zele 0.3.13 → 0.3.15

package/src/commands/attachment.ts

@@ -33,13 +33,11 @@ export function registerAttachmentCommands(cli: Goke) {
       )
 
       if (attachments.length === 0) {
-        out.hint('No attachments')
+        out.printList([], { summary: 'No attachments' })
         return
       }
 
-      out.printList(attachments)
-
-      out.hint(`${attachments.length} attachment(s)`)
+      out.printList(attachments, { summary: `${attachments.length} attachment(s)` })
       out.hint('Use: zele attachment get <messageId> <attachmentId>')
     })
 
@@ -63,9 +61,18 @@ export function registerAttachmentCommands(cli: Goke) {
       }
 
       const meta = msg.attachments.find((a) => a.attachmentId === attachmentId)
-      const filename = options.filename ?? meta?.filename ?? `${messageId}_${attachmentId.slice(0, 8)}`
+      const fallbackFilename = `${messageId}_${attachmentId.slice(0, 8)}`
+      const rawFilename = options.filename ?? meta?.filename
+      const filename = sanitizeFilename(rawFilename, fallbackFilename)
+
+      const outDir = path.resolve(options.outDir)
+      const outPath = path.join(outDir, filename)
 
-      const outPath = path.resolve(options.outDir, filename)
+      // Security: verify the resolved path is within the output directory
+      if (!outPath.startsWith(outDir + path.sep) && outPath !== outDir) {
+        out.error(`Security error: filename "${rawFilename}" would write outside output directory`)
+        process.exit(1)
+      }
 
       // Check if file already exists with same size (skip re-download)
       if (fs.existsSync(outPath) && meta) {
@@ -103,3 +110,39 @@ function formatSize(bytes: number): string {
   if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`
   return `${(bytes / (1024 * 1024)).toFixed(1)} MB`
 }
+
+/**
+ * Sanitize a filename to prevent path traversal and filesystem issues.
+ * - Strips directory components (path traversal prevention)
+ * - Removes null bytes and control characters
+ * - Replaces characters problematic on Windows/macOS/Linux
+ * - Handles Windows reserved names
+ * - Limits length to 255 characters
+ */
+function sanitizeFilename(name: string | undefined, fallback: string): string {
+  if (!name || name.trim().length === 0) return fallback
+
+  let sanitized = name
+    // Strip directory components (critical for path traversal prevention)
+    .split(/[/\\]/).pop() || ''
+    // Remove null bytes and control characters
+    .replace(/[\x00-\x1f]/g, '')
+    // Replace characters problematic across filesystems: < > : " / \ | ? *
+    .replace(/[<>:"/\\|?*]/g, '_')
+    // Trim leading/trailing spaces and dots (problematic on Windows)
+    .replace(/^[\s.]+|[\s.]+$/g, '')
+
+  // Handle Windows reserved names (CON, PRN, AUX, NUL, COM1-9, LPT1-9)
+  if (/^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/i.test(sanitized)) {
+    sanitized = `_${sanitized}`
+  }
+
+  // Limit length (255 is common filesystem limit)
+  if (sanitized.length > 255) {
+    const ext = path.extname(sanitized)
+    const base = sanitized.slice(0, 255 - ext.length)
+    sanitized = base + ext
+  }
+
+  return sanitized.length > 0 ? sanitized : fallback
+}

package/src/commands/auth-cmd.ts

@@ -92,8 +92,7 @@ export function registerAuthCommands(cli: Goke) {
           status: 'Authenticated',
           expires: s.expiresAt?.toISOString() ?? 'unknown',
         })),
+        { summary: `${statuses.length} account(s)` },
       )
-
-      out.hint(`${statuses.length} account(s)`)
     })
 }

package/src/commands/calendar.ts

@@ -55,12 +55,11 @@ export function registerCalendarCommands(cli: Goke) {
       )
 
       if (merged.length === 0) {
-        out.hint('No calendars found')
+        out.printList([], { summary: 'No calendars found' })
         return
       }
 
