surface-cli 0.3.4 → 0.4.0

package/dist/providers/imap/auth.test.js

@@ -0,0 +1,36 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { imapAuthTestHooks } from "./auth.js";
+function account() {
+    return {
+        account_id: "acc_imap",
+        name: "imap",
+        provider: "imap",
+        transport: "imap-smtp",
+        email: "surface@example.com",
+        created_at: "2026-06-03T12:00:00.000Z",
+        updated_at: "2026-06-03T12:00:00.000Z",
+    };
+}
+test("failing password-command errors are redacted", () => {
+    const command = `${process.execPath} -e "console.error('DO_NOT_LEAK_SECRET'); process.exit(7)"`;
+    let thrown;
+    try {
+        imapAuthTestHooks.resolvePassword({ passwordCommand: command }, account());
+    }
+    catch (error) {
+        thrown = error;
+    }
+    assert.ok(thrown instanceof Error);
+    assert.equal(thrown.message, "IMAP/SMTP password command failed.");
+    assert.doesNotMatch(thrown.message, /DO_NOT_LEAK_SECRET/);
+    assert.doesNotMatch(thrown.message, /process\.exit/);
+    assert.doesNotMatch(thrown.message, new RegExp(process.execPath.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")));
+});
+test("direct password source returns the password flag value", () => {
+    assert.equal(imapAuthTestHooks.resolvePassword({ password: "mailbox-secret" }, account()), "mailbox-secret");
+});
+test("password sources are mutually exclusive", () => {
+    assert.throws(() => imapAuthTestHooks.resolvePassword({ password: "mailbox-secret", passwordEnv: "SURFACE_GMX_PASSWORD" }, account()), /exactly one of --password, --password-env, --password-file, or --password-command/);
+});
+//# sourceMappingURL=auth.test.js.map

package/dist/providers/imap/auth.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.test.js","sourceRoot":"","sources":["../../../src/providers/imap/auth.test.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,IAAI,MAAM,WAAW,CAAC;AAI7B,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAE9C,SAAS,OAAO;IACd,OAAO;QACL,UAAU,EAAE,UAAU;QACtB,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,WAAW;QACtB,KAAK,EAAE,qBAAqB;QAC5B,UAAU,EAAE,0BAA0B;QACtC,UAAU,EAAE,0BAA0B;KACvC,CAAC;AACJ,CAAC;AAED,IAAI,CAAC,8CAA8C,EAAE,GAAG,EAAE;IACxD,MAAM,OAAO,GAAG,GAAG,OAAO,CAAC,QAAQ,4DAA4D,CAAC;IAEhG,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,iBAAiB,CAAC,eAAe,CAAC,EAAE,eAAe,EAAE,OAAO,EAAsB,EAAE,OAAO,EAAE,CAAC,CAAC;IACjG,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,KAAK,CAAC;IACjB,CAAC;IAED,MAAM,CAAC,EAAE,CAAC,MAAM,YAAY,KAAK,CAAC,CAAC;IACnC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,oCAAoC,CAAC,CAAC;IACnE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;IAC1D,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IACrD,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;AAC3G,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,wDAAwD,EAAE,GAAG,EAAE;IAClE,MAAM,CAAC,KAAK,CACV,iBAAiB,CAAC,eAAe,CAAC,EAAE,QAAQ,EAAE,gBAAgB,EAAsB,EAAE,OAAO,EAAE,CAAC,EAChG,gBAAgB,CACjB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,yCAAyC,EAAE,GAAG,EAAE;IACnD,MAAM,CAAC,MAAM,CACX,GAAG,EAAE,CAAC,iBAAiB,CAAC,eAAe,CACrC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,WAAW,EAAE,sBAAsB,EAAsB,EACvF,OAAO,EAAE,CACV,EACD,mFAAmF,CACpF,CAAC;AACJ,CAAC,CAAC,CAAC"}

package/dist/providers/index.js

@@ -1,7 +1,12 @@
 import { SurfaceError } from "../lib/errors.js";
 import { GmailApiAdapter } from "./gmail/adapter.js";
+import { ImapSmtpAdapter } from "./imap/adapter.js";
 import { OutlookWebPlaywrightAdapter } from "./outlook/adapter.js";
-const providers = [new GmailApiAdapter(), new OutlookWebPlaywrightAdapter()];
+const providers = [
+    new GmailApiAdapter(),
+    new OutlookWebPlaywrightAdapter(),
+    new ImapSmtpAdapter(),
+];
 export function resolveProviderAdapter(account) {
     const adapter = providers.find((candidate) => candidate.provider === account.provider && candidate.transport === account.transport);
     if (!adapter) {

