messageId ?? null;
-  const rawRefs = extractRawHeader(meta.headers, 'references');
-  const rawInReplyTo = extractRawHeader(meta.headers, 'in-reply-to');
-
-  // Build full reference set for this email
-  const threadRefs = new Set();
-  if (targetMessageId) threadRefs.add(targetMessageId.trim());
-  if (rawInReplyTo) threadRefs.add(rawInReplyTo.trim());
-  if (rawRefs) {
-    rawRefs.split(/\s+/).filter(s => s.startsWith('<') && s.endsWith('>')).forEach(r => threadRefs.add(r));
-  }
-
-  const normalizedSubject = stripSubjectPrefixes(meta.envelope?.subject ?? '');
-
-  // SEARCH SUBJECT for candidates (iCloud doesn't support SEARCH HEADER)
-  let candidateUids = [];
-  if (normalizedSubject) {
-    const raw = await client.search({ subject: normalizedSubject }, { uid: true });
-    candidateUids = Array.isArray(raw) ? raw : [];
-  }
-
-  const candidatesCapped = candidateUids.length > THREAD_CANDIDATE_CAP;
-  if (candidatesCapped) candidateUids = candidateUids.slice(-THREAD_CANDIDATE_CAP);
-
-  // Fetch envelopes + headers for candidates to filter by References overlap
-  const threadEmails = [];
-  if (candidateUids.length > 0) {
-    for await (const msg of client.fetch(candidateUids, {
-      envelope: true,
-      flags: true,
-      headers: new Set(['references', 'in-reply-to'])
-    }, { uid: true })) {
-      const msgId = msg.envelope?.messageId ?? null;
-      const msgRefs = extractRawHeader(msg.headers, 'references');
-      const msgInReplyTo = extractRawHeader(msg.headers, 'in-reply-to');
-
-      // Build this message's reference set
-      const msgRefSet = new Set();
-      if (msgId) msgRefSet.add(msgId.trim());
-      if (msgInReplyTo) msgRefSet.add(msgInReplyTo.trim());
-      if (msgRefs) msgRefs.split(/\s+/).filter(s => s.startsWith('<')).forEach(r => msgRefSet.add(r));
-
-      // Include if there's any Reference chain overlap
-      const hasOverlap = (msgId && threadRefs.has(msgId.trim())) ||
-        [...threadRefs].some(r => msgRefSet.has(r));
-
-      if (hasOverlap) {
-        threadEmails.push({
-          uid: msg.uid,
-          subject: msg.envelope?.subject,
-          from: msg.envelope?.from?.[0]?.address,
-          date: msg.envelope?.date,
-          seen: msg.flags?.has('\\Seen') ?? false,
-          flagged: msg.flags?.has('\\Flagged') ?? false,
-          messageId: msgId
-        });
-      }
-    }
-  }
-
-  await client.logout();
-
-  // Sort by date ascending
-  threadEmails.sort((a, b) => {
-    const da = a.date ? new Date(a.date).getTime() : 0;
-    const db = b.date ? new Date(b.date).getTime() : 0;
-    return da - db;
-  });
-
-  return {
-    uid,
-    subject: normalizedSubject || meta.envelope?.subject,
-    count: threadEmails.length,
-    emails: threadEmails,
-    ...(candidatesCapped && {
-      candidatesCapped: true,
-      note: `Subject search returned more than ${THREAD_CANDIDATE_CAP} candidates — thread results may be incomplete`
-    })
-  };
-}
-
-async function createMailbox(name) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxCreate(name);
-  await client.logout();
-  return { created: name };
-}
-
-async function renameMailbox(oldName, newName) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  try {
-    await Promise.race([
-      client.mailboxRename(oldName, newName),
-      new Promise((_, reject) =>
-        setTimeout(() => reject(new Error('rename timed out after 15s — Apple IMAP may not support renaming this folder')), 15000)
-      )
-    ]);
-  } finally {
-    try { await client.logout(); } catch { client.close(); }
-  }
-  return { renamed: { from: oldName, to: newName } };
-}
-
-async function deleteMailbox(name) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  try {
-    await Promise.race([
-      client.mailboxDelete(name),
-      new Promise((_, reject) =>
-        setTimeout(() => reject(new Error('delete timed out after 15s — Apple IMAP may not support deleting this folder')), 15000)
-      )
-    ]);
-  } finally {
-    try { await client.logout(); } catch { client.close(); }
-  }
-  return { deleted: name };
-}
-
-async function getMailboxSummary(mailbox) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  const status = await client.status(mailbox, { messages: true, unseen: true, recent: true });
-  await client.logout();
-  return { mailbox, total: status.messages, unread: status.unseen, recent: status.recent };
-}
-
-// ─── MIME body parsing helpers ────────────────────────────────────────────────
-
-function decodeTransferEncoding(buffer, encoding) {
-  const enc = (encoding || '7bit').toLowerCase().trim();
-  if (enc === 'base64') {
-    return Buffer.from(buffer.toString('ascii').replace(/\s/g, ''), 'base64');
-  }
-  if (enc === 'quoted-printable') {
-    const str = buffer.toString('binary')
-      .replace(/[\t ]+$/gm, '')
-      .replace(/=(?:\r?\n|$)/g, '');
-    const result = Buffer.alloc(str.length);
-    let pos = 0;
-    for (let i = 0; i < str.length; i++) {
-      if (str[i] === '=' && i + 2 < str.length) {
-        const hex = str.slice(i + 1, i + 3);
-        if (/^[\da-fA-F]{2}$/.test(hex)) {
-          result[pos++] = parseInt(hex, 16);
-          i += 2;
-          continue;
-        }
-      }
-      result[pos++] = str.charCodeAt(i) & 0xff;
-    }
-    return result.slice(0, pos);
-  }
-  return buffer;
-}
-
-async function decodeCharset(buffer, charset) {
-  const cs = (charset || 'utf-8').toLowerCase().trim();
-  const nativeMap = { 'utf-8': 'utf8', 'utf8': 'utf8', 'us-ascii': 'ascii',
-    'ascii': 'ascii', 'latin1': 'latin1', 'iso-8859-1': 'latin1', 'binary': 'binary' };
-  if (nativeMap[cs]) return buffer.toString(nativeMap[cs]);
-  try {
-    const { default: iconv } = await import('iconv-lite');
-    if (iconv.encodingExists(cs)) return iconv.decode(buffer, cs);
-  } catch { /* iconv unavailable */ }
-  return buffer.toString('utf8');
-}
-
-function stripHtml(html) {
-  return html
-    .replace(/<style[^>]*>[\s\S]*?<\/style>/gi, ' ')
-    .replace(/<script[^>]*>[\s\S]*?<\/script>/gi, ' ')
-    .replace(/<br\s*\/?>/gi, '\n')
-    .replace(/<\/p>/gi, '\n\n')
-    .replace(/<\/div>/gi, '\n')
-    .replace(/<\/li>/gi, '\n')
-    .replace(/<[^>]+>/g, '')
-    .replace(/&nbsp;/gi, ' ')
-    .replace(/&amp;/gi, '&')
-    .replace(/&lt;/gi, '<')
-    .replace(/&gt;/gi, '>')
-    .replace(/&quot;/gi, '"')
-    .replace(/&#(\d+);/g, (_, n) => String.fromCharCode(parseInt(n)))
-    .replace(/[ \t]+/g, ' ')
-    .replace(/\n{3,}/g, '\n\n')
-    .trim();
-}
-
-// Extract a specific header from imapflow's headers property.
