openmates 0.11.0-alpha.7 → 0.11.0-alpha.9

package/dist/{chunk-T77MVTFX.js → chunk-QJE5DL63.js}

@@ -1,3 +1,7 @@
+import {
+  uploadFile
+} from "./chunk-SFTCIVE2.js";
+
 // src/client.ts
 import { randomUUID } from "crypto";
 import { platform as platform2, release } from "os";
@@ -87,6 +91,16 @@ async function decryptWithAesGcmCombined(encryptedWithIvB64, rawKeyBytes) {
     return null;
   }
 }
+async function deriveEmailEncryptionKeyB64(email, emailSaltB64) {
+  const encoder = new TextEncoder();
+  const emailBytes = encoder.encode(email);
+  const saltBytes = base64ToBytes(emailSaltB64);
+  const combined = new Uint8Array(emailBytes.length + saltBytes.length);
+  combined.set(emailBytes);
+  combined.set(saltBytes, emailBytes.length);
+  const hashBuffer = await cryptoApi.subtle.digest("SHA-256", toArrayBuffer(combined));
+  return bytesToBase64(new Uint8Array(hashBuffer));
+}
 async function decryptBytesWithAesGcm(encryptedWithIvB64, rawKeyBytes) {
   try {
     const combined = base64ToBytes(encryptedWithIvB64);
@@ -186,6 +200,23 @@ var OpenMatesHttpClient = class {
   async patch(path, body, headers = {}) {
     return this.request("PATCH", path, body, headers);
   }
+  async getBinary(path, headers = {}) {
+    const url = `${this.apiUrl}${path.startsWith("/") ? path : `/${path}`}`;
+    const requestHeaders = {
+      Accept: "application/pdf,application/octet-stream",
+      ...headers
+    };
+    const cookieHeader = this.formatCookieHeader();
+    if (cookieHeader) requestHeaders.Cookie = cookieHeader;
+    const response = await fetch(url, { method: "GET", headers: requestHeaders });
+    this.captureCookies(response);
+    return {
+      ok: response.ok,
+      status: response.status,
+      data: new Uint8Array(await response.arrayBuffer()),
+      headers: response.headers
+    };
+  }
   async request(method, path, body, headers = {}) {
     const url = `${this.apiUrl}${path.startsWith("/") ? path : `/${path}`}`;
     const requestHeaders = {
@@ -533,6 +564,18 @@ function saveSession(session) {
   } else if (result.type === "plaintext") {
     onDisk.masterKeyExportedB64 = session.masterKeyExportedB64;
   }
+  if (session.emailEncryptionKeyB64) {
+    const emailKeyResult = storeMasterKey(
+      session.emailEncryptionKeyB64,
+      `${session.hashedEmail}:email`
+    );
+    onDisk.emailEncryptionKeyStorage = emailKeyResult.type;
+    if (emailKeyResult.type === "encrypted") {
+      onDisk.emailEncryptionKeyEncrypted = emailKeyResult.encryptedData;
+    } else if (emailKeyResult.type === "plaintext") {
+      onDisk.emailEncryptionKeyB64 = session.emailEncryptionKeyB64;
+    }
+  }
   writeJsonFile(filePath, onDisk);
   if (result.type !== "plaintext") {
     process.stderr.write("Decrypting data...\n");
@@ -543,17 +586,19 @@ function loadSession() {
   const onDisk = readJsonFile(filePath);
   if (!onDisk) return null;
   let masterKey = null;
+  let emailEncryptionKey = null;
   if (!onDisk.masterKeyStorage) {
     masterKey = onDisk.masterKeyExportedB64 ?? null;
     if (masterKey) {
-      const session = buildSession(onDisk, masterKey);
+      emailEncryptionKey = getEmailEncryptionKeyFromDisk(onDisk);
+      const session = buildSession(onDisk, masterKey, emailEncryptionKey);
       try {
         saveSession(session);
         process.stderr.write("Decrypting data...\n");
       } catch {
       }
     }
-    return masterKey ? buildSession(onDisk, masterKey) : null;
+    return masterKey ? buildSession(onDisk, masterKey, getEmailEncryptionKeyFromDisk(onDisk)) : null;
   }
   switch (onDisk.masterKeyStorage) {
     case "keychain":
@@ -577,7 +622,7 @@ function loadSession() {
     );
     return null;
   }
-  return buildSession(onDisk, masterKey);
+  return buildSession(onDisk, masterKey, getEmailEncryptionKeyFromDisk(onDisk));
 }
 function clearSession() {
   const filePath = join(ensureStateDir(), "session.json");
@@ -585,17 +630,36 @@ function clearSession() {
   if (onDisk?.masterKeyStorage) {
     deleteMasterKey(onDisk.masterKeyStorage, onDisk.hashedEmail);
   }
+  if (onDisk?.emailEncryptionKeyStorage) {
+    deleteMasterKey(onDisk.emailEncryptionKeyStorage, `${onDisk.hashedEmail}:email`);
+  }
   if (existsSync2(filePath)) {
     rmSync(filePath);
   }
 }
-function buildSession(onDisk, masterKey) {
+function getEmailEncryptionKeyFromDisk(onDisk) {
+  if (!onDisk.emailEncryptionKeyStorage) return onDisk.emailEncryptionKeyB64 ?? null;
+  switch (onDisk.emailEncryptionKeyStorage) {
+    case "keychain":
+      return retrieveMasterKey("keychain", `${onDisk.hashedEmail}:email`);
+    case "encrypted":
+      return retrieveMasterKey(
+        "encrypted",
+        `${onDisk.hashedEmail}:email`,
+        onDisk.emailEncryptionKeyEncrypted
+      );
+    case "plaintext":
+      return onDisk.emailEncryptionKeyB64 ?? null;
+  }
+}
+function buildSession(onDisk, masterKey, emailEncryptionKey) {
   return {
     apiUrl: onDisk.apiUrl,
     sessionId: onDisk.sessionId,
     wsToken: onDisk.wsToken,
     cookies: onDisk.cookies,
     masterKeyExportedB64: masterKey,
+    emailEncryptionKeyB64: emailEncryptionKey,
     hashedEmail: onDisk.hashedEmail,
     userEmailSalt: onDisk.userEmailSalt,
     createdAt: onDisk.createdAt,
@@ -1807,6 +1871,7 @@ var OpenMatesClient = class _OpenMatesClient {
       authorizerDeviceName: complete.data.authorizer_device_name ?? null,
       autoLogoutMinutes: complete.data.auto_logout_minutes ?? null
     };
+    await this.hydrateEmailEncryptionKey(session);
     saveSession(session);
   }
   async whoAmI() {
@@ -2767,6 +2832,124 @@ var OpenMatesClient = class _OpenMatesClient {
     }
     return response.data;
   }
+  async listInvoices() {
+    this.requireSession();
+    const response = await this.http.get(
+      "/v1/payments/invoices",
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to fetch invoices (HTTP ${response.status})`);
+    }
+    return { invoices: response.data.invoices ?? [] };
+  }
+  async downloadInvoice(invoiceId) {
+    return this.downloadPaymentPdf(