package/dist/providers/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/providers/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,2BAA2B,EAAE,MAAM,sBAAsB,CAAC;AAGnE,MAAM,SAAS,GAA0B,CAAC,IAAI,eAAe,EAAE,EAAE,IAAI,2BAA2B,EAAE,CAAC,CAAC;AAEpG,MAAM,UAAU,sBAAsB,CAAC,OAAoB;IACzD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAC5B,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,KAAK,OAAO,CAAC,QAAQ,IAAI,SAAS,CAAC,SAAS,KAAK,OAAO,CAAC,SAAS,CACpG,CAAC;IAEF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,YAAY,CACpB,uBAAuB,EACvB,yCAAyC,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,SAAS,GAAG,EACjF,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,CAC1B,CAAC;IACJ,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/providers/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,2BAA2B,EAAE,MAAM,sBAAsB,CAAC;AAGnE,MAAM,SAAS,GAA0B;IACvC,IAAI,eAAe,EAAE;IACrB,IAAI,2BAA2B,EAAE;IACjC,IAAI,eAAe,EAAE;CACtB,CAAC;AAEF,MAAM,UAAU,sBAAsB,CAAC,OAAoB;IACzD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAC5B,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,KAAK,OAAO,CAAC,QAAQ,IAAI,SAAS,CAAC,SAAS,KAAK,OAAO,CAAC,SAAS,CACpG,CAAC;IAEF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,YAAY,CACpB,uBAAuB,EACvB,yCAAyC,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,SAAS,GAAG,EACjF,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,CAC1B,CAAC;IACJ,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "surface-cli",
-  "version": "0.3.4",
-  "description": "A lean, local-first mail CLI for Gmail and Outlook with a JSON-first contract for automation.",
+  "version": "0.4.0",
+  "description": "A lean, local-first mail CLI for Gmail, Outlook, and generic IMAP with a JSON-first contract for automation.",
   "homepage": "https://github.com/VishalJ99/surface-cli",
   "repository": {
     "type": "git",
@@ -16,17 +16,20 @@
     "gmail",
     "outlook",
     "automation",
-    "openclaw"
+    "openclaw",
+    "codex",
+    "claude-code"
   ],
   "type": "module",
   "bin": {
     "surface": "dist/cli.js"
   },
   "engines": {
-    "node": ">=20"
+    "node": ">=20.19.0"
   },
   "files": [
     "dist",
+    "skills",
     "README.md"
   ],
   "scripts": {
@@ -41,6 +44,9 @@
   "dependencies": {
     "better-sqlite3": "^12.8.0",
     "commander": "^14.0.3",
+    "imapflow": "^1.3.5",
+    "mailparser": "^3.9.9",
+    "nodemailer": "^8.0.10",
     "playwright-core": "^1.55.0",
     "smol-toml": "^1.6.1",
     "ulid": "^3.0.2",
@@ -48,7 +54,9 @@
   },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.13",
+    "@types/mailparser": "^3.4.6",
     "@types/node": "^25.5.2",
+    "@types/nodemailer": "^8.0.0",
     "tsx": "^4.21.0",
     "typescript": "^6.0.2"
   }

package/skills/surface-cli/SKILL.md

@@ -0,0 +1,338 @@
+---
+name: surface-cli
+description: "Use the Surface mail CLI to read and act on Gmail, Outlook, and generic IMAP/SMTP mail through one JSON-first contract. Prefer this skill when you need Outlook access for school or work accounts that do not expose IMAP, or generic IMAP for providers such as GMX, plus stable refs for unread fetch, sent-message lookup, structured search, thread refresh, message read, attachments, send or draft, archive, mark read or unread, and provider-supported RSVP."
+metadata:
+  {
+    "openclaw":
+      {
+        "emoji": "📬",
+        "homepage": "https://github.com/VishalJ99/surface-cli",
+        "requires": { "bins": ["surface"] },
+        "install":
+          [
+            {
+              "id": "node",
+              "kind": "node",
+              "package": "surface-cli",
+              "bins": ["surface"],
+              "label": "Install Surface CLI (npm)",
+            },
+          ],
+      },
+  }
+---
+
+# Surface CLI
+
+Surface is a local-first mail CLI for Gmail, Outlook, and generic IMAP/SMTP. It is especially
+useful for Outlook school or work accounts that only work through the web UI, and for mail
+providers such as GMX that expose standard IMAP and SMTP settings. Surface prints
+machine-readable JSON to stdout and stores local state in `~/.surface-cli`.
