nothumanallowed 15.1.44 → 15.1.46

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "15.1.44",
+  "version": "15.1.46",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '15.1.44';
+export const VERSION = '15.1.46';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/services/email-imap.mjs

@@ -57,13 +57,21 @@ function notifyIdle(accountId, folder) {
   for (const h of idleHandlers) { try { h(accountId, folder); } catch {} }
 }
 
-function createImapClient(label, creds, accountId, secureOverride) {
+function createImapClient(label, creds, accountId, secureOverride, opts = {}) {
   const port = parseInt(creds.imap_port, 10) || 993;
   // Default heuristic: 993/465 use implicit TLS, anything else uses STARTTLS.
   // `secureOverride` lets the auto-fallback path force the opposite mode.
   const isSecure = typeof secureOverride === 'boolean'
     ? secureOverride
     : (port === 993 || port === 465);
+  // TLS hardening configurable per attempt. The `legacy` flag drops the
+  // minimum TLS version to v1.0 — required by some old / self-hosted IMAP
+  // servers (mail.dimensione-server.it, postfix on legacy CentOS, etc.)
+  // that still refuse TLS 1.2+ ClientHello.
+  const tlsOpts = {
+    rejectUnauthorized: false,
+    ...(opts.legacy ? { minVersion: 'TLSv1', maxVersion: 'TLSv1.3' } : {}),
+  };
   const client = new ImapFlow({
     host: creds.imap_host,
     port,
@@ -72,11 +80,13 @@ function createImapClient(label, creds, accountId, secureOverride) {
     logger: false,
     clientInfo: { name: 'NHA-Mail', version: '1.0.0' },
     emitLogs: false,
-    // Bounded timeouts so a misconfigured server doesn't hang the UI.
-    connectionTimeout: 15000,
-    greetingTimeout: 10000,
-    socketTimeout: 60000,
-    tls: { rejectUnauthorized: false }, // always set — safe for self-signed certs too
+    // Generous timeouts — first sync from a slow server can take a while
+    // before it even responds with the greeting. The previous 10s was too
+    // tight for ISP-hosted mailservers with throttling on cold connections.
+    connectionTimeout: 30000,
+    greetingTimeout: 30000,
+    socketTimeout: 120000,
+    tls: tlsOpts,
   });
   client.on('error', (err) => {
     console.error(`[email:imap] ${label} error:`, err.message);
@@ -85,77 +95,129 @@ function createImapClient(label, creds, accountId, secureOverride) {
   return client;
 }
 
-// Match the most common "wrong TLS mode" failure modes from ImapFlow.
+// Match the most common "wrong TLS mode" failure modes from ImapFlow / node
+// tls. Errors can surface as cleartext OpenSSL output ("wrong version
+// number"), as ImapFlow strings ("Failed to receive greeting"), or as plain
+// socket errors when the server closed the connection mid-handshake.
 function _looksLikeTlsMismatch(err) {
   const msg = (err && err.message ? err.message : String(err)).toLowerCase();
-  return /greeting|tls|ssl|wrong version number|protocol|enotconn|econnreset|handshake/.test(msg);
+  return /(greeting|tls|ssl|wrong\s*version|version\s*number|protocol|enotconn|econnreset|epipe|handshake|record_header|tlsany|alert|cert|disconnected|connection\s*closed)/i.test(msg);
 }
 
-export async function getImapClient(accountId) {
+// Per-account memory of which TLS mode worked last time. This avoids paying
+// the fallback cost on every sync once we've discovered the correct mode for
+// a given server, and ensures the cached `syncClients` entry stays usable.
+const lastGoodSecure = new Map();   // accountId → boolean
+
+// Per-account memory of the FULL working profile, not just secure flag.
+// Some servers need legacy TLS — we don't want to re-discover that every sync.
+const lastGoodProfile = new Map(); // accountId → { secure, legacy }
+
+export async function getImapClient(accountId, override) {
   const existing = syncClients.get(accountId);
-  if (existing?.usable) return existing;
+  if (existing?.usable && override === undefined) return existing;
   if (existing) { syncClients.delete(accountId); try { await existing.logout(); } catch {} }
 
   const creds = getAccountCredentials(accountId);
   if (!creds || !creds.imap_host) throw new Error(`No IMAP credentials for account ${accountId}`);
   const label = `sync:${accountId.slice(0, 8)}`;
 