+      `/v1/payments/invoices/${encodeURIComponent(invoiceId)}/download`,
+      `Invoice_${invoiceId}.pdf`
+    );
+  }
+  async downloadCreditNote(invoiceId) {
+    return this.downloadPaymentPdf(
+      `/v1/payments/invoices/${encodeURIComponent(invoiceId)}/credit-note/download`,
+      `CreditNote_${invoiceId}.pdf`
+    );
+  }
+  async requestRefund(invoiceId) {
+    const session = this.requireSession();
+    const emailEncryptionKey = await this.ensureEmailEncryptionKey(session);
+    const response = await this.http.post(
+      "/v1/payments/refund",
+      { invoice_id: invoiceId, email_encryption_key: emailEncryptionKey },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Refund request failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async updateUsername(username) {
+    return this.settingsPost("user/username", { username });
+  }
+  async updateProfileImage(filePath) {
+    const { uploadProfileImage } = await import("./uploadService-3CAJXU4L.js");
+    const result = await uploadProfileImage(filePath, this.requireSession());
+    if (result.status === "rejected") {
+      throw new Error(result.detail ?? "Profile image rejected by content safety checks.");
+    }
+    if (result.status === "account_deleted") {
+      throw new Error("Account deleted due to repeated profile image policy violations.");
+    }
+    if (result.status !== "ok") {
+      throw new Error(result.detail ?? `Profile image upload failed with status '${result.status}'.`);
+    }
+    return result;
+  }
+  async getNewsletterCategories() {
+    this.requireSession();
+    const response = await this.http.get(
+      "/v1/newsletter/categories",
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to fetch newsletter categories (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async updateNewsletterCategories(categories) {
+    this.requireSession();
+    const response = await this.http.patch(
+      "/v1/newsletter/categories",
+      { categories },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to update newsletter categories (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async subscribeNewsletter(email, language = "en", darkmode = false) {
+    const response = await this.http.post(
+      "/v1/newsletter/subscribe",
+      { email, language, darkmode },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Newsletter subscribe failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async confirmNewsletter(token) {
+    const response = await this.http.get(
+      `/v1/newsletter/confirm/${encodeURIComponent(token)}`,
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Newsletter confirmation failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async unsubscribeNewsletter(token) {
+    const response = await this.http.get(
+      `/v1/newsletter/unsubscribe/${encodeURIComponent(token)}`,
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Newsletter unsubscribe failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async updateEmailNotificationSettings(payload) {
+    const { ws } = await this.openWsClient();
+    try {
+      const ackPromise = ws.waitForMessage("email_notification_settings_ack");
+      ws.send("email_notification_settings", payload);
+      const ack = await ackPromise;
+      return ack.payload;
+    } finally {
+      ws.close();
+    }
+  }
   // -------------------------------------------------------------------------
   // Daily Inspirations
   // -------------------------------------------------------------------------
@@ -3231,6 +3414,45 @@ Required: ${schema.required.join(", ")}`
     if (path.startsWith("/")) return path;
     return `/v1/settings/${path}`;
   }
+  async downloadPaymentPdf(path, fallbackFilename) {
+    this.requireSession();
+    const response = await this.http.getBinary(path, this.getCliRequestHeaders());
+    if (!response.ok) {
+      throw new Error(`Download failed (HTTP ${response.status})`);
+    }
+    return {
+      filename: filenameFromContentDisposition(response.headers.get("content-disposition")) ?? fallbackFilename,
+      data: response.data
+    };
+  }
+  async ensureEmailEncryptionKey(session) {
+    if (session.emailEncryptionKeyB64) return session.emailEncryptionKeyB64;
+    await this.hydrateEmailEncryptionKey(session);
+    if (session.emailEncryptionKeyB64) return session.emailEncryptionKeyB64;
+    throw new Error(
+      "Email encryption key is missing. Run `openmates login` again to refresh your local encryption keys."
+    );
+  }
+  async hydrateEmailEncryptionKey(session) {
+    const response = await this.http.post(
+      "/v1/auth/session",
+      { session_id: session.sessionId },
+      this.getCliRequestHeaders()
+    );
+    const encryptedEmail = response.data.user?.encrypted_email_with_master_key;
+    if (!response.ok || !response.data.success || typeof encryptedEmail !== "string") {
+      return;
+    }
+    const email = await decryptWithAesGcmCombined(
+      encryptedEmail,
+      base64ToBytes(session.masterKeyExportedB64)
+    );
+    if (!email) return;
+    session.emailEncryptionKeyB64 = await deriveEmailEncryptionKeyB64(
+      email,
+      session.userEmailSalt
+    );
+  }
   requireSession() {
     if (!this.session) {
       throw new Error("Not logged in. Run `openmates login`.");
@@ -3606,6 +3828,15 @@ function parseNewChatSuggestionText(text) {
   const skillId = raw.slice(dashIdx + 1);
   return { body, appId, skillId };
 }
+function filenameFromContentDisposition(header2) {
+  if (!header2) return null;
+  const encoded = /filename\*=UTF-8''([^;]+)/i.exec(header2)?.[1];
+  if (encoded) return decodeURIComponent(encoded);
+  const quoted = /filename="([^"]+)"/i.exec(header2)?.[1];
+  if (quoted) return quoted;
+  const plain = /filename=([^;]+)/i.exec(header2)?.[1];
+  return plain?.trim() ?? null;
+}
 function sleep(ms) {
   return new Promise((resolve4) => setTimeout(resolve4, ms));
 }
@@ -4819,97 +5050,6 @@ function formatEmbedsForMessage(embeds) {
   return "\n" + embeds.map((e) => e.referenceBlock).join("\n");
 }
 