-// imapflow returns headers as a raw Buffer (BODY[HEADER.FIELDS ...] response bytes),
-// so we parse it as text with MIME unfolding. Falls back to .get() if it's a Map.
-function extractRawHeader(headers, name) {
-  if (!headers) return '';
-  let str;
-  if (Buffer.isBuffer(headers)) {
-    str = headers.toString();
-  } else if (typeof headers.get === 'function') {
-    return (headers.get(name) ?? '').toString().trim();
-  } else {
-    str = headers.toString();
-  }
-  // Unfold MIME-folded header values (CRLF + whitespace = continuation)
-  const unfolded = str.replace(/\r?\n[ \t]+/g, ' ');
-  return unfolded.match(new RegExp(`^${name}:\\s*(.+)`, 'im'))?.[1]?.trim() ?? '';
-}
-
-function findTextPart(node) {
-  if (!node.childNodes) {
-    if (node.type && node.type.startsWith('text/') && node.disposition !== 'attachment') {
-      return { partId: null, type: node.type, encoding: node.encoding, charset: node.parameters?.charset, size: node.size };
-    }
-    return null;
-  }
-  if (node.type === 'multipart/alternative') {
-    let plainPart = null, htmlPart = null;
-    for (const child of node.childNodes) {
-      if (child.childNodes || child.disposition === 'attachment') continue;
-      if (child.type === 'text/plain') plainPart = child;
-      else if (child.type === 'text/html') htmlPart = child;
-    }
-    const chosen = plainPart || htmlPart;
-    if (chosen) return { partId: chosen.part, type: chosen.type, encoding: chosen.encoding, charset: chosen.parameters?.charset, size: chosen.size };
-  }
-  for (const child of node.childNodes) {
-    if (child.disposition === 'attachment') continue;
-    const found = findTextPart(child);
-    if (found) return found;
-  }
-  return null;
-}
-
-function findAttachments(node, parts = []) {
-  if (node.childNodes) {
-    for (const child of node.childNodes) findAttachments(child, parts);
-  } else {
-    const filename = node.dispositionParameters?.filename ?? node.parameters?.name ?? null;
-    const isTextBody = (node.type === 'text/plain' || node.type === 'text/html') && node.disposition !== 'attachment';
-    if (node.disposition === 'attachment' || node.disposition === 'inline' || (filename && !isTextBody)) {
-      parts.push({
-        partId: node.part ?? 'TEXT',
-        filename,
-        mimeType: node.type ?? 'application/octet-stream',
-        size: node.size ?? 0,
-        encoding: node.encoding ?? '7bit',
-        disposition: node.disposition ?? 'attachment'
-      });
-    }
-  }
-  return parts;
-}
-
-function estimateEmailSize(node) {
-  if (node.childNodes) return node.childNodes.reduce((s, c) => s + estimateEmailSize(c), 0);
-  return node.size || 0;
-}
-
-function stripSubjectPrefixes(subject) {
-  if (!subject) return '';
-  return subject.replace(/^(Re:|RE:|Fwd:|FWD:|Fw:|FW:|AW:|回复:|转发:)\s*/i, '').trim();
-}
-
-// ─── Email content fetcher (MIME-aware) ───────────────────────────────────────
-
-async function getEmailContent(uid, mailbox = 'INBOX', maxChars = 8000, includeHeaders = false) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-
-  const fetchOpts = { envelope: true, flags: true, bodyStructure: true };
-  if (includeHeaders) fetchOpts.headers = new Set(['references', 'list-unsubscribe']);
-  const meta = await client.fetchOne(uid, fetchOpts, { uid: true });
-  if (!meta) {
-    await client.logout();
-    return { uid, subject: null, from: null, date: null, flags: [], body: '(email not found)' };
-  }
-
-  let body = '(body unavailable)';
-
-  try {
-    const struct = meta.bodyStructure;
-    if (!struct) throw new Error('no bodyStructure');
-
-    const textPart = findTextPart(struct);
-
-    if (!textPart) {
-      body = '(no readable text — email may be image-only or have no text parts)';
-    } else {
-      // Single-part messages use 'TEXT'; multipart use dot-notation part id (e.g. '1', '1.1')
-      const imapKey = textPart.partId ?? 'TEXT';
-
-      // For large parts, cap the fetch at 12KB to avoid downloading multi-MB newsletters
-      const fetchSpec = (textPart.size && textPart.size > 150_000)
-        ? [{ key: imapKey, start: 0, maxLength: 12_000 }]
-        : [imapKey];
-
-      const partMsg = await Promise.race([
-        client.fetchOne(uid, { bodyParts: fetchSpec }, { uid: true }),
-        new Promise((_, reject) => setTimeout(() => reject(new Error('body fetch timeout')), 10_000))
-      ]);
-
-      // bodyParts is a Map — try the key as-is, then uppercase, then lowercase
-      const partBuffer = partMsg?.bodyParts?.get(imapKey)
-        ?? partMsg?.bodyParts?.get(imapKey.toUpperCase())
-        ?? partMsg?.bodyParts?.get(imapKey.toLowerCase());
-
-      if (!partBuffer || partBuffer.length === 0) throw new Error('empty body part');
-
-      const decoded = decodeTransferEncoding(partBuffer, textPart.encoding);
-      let text = await decodeCharset(decoded, textPart.charset);
-
-      if (textPart.type === 'text/html') text = stripHtml(text);
-
-      const clampedMaxChars = Math.min(maxChars, 50_000);
-      if (text.length > clampedMaxChars) {
-        text = text.slice(0, clampedMaxChars) + `\n\n[... truncated — ${text.length.toLocaleString()} chars total]`;
-      }
-
-      body = text.trim() || '(empty body)';
-
-      if (textPart.size && textPart.size > 150_000) {
-        body += `\n\n[Note: email body is large (${Math.round(textPart.size / 1024)}KB) — showing first 12KB]`;
-      }
-    }
-  } catch {
-    // Fallback: raw source slice (original behaviour)
-    try {
-      const sourceMsg = await Promise.race([
-        client.fetchOne(uid, { source: true }, { uid: true }),
-        new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), 5_000))
-      ]);
-      if (sourceMsg?.source) {
-        const raw = sourceMsg.source.toString();
-        const bodyStart = raw.indexOf('\r\n\r\n');
-        body = '[raw fallback]\n' + (bodyStart > -1 ? raw.slice(bodyStart + 4, bodyStart + 2000) : raw.slice(0, 2000));
-      }
-    } catch { /* leave as unavailable */ }
-  }
-
-  await client.logout();
-
-  const attachments = meta.bodyStructure ? findAttachments(meta.bodyStructure) : [];
-  const result = {
-    uid: meta.uid,
-    subject: meta.envelope.subject,
-    from: meta.envelope.from?.[0]?.address,
-    date: meta.envelope.date,
-    flags: [...meta.flags],
-    attachments: {
-      count: attachments.length,
-      items: attachments.map(a => ({ partId: a.partId, filename: a.filename, mimeType: a.mimeType, size: a.size }))