-      out.printList(merged)
-      out.hint(`${merged.length} calendars`)
+      out.printList(merged, { summary: `${merged.length} calendars` })
     })
 
   // =========================================================================
@@ -175,7 +174,7 @@ export function registerCalendarCommands(cli: Goke) {
         .slice(0, max)
 
       if (merged.length === 0) {
-        out.hint('No events found')
+        out.printList([], { summary: 'No events found' })
         return
       }
 
@@ -192,10 +191,8 @@ export function registerCalendarCommands(cli: Goke) {
             ...(e.calendarId && e.calendarId !== calendarId ? { calendar: e.calendarId } : {}),
           }
         }),
-        { nextPage: allResults[0]?.result.nextPageToken },
+        { nextPage: allResults[0]?.result.nextPageToken, summary: `${merged.length} events` },
       )
-
-      out.hint(`${merged.length} events`)
     })
 
   // =========================================================================

package/src/commands/draft.ts

@@ -59,7 +59,7 @@ export function registerDraftCommands(cli: Goke) {
         .slice(0, options.max)
 
       if (merged.length === 0) {
-        out.hint('No drafts found')
+        out.printList([], { summary: 'No drafts found' })
         return
       }
 
@@ -72,9 +72,8 @@ export function registerDraftCommands(cli: Goke) {
           subject: d.subject,
           date: out.formatDate(d.date),
         })),
+        { summary: `${merged.length} draft(s)` },
       )
-
-      out.hint(`${merged.length} draft(s)`)
     })
 
   // =========================================================================

package/src/commands/label.ts

@@ -40,7 +40,7 @@ export function registerLabelCommands(cli: Goke) {
       )
 
       if (merged.length === 0) {
-        out.hint('No labels found')
+        out.printList([], { summary: 'No labels found' })
         return
       }
 
@@ -58,9 +58,8 @@ export function registerLabelCommands(cli: Goke) {
           name: l.name,
           type: l.type,
         })),
+        { summary: `${merged.length} label(s)` },
       )
-
-      out.hint(`${merged.length} label(s)`)
     })
 
   // =========================================================================
@@ -168,7 +167,7 @@ export function registerLabelCommands(cli: Goke) {
       const withCounts = merged.filter((c) => c.count > 0).sort((a, b) => b.count - a.count)
 
       if (withCounts.length === 0) {
-        out.hint('All clear — no unread messages')
+        out.printList([], { summary: 'All clear — no unread messages' })
         return
       }
 
@@ -179,6 +178,7 @@ export function registerLabelCommands(cli: Goke) {
           label: c.label,
           count: c.count,
         })),
+        { summary: `${withCounts.length} label(s) with unread` },
       )
     })
 }

package/src/commands/mail.ts

@@ -6,7 +6,9 @@
 import type { Goke } from 'goke'
 import { z } from 'zod'
 import fs from 'node:fs'
+import path from 'node:path'
 import React from 'react'
+import { lookup as mimeLookup } from 'mrmime'
 import { getClients, getClient, listAccounts, login } from '../auth.js'
 import type { ThreadListResult } from '../gmail-client.js'
 import { AuthError } from '../api-utils.js'
@@ -23,19 +25,6 @@ export function registerMailCommands(cli: Goke) {
   // mail (TUI)
   // =========================================================================
 
-  cli
-    .command('mail', 'Browse emails in TUI')
-    .action(async () => {
-      const accounts = await listAccounts()
-      if (accounts.length === 0) {
-        const result = await login()
-        if (result instanceof Error) handleCommandError(result)
-      }
-
-      const { renderWithProviders } = await import('termcast')
-      const { default: Command } = await import('../mail-tui.js')
-      await renderWithProviders(React.createElement(Command))
-    })
 