-// src/uploadService.ts
-import { readFileSync as readFileSync4 } from "fs";
-import { basename as basename2 } from "path";
-var UPLOAD_MAX_ATTEMPTS = 3;
-var UPLOAD_RETRY_DELAY_MS = 2e3;
-function getUploadUrl(apiUrl) {
-  try {
-    const url = new URL(apiUrl);
-    if (url.hostname === "localhost") return "http://localhost:8001";
-  } catch {
-  }
-  return "https://upload.openmates.org";
-}
-function getUploadOrigin(apiUrl) {
-  try {
-    const url = new URL(apiUrl);
-    if (url.hostname === "localhost") return "http://localhost:5173";
-    if (url.hostname.startsWith("api.")) {
-      return `${url.protocol}//app.${url.hostname.slice(4)}`;
-    }
-  } catch {
-  }
-  return "https://app.openmates.org";
-}
-async function uploadFile(filePath, session) {
-  const filename = basename2(filePath);
-  const fileBytes = readFileSync4(filePath);
-  const uploadUrl = `${getUploadUrl(session.apiUrl)}/v1/upload/file`;
-  const origin = getUploadOrigin(session.apiUrl);
-  const cookies = [];
-  if (session.cookies?.auth_refresh_token) {
-    cookies.push(`auth_refresh_token=${session.cookies.auth_refresh_token}`);
-  }
-  let response;
-  let lastError;
-  for (let attempt = 1; attempt <= UPLOAD_MAX_ATTEMPTS; attempt++) {
-    try {
-      const blob = new Blob([fileBytes]);
-      const formData = new FormData();
-      formData.append("file", blob, filename);
-      response = await fetch(uploadUrl, {
-        method: "POST",
-        body: formData,
-        headers: {
-          Origin: origin,
-          ...cookies.length > 0 ? { Cookie: cookies.join("; ") } : {}
-        },
-        signal: AbortSignal.timeout(10 * 60 * 1e3)
-        // 10-minute timeout
-      });
-      break;
-    } catch (error) {
-      lastError = error;
-      if (attempt === UPLOAD_MAX_ATTEMPTS) break;
-      await new Promise((resolve4) => setTimeout(resolve4, UPLOAD_RETRY_DELAY_MS));
-    }
-  }
-  if (!response) {
-    const message = lastError instanceof Error ? lastError.message : String(lastError);
-    throw new Error(message || "Upload request failed.");
-  }
-  if (!response.ok) {
-    const status = response.status;
-    let errorMessage;
-    switch (status) {
-      case 401:
-        errorMessage = "Authentication failed. Run `openmates login` to re-authenticate.";
-        break;
-      case 413:
-        errorMessage = "File too large (maximum 100 MB).";
-        break;
-      case 415:
-        errorMessage = "Unsupported file type.";
-        break;
-      case 422: {
-        const body = await response.text().catch(() => "");
-        errorMessage = body.includes("malware") ? "File rejected: malware detected." : body.includes("content_safety") ? "File rejected: content safety violation." : `Upload validation failed: ${body}`;
-        break;
-      }
-      case 429:
-        errorMessage = "Upload rate limit exceeded. Try again in a minute.";
-        break;
-      default:
-        errorMessage = `Upload failed (HTTP ${status}).`;
-    }
-    throw new Error(errorMessage);
-  }
-  const data = await response.json();
-  return data;
-}
-
 // src/embedRenderers.ts
 var str = (v) => typeof v === "string" && v.length > 0 ? v : null;
 var DIRECT_TYPES = /* @__PURE__ */ new Set([
@@ -5959,13 +6099,13 @@ function formatTs(ts) {
 
 // src/server.ts
 import { execSync, spawn as nodeSpawn } from "child_process";
-import { copyFileSync, existsSync as existsSync5, readFileSync as readFileSync6, rmSync as rmSync3 } from "fs";
+import { copyFileSync, existsSync as existsSync5, readFileSync as readFileSync5, rmSync as rmSync3 } from "fs";
 import { createInterface as createInterface2 } from "readline";
 import { homedir as homedir5 } from "os";
 import { join as join3, resolve as resolve3 } from "path";
 