-    },
-    body
-  };
-
-  if (includeHeaders) {
-    // imapflow returns headers as a raw Buffer — parse it as text
-    const rawRefs = extractRawHeader(meta.headers, 'references');
-    const rawUnsub = extractRawHeader(meta.headers, 'list-unsubscribe');
-    result.headers = {
-      to: meta.envelope.to?.map(a => a.address) ?? [],
-      cc: meta.envelope.cc?.map(a => a.address) ?? [],
-      replyTo: meta.envelope.replyTo?.[0]?.address ?? null,
-      messageId: meta.envelope.messageId ?? null,
-      inReplyTo: meta.envelope.inReplyTo ?? null,
-      references: rawRefs ? rawRefs.split(/\s+/).filter(s => s.startsWith('<')) : [],
-      listUnsubscribe: rawUnsub || null
-    };
-  }
-
-  return result;
-}
-
-async function listAttachments(uid, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const meta = await client.fetchOne(uid, { envelope: true, bodyStructure: true }, { uid: true });
-  await client.logout();
-  if (!meta) return { uid, subject: null, attachmentCount: 0, attachments: [] };
-  const attachments = meta.bodyStructure ? findAttachments(meta.bodyStructure) : [];
-  return {
-    uid: meta.uid,
-    subject: meta.envelope.subject,
-    attachmentCount: attachments.length,
-    attachments
-  };
-}
-
-async function getUnsubscribeInfo(uid, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const meta = await client.fetchOne(uid, { headers: new Set(['list-unsubscribe', 'list-unsubscribe-post']) }, { uid: true });
-  await client.logout();
-  if (!meta) return { uid, email: null, url: null, raw: null };
-  const raw = extractRawHeader(meta.headers, 'list-unsubscribe') || null;
-  if (!raw) return { uid, email: null, url: null, raw: null };
-  const email = raw.match(/<mailto:([^>]+)>/i)?.[1] ?? null;
-  const url = raw.match(/<(https?:[^>]+)>/i)?.[1] ?? null;
-  return { uid, email, url, raw };
-}
-
-async function getEmailRaw(uid, mailbox = 'INBOX') {
-  const MAX_RAW_BYTES = 1 * 1024 * 1024; // 1 MB cap
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const msg = await client.fetchOne(uid, { source: true }, { uid: true });
-  await client.logout();
-  if (!msg || !msg.source) throw new Error(`Email UID ${uid} not found`);
-  const source = msg.source;
-  const truncated = source.length > MAX_RAW_BYTES;
-  const slice = truncated ? source.slice(0, MAX_RAW_BYTES) : source;
-  return {
-    uid,
-    size: source.length,
-    truncated,
-    data: slice.toString('base64'),
-    dataEncoding: 'base64'
-  };
-}
-
-async function getAttachment(uid, partId, mailbox = 'INBOX', offset = null, length = null) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-
-  // First fetch bodyStructure to find the attachment and validate size
-  const meta = await client.fetchOne(uid, { bodyStructure: true }, { uid: true });
-  if (!meta) throw new Error(`Email UID ${uid} not found`);
-
-  const attachments = meta.bodyStructure ? findAttachments(meta.bodyStructure) : [];
-  const att = attachments.find(a => a.partId === partId);
-  if (!att) throw new Error(`Part ID "${partId}" not found in email UID ${uid}. Use list_attachments to see available parts.`);
-
-  const isPaginated = offset !== null || length !== null;
-
-  if (!isPaginated && att.size > MAX_ATTACHMENT_BYTES) {
-    await client.logout();
-    return {
-      error: `Attachment too large to download in one request (${Math.round(att.size / 1024 / 1024 * 10) / 10} MB). Use offset and length params to download in chunks (max ${MAX_ATTACHMENT_BYTES / 1024 / 1024} MB per request).`,
-      filename: att.filename,
-      mimeType: att.mimeType,
-      size: att.size,
-      totalSize: att.size
-    };
-  }
-
-  // Build fetch spec
-  let fetchSpec;
-  if (isPaginated) {
-    const start = offset ?? 0;
-    const maxLength = length ?? MAX_ATTACHMENT_BYTES;
-    fetchSpec = [{ key: partId, start, maxLength }];
-  } else {
-    fetchSpec = [partId];
-  }
-
-  // Fetch the raw body part bytes
-  const rawChunks = [];
-  for await (const msg of client.fetch({ uid }, { bodyParts: fetchSpec }, { uid: true })) {
-    const buf = msg.bodyParts?.get(partId)
-      ?? msg.bodyParts?.get(partId.toUpperCase())
-      ?? msg.bodyParts?.get(partId.toLowerCase());
-    if (buf) rawChunks.push(buf);
-  }
-  await client.logout();
-
-  if (rawChunks.length === 0) throw new Error(`No data returned for part "${partId}" of UID ${uid}`);
-
-  const raw = Buffer.concat(rawChunks);
-
-  if (isPaginated) {
-    // Paginated: return raw encoded bytes without transfer-encoding decode
-    const fetchOffset = offset ?? 0;
-    const actualLength = raw.length;
-    const hasMore = att.size ? (fetchOffset + actualLength < att.size) : false;
-    return {
-      uid, partId,
-      filename: att.filename,
-      mimeType: att.mimeType,
-      encoding: att.encoding,
-      totalSize: att.size,
-      offset: fetchOffset,
-      length: actualLength,
-      hasMore,
-      data: raw.toString('base64'),
-      dataEncoding: 'base64'
-    };
-  }
-
-  // Full download: decode transfer encoding
-  const encoding = att.encoding.toLowerCase();
-  let decoded;
-  if (encoding === 'base64') {
-    decoded = Buffer.from(raw.toString('ascii').replace(/\s/g, ''), 'base64');
-  } else if (encoding === 'quoted-printable') {
-    const qp = raw.toString('binary').replace(/=\r?\n/g, '').replace(/=([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
-    decoded = Buffer.from(qp, 'binary');
-  } else {
-    decoded = raw; // 7bit / 8bit / binary
-  }
-
-  return {
-    uid,
-    partId,
-    filename: att.filename,
-    mimeType: att.mimeType,
-    size: decoded.length,
-    encoding: att.encoding,
-    data: decoded.toString('base64'),
-    dataEncoding: 'base64'
-  };
-}
-
-async function flagEmail(uid, flagged, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  if (flagged) {
-    await client.messageFlagsAdd(uid, ['\\Flagged'], { uid: true });
-  } else {
-    await client.messageFlagsRemove(uid, ['\\Flagged'], { uid: true });
-  }
-  await client.logout();
-  return true;
-}
-
-async function markAsRead(uid, seen, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  if (seen) {
-    await client.messageFlagsAdd(uid, ['\\Seen'], { uid: true });
-  } else {
-    await client.messageFlagsRemove(uid, ['\\Seen'], { uid: true });
-  }
-  await client.logout();
-  return true;
-}
-
-async function deleteEmail(uid, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  await client.messageDelete(uid, { uid: true });