-  // First attempt with the heuristic-derived TLS mode.
-  let client = createImapClient(label, creds, accountId);
-  try {
-    await client.connect();
-  } catch (err) {
-    // Auto-fallback: if the failure smells like a TLS-mode mismatch, retry
-    // with the opposite mode before bubbling the error up to the user. The
-    // most common case is port 993 misclassified (or a non-standard port
-    // with implicit TLS) — the second try usually succeeds.
-    if (_looksLikeTlsMismatch(err)) {
-      try { await client.logout(); } catch {}
-      const port = parseInt(creds.imap_port, 10) || 993;
-      const fallbackSecure = !(port === 993 || port === 465);
-      console.warn(`[email:imap] ${label} TLS mismatch (${err.message}). Retrying with secure=${fallbackSecure}`);
-      client = createImapClient(label, creds, accountId, fallbackSecure);
+  // Build the candidate list — up to 4 strategies, ordered most→least likely:
+  //   1. heuristic secure + modern TLS
+  //   2. opposite secure + modern TLS
+  //   3. heuristic secure + legacy TLS (TLSv1.0+)
+  //   4. opposite secure + legacy TLS
+  // If a remembered-good profile exists, prepend it so warm syncs are 1 attempt.
+  const port = parseInt(creds.imap_port, 10) || 993;
+  const heuristicSecure = port === 993 || port === 465;
+  let strategies;
+  if (typeof override === 'boolean') {
+    // Explicit override (used by the outer syncAccount retry): obey it
+    // exactly, but still try legacy TLS as a fallback within that mode.
+    strategies = [
+      { secure: override, legacy: false, why: 'override-modern' },
+      { secure: override, legacy: true,  why: 'override-legacy' },
+    ];
+  } else {
+    strategies = [
+      { secure: heuristicSecure,  legacy: false, why: 'heuristic-modern' },
+      { secure: !heuristicSecure, legacy: false, why: 'opposite-modern' },
+      { secure: heuristicSecure,  legacy: true,  why: 'heuristic-legacy' },
+      { secure: !heuristicSecure, legacy: true,  why: 'opposite-legacy' },
+    ];
+    const remembered = lastGoodProfile.get(accountId);
+    if (remembered) {
+      strategies = [
+        { secure: remembered.secure, legacy: !!remembered.legacy, why: 'remembered' },
+        ...strategies.filter(s => !(s.secure === remembered.secure && s.legacy === !!remembered.legacy)),
+      ];
+    }
+  }
+
+  const errors = [];
+  for (const s of strategies) {
+    const client = createImapClient(label, creds, accountId, s.secure, { legacy: s.legacy });
+    try {
       await client.connect();
-    } else {
-      throw err;
+      lastGoodProfile.set(accountId, { secure: s.secure, legacy: s.legacy });
+      if (s.why !== 'remembered' && s.why !== 'heuristic-modern') {
+        console.warn(`[email:imap] ${label} connected via ${s.why} (secure=${s.secure}, legacy=${s.legacy})`);
+      }
+      syncClients.set(accountId, client);
+      return client;
+    } catch (err) {
+      errors.push(`${s.why}: ${err.message.slice(0, 120)}`);
+      try { await client.logout(); } catch {}
+      // If the error is clearly NOT TLS-related (e.g. auth failure, DNS),
+      // stop trying — more TLS combos won't help.
+      if (!_looksLikeTlsMismatch(err) && !/timeout|hang/i.test(err.message)) {
+        throw err;
+      }
     }
   }
-  syncClients.set(accountId, client);
-  return client;
+  throw new Error(`IMAP connection failed after ${strategies.length} attempts:\n${errors.join('\n')}`);
 }
 
