nothumanallowed 15.1.43 → 15.1.45

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "15.1.43",
+  "version": "15.1.45",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '15.1.43';
+export const VERSION = '15.1.45';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/server/routes/email.mjs

@@ -416,6 +416,42 @@ export function register(router) {
     } catch (e) { sendError(res, 500, e.message); }
   });
 
+  // POST /api/imap/test — dry-run connection test (no DB writes).
+  // Body: { imap_host, imap_port, smtp_host, smtp_port, username, password,
+  //         email_address, from_name, sendTest? }
+  // Returns: { imap: {ok, secure, ...}, smtp: {ok, secure, sent, messageId, ...} }
+  // The UI uses this for the "Test connection" / "Send test email" buttons
+  // before persisting an account — same UX as Outlook / Thunderbird.
+  router.post('/api/imap/test', async (req, res) => {
+    try {
+      const body = await parseBody(req);
+      const creds = {
+        imap_host: body.imap_host,
+        imap_port: body.imap_port,
+        smtp_host: body.smtp_host,
+        smtp_port: body.smtp_port,
+        username: body.username,
+        password: body.password,
+        email_address: body.email_address,
+        from_name: body.from_name,
+      };
+      const out = { imap: null, smtp: null };
+      try {
+        const { testImapConnection } = await import('../../services/email-imap.mjs');
+        out.imap = await testImapConnection(creds);
+      } catch (e) {
+        out.imap = { ok: false, error: e.message };
+      }
+      try {
+        const { testSmtpConnection } = await import('../../services/email-smtp.mjs');
+        out.smtp = await testSmtpConnection(creds, { sendTest: !!body.sendTest });
+      } catch (e) {
+        out.smtp = { ok: false, error: e.message };
+      }
+      sendJSON(res, 200, out);
+    } catch (e) { sendError(res, 500, e.message); }
+  });
+
   // POST /api/imap/sync  (body: { accountId, force })
   router.post('/api/imap/sync', async (req, res) => {
     try {

package/src/services/email-imap.mjs

@@ -57,9 +57,13 @@ function notifyIdle(accountId, folder) {
   for (const h of idleHandlers) { try { h(accountId, folder); } catch {} }
 }
 
-function createImapClient(label, creds, accountId) {
+function createImapClient(label, creds, accountId, secureOverride) {
   const port = parseInt(creds.imap_port, 10) || 993;
-  const isSecure = port === 993 || port === 465;
+  // Default heuristic: 993/465 use implicit TLS, anything else uses STARTTLS.
+  // `secureOverride` lets the auto-fallback path force the opposite mode.
+  const isSecure = typeof secureOverride === 'boolean'
+    ? secureOverride
+    : (port === 993 || port === 465);
   const client = new ImapFlow({
     host: creds.imap_host,
     port,
@@ -68,6 +72,10 @@ function createImapClient(label, creds, accountId) {
     logger: false,
     clientInfo: { name: 'NHA-Mail', version: '1.0.0' },
     emitLogs: false,
+    // Bounded timeouts so a misconfigured server doesn't hang the UI.
+    connectionTimeout: 15000,
+    greetingTimeout: 10000,
+    socketTimeout: 60000,
     tls: { rejectUnauthorized: false }, // always set — safe for self-signed certs too
   });
   client.on('error', (err) => {
@@ -77,19 +85,92 @@ function createImapClient(label, creds, accountId) {
   return client;
 }
 
-export async function getImapClient(accountId) {
+// Match the most common "wrong TLS mode" failure modes from ImapFlow / node
+// tls. Errors can surface as cleartext OpenSSL output ("wrong version
+// number"), as ImapFlow strings ("Failed to receive greeting"), or as plain
+// socket errors when the server closed the connection mid-handshake.
+function _looksLikeTlsMismatch(err) {
+  const msg = (err && err.message ? err.message : String(err)).toLowerCase();
+  return /(greeting|tls|ssl|wrong\s*version|version\s*number|protocol|enotconn|econnreset|epipe|handshake|record_header|tlsany|alert|cert|disconnected|connection\s*closed)/i.test(msg);
+}
+
+// Per-account memory of which TLS mode worked last time. This avoids paying
+// the fallback cost on every sync once we've discovered the correct mode for
+// a given server, and ensures the cached `syncClients` entry stays usable.
+const lastGoodSecure = new Map();   // accountId → boolean
+
+export async function getImapClient(accountId, override) {
   const existing = syncClients.get(accountId);
-  if (existing?.usable) return existing;
+  if (existing?.usable && override === undefined) return existing;
   if (existing) { syncClients.delete(accountId); try { await existing.logout(); } catch {} }
 