+
+## Use This Skill When
+
+- the user wants to read or triage email from Gmail, Outlook, or an IMAP mailbox
+- the user needs a provider-neutral CLI for search, unread fetch, read, attachments, or actions
+- you need stable `thread_ref` / `message_ref` values for follow-up commands or thread watching
+
+## Prerequisites
+
+1. Surface CLI installed (`surface --help` should work)
+2. At least one configured account
+3. Valid auth for the target account
+
+Check setup:
+
+```bash
+surface account list
+surface auth status
+```
+
+If the user asks to install the Surface skill for another agent on the same machine, use:
+
+```bash
+surface skill install codex
+surface skill install claude-code
+surface skill install all
+```
+
+## Account Setup
+
+Add an account:
+
+```bash
+surface account add personal_2 --provider gmail --email you@example.com
+surface account add uni --provider outlook --email you@example.com
+surface account add gmx --provider imap --email you@gmx.com
+```
+
+For reliable `summary.needs_action`, Surface should know who the account owner is. Gmail auth can
+verify the mailbox email automatically; Outlook may need explicit human identifiers:
+
+```bash
+surface account identity set uni --email you@example.com --name "Your Name" --name-alias "FirstName"
+surface account identity show uni
+```
+
+Log in:
+
+```bash
+surface auth login personal_2
+surface auth login uni
+surface auth login gmx \
+  --imap-host imap.gmx.com --imap-port 993 --imap-security tls \
+  --smtp-host mail.gmx.com --smtp-port 587 --smtp-security starttls \
+  --username you@gmx.com \
+  --password-env SURFACE_GMX_PASSWORD
+```
+
+For GMX and similar providers, make sure IMAP/POP3 access is enabled in the
+provider web settings before logging in. Generic IMAP login does not need a
+Google Cloud project, OAuth client JSON, Microsoft Graph app registration, or a
+browser session. It does need the provider's IMAP/SMTP settings and a mailbox or
+app password. `--password <password>` is supported and treats the flag value as
+the password directly, but prefer `--password-env`, `--password-file`, or
+`--password-command` because direct CLI passwords can leak through shell
+history, process listings, terminal logs, or agent transcripts. Do not ask the
+user to paste mailbox passwords into chat or store them in the repo.
+
+Local policy lives in:
+
+```text
+~/.surface-cli/config.toml
+```
+
+Important local knobs:
+
+- `summarizer_backend`
+- `summarizer_model`
+- `writes_enabled`
+- `send_mode`
+- `test_recipients`
+- `test_account_allowlist`
+
+Summarization is opt-in and controlled by the user's local config. Do not change
+`summarizer_backend`, `summarizer_model`, or related environment variables unless the user
+explicitly asks. If an external summarizer backend is enabled, email thread content may be sent to
+the configured model provider; confirm the user accepts that privacy tradeoff before enabling or
+changing summarization.
+
+## Common Operations
+
+### List Accounts
+
+```bash
+surface account list
+surface auth status
+surface auth status personal_2
+```
+
+### Fetch Unread Threads
+
+```bash
+surface mail fetch-unread --account uni --limit 10
+surface mail fetch-unread --account personal_2 --limit 20
+surface mail fetch-unread --account uni --session sess_01... --limit 10
+```
+
+### Search Mail
+
+```bash
+surface mail search --account uni --text "invoice" --limit 10
+surface mail search --account uni --from registrar@school.edu --subject "waitlist" --limit 10
+surface mail search --account uni --session sess_01... --from registrar@school.edu --limit 10
+surface mail search --account personal_2 --mailbox inbox --label unread --text "sale" --limit 10
+surface mail search --account personal_2 --text "has:attachment newer_than:30d" --limit 5
+surface mail search --account gmx --mailbox inbox --limit 10
+```
+
+### List Sent Messages
+
+```bash
+surface mail sent --account uni
+surface mail sent --account uni --recipient person@example.com --limit 10
+surface mail sent --account uni --thread thr_01... --limit 10
+surface mail sent --account uni --session sess_01... --recipient person@example.com --limit 10
+surface mail sent --account personal_2 --limit 10
+```
+
+`sent` is message-first. Its default limit is the last 10 sent messages, not threads. Each returned
+message includes `message_ref` and `thread_ref`; use `surface mail thread get <thread_ref>
+--refresh` when you need the full conversation around a sent message.