   // =========================================================================
   // mail list
@@ -86,7 +75,7 @@ export function registerMailCommands(cli: Goke) {
         .slice(0, max)
 
       if (merged.length === 0) {
-        out.hint('No threads found')
+        out.printList([], { summary: 'No threads found' })
         return
       }
 
@@ -101,9 +90,8 @@ export function registerMailCommands(cli: Goke) {
           date: out.formatDate(t.date),
           messages: t.messageCount,
         })),
+        { summary: `${merged.length} threads (${folder})` },
       )
-
-      out.hint(`${merged.length} threads (${folder})`)
     })
 
   // =========================================================================
@@ -150,7 +138,7 @@ export function registerMailCommands(cli: Goke) {
         .slice(0, max)
 
       if (merged.length === 0) {
-        out.hint(`No results for "${query}"`)
+        out.printList([], { summary: `No results for "${query}"` })
         return
       }
 
@@ -165,9 +153,8 @@ export function registerMailCommands(cli: Goke) {
           date: out.formatDate(t.date),
           messages: t.messageCount,
         })),
+        { summary: `${merged.length} results for "${query}"` },
       )
-
-      out.hint(`${merged.length} results for "${query}"`)
     })
 
   // =========================================================================
@@ -280,6 +267,7 @@ export function registerMailCommands(cli: Goke) {
     .option('--cc <cc>', z.string().describe('CC recipients (comma-separated)'))
     .option('--bcc <bcc>', z.string().describe('BCC recipients (comma-separated)'))
     .option('--from <from>', z.string().describe('Send-as alias email'))
+    .option('--attach <attach>', z.array(z.string()).describe('File to attach (repeatable: --attach a.pdf --attach b.png)'))
     .action(async (options) => {
       if (!options.to) {
         out.error('--to is required')
@@ -308,6 +296,22 @@ export function registerMailCommands(cli: Goke) {
         process.exit(1)
       }
 
+      // Resolve attachment file paths (one file per --attach flag)
+      const attachments = options.attach
+        ? options.attach.map((filePath) => {
+            const resolved = path.resolve(filePath)
+            if (!fs.existsSync(resolved)) {
+              out.error(`Attachment not found: ${resolved}`)
+              process.exit(1)
+            }
+            return {
+              filename: path.basename(resolved),
+              mimeType: mimeLookup(resolved) ?? 'application/octet-stream',
+              content: fs.readFileSync(resolved),
+            }
+          })
+        : undefined
+
       const parseEmails = (str: string) =>
         str.split(',').map((e) => e.trim()).filter(Boolean).map((email) => ({ email }))
 
@@ -320,6 +324,7 @@ export function registerMailCommands(cli: Goke) {
         cc: options.cc ? parseEmails(options.cc) : undefined,
         bcc: options.bcc ? parseEmails(options.bcc) : undefined,
         fromEmail: options.from,
+        attachments,
       })
 
       out.printYaml(result)

package/src/db.ts

@@ -37,8 +37,12 @@ export function getPrisma(): Promise<PrismaClient> {
 }
 
 async function initializePrisma(): Promise<PrismaClient> {
+  // Create directory with restrictive permissions (owner only)
   if (!fs.existsSync(ZELE_DIR)) {
-    fs.mkdirSync(ZELE_DIR, { recursive: true })
+    fs.mkdirSync(ZELE_DIR, { recursive: true, mode: 0o700 })
+  } else {
+    // Ensure existing directory has correct permissions
+    fs.chmodSync(ZELE_DIR, 0o700)
   }
 
   const adapter = new PrismaLibSql({ url: `file:${DB_PATH}` })
@@ -54,6 +58,9 @@ async function initializePrisma(): Promise<PrismaClient> {
   // Run schema.sql — uses CREATE TABLE IF NOT EXISTS so it's idempotent
   await applySchema(prisma)
 
+  // Secure database files (owner read/write only)
+  secureDatabase()
+
   prismaInstance = prisma
   return prisma
 }
@@ -86,6 +93,24 @@ async function applySchema(prisma: PrismaClient): Promise<void> {
   }
 }
 