   const creds = getAccountCredentials(accountId);
   if (!creds || !creds.imap_host) throw new Error(`No IMAP credentials for account ${accountId}`);
-  const client = createImapClient(`sync:${accountId.slice(0, 8)}`, creds, accountId);
-  await client.connect();
+  const label = `sync:${accountId.slice(0, 8)}`;
+
+  // Pick initial TLS mode: explicit override > remembered-good > port heuristic.
+  const port = parseInt(creds.imap_port, 10) || 993;
+  const heuristicSecure = port === 993 || port === 465;
+  const remembered = lastGoodSecure.get(accountId);
+  const firstSecure = (typeof override === 'boolean')
+    ? override
+    : (typeof remembered === 'boolean' ? remembered : heuristicSecure);
+
+  // First attempt.
+  let client = createImapClient(label, creds, accountId, firstSecure);
+  try {
+    await client.connect();
+    lastGoodSecure.set(accountId, firstSecure);
+  } catch (err) {
+    if (_looksLikeTlsMismatch(err) && override === undefined) {
+      try { await client.logout(); } catch {}
+      const fallbackSecure = !firstSecure;
+      console.warn(`[email:imap] ${label} TLS mismatch (${err.message.slice(0, 100)}). Retrying with secure=${fallbackSecure}`);
+      client = createImapClient(label, creds, accountId, fallbackSecure);
+      await client.connect();
+      lastGoodSecure.set(accountId, fallbackSecure);
+    } else {
+      throw err;
+    }
+  }
   syncClients.set(accountId, client);
   return client;
 }
 
+// Dry-run connectivity test used by Settings UI (no DB writes, no persistent
+// client). Returns { ok, secure, message }.
+export async function testImapConnection(creds) {
+  if (!creds?.imap_host) throw new Error('imap_host required');
+  if (!creds?.username || !creds?.password) throw new Error('Username and password required');
+  const port = parseInt(creds.imap_port, 10) || 993;
+  const tryConnect = async (secure) => {
+    const client = createImapClient('test', creds, null, secure);
+    try {
+      await client.connect();
+      const list = await client.list();
+      await client.logout();
+      return { ok: true, secure, folderCount: list.length };
+    } catch (err) {
+      try { await client.logout(); } catch {}
+      throw err;
+    }
+  };
+  const firstSecure = port === 993 || port === 465;
+  try {
+    return await tryConnect(firstSecure);
+  } catch (err) {
+    if (_looksLikeTlsMismatch(err)) {
+      try {
+        const r = await tryConnect(!firstSecure);
+        return { ...r, message: `Fallback TLS=${!firstSecure} (heuristic was wrong for this server)` };
+      } catch (err2) {
+        throw new Error(`IMAP test failed (both TLS modes): ${err.message} / ${err2.message}`);
+      }
+    }
+    throw err;
+  }
+}
+
 export async function closeImapClient(accountId) {
   const c = syncClients.get(accountId);
   if (c) { try { await c.logout(); } catch {}; syncClients.delete(accountId); }
@@ -324,12 +405,25 @@ export async function syncFolder(accountId, folderPath, fullResync, limitMessage
   }
 }
 
-// First sync: cap to last 200 messages per folder to avoid blocking for minutes
-const FIRST_SYNC_LIMIT = 200;
+// Download EVERY message on the server by default. Previously capped at 200
+// to keep first-sync fast, but that surprised users who expected an Outlook-
+// style "give me my whole mailbox". The sync still streams messages
+// incrementally (headers → bodies) so the UI keeps updating, and never
+// modifies the server — only the local SQLite mirror.
+const FIRST_SYNC_LIMIT = 0;
 