 // src/serverConfig.ts
-import { existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync5, rmSync as rmSync2, writeFileSync as writeFileSync2 } from "fs";
+import { existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync4, rmSync as rmSync2, writeFileSync as writeFileSync2 } from "fs";
 import { homedir as homedir4 } from "os";
 import { join as join2, resolve as resolve2 } from "path";
 var STATE_DIR = join2(homedir4(), ".openmates");
@@ -5986,7 +6126,7 @@ function loadServerConfig() {
   const filePath = join2(STATE_DIR, CONFIG_FILE);
   if (!existsSync4(filePath)) return null;
   try {
-    return JSON.parse(readFileSync5(filePath, "utf-8"));
+    return JSON.parse(readFileSync4(filePath, "utf-8"));
   } catch {
     return null;
   }
@@ -6064,7 +6204,7 @@ function requireGit() {
 }
 function hasLlmCredentials(envPath) {
   if (!existsSync5(envPath)) return false;
-  const content = readFileSync6(envPath, "utf-8");
+  const content = readFileSync5(envPath, "utf-8");
   for (const line of content.split("\n")) {
     const trimmed = line.trim();
     if (trimmed.startsWith("#") || !trimmed) continue;
@@ -7673,6 +7813,8 @@ var SETTINGS_EXECUTABLE_COMMANDS = [
   { path: ["account", "export", "manifest"], description: "Show account export manifest", examples: ["openmates settings account export manifest --json"] },
   { path: ["account", "export", "data"], description: "Fetch account export data", examples: ["openmates settings account export data --json"] },
   { path: ["account", "import-chat"], description: "Import a CLI chat export file", examples: ["openmates settings account import-chat ./chat.yml", "openmates settings account import-chat ./payload.json"] },
+  { path: ["account", "username", "set"], description: "Change account username", examples: ["openmates settings account username set alice_123"] },
+  { path: ["account", "profile-picture", "set"], description: "Upload a profile picture", examples: ["openmates settings account profile-picture set ./avatar.jpg"] },
   { path: ["account", "chats", "stats"], description: "Show chat statistics", examples: ["openmates settings account chats stats"] },
   { path: ["account", "delete", "preview"], description: "Preview account deletion impact", examples: ["openmates settings account delete preview"] },
   { path: ["account", "storage", "overview"], description: "Show storage overview", examples: ["openmates settings account storage overview"] },
@@ -7689,9 +7831,16 @@ var SETTINGS_EXECUTABLE_COMMANDS = [
   { path: ["billing", "usage", "summaries"], description: "Show usage summaries", examples: ["openmates settings billing usage summaries"] },
   { path: ["billing", "usage", "daily"], description: "Show daily usage overview", examples: ["openmates settings billing usage daily"] },
   { path: ["billing", "usage", "export"], description: "Export usage data", examples: ["openmates settings billing usage export --json"] },
+  { path: ["billing", "invoices", "list"], description: "List invoices", examples: ["openmates settings billing invoices list --json"] },
+  { path: ["billing", "invoices", "download"], description: "Download an invoice PDF", examples: ["openmates settings billing invoices download <invoice-id> --output ./invoices"] },
+  { path: ["billing", "invoices", "credit-note"], description: "Download a credit note PDF", examples: ["openmates settings billing invoices credit-note <invoice-id> --output ./invoices"] },
+  { path: ["billing", "invoices", "refund"], description: "Request a refund for an invoice", examples: ["openmates settings billing invoices refund <invoice-id> --yes"] },
   { path: ["billing", "gift-card", "redeem"], description: "Redeem a gift card", examples: ["openmates settings billing gift-card redeem ABCD-1234"] },
   { path: ["billing", "gift-card", "list"], description: "List redeemed gift cards", examples: ["openmates settings billing gift-card list"] },
   { path: ["billing", "auto-topup", "low-balance", "set"], description: "Configure low-balance auto top-up", examples: ["openmates settings billing auto-topup low-balance set --enabled true --amount 1000 --currency eur --email you@example.com"] },
+  { path: ["notifications", "status"], description: "Show notification settings", examples: ["openmates settings notifications status --json"] },
+  { path: ["notifications", "email", "set"], description: "Configure email notifications", examples: ["openmates settings notifications email set --enabled true --email you@example.com --ai-responses true --backup-reminder true --webhook-chats true"] },
+  { path: ["notifications", "backup", "set"], description: "Configure backup reminder emails", examples: ["openmates settings notifications backup set --enabled true --interval 30 --email you@example.com"] },
   { path: ["reminders", "list"], description: "List active reminders", examples: ["openmates settings reminders list"] },
   { path: ["reminders", "update"], description: "Update a reminder", examples: ["openmates settings reminders update <id> --enabled false"] },
   { path: ["reminders", "delete"], description: "Delete a reminder", examples: ["openmates settings reminders delete <id> --yes"] },
@@ -7699,12 +7848,18 @@ var SETTINGS_EXECUTABLE_COMMANDS = [
   { path: ["developers", "api-keys", "revoke"], description: "Revoke an API key", examples: ["openmates settings developers api-keys revoke <key-id> --yes"] },
   { path: ["report-issue", "create"], description: "Report an issue", examples: ['openmates settings report-issue create --title "Bug" --body "What happened"'] },
   { path: ["report-issue", "status"], description: "Show issue status", examples: ["openmates settings report-issue status <issue-id>"] },
+  { path: ["mates", "list"], description: "List available mates", examples: ["openmates settings mates list"] },
+  { path: ["mates", "info"], description: "Show mate details", examples: ["openmates settings mates info software_development"] },
+  { path: ["mates", "consent"], description: "Record mate settings consent", examples: ["openmates settings mates consent --yes"] },
+  { path: ["newsletter", "categories"], description: "Show newsletter category preferences", examples: ["openmates settings newsletter categories"] },
+  { path: ["newsletter", "categories", "set"], description: "Set newsletter category preferences", examples: ["openmates settings newsletter categories set --updates true --tips true --daily false"] },
+  { path: ["newsletter", "subscribe"], description: "Subscribe an email to the newsletter", examples: ["openmates settings newsletter subscribe you@example.com --language en"] },
+  { path: ["newsletter", "confirm"], description: "Confirm newsletter subscription token", examples: ["openmates settings newsletter confirm <token>"] },
+  { path: ["newsletter", "unsubscribe"], description: "Unsubscribe with newsletter token", examples: ["openmates settings newsletter unsubscribe <token>"] },
   { path: ["memories"], description: "Manage encrypted memories", examples: ["openmates settings memories list", `openmates settings memories create --app-id code --item-type projects --data '{"name":"OpenMates"}'`] }
 ];
 var SETTINGS_INFO_COMMANDS = [
-  { path: ["account", "username"], description: "Username management is not CLI-ready yet", webPath: "account/username", reason: "The current web flow writes encrypted profile fields; CLI support needs a dedicated encryption UX first.", examples: ["openmates settings account username --help"] },