-  await client.logout();
-  return true;
-}
-
-async function listMailboxes() {
-  const client = createRateLimitedClient();
-  await client.connect();
-  const tree = await client.listTree();
-  const mailboxes = [];
-  function walk(items) {
-    for (const item of items) {
-      mailboxes.push({ name: item.name, path: item.path });
-      if (item.folders && item.folders.length > 0) walk(item.folders);
-    }
-  }
-  walk(tree.folders);
-  await client.logout();
-  return mailboxes;
-}
-
-async function searchEmails(query, mailbox = 'INBOX', limit = 10, filters = {}, options = {}) {
-  const { queryMode = 'or', subjectQuery, bodyQuery, fromQuery, includeSnippet = false } = options;
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-
-  // Build text query
-  let textQuery;
-  const targetedParts = [];
-  if (subjectQuery) targetedParts.push({ subject: subjectQuery });
-  if (bodyQuery) targetedParts.push({ body: bodyQuery });
-  if (fromQuery) targetedParts.push({ from: fromQuery });
+const IMAP_USER = process.env.IMAP_USER;
+const IMAP_PASSWORD = process.env.IMAP_PASSWORD;
 
-  if (targetedParts.length > 0) {
-    // Targeted field queries
-    if (queryMode === 'and') {
-      textQuery = Object.assign({}, ...targetedParts); // IMAP AND is implicit
-    } else {
-      textQuery = targetedParts.length === 1 ? targetedParts[0] : { or: targetedParts };
-    }
-  } else if (query) {
-    // Original OR across subject/from/body
-    textQuery = { or: [{ subject: query }, { from: query }, { body: query }] };
+if (!IMAP_USER || !IMAP_PASSWORD) {
+  if (process.argv.includes('--doctor')) {
+    // Doctor will handle missing credentials with friendly output
   } else {
-    textQuery = null;
-  }
-
-  const extraQuery = buildQuery(filters);
-  const hasExtra = Object.keys(extraQuery).length > 0 && !extraQuery.all;
-  const finalQuery = textQuery
-    ? (hasExtra ? { ...textQuery, ...extraQuery } : textQuery)
-    : (hasExtra ? extraQuery : { all: true });
-
-  let uids = (await client.search(finalQuery, { uid: true })) ?? [];
-  if (!Array.isArray(uids)) uids = [];
-
-  if (filters.hasAttachment) {
-    if (uids.length > ATTACHMENT_SCAN_LIMIT) {
-      await client.logout();
-      return { total: null, showing: 0, emails: [], error: `hasAttachment requires narrower filters first — ${uids.length} candidates exceeds scan limit of ${ATTACHMENT_SCAN_LIMIT}. Add from/since/before/subject filters to reduce the set.` };
-    }
-    uids = await filterUidsByAttachment(client, uids);
-  }
-
-  const emails = [];
-  const recentUids = uids.slice(-limit).reverse();
-  for (const uid of recentUids) {
-    const msg = await client.fetchOne(uid, { envelope: true, flags: true }, { uid: true });
-    if (msg) {
-      emails.push({
-        uid,
-        subject: msg.envelope.subject,
-        from: msg.envelope.from?.[0]?.address,
-        date: msg.envelope.date,
-        flagged: msg.flags.has('\\Flagged'),
-        seen: msg.flags.has('\\Seen')
-      });
-    }
-  }
-
-  // Fetch body snippets if requested (max 10 emails to avoid timeout)
-  if (includeSnippet && emails.length > 0) {
-    for (const email of emails.slice(0, 10)) {
-      try {
-        const meta = await client.fetchOne(email.uid, { bodyStructure: true }, { uid: true });
-        if (!meta?.bodyStructure) continue;
-        const textPart = findTextPart(meta.bodyStructure);
-        if (!textPart) continue;
-        const imapKey = textPart.partId ?? 'TEXT';
-        const partMsg = await client.fetchOne(email.uid, {
-          bodyParts: [{ key: imapKey, start: 0, maxLength: 400 }]
-        }, { uid: true });
-        const buf = partMsg?.bodyParts?.get(imapKey)
-          ?? partMsg?.bodyParts?.get(imapKey.toUpperCase())
-          ?? partMsg?.bodyParts?.get(imapKey.toLowerCase());
-        if (!buf) continue;
-        const decoded = decodeTransferEncoding(buf, textPart.encoding);
-        let text = await decodeCharset(decoded, textPart.charset);
-        if (textPart.type === 'text/html') text = stripHtml(text);
-        email.snippet = text.replace(/\s+/g, ' ').slice(0, 200).trim();
-      } catch { /* skip snippet on error */ }
-    }
-  }
-
-  await client.logout();
-  return { total: uids.length, showing: emails.length, emails };
-}
-
-async function moveEmail(uid, targetMailbox, sourceMailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(sourceMailbox);
-  await client.messageMove(uid, targetMailbox, { uid: true });
-  await client.logout();
-  return true;
-}
-
-function buildQuery(filters) {
-  const query = {};
-  if (filters.sender) query.from = filters.sender;
-  if (filters.domain) query.from = filters.domain.replace(/^@/, '');
-  if (filters.subject) query.subject = filters.subject;
-  if (filters.before) query.before = new Date(filters.before);
-  if (filters.since) query.since = new Date(filters.since);
-  if (filters.unread === true) query.seen = false;
-  if (filters.unread === false) query.seen = true;
-  if (filters.flagged === true) query.flagged = true;
-  if (filters.flagged === false) query.unflagged = true;
-  if (filters.larger) query.larger = filters.larger * 1024;
-  if (filters.smaller) query.smaller = filters.smaller * 1024;
-  // hasAttachment is handled as a client-side post-filter (see filterUidsByAttachment)
-  // iCloud does not support SEARCH HEADER or reliable size-based attachment detection
-  if (Object.keys(query).length === 0) query.all = true;
-  return query;
-}
-
-async function filterUidsByAttachment(client, uids) {
-  if (uids.length === 0) return [];
-  const result = [];
-  for await (const msg of client.fetch(uids, { bodyStructure: true }, { uid: true })) {
-    if (msg.bodyStructure && findAttachments(msg.bodyStructure).length > 0) {
-      result.push(msg.uid);
-    }
-  }
-  return result;
-}
-
-async function ensureMailbox(name) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  try { await client.mailboxCreate(name); } catch { /* already exists */ }
-  await client.logout();
-}
-
-async function bulkMove(filters, targetMailbox, sourceMailbox = 'INBOX', dryRun = false, limit = null) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(sourceMailbox);
-  const query = buildQuery(filters);
-  let uids = (await client.search(query, { uid: true })) ?? [];
-  if (filters.hasAttachment) {
-    if (uids.length > ATTACHMENT_SCAN_LIMIT) {
-      await client.logout();
-      return { error: `hasAttachment requires narrower filters first — ${uids.length} candidates exceeds scan limit of ${ATTACHMENT_SCAN_LIMIT}.` };