 export async function syncAccount(accountId, opts = {}) {
   setSyncStatus(accountId, 'syncing', null);
+  // _retried is set by the recursion below — it forces the *opposite* TLS
+  // mode on the second attempt so we never spin twice on the same setting.
+  const tlsOverride = (typeof opts._forceSecure === 'boolean') ? opts._forceSecure : undefined;
   try {
+    // Prime the connection with the (optional) explicit TLS mode so any
+    // cached `syncClients` entry uses it for the whole sync.
+    if (tlsOverride !== undefined) {
+      await closeImapClient(accountId);
+      await getImapClient(accountId, tlsOverride);
+    }
     const folders = await listImapFolders(accountId);
     const priority = ['inbox', 'sent'];
     const toSync = [
@@ -340,17 +434,28 @@ export async function syncAccount(accountId, opts = {}) {
     let totalSynced = 0;
     for (const f of toSync) {
       try {
-        const limit = opts.full ? 0 : FIRST_SYNC_LIMIT;
+        const limit = opts.full === false ? 200 : FIRST_SYNC_LIMIT;
         const result = await syncFolder(accountId, f.path, false, limit, f.folderType);
         totalSynced += result.synced;
         console.log(`[email:sync] ${f.path}: ${result.synced} new messages (total on server: ${result.total})`);
       } catch (err) {
         console.warn(`[email:imap] Sync folder ${f.path} failed:`, err.message);
+        // Per-folder TLS mismatch propagates up so the outer catch can
+        // restart the whole sync with the opposite secure mode.
+        if (_looksLikeTlsMismatch(err) && opts._retried !== true) throw err;
       }
     }
     setSyncStatus(accountId, 'idle', null);
     return { synced: totalSynced };
   } catch (err) {
+    if (_looksLikeTlsMismatch(err) && opts._retried !== true) {
+      const port = parseInt(getAccountCredentials(accountId)?.imap_port, 10) || 993;
+      const heuristic = port === 993 || port === 465;
+      const opposite = (typeof tlsOverride === 'boolean') ? !tlsOverride : !heuristic;
+      console.warn(`[email:imap] sync ${accountId.slice(0, 8)} TLS mismatch — retrying entire sync with secure=${opposite}`);
+      await closeImapClient(accountId);
+      return syncAccount(accountId, { ...opts, _retried: true, _forceSecure: opposite });
+    }
     setSyncStatus(accountId, 'error', err.message);
     throw err;
   }

package/src/services/email-smtp.mjs

@@ -18,9 +18,9 @@ function threadId(messageId) {
   return createHash('sha1').update(messageId).digest('hex');
 }
 
-function getTransporter(creds) {
+function getTransporter(creds, secureOverride) {
   const port = parseInt(creds.smtp_port, 10) || 587;
-  const isSecure = port === 465;
+  const isSecure = typeof secureOverride === 'boolean' ? secureOverride : (port === 465);
   return createTransport({
     host: creds.smtp_host,
     port,
@@ -33,6 +33,53 @@ function getTransporter(creds) {
   });
 }
 
+// Dry-run SMTP test used by Settings UI. Verifies auth, optionally sends a
+// real "Hello from NHA" message to the configured address. Same TLS-mode
+// auto-fallback pattern as IMAP.
+export async function testSmtpConnection(creds, { sendTest = false } = {}) {
+  if (!creds?.smtp_host) throw new Error('smtp_host required');
+  if (!creds?.username || !creds?.password) throw new Error('Username and password required');
+  const port = parseInt(creds.smtp_port, 10) || 587;
+  const firstSecure = port === 465;
+  const trySend = async (secure) => {
+    const t = getTransporter(creds, secure);
+    try {
+      await t.verify();
+      let sendInfo = null;
+      if (sendTest) {
+        const to = creds.email_address || creds.username;
+        const from = creds.from_name ? `${creds.from_name} <${creds.email_address || creds.username}>` : (creds.email_address || creds.username);
+        sendInfo = await t.sendMail({
+          from,
+          to,
+          subject: 'NHA — Email di prova',
+          text: `Questo è un messaggio di prova inviato da NotHumanAllowed (${new Date().toISOString()}).\n\nSe lo vedi, la configurazione SMTP è corretta.`,
+          html: `<p>Questo è un messaggio di prova inviato da <strong>NotHumanAllowed</strong> (${new Date().toISOString()}).</p><p>Se lo vedi, la configurazione SMTP è corretta.</p>`,
+        });
+      }
+      try { t.close(); } catch {}
+      return { ok: true, secure, sent: !!sendInfo, messageId: sendInfo?.messageId || null };
+    } catch (err) {
+      try { t.close(); } catch {}
+      throw err;
+    }
+  };
+  try {
+    return await trySend(firstSecure);
+  } catch (err) {
+    const looksTls = /greeting|tls|ssl|wrong version number|protocol|handshake/i.test(err.message || '');
+    if (looksTls) {
+      try {
+        const r = await trySend(!firstSecure);
+        return { ...r, message: `Fallback TLS=${!firstSecure} (heuristic was wrong for this server)` };
+      } catch (err2) {
+        throw new Error(`SMTP test failed (both TLS modes): ${err.message} / ${err2.message}`);
+      }
+    }
+    throw err;
+  }
+}
+
 /**
  * Send an email.
  *