   { path: ["account", "email"], description: "Email changes are web-only", webPath: "account/email", reason: "Email changes require a guided identity verification flow.", examples: ["openmates settings account email"] },
-  { path: ["account", "profile-picture"], description: "Profile picture changes are not CLI-ready yet", webPath: "account/profile-picture", reason: "The upload/update flow needs image validation and parity with the browser uploader.", examples: ["openmates settings account profile-picture"] },
   { path: ["account", "delete"], description: "Account deletion is web-only", webPath: "account/delete", reason: "Account deletion requires browser-based reauthentication and explicit confirmation.", examples: ["openmates settings account delete"] },
   { path: ["security"], description: "Security settings are web-only", webPath: "account/security", reason: "Security settings require browser APIs or high-risk reauthentication.", examples: ["openmates settings security"] },
   { path: ["security", "passkeys"], description: "Passkeys are web-only", webPath: "account/security/passkeys", reason: "Passkeys require WebAuthn browser APIs.", examples: ["openmates settings security passkeys"] },
@@ -7715,16 +7870,12 @@ var SETTINGS_INFO_COMMANDS = [
   { path: ["billing", "buy-credits"], description: "Credit purchase is web-only", webPath: "billing/buy-credits", reason: "Payment checkout must use the browser/payment provider UI.", examples: ["openmates settings billing buy-credits"] },
   { path: ["billing", "gift-card", "buy"], description: "Gift card purchase is web-only", webPath: "billing/gift-cards/buy", reason: "Payment checkout must use the browser/payment provider UI.", examples: ["openmates settings billing gift-card buy"] },
   { path: ["billing", "auto-topup", "monthly"], description: "Monthly auto top-up is web-only for now", webPath: "billing/auto-topup/monthly", reason: "Recurring payment setup needs a payment-flow audit before CLI support.", examples: ["openmates settings billing auto-topup monthly"] },
-  { path: ["billing", "invoices"], description: "Invoice management is web-only for now", webPath: "billing/invoices", reason: "Invoice download support needs auth-gated file streaming parity first.", examples: ["openmates settings billing invoices"] },
   { path: ["privacy", "personal-data"], description: "Personal data management is not CLI-ready yet", webPath: "privacy/hide-personal-data", reason: "The CLI needs a dedicated encrypted personal-data UX before exposing writes.", examples: ["openmates settings privacy personal-data"] },
-  { path: ["notifications"], description: "Notification preferences are not CLI-ready yet", webPath: "notifications", reason: "Backend preference endpoints need an audit before terminal writes are exposed.", examples: ["openmates settings notifications"] },
   { path: ["shared", "tip"], description: "Tips are web-only", webPath: "shared/tip", reason: "Payment checkout must use the browser/payment provider UI.", examples: ["openmates settings shared tip"] },
-  { path: ["mates"], description: "Mate browsing is available through mentions for now", webPath: "mates", reason: "Use @mate mentions in chat; rich mate settings remain browser-first.", examples: ["openmates mentions list --type mate"] },
   { path: ["developers", "api-keys", "create"], description: "API key creation is web-only", webPath: "developers/api-keys", reason: "API key secrets are shown once and need the browser approval flow.", examples: ["openmates settings developers api-keys create"] },
   { path: ["developers", "devices"], description: "Developer devices are web-only", webPath: "developers/devices", reason: "Device approvals and revocations are sensitive.", examples: ["openmates settings developers devices"] },
   { path: ["developers", "webhooks"], description: "Developer webhooks are not CLI-ready yet", webPath: "developers/webhooks", reason: "Webhook CRUD needs a backend/API audit before CLI support.", examples: ["openmates settings developers webhooks"] },
   { path: ["support"], description: "Support payments are web-only", webPath: "support", reason: "Payment flows must use the browser/payment provider UI.", examples: ["openmates settings support"] },
-  { path: ["newsletter"], description: "Newsletter settings are not CLI-ready yet", webPath: "newsletter", reason: "Newsletter API flow needs an audit before CLI support.", examples: ["openmates settings newsletter"] },
   { path: ["incognito", "info"], description: "Explain incognito mode", reason: "Incognito chats are sent without saving chat history. The CLI stores no incognito transcript.", examples: ['openmates chats incognito "Private question"'] },
   { path: ["server"], description: "Server admin settings are web/admin-only", webPath: "server", reason: "Use `openmates server --help` for self-hosted terminal server management.", examples: ["openmates server status"] }
 ];
@@ -7762,6 +7913,11 @@ function parseRequiredNumber(value, flag) {
   if (!Number.isFinite(parsed)) throw new Error(`Invalid ${flag}: ${value}`);
   return parsed;
 }
+function parseOptionalBoolean(value, fallback, label) {
+  if (value === void 0) return fallback;
+  if (typeof value === "boolean") return value;
+  return parseOnOff(value, label);
+}
 function parseDataOrFlags(flags, booleanFlags) {
   if (typeof flags.data === "string") return JSON.parse(flags.data);
   const body = {};
@@ -7873,6 +8029,37 @@ function parseYamlScalar(value) {
   }
   return trimmed;
 }
+async function saveDownloadedDocument(document, output) {
+  const { mkdir, writeFile } = await import("fs/promises");
+  const { join: join4, basename: basename2, dirname } = await import("path");
+  const target = typeof output === "string" ? output : ".";
+  const filename = basename2(document.filename || "document.pdf");
+  const filePath = target.endsWith(".pdf") ? target : join4(target, filename);
+  await mkdir(dirname(filePath), { recursive: true });
+  await writeFile(filePath, document.data);
+  return filePath;
+}
+function printMates(json) {
+  const mates = Object.entries(MATE_NAMES).map(([id, name]) => ({ id, name, mention: `@mate:${id}` }));
+  if (json) {
+    printJson2(mates);
+    return;
+  }
+  header("Mates");
+  for (const mate of mates) console.log(`${mate.id.padEnd(28)} ${mate.name.padEnd(10)} ${mate.mention}`);
+}
+function printMateInfo(mateId, json) {
+  const name = MATE_NAMES[mateId];
+  if (!name) throw new Error(`Unknown mate '${mateId}'. Run 'openmates settings mates list'.`);
+  const data = { id: mateId, name, mention: `@mate:${mateId}` };
+  if (json) {
+    printJson2(data);
+    return;
+  }
+  header(`${name} (${mateId})`);
+  console.log(`Mention: ${data.mention}`);
+  console.log(`Use: openmates chats send "${data.mention} <message>"`);
+}
 async function confirmOrExit(question) {
   const rl = await import("readline");
   const iface = rl.createInterface({ input: process.stdin, output: process.stdout });
@@ -7957,6 +8144,18 @@ async function handleSettings(client, subcommand, rest, flags) {
     );
     return;
   }
+  if (matches(tokens, ["account", "username", "set"])) {
+    const username = rest[2];