-    }
-    uids = await filterUidsByAttachment(client, uids);
-  }
-  await client.logout();
-
-  if (limit !== null) uids = uids.slice(0, limit);
-
-  if (dryRun) {
-    return { dryRun: true, wouldMove: uids.length, sourceMailbox, targetMailbox, filters };
-  }
-  if (uids.length === 0) return { moved: 0, sourceMailbox, targetMailbox };
-
-  await ensureMailbox(targetMailbox);
-  const result = await safeMoveEmails(uids, sourceMailbox, targetMailbox);
-  return { ...result, sourceMailbox, targetMailbox, filters };
-}
-
-// ─── IMPROVEMENT 3: bulk_delete now has per-chunk timeout ─────────────────────
-// Previously the chunk loop could run unbounded. Now each chunk gets a BULK_OP
-// timeout. If a single chunk hangs, we bail with a partial result instead of
-// hanging forever.
-
-async function bulkDelete(filters, sourceMailbox = 'INBOX', dryRun = false) {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(sourceMailbox);
-  const query = buildQuery(filters);
-  let uids = (await client.search(query, { uid: true })) ?? [];
-  if (filters.hasAttachment) {
-    if (uids.length > ATTACHMENT_SCAN_LIMIT) {
-      await client.logout();
-      return { error: `hasAttachment requires narrower filters first — ${uids.length} candidates exceeds scan limit of ${ATTACHMENT_SCAN_LIMIT}.` };
-    }
-    uids = await filterUidsByAttachment(client, uids);
-  }
-
-  if (dryRun) {
-    await client.logout();
-    return { dryRun: true, wouldDelete: uids.length, sourceMailbox, filters };
-  }
-  if (uids.length === 0) { await client.logout(); return { deleted: 0, sourceMailbox }; }
-
-  let deleted = 0;
-  for (let i = 0; i < uids.length; i += CHUNK_SIZE) {
-    const chunk = uids.slice(i, i + CHUNK_SIZE);
-    const chunkIndex = Math.floor(i / CHUNK_SIZE);
-    try {
-      await withTimeout(`bulk_delete chunk ${chunkIndex}`, TIMEOUT.BULK_OP, async () => {
-        await client.messageDelete(chunk, { uid: true });
-      });
-      deleted += chunk.length;
-    } catch (err) {
-      await safeClose(client);
-      return {
-        deleted,
-        failed: uids.length - deleted,
-        sourceMailbox,
-        filters,
-        error: `Chunk ${chunkIndex} failed: ${err.message}. ${deleted} deleted so far, ${uids.length - deleted} remaining.`
-      };
-    }
-  }
-  await client.logout();
-  return { deleted, sourceMailbox, filters };
-}
-
-async function countEmails(filters, mailbox = 'INBOX') {
-  const client = createRateLimitedClient();
-  await client.connect();
-  await client.mailboxOpen(mailbox);
-  const query = buildQuery(filters);
-  let uids = (await client.search(query, { uid: true })) ?? [];
-  if (filters.hasAttachment) {
-    if (uids.length > ATTACHMENT_SCAN_LIMIT) {
-      await client.logout();
-      return { count: null, candidateCount: uids.length, mailbox, filters, error: `hasAttachment requires narrower filters first — ${uids.length} candidates exceeds scan limit of ${ATTACHMENT_SCAN_LIMIT}. Add from/since/before/subject filters to reduce the set.` };
-    }
-    uids = await filterUidsByAttachment(client, uids);
-  }
-  await client.logout();
-  return { count: uids.length, mailbox, filters };
-}
-
-// ─── Session Log ──────────────────────────────────────────────────────────────
-
-function logRead() {
-  if (!existsSync(LOG_FILE)) return { steps: [], startedAt: null };
-  try {
-    return JSON.parse(readFileSync(LOG_FILE, 'utf8'));
-  } catch {
-    return { steps: [], startedAt: null };
+    process.stderr.write('Error: IMAP_USER and IMAP_PASSWORD environment variables are required\n');
+    process.exit(1);
   }
 }
 
-function logWrite(step) {
-  const log = logRead();
-  if (!log.startedAt) log.startedAt = new Date().toISOString();
-  log.steps.push({ time: new Date().toISOString(), step });
-  writeFileSync(LOG_FILE, JSON.stringify(log, null, 2));
-  return log;
-}
-
-function logClear() {
-  writeFileSync(LOG_FILE, JSON.stringify({ steps: [], startedAt: null }, null, 2));
-  return { cleared: true };
-}
-
 // ─── MCP Server ───────────────────────────────────────────────────────────────
 
 async function main() {
   const server = new Server(
-    { name: 'icloud-mail', version: '2.0.0' },
+    { name: 'icloud-mail', version: '2.3.0' },
     { capabilities: { tools: {} } }
   );
 
@@ -2479,6 +544,340 @@ async function main() {
           },
           required: ['uid']
         }
+      },
+      // ── Saved Rules ──
+      {
+        name: 'create_rule',
+        description: 'Create a saved rule that applies a specific action to emails matching a set of filters. Rules are stored persistently and can be run on demand or all at once with run_all_rules.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            name: { type: 'string', description: 'Unique rule name (used to run or delete the rule)' },
+            description: { type: 'string', description: 'Optional human-readable description of what the rule does' },
+            filters: {
+              type: 'object',
+              description: 'Email filters (same as bulk_move/bulk_delete filters: sender, domain, subject, before, since, unread, flagged, larger, smaller)',
+              properties: filtersSchema
+            },
+            action: {
+              type: 'object',
+              description: 'Action to apply to matching emails',
+              properties: {
+                type: { type: 'string', enum: ['move', 'delete', 'mark_read', 'mark_unread', 'flag', 'unflag'], description: 'Action type' },
+                targetMailbox: { type: 'string', description: 'Destination folder (required for move)' },
+                sourceMailbox: { type: 'string', description: 'Source mailbox (default INBOX)' }
+              },
+              required: ['type']
+            }
+          },
+          required: ['name', 'filters', 'action']
+        }
+      },
+      {
+        name: 'list_rules',
+        description: 'List all saved rules with their filters, actions, and run history.',
+        inputSchema: { type: 'object', properties: {} }
+      },
+      {
+        name: 'run_rule',
+        description: 'Run a specific saved rule by name. Use dryRun: true to preview what would be affected without making changes.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            name: { type: 'string', description: 'Rule name to run' },
+            dryRun: { type: 'boolean', description: 'If true, preview what would be affected without making changes' }