 // Dry-run connectivity test used by Settings UI (no DB writes, no persistent
-// client). Returns { ok, secure, message }.
+// client). Tries up to 4 TLS-mode combinations and returns the first that
+// works, along with which one. Errors include the full attempt log so the
+// user can paste it back to support if everything failed.
 export async function testImapConnection(creds) {
   if (!creds?.imap_host) throw new Error('imap_host required');
   if (!creds?.username || !creds?.password) throw new Error('Username and password required');
   const port = parseInt(creds.imap_port, 10) || 993;
-  const tryConnect = async (secure) => {
-    const client = createImapClient('test', creds, null, secure);
+  const heuristicSecure = port === 993 || port === 465;
+  const strategies = [
+    { secure: heuristicSecure,  legacy: false, why: 'heuristic-modern' },
+    { secure: !heuristicSecure, legacy: false, why: 'opposite-modern' },
+    { secure: heuristicSecure,  legacy: true,  why: 'heuristic-legacy' },
+    { secure: !heuristicSecure, legacy: true,  why: 'opposite-legacy' },
+  ];
+  const errors = [];
+  for (const s of strategies) {
+    const client = createImapClient('test', creds, null, s.secure, { legacy: s.legacy });
     try {
       await client.connect();
       const list = await client.list();
-      await client.logout();
-      return { ok: true, secure, folderCount: list.length };
+      try { await client.logout(); } catch {}
+      const mode = `${s.secure ? 'implicit TLS' : 'STARTTLS'}${s.legacy ? ' (legacy ≥TLSv1.0)' : ''}`;
+      return {
+        ok: true,
+        secure: s.secure,
+        legacy: s.legacy,
+        folderCount: list.length,
+        message: `Connesso con modalità: ${mode}`,
+      };
     } catch (err) {
+      errors.push(`• ${s.why}: ${err.message.slice(0, 160)}`);
       try { await client.logout(); } catch {}
-      throw err;
-    }
-  };
-  const firstSecure = port === 993 || port === 465;
-  try {
-    return await tryConnect(firstSecure);
-  } catch (err) {
-    if (_looksLikeTlsMismatch(err)) {
-      try {
-        const r = await tryConnect(!firstSecure);
-        return { ...r, message: `Fallback TLS=${!firstSecure} (heuristic was wrong for this server)` };
-      } catch (err2) {
-        throw new Error(`IMAP test failed (both TLS modes): ${err.message} / ${err2.message}`);
+      if (!_looksLikeTlsMismatch(err) && !/timeout|hang/i.test(err.message)) {
+        // Hard error (auth / DNS): bail with that exact message.
+        throw err;
       }
     }
-    throw err;
   }
+  throw new Error(`IMAP test failed dopo ${strategies.length} tentativi:\n${errors.join('\n')}`);
 }
 
 export async function closeImapClient(accountId) {
@@ -392,12 +454,25 @@ export async function syncFolder(accountId, folderPath, fullResync, limitMessage
   }
 }
 
-// First sync: cap to last 200 messages per folder to avoid blocking for minutes
-const FIRST_SYNC_LIMIT = 200;
+// Download EVERY message on the server by default. Previously capped at 200
+// to keep first-sync fast, but that surprised users who expected an Outlook-
+// style "give me my whole mailbox". The sync still streams messages
+// incrementally (headers → bodies) so the UI keeps updating, and never
+// modifies the server — only the local SQLite mirror.
+const FIRST_SYNC_LIMIT = 0;
 
 export async function syncAccount(accountId, opts = {}) {
   setSyncStatus(accountId, 'syncing', null);
+  // _retried is set by the recursion below — it forces the *opposite* TLS
+  // mode on the second attempt so we never spin twice on the same setting.
+  const tlsOverride = (typeof opts._forceSecure === 'boolean') ? opts._forceSecure : undefined;
   try {
+    // Prime the connection with the (optional) explicit TLS mode so any
+    // cached `syncClients` entry uses it for the whole sync.
+    if (tlsOverride !== undefined) {
+      await closeImapClient(accountId);
+      await getImapClient(accountId, tlsOverride);
+    }
     const folders = await listImapFolders(accountId);
     const priority = ['inbox', 'sent'];
     const toSync = [
@@ -408,17 +483,28 @@ export async function syncAccount(accountId, opts = {}) {
     let totalSynced = 0;
     for (const f of toSync) {
       try {
-        const limit = opts.full ? 0 : FIRST_SYNC_LIMIT;
+        const limit = opts.full === false ? 200 : FIRST_SYNC_LIMIT;
         const result = await syncFolder(accountId, f.path, false, limit, f.folderType);
         totalSynced += result.synced;
         console.log(`[email:sync] ${f.path}: ${result.synced} new messages (total on server: ${result.total})`);
       } catch (err) {
         console.warn(`[email:imap] Sync folder ${f.path} failed:`, err.message);
+        // Per-folder TLS mismatch propagates up so the outer catch can
+        // restart the whole sync with the opposite secure mode.
+        if (_looksLikeTlsMismatch(err) && opts._retried !== true) throw err;
       }
     }
     setSyncStatus(accountId, 'idle', null);
     return { synced: totalSynced };
   } catch (err) {
+    if (_looksLikeTlsMismatch(err) && opts._retried !== true) {
+      const port = parseInt(getAccountCredentials(accountId)?.imap_port, 10) || 993;
+      const heuristic = port === 993 || port === 465;
+      const opposite = (typeof tlsOverride === 'boolean') ? !tlsOverride : !heuristic;
+      console.warn(`[email:imap] sync ${accountId.slice(0, 8)} TLS mismatch — retrying entire sync with secure=${opposite}`);
+      await closeImapClient(accountId);
+      return syncAccount(accountId, { ...opts, _retried: true, _forceSecure: opposite });
+    }
     setSyncStatus(accountId, 'error', err.message);
     throw err;
   }