+
+Use `--thread <thread_ref>` when you already know the conversation and need only the user's sent
+messages in that thread for style or consistency. `--thread` may be combined with `--recipient`.
+
+### Watching Threads And Topics
+
+Surface is the polling primitive, not the scheduler or delivery transport. If the user asks to
+watch mail, use the surrounding automation system to rerun Surface commands and surface updates to
+the user-requested destination.
+
+- For a specific thread watch, persist the `account`, `thread_ref`, and the newest known
+  message/timestamp. On each check, rerun `surface mail thread get <thread_ref> --refresh` and
+  notify only when the newest message state changes.
+- For a topic watch, establish a baseline with `search`, then use periodic `fetch-unread` checks
+  to catch new inbox arrivals and targeted `search` checks when the topic has clear `--from`,
+  `--subject`, `--mailbox`, `--label`, or `--text` filters.
+- Do not assume a delivery target. Return updates through the current agent conversation or the
+  explicit destination the user asked for.
+- Reasonable starting cadences are: 5-10 minutes for one active thread, 30-60 minutes for a
+  narrow topic watch, and 2-4 hours for inbox digests. Avoid sub-5-minute polling unless the user
+  explicitly asks for it.
+- For Outlook-heavy polling, keep concurrency modest and prefer one warm session per parallel
+  worker if several live checks will run close together.
+
+### Warm Sessions
+
+```bash
+surface session start --account uni
+surface session list
+surface session stop sess_01...
+```
+
+### Parallel Read Guidance
+
+Read-only commands may be run in parallel. Live probes passed for:
+
+- two Gmail searches on the same account
+- two cold Outlook searches on the same account
+- Gmail and Outlook searches at the same time
+- two separate Outlook warm sessions searched at the same time
+- two searches sharing one Outlook warm session
+
+For Outlook, keep concurrency modest because each cold command or warm session uses browser
+resources. If planning multiple concurrent Outlook operations, prefer one warm session per
+parallel worker. Reusing the same `--session` concurrently works in the tested case but can be
+slower due to contention.
+
+### Read One Thread
+
+```bash
+surface mail thread get thr_01...
+surface mail thread get thr_01... --refresh
+surface mail thread get thr_01... --refresh --session sess_01...
+```
+
+### Read One Message
+
+```bash
+surface mail read msg_01...
+surface mail read msg_01... --refresh
+surface mail read msg_01... --refresh --session sess_01...
+surface mail read msg_01... --mark-read
+```
+
+### Attachments
+
+```bash
+surface attachment list msg_01...
+surface attachment download msg_01... att_01...
+```
+
+### Compose And Send
+
+```bash
+surface mail send --account personal_2 --to recipient@example.com --subject "Hello" --body "Test"
+surface mail send --account personal_2 --to recipient@example.com --subject "Hello" --body "Test" --draft
+surface mail reply msg_01... --body "Thanks"
+surface mail reply msg_01... --body "Thanks" --draft
+surface mail reply-all msg_01... --body "Thanks everyone"
+surface mail forward msg_01... --to recipient@example.com --body "FYI"
+```
+
+### Mailbox Actions
+
+```bash
+surface mail archive msg_01...                  # IMAP requires an Archive/All Mail mailbox
+surface mail mark-read msg_01...
+surface mail mark-unread msg_01...
+surface mail rsvp msg_01... --response accept   # Gmail/Outlook only; IMAP returns unsupported
+```
+
+## Workflow
+
+1. Start with `surface account list` if the target account is unclear.
+2. Use `surface auth status` before assuming a provider is ready.
+3. Use `surface account identity show <account>` if `summary.needs_action` looks wrong; add
+   `--name-alias` or `--email-alias` with `surface account identity set` when the mailbox address
+   alone is not enough to identify the user in message bodies.
+4. For triage, prefer `fetch-unread` or `search` and inspect the returned thread/message refs.
+5. For style matching before drafting, run
+   `surface mail sent --account <account> --recipient <email> --limit 3` and use the returned sent
+   messages as tone/context. When replying in an existing thread, prefer
+   `surface mail sent --account <account> --thread <thread_ref> --limit 3`; use recipient matching
+   as fallback if the thread has no sent examples.