+          },
+          required: ['name']
+        }
+      },
+      {
+        name: 'delete_rule',
+        description: 'Delete a saved rule by name.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            name: { type: 'string', description: 'Rule name to delete' }
+          },
+          required: ['name']
+        }
+      },
+      {
+        name: 'run_all_rules',
+        description: 'Run all saved rules in sequence. Use dryRun: true to preview all rules without making changes.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            dryRun: { type: 'boolean', description: 'If true, preview all rules without making changes' }
+          }
+        }
+      },
+      // ── SMTP / Email sending ──
+      {
+        name: 'compose_email',
+        description: 'Compose and send a new email via iCloud SMTP. The From address is always your iCloud account. Supports plain text, HTML, or both (multipart/alternative).',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            to: { type: 'string', description: 'Recipient email address(es), comma-separated or array' },
+            subject: { type: 'string', description: 'Email subject' },
+            body: { type: 'string', description: 'Plain text body (used as fallback when html is also provided)' },
+            html: { type: 'string', description: 'HTML body. If provided without body, plain text is auto-generated. If provided with body, sends multipart/alternative.' },
+            cc: { type: 'string', description: 'CC recipient(s), comma-separated or array' },
+            bcc: { type: 'string', description: 'BCC recipient(s), comma-separated or array' },
+            replyTo: { type: 'string', description: 'Reply-To address override' }
+          },
+          required: ['to', 'subject']
+        }
+      },
+      {
+        name: 'reply_to_email',
+        description: 'Reply to an existing email. Automatically sets correct threading headers (In-Reply-To, References) and prefixes the subject with Re:. Supports plain text and/or HTML body.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            uid: { type: 'number', description: 'UID of the email to reply to' },
+            body: { type: 'string', description: 'Plain text reply body' },
+            html: { type: 'string', description: 'HTML reply body (auto-generates plain text fallback if body not provided)' },
+            mailbox: { type: 'string', description: 'Mailbox containing the original email (default INBOX)' },
+            replyAll: { type: 'boolean', description: 'If true, reply to all recipients (To + Cc). Default false.' },
+            cc: { type: 'string', description: 'Additional CC recipients for this reply' }
+          },
+          required: ['uid']
+        }
+      },
+      {
+        name: 'forward_email',
+        description: 'Forward an existing email to one or more recipients. Fetches the original email body and includes it as a forwarded message block. Supports plain text and/or HTML note.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            uid: { type: 'number', description: 'UID of the email to forward' },
+            to: { type: 'string', description: 'Recipient(s) to forward to, comma-separated or array' },
+            note: { type: 'string', description: 'Optional plain text note to prepend before the forwarded message' },
+            html: { type: 'string', description: 'Optional HTML note to prepend (overrides plain text note for HTML rendering)' },
+            mailbox: { type: 'string', description: 'Mailbox containing the original email (default INBOX)' },
+            cc: { type: 'string', description: 'CC recipients' }
+          },
+          required: ['uid', 'to']
+        }
+      },
+      {
+        name: 'save_draft',
+        description: 'Save a draft email to your iCloud Drafts folder without sending it. Supports plain text, HTML, or both. The draft can be edited and sent later from Mail.app or iCloud.com.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            to: { type: 'string', description: 'Intended recipient(s), comma-separated or array' },
+            subject: { type: 'string', description: 'Email subject' },
+            body: { type: 'string', description: 'Plain text body (used as fallback when html is also provided)' },
+            html: { type: 'string', description: 'HTML body. If provided without body, plain text is auto-generated. If provided with body, saves multipart/alternative.' },
+            cc: { type: 'string', description: 'CC recipient(s)' },
+            bcc: { type: 'string', description: 'BCC recipient(s)' }
+          },
+          required: ['to', 'subject']
+        }
+      },
+      // ── CardDAV / Contacts ──
+      {
+        name: 'list_contacts',
+        description: 'List contacts from iCloud Contacts. Returns names, phones, emails, and other fields.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            limit: { type: 'number', description: 'Max contacts to return (default 50)' },
+            offset: { type: 'number', description: 'Skip this many contacts (default 0, for pagination)' }
+          }
+        }
+      },
+      {
+        name: 'search_contacts',
+        description: 'Search iCloud Contacts by name, email address, or phone number.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            query: { type: 'string', description: 'Text to search for (matched against name, email, and phone)' }
+          },
+          required: ['query']
+        }
+      },
+      {
+        name: 'get_contact',
+        description: 'Get full details for a specific contact by ID. Use list_contacts or search_contacts to find a contactId.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            contactId: { type: 'string', description: 'Contact ID (UUID from list_contacts or search_contacts)' }
+          },
+          required: ['contactId']
+        }
+      },
+      {
+        name: 'create_contact',
+        description: 'Create a new contact in iCloud Contacts.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            firstName: { type: 'string', description: 'First name' },
+            lastName: { type: 'string', description: 'Last name' },
+            fullName: { type: 'string', description: 'Full display name (overrides firstName + lastName for FN field)' },
+            org: { type: 'string', description: 'Organization / company name' },