+    if (!username) throw new Error("Missing username. Example: openmates settings account username set alice_123");
+    await printSettingsMutationResult(client.updateUsername(username), flags);
+    return;
+  }
+  if (matches(tokens, ["account", "profile-picture", "set"])) {
+    const file = rest[2];
+    if (!file) throw new Error("Missing image file. Example: openmates settings account profile-picture set ./avatar.jpg");
+    await printSettingsMutationResult(client.updateProfileImage(file), flags);
+    return;
+  }
   if (matches(tokens, ["account", "chats", "stats"])) {
     await printSettingsResult(client.settingsGet("chats"), flags);
     return;
@@ -8046,6 +8245,35 @@ async function handleSettings(client, subcommand, rest, flags) {
     await printSettingsResult(client.settingsGet("usage"), flags);
     return;
   }
+  if (matches(tokens, ["billing", "invoices", "list"])) {
+    await printSettingsResult(client.listInvoices(), flags);
+    return;
+  }
+  if (matches(tokens, ["billing", "invoices", "download"])) {
+    const invoiceId = rest[2];
+    if (!invoiceId) throw new Error("Missing invoice ID.");
+    const document = await client.downloadInvoice(invoiceId);
+    const filePath = await saveDownloadedDocument(document, flags.output);
+    if (flags.json === true) printJson2({ path: filePath, filename: document.filename });
+    else console.log(`\x1B[32m\u2713\x1B[0m Invoice saved to ${filePath}`);
+    return;
+  }
+  if (matches(tokens, ["billing", "invoices", "credit-note"])) {
+    const invoiceId = rest[2];
+    if (!invoiceId) throw new Error("Missing invoice ID.");
+    const document = await client.downloadCreditNote(invoiceId);
+    const filePath = await saveDownloadedDocument(document, flags.output);
+    if (flags.json === true) printJson2({ path: filePath, filename: document.filename });
+    else console.log(`\x1B[32m\u2713\x1B[0m Credit note saved to ${filePath}`);
+    return;
+  }
+  if (matches(tokens, ["billing", "invoices", "refund"])) {
+    const invoiceId = rest[2];
+    if (!invoiceId) throw new Error("Missing invoice ID.");
+    if (flags.yes !== true) await confirmOrExit(`Request refund for invoice ${invoiceId}? [y/N] `);
+    await printSettingsMutationResult(client.requestRefund(invoiceId), flags);
+    return;
+  }
   if (matches(tokens, ["billing", "gift-card", "redeem"]) || subcommand === "gift-card" && rest[0] === "redeem") {
     const code = matches(tokens, ["billing", "gift-card", "redeem"]) ? rest[2] : rest[1];
     if (!code) throw new Error("Missing gift card code.");
@@ -8079,6 +8307,48 @@ async function handleSettings(client, subcommand, rest, flags) {
     );
     return;
   }
+  if (matches(tokens, ["notifications", "status"])) {
+    const user = await client.whoAmI();
+    const status = {
+      enabled: user.email_notifications_enabled ?? false,
+      preferences: user.email_notification_preferences ?? {},
+      backup_reminder_interval_days: user.backup_reminder_interval_days ?? null,
+      encrypted_notification_email_configured: Boolean(user.encrypted_notification_email)
+    };
+    flags.json === true ? printJson2(status) : printGenericObject(status);
+    return;
+  }
+  if (matches(tokens, ["notifications", "email", "set"])) {
+    const enabled = parseOnOff(String(flags.enabled ?? ""), "email notifications");
+    const email = typeof flags.email === "string" ? flags.email : null;
+    if (enabled && !email) throw new Error("Provide --email when enabling email notifications.");
+    const preferences = {
+      aiResponses: parseOptionalBoolean(flags["ai-responses"], true, "AI response notifications"),
+      backupReminder: parseOptionalBoolean(flags["backup-reminder"], false, "backup reminder notifications"),
+      webhookChats: parseOptionalBoolean(flags["webhook-chats"], false, "webhook chat notifications")
+    };
+    await printSettingsMutationResult(
+      client.updateEmailNotificationSettings({ enabled, email, preferences }),
+      flags
+    );
+    return;
+  }
+  if (matches(tokens, ["notifications", "backup", "set"])) {
+    const enabled = parseOnOff(String(flags.enabled ?? ""), "backup reminders");
+    const email = typeof flags.email === "string" ? flags.email : null;
+    const interval = parseRequiredNumber(flags.interval, "--interval");
+    if (enabled && !email) throw new Error("Provide --email when enabling backup reminders.");
+    await printSettingsMutationResult(
+      client.updateEmailNotificationSettings({
+        enabled,
+        email,
+        preferences: { aiResponses: false, backupReminder: enabled },
+        backup_reminder_interval_days: interval
+      }),
+      flags
+    );
+    return;
+  }
   if (matches(tokens, ["reminders", "list"])) {
     await printSettingsResult(client.settingsGet("reminders"), flags);
     return;
@@ -8121,6 +8391,54 @@ async function handleSettings(client, subcommand, rest, flags) {
     await printSettingsResult(client.settingsGet(`issues/${id}/status`), flags);
     return;
   }
+  if (matches(tokens, ["mates", "list"])) {
+    printMates(flags.json === true);
+    return;
+  }
+  if (matches(tokens, ["mates", "info"])) {
+    const mateId = rest[1];
+    if (!mateId) throw new Error("Missing mate ID. Example: openmates settings mates info software_development");
+    printMateInfo(mateId, flags.json === true);
+    return;
+  }
+  if (matches(tokens, ["mates", "consent"])) {
+    if (flags.yes !== true) await confirmOrExit("Record consent for mate settings? [y/N] ");
+    await printSettingsMutationResult(client.settingsPost("user/consent/mates", { consent: true }), flags);
+    return;
+  }
+  if (matches(tokens, ["newsletter", "categories"]) && tokens.length === 2) {
+    await printSettingsResult(client.getNewsletterCategories(), flags);
+    return;
+  }
+  if (matches(tokens, ["newsletter", "categories", "set"])) {
+    const categories = {
+      updates_and_announcements: parseOptionalBoolean(flags.updates, true, "updates newsletter"),
+      tips_and_tricks: parseOptionalBoolean(flags.tips, true, "tips newsletter"),
+      daily_inspirations: parseOptionalBoolean(flags.daily, true, "daily inspirations newsletter")
+    };
+    await printSettingsMutationResult(client.updateNewsletterCategories(categories), flags);
+    return;
+  }
+  if (matches(tokens, ["newsletter", "subscribe"])) {
+    const email = rest[1];
+    if (!email) throw new Error("Missing email. Example: openmates settings newsletter subscribe you@example.com");
+    const language = typeof flags.language === "string" ? flags.language : "en";
+    const darkmode = parseOptionalBoolean(flags.darkmode, false, "newsletter dark mode");
+    await printSettingsMutationResult(client.subscribeNewsletter(email, language, darkmode), flags);
+    return;
+  }
+  if (matches(tokens, ["newsletter", "confirm"])) {
+    const token = rest[1];
+    if (!token) throw new Error("Missing confirmation token.");
+    await printSettingsMutationResult(client.confirmNewsletter(token), flags);
+    return;
+  }
+  if (matches(tokens, ["newsletter", "unsubscribe"])) {
+    const token = rest[1];
+    if (!token) throw new Error("Missing unsubscribe token.");
+    await printSettingsMutationResult(client.unsubscribeNewsletter(token), flags);
+    return;
+  }
   if (subcommand === "memories") {
     await handleMemories(client, rest, flags);
     return;