+6. If you expect several live Outlook reads in a row, start a warm session first and reuse its `session_id`.
+7. For a thread watch, use `surface mail thread get <thread_ref> --refresh` and compare the newest
+   message state against the stored prior observation before notifying.
+8. For a topic watch, start with `search` to set the baseline, then use `fetch-unread` for new
+   inbox arrivals plus targeted `search` when the watch has narrow filters.
+9. Read only the messages you need with `surface mail read <message_ref>`.
+10. For passive watching, do not mutate read state. If the user explicitly asks you to triage unread
+   mail and write safety is enabled, marking handled messages read after reporting is acceptable
+   unless the user asks to keep them unread.
+11. Act using refs from Surface output. Do not rely on array positions from previous JSON.
+
+## Important Rules
+
+- Surface outputs JSON on stdout. Parse it instead of scraping terminal text.
+- Use `message_ref` and `thread_ref` for follow-up commands.
+- `search` accepts structured filters for sender, subject, mailbox, and labels in addition to raw `--text`.
+- `session start` is the explicit opt-in path for warm Outlook read sessions. In v1, `--session` is supported on `search`, `fetch-unread`, `thread get --refresh`, and `read`.
+- `thread get --refresh` is the thread-level live refresh path for automations that watch a specific conversation.
+- `read` is cache-first by default. Use `--refresh` when you need live provider state.
+- the first session-backed Outlook query still pays mailbox setup cost; the main win is faster follow-on live reads in the same mailbox session
+- `read` does not download attachments. Use `surface attachment download`.
+- Generic IMAP reads raw MIME directly and does not need webmail "show images" or "trust sender"
+  UI. Remote images are not fetched; message body text, links, and MIME attachments still work.
+- `fetch-unread` and `search` do not mutate mailbox state.
+- passive watching should stay read-only; do not mark watched mail read unless the user explicitly asks
+- if the user asks for unread triage rather than passive watching, `mark-read` or `read --mark-read`
+  is acceptable only after reporting and only when local write safety allows it
+- watcher notifications should go to the user-requested destination; do not invent a session,
+  channel, or DM target
+- `--draft` is the safe compose path when you do not need to send immediately.
+
+## Provider Notes
+
+- Gmail and Outlook both support read, search, unread fetch, attachments, send/reply/forward,
+  archive, mark-read, mark-unread, RSVP, and `--draft`.
+- Generic IMAP/SMTP supports read, search, unread fetch, attachments, sent lookup,
+  send/reply/reply-all/forward, drafts, mark-read, and mark-unread. Archive works only when the
+  account exposes an Archive or All Mail style mailbox. RSVP is not supported for generic IMAP.
+- Public CLI send-with-attachment/upload flags are not supported yet. Receive-side attachment
+  list/download is supported.
+- Generic IMAP does not expose a reliable cross-folder conversation ID. Replies return the created
+  Sent or Draft refs and include `in_reply_to_message_ref`; use `sent --recipient` or `sent
+  --thread` for sent-message lookup.
+- Gmail RSVP requires Google Calendar API access on the authenticated account. If RSVP returns a
+  reauth error, re-run `surface auth login <account>`.
+
+## Safety
+
+- Respect local write-safety policy from `~/.surface-cli/config.toml` and any `SURFACE_*` env vars.
+- Do not send mail unless write safety is enabled locally.
+- Prefer the configured sink recipients from local config; do not invent recipients.
+- For send-like tests, use `--draft` unless the task explicitly requires a live send.
+- When testing live sends, only send to recipients already configured locally for safe testing.
+
+## Examples
+
+```bash
+surface account list
+surface auth status
+surface auth status gmx
+surface session start --account uni
+surface mail fetch-unread --account uni --limit 10
+surface mail search --account gmx --mailbox inbox --limit 5
+surface mail fetch-unread --account uni --session sess_01... --limit 10
+surface mail search --account personal_2 --from alerts@example.com --subject 'discount' --mailbox inbox --label unread --limit 5
+surface mail thread get thr_01... --refresh --session sess_01...
+surface mail read msg_01... --refresh --session sess_01...
+surface mail read msg_01... --mark-read
+surface attachment list msg_01...
+surface attachment download msg_01... att_01...
+surface mail reply msg_01... --body 'Thanks' --draft
+surface mail archive msg_01...
+```