+            phone: { type: 'string', description: 'Primary phone number (shorthand for phones array)' },
+            email: { type: 'string', description: 'Primary email address (shorthand for emails array)' },
+            phones: { type: 'array', description: 'Array of phone objects: [{ number, type }] where type is cell/home/work/etc.' },
+            emails: { type: 'array', description: 'Array of email objects: [{ email, type }] where type is home/work/etc.' },
+            addresses: { type: 'array', description: 'Array of address objects: [{ street, city, state, zip, country, type }]' },
+            birthday: { type: 'string', description: 'Birthday in YYYY-MM-DD format' },
+            note: { type: 'string', description: 'Notes / free text' },
+            url: { type: 'string', description: 'Website URL' }
+          }
+        }
+      },
+      {
+        name: 'update_contact',
+        description: 'Update an existing contact in iCloud Contacts. Only provided fields are changed; others are preserved.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            contactId: { type: 'string', description: 'Contact ID to update' },
+            firstName: { type: 'string' },
+            lastName: { type: 'string' },
+            fullName: { type: 'string' },
+            org: { type: 'string' },
+            phone: { type: 'string' },
+            email: { type: 'string' },
+            phones: { type: 'array' },
+            emails: { type: 'array' },
+            addresses: { type: 'array' },
+            birthday: { type: 'string' },
+            note: { type: 'string' },
+            url: { type: 'string' }
+          },
+          required: ['contactId']
+        }
+      },
+      {
+        name: 'delete_contact',
+        description: 'Delete a contact from iCloud Contacts permanently.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            contactId: { type: 'string', description: 'Contact ID to delete' }
+          },
+          required: ['contactId']
+        }
+      },
+      // ── CalDAV / Calendar ──
+      {
+        name: 'list_calendars',
+        description: 'List all calendars in iCloud Calendar (e.g. Personal, Work, LSAT PREP). Returns calendarId, name, and supported event types.',
+        inputSchema: { type: 'object', properties: {} }
+      },
+      {
+        name: 'list_events',
+        description: 'List events in a specific iCloud calendar within a date range. Use list_calendars first to get a calendarId.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            calendarId: { type: 'string', description: 'Calendar ID from list_calendars' },
+            since: { type: 'string', description: 'Start of range (YYYY-MM-DD, default: 30 days ago)' },
+            before: { type: 'string', description: 'End of range (YYYY-MM-DD, default: 30 days ahead)' },
+            limit: { type: 'number', description: 'Max events to return (default 50)' }
+          },
+          required: ['calendarId']
+        }
+      },
+      {
+        name: 'get_event',
+        description: 'Get full details of a specific calendar event by its ID.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            calendarId: { type: 'string', description: 'Calendar ID containing the event' },
+            eventId: { type: 'string', description: 'Event ID (UUID from list_events or search_events)' }
+          },
+          required: ['calendarId', 'eventId']
+        }
+      },
+      {
+        name: 'create_event',
+        description: 'Create a new event in an iCloud calendar. For all-day events use allDay:true and YYYY-MM-DD for start/end.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            calendarId: { type: 'string', description: 'Calendar ID to add the event to' },
+            summary: { type: 'string', description: 'Event title' },
+            start: { type: 'string', description: 'Start date/time — ISO 8601 (e.g. 2026-03-15T10:00:00) or YYYY-MM-DD for all-day' },
+            end: { type: 'string', description: 'End date/time — ISO 8601 or YYYY-MM-DD. Defaults to 1 hour after start.' },
+            timezone: { type: 'string', description: 'IANA timezone (e.g. America/New_York). Use "UTC" or omit for UTC.' },
+            allDay: { type: 'boolean', description: 'True for all-day event (uses DATE values, no time)' },
+            description: { type: 'string', description: 'Event description / notes' },
+            location: { type: 'string', description: 'Event location' },
+            recurrence: { type: 'string', description: 'iCal RRULE string (e.g. FREQ=WEEKLY;BYDAY=MO,WE,FR)' },
+            status: { type: 'string', description: 'Event status: CONFIRMED, TENTATIVE, or CANCELLED' },
+            reminder: { type: 'number', description: 'Alert this many minutes before the event (default 30, set to 0 to disable)' }
+          },
+          required: ['calendarId', 'summary', 'start']
+        }
+      },
+      {
+        name: 'update_event',
+        description: 'Update an existing calendar event. Only provided fields are changed; others are preserved.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            calendarId: { type: 'string', description: 'Calendar ID containing the event' },
+            eventId: { type: 'string', description: 'Event ID to update' },
+            summary: { type: 'string' },
+            start: { type: 'string' },
+            end: { type: 'string' },
+            timezone: { type: 'string' },
+            allDay: { type: 'boolean' },
+            description: { type: 'string' },
+            location: { type: 'string' },
+            recurrence: { type: 'string' },
+            status: { type: 'string' },
+            reminder: { type: 'number', description: 'Alert minutes before event (0 to disable)' }
+          },
+          required: ['calendarId', 'eventId']
+        }
+      },
+      {
+        name: 'delete_event',
+        description: 'Delete a calendar event permanently from iCloud Calendar.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            calendarId: { type: 'string', description: 'Calendar ID containing the event' },
+            eventId: { type: 'string', description: 'Event ID to delete' }
+          },
+          required: ['calendarId', 'eventId']
+        }
+      },
+      {
+        name: 'search_events',