package/dist/chunk-SFTCIVE2.js

@@ -0,0 +1,131 @@
+// src/uploadService.ts
+import { readFileSync } from "fs";
+import { basename, extname } from "path";
+var UPLOAD_MAX_ATTEMPTS = 3;
+var UPLOAD_RETRY_DELAY_MS = 2e3;
+var PROFILE_IMAGE_MAX_SIZE_BYTES = 300 * 1024;
+function getUploadUrl(apiUrl) {
+  try {
+    const url = new URL(apiUrl);
+    if (url.hostname === "localhost") return "http://localhost:8001";
+  } catch {
+  }
+  return "https://upload.openmates.org";
+}
+function getUploadOrigin(apiUrl) {
+  try {
+    const url = new URL(apiUrl);
+    if (url.hostname === "localhost") return "http://localhost:5173";
+    if (url.hostname.startsWith("api.")) {
+      return `${url.protocol}//app.${url.hostname.slice(4)}`;
+    }
+  } catch {
+  }
+  return "https://app.openmates.org";
+}
+async function uploadFile(filePath, session) {
+  const filename = basename(filePath);
+  const fileBytes = readFileSync(filePath);
+  const uploadUrl = `${getUploadUrl(session.apiUrl)}/v1/upload/file`;
+  const origin = getUploadOrigin(session.apiUrl);
+  const cookies = [];
+  if (session.cookies?.auth_refresh_token) {
+    cookies.push(`auth_refresh_token=${session.cookies.auth_refresh_token}`);
+  }
+  let response;
+  let lastError;
+  for (let attempt = 1; attempt <= UPLOAD_MAX_ATTEMPTS; attempt++) {
+    try {
+      const blob = new Blob([fileBytes]);
+      const formData = new FormData();
+      formData.append("file", blob, filename);
+      response = await fetch(uploadUrl, {
+        method: "POST",
+        body: formData,
+        headers: {
+          Origin: origin,
+          ...cookies.length > 0 ? { Cookie: cookies.join("; ") } : {}
+        },
+        signal: AbortSignal.timeout(10 * 60 * 1e3)
+        // 10-minute timeout
+      });
+      break;
+    } catch (error) {
+      lastError = error;
+      if (attempt === UPLOAD_MAX_ATTEMPTS) break;
+      await new Promise((resolve) => setTimeout(resolve, UPLOAD_RETRY_DELAY_MS));
+    }
+  }
+  if (!response) {
+    const message = lastError instanceof Error ? lastError.message : String(lastError);
+    throw new Error(message || "Upload request failed.");
+  }
+  if (!response.ok) {
+    const status = response.status;
+    let errorMessage;
+    switch (status) {
+      case 401:
+        errorMessage = "Authentication failed. Run `openmates login` to re-authenticate.";
+        break;
+      case 413:
+        errorMessage = "File too large (maximum 100 MB).";
+        break;
+      case 415:
+        errorMessage = "Unsupported file type.";
+        break;
+      case 422: {
+        const body = await response.text().catch(() => "");
+        errorMessage = body.includes("malware") ? "File rejected: malware detected." : body.includes("content_safety") ? "File rejected: content safety violation." : `Upload validation failed: ${body}`;
+        break;
+      }
+      case 429:
+        errorMessage = "Upload rate limit exceeded. Try again in a minute.";
+        break;
+      default:
+        errorMessage = `Upload failed (HTTP ${status}).`;
+    }
+    throw new Error(errorMessage);
+  }
+  const data = await response.json();
+  return data;
+}
+function getProfileImageMime(filename) {
+  const ext = extname(filename).toLowerCase();
+  if (ext === ".jpg" || ext === ".jpeg") return "image/jpeg";
+  if (ext === ".png") return "image/png";
+  throw new Error("Profile images must be JPEG or PNG files.");
+}
+async function uploadProfileImage(filePath, session) {
+  const filename = basename(filePath);
+  const fileBytes = readFileSync(filePath);
+  const contentType = getProfileImageMime(filename);
+  if (fileBytes.byteLength > PROFILE_IMAGE_MAX_SIZE_BYTES) {
+    throw new Error("Profile image must be 300 KB or smaller. Resize/compress the image and try again.");
+  }
+  const uploadUrl = `${getUploadUrl(session.apiUrl)}/v1/upload/profile-image`;
+  const origin = getUploadOrigin(session.apiUrl);
+  const cookies = [];
+  if (session.cookies?.auth_refresh_token) {
+    cookies.push(`auth_refresh_token=${session.cookies.auth_refresh_token}`);
+  }
+  const formData = new FormData();
+  formData.append("file", new Blob([fileBytes], { type: contentType }), filename);
+  const response = await fetch(uploadUrl, {
+    method: "POST",
+    body: formData,
+    headers: {
+      Origin: origin,
+      ...cookies.length > 0 ? { Cookie: cookies.join("; ") } : {}
+    }
+  });
+  const data = await response.json().catch(() => ({}));
+  if (!response.ok && !data.status) {
+    throw new Error(data.detail ?? `Profile image upload failed (HTTP ${response.status}).`);
+  }
+  return data;
+}
+
+export {
+  uploadFile,
+  uploadProfileImage
+};