+        description: 'Search for events by title/summary across all calendars within an optional date range.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            query: { type: 'string', description: 'Text to search for in event titles' },
+            since: { type: 'string', description: 'Start of search range (YYYY-MM-DD, default: 1 year ago)' },
+            before: { type: 'string', description: 'End of search range (YYYY-MM-DD, default: 1 year ahead)' }
+          },
+          required: ['query']
+        }
+      },
+      // ── Smart extraction ──
+      {
+        name: 'suggest_event_from_email',
+        description: 'Fetch an email and return its content formatted for calendar event extraction. After calling this tool, extract the event fields from the returned content (pay attention to _dateAnchor for resolving relative dates like "Tuesday"), present a summary to the user for confirmation, then call create_event. No API key required.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            uid: { type: 'number', description: 'Email UID to extract event from' },
+            mailbox: { type: 'string', description: 'Mailbox containing the email (default INBOX)' }
+          },
+          required: ['uid']
+        }
       }
     ]
   }));
@@ -2587,6 +986,104 @@ async function main() {
         result = logRead();
       } else if (name === 'log_clear') {
         result = logClear();
+      // ── Saved rules (synchronous CRUD; run_rule/run_all_rules use internal chunk timeouts) ──
+      } else if (name === 'create_rule') {
+        result = createRule(args.name, args.filters || {}, args.action, args.description || '');
+      } else if (name === 'list_rules') {
+        result = listRules();
+      } else if (name === 'delete_rule') {
+        result = deleteRule(args.name);
+      } else if (name === 'run_rule') {
+        result = await runRule(args.name, args.dryRun || false);
+      } else if (name === 'run_all_rules') {
+        result = await runAllRules(args.dryRun || false);
+      // ── SMTP (email sending — uses SCAN tier 60s for two-phase fetch+send) ──
+      } else if (name === 'compose_email') {
+        result = await withTimeout('compose_email', TIMEOUT.SCAN, () =>
+          composeEmail(args.to, args.subject, args.body, { html: args.html, cc: args.cc, bcc: args.bcc, replyTo: args.replyTo })
+        );
+      } else if (name === 'reply_to_email') {
+        const origEmail = await withTimeout('get_email_for_reply', TIMEOUT.FETCH, () =>
+          getEmailContent(args.uid, args.mailbox || 'INBOX', 5000, true)
+        );
+        result = await withTimeout('reply_to_email', TIMEOUT.FETCH, () =>
+          replyToEmail(origEmail, args.body, { html: args.html, replyAll: args.replyAll || false, cc: args.cc })
+        );
+      } else if (name === 'forward_email') {
+        const origEmail = await withTimeout('get_email_for_forward', TIMEOUT.FETCH, () =>
+          getEmailContent(args.uid, args.mailbox || 'INBOX', 5000, false)
+        );
+        result = await withTimeout('forward_email', TIMEOUT.FETCH, () =>
+          forwardEmail(origEmail, args.to, args.note || '', { html: args.html, cc: args.cc })
+        );
+      } else if (name === 'save_draft') {
+        result = await withTimeout('save_draft', TIMEOUT.FETCH, () =>
+          saveDraft(args.to, args.subject, args.body, { html: args.html, cc: args.cc, bcc: args.bcc })
+        );
+      // ── CardDAV / Contacts (FETCH tier 30s) ──
+      } else if (name === 'list_contacts') {
+        result = await withTimeout('list_contacts', TIMEOUT.FETCH, () =>
+          listContacts(args.limit || 50, args.offset || 0)
+        );
+      } else if (name === 'search_contacts') {
+        result = await withTimeout('search_contacts', TIMEOUT.FETCH, () =>
+          searchContacts(args.query)
+        );
+      } else if (name === 'get_contact') {
+        result = await withTimeout('get_contact', TIMEOUT.FETCH, () =>
+          getContact(args.contactId)
+        );
+      } else if (name === 'create_contact') {
+        const { contactId: _ignore, ...fields } = args;
+        result = await withTimeout('create_contact', TIMEOUT.FETCH, () =>
+          createContact(fields)
+        );
+      } else if (name === 'update_contact') {
+        const { contactId, ...fields } = args;
+        result = await withTimeout('update_contact', TIMEOUT.FETCH, () =>
+          updateContact(contactId, fields)
+        );
+      } else if (name === 'delete_contact') {
+        result = await withTimeout('delete_contact', TIMEOUT.SINGLE, () =>
+          deleteContact(args.contactId)
+        );
+      // ── CalDAV / Calendar (FETCH tier 30s) ──
+      } else if (name === 'list_calendars') {
+        result = await withTimeout('list_calendars', TIMEOUT.FETCH, () =>
+          listCalendars()
+        );
+      } else if (name === 'list_events') {
+        result = await withTimeout('list_events', TIMEOUT.FETCH, () =>
+          listEvents(args.calendarId, args.since || null, args.before || null, args.limit || 50)
+        );
+      } else if (name === 'get_event') {
+        result = await withTimeout('get_event', TIMEOUT.FETCH, () =>
+          getEvent(args.calendarId, args.eventId)
+        );
+      } else if (name === 'create_event') {
+        const { calendarId, ...fields } = args;
+        result = await withTimeout('create_event', TIMEOUT.FETCH, () =>
+          createEvent(calendarId, fields)
+        );
+      } else if (name === 'update_event') {
+        const { calendarId, eventId, ...fields } = args;
+        result = await withTimeout('update_event', TIMEOUT.FETCH, () =>
+          updateEvent(calendarId, eventId, fields)
+        );
+      } else if (name === 'delete_event') {
+        result = await withTimeout('delete_event', TIMEOUT.SINGLE, () =>
+          deleteEvent(args.calendarId, args.eventId)
+        );
+      } else if (name === 'search_events') {
+        result = await withTimeout('search_events', TIMEOUT.FETCH, () =>
+          searchEvents(args.query, args.since || null, args.before || null)
+        );
+      // ── Smart extraction (SCAN tier 60s — LLM round-trip) ──
+      } else if (name === 'suggest_event_from_email') {
+        const email = await withTimeout('get_email_for_extraction', TIMEOUT.FETCH, () =>
+          getEmailContent(args.uid, args.mailbox || 'INBOX', 10000, false)
+        );
+        result = formatEmailForExtraction(email);
       } else {
         throw new Error(`Unknown tool: ${name}`);
       }