package/dist/cli.js

@@ -2,7 +2,8 @@
 import {
   getExtForLang,
   serializeToYaml
-} from "./chunk-T77MVTFX.js";
+} from "./chunk-QJE5DL63.js";
+import "./chunk-SFTCIVE2.js";
 export {
   getExtForLang,
   serializeToYaml

package/dist/index.d.ts

@@ -7,6 +7,7 @@ interface OpenMatesSession {
     wsToken: string | null;
     cookies: Record<string, string>;
     masterKeyExportedB64: string;
+    emailEncryptionKeyB64?: string | null;
     hashedEmail: string;
     userEmailSalt: string;
     createdAt: number;
@@ -293,6 +294,23 @@ interface OpenMatesClientOptions {
     apiUrl?: string;
     session?: OpenMatesSession;
 }
+interface InvoiceListItem {
+    id: string;
+    order_id?: string | null;
+    date: string;
+    amount: string;
+    credits_purchased: number;
+    filename: string;
+    is_gift_card?: boolean;
+    refunded_at?: string | null;
+    refund_status?: string | null;
+    currency?: string | null;
+    provider?: string | null;
+}
+interface DownloadedDocument {
+    filename: string;
+    data: Uint8Array;
+}
 /**
  * Derive the web app URL from the API URL so the pair token is always looked
  * up on the same backend the CLI created it on.
@@ -467,6 +485,25 @@ declare class OpenMatesClient {
         message: string;
     }>;
     listRedeemedGiftCards(): Promise<unknown>;
+    listInvoices(): Promise<{
+        invoices: InvoiceListItem[];
+    }>;
+    downloadInvoice(invoiceId: string): Promise<DownloadedDocument>;
+    downloadCreditNote(invoiceId: string): Promise<DownloadedDocument>;
+    requestRefund(invoiceId: string): Promise<unknown>;
+    updateUsername(username: string): Promise<unknown>;
+    updateProfileImage(filePath: string): Promise<unknown>;
+    getNewsletterCategories(): Promise<unknown>;
+    updateNewsletterCategories(categories: Record<string, boolean>): Promise<unknown>;
+    subscribeNewsletter(email: string, language?: string, darkmode?: boolean): Promise<unknown>;
+    confirmNewsletter(token: string): Promise<unknown>;
+    unsubscribeNewsletter(token: string): Promise<unknown>;
+    updateEmailNotificationSettings(payload: {
+        enabled: boolean;
+        email?: string | null;
+        preferences: Record<string, boolean>;
+        backup_reminder_interval_days?: number;
+    }): Promise<unknown>;
     /**
      * Fetch today's daily inspirations.
      *
@@ -600,6 +637,9 @@ declare class OpenMatesClient {
      */
     buildMentionContext(): Promise<MentionContext>;
     private normalizePath;
+    private downloadPaymentPdf;
+    private ensureEmailEncryptionKey;
+    private hydrateEmailEncryptionKey;
     private requireSession;
     private getMasterKeyBytes;
     private getValidSessionFromDisk;

package/dist/index.js

@@ -6,7 +6,8 @@ import {
   getExtForLang,
   parseNewChatSuggestionText,
   serializeToYaml
-} from "./chunk-T77MVTFX.js";
+} from "./chunk-QJE5DL63.js";
+import "./chunk-SFTCIVE2.js";
 export {
   MATE_NAMES,
   MEMORY_TYPE_REGISTRY,

package/dist/uploadService-3CAJXU4L.js

@@ -0,0 +1,8 @@
+import {
+  uploadFile,
+  uploadProfileImage
+} from "./chunk-SFTCIVE2.js";
+export {
+  uploadFile,
+  uploadProfileImage
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openmates",
-  "version": "0.11.0-alpha.7",
+  "version": "0.11.0-alpha.9",
   "description": "OpenMates CLI and SDK",
   "type": "module",
   "main": "dist/index.js",