+/**
+ * Set restrictive permissions on database files.
+ * SQLite WAL mode creates additional -wal and -shm files that also need protection.
+ */
+function secureDatabase(): void {
+  const filesToSecure = [
+    DB_PATH,
+    `${DB_PATH}-wal`,
+    `${DB_PATH}-shm`,
+  ]
+
+  for (const filePath of filesToSecure) {
+    if (fs.existsSync(filePath)) {
+      fs.chmodSync(filePath, 0o600)
+    }
+  }
+}
+
 /**
  * Close the Prisma connection.
  */

package/src/gmail-client.ts

@@ -173,6 +173,15 @@ function sanitizeSnippet(snippet: string): string {
     .trim()
 }
 
+/**
+ * Sanitize header values to prevent CRLF injection attacks.
+ * The mimetext library does not sanitize custom header values, so newlines
+ * in In-Reply-To or References could inject arbitrary headers.
+ */
+function sanitizeHeaderValue(value: string): string {
+  return value.replace(/[\r\n]/g, ' ').trim()
+}
+
 function encodeBase64Url(data: string | Buffer) {
   const buf = typeof data === 'string' ? Buffer.from(data) : data
   return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
@@ -205,6 +214,24 @@ function gmailBoundary<T>(email: string, fn: () => Promise<T>) {
   })
 }
 
+/**
+ * Known folder names that map to Gmail system folders/labels.
+ * Used to validate custom label names and prevent query injection.
+ */
+const KNOWN_FOLDERS = new Set([
+  'inbox',
+  'sent',
+  'trash',
+  'bin',
+  'spam',
+  'drafts',
+  'draft',
+  'starred',
+  'archive',
+  'snoozed',
+  'all',
+])
+
 export class GmailClient {
   private gmail: gmail_v1.Gmail
   private labelIdCache: Record<string, string> = {}
@@ -1615,7 +1642,7 @@ export class GmailClient {
     })
 
     if (inReplyTo) {
-      msg.setHeader('In-Reply-To', inReplyTo)
+      msg.setHeader('In-Reply-To', sanitizeHeaderValue(inReplyTo))
     }
 
     if (references) {
@@ -1623,6 +1650,7 @@ export class GmailClient {
         .split(' ')
         .filter(Boolean)
         .map((ref) => {
+          ref = sanitizeHeaderValue(ref)
           if (!ref.startsWith('<')) ref = `<${ref}`
           if (!ref.endsWith('>')) ref = `${ref}>`
           return ref
@@ -1707,7 +1735,21 @@ export class GmailClient {
 
     // For non-inbox folders, use Gmail search syntax.
     // Caller-provided labelIds are preserved as additional filters.
-    switch (folder) {
+
+    // Normalize folder name to lowercase for consistent matching
+    const normalizedFolder = folder.toLowerCase()
+
+    // Validate custom label names to prevent query injection.
+    // Gmail query operators like "OR", "from:", parentheses, etc. could manipulate search results.
+    // Known folders are handled by the switch cases below; custom labels must be safe characters only.
+    // Slashes are allowed for nested labels (e.g., "work/projects").
+    if (!KNOWN_FOLDERS.has(normalizedFolder) && !/^[\w\/-]+$/.test(normalizedFolder)) {
+      throw new Error(
+        `Invalid folder/label name: "${folder}". Use alphanumeric characters, underscores, hyphens, and slashes only.`,
+      )
+    }
+
+    switch (normalizedFolder) {
       case 'sent':
         q = `in:sent ${q}`.trim()
         break
@@ -1735,8 +1777,8 @@ export class GmailClient {
         q = `in:anywhere ${q}`.trim()
         break
       default:
-        // Treat as a label name
-        q = `label:${folder} ${q}`.trim()
+        // Treat as a label name (use normalized for consistency)
+        q = `label:${normalizedFolder} ${q}`.trim()
         break
     }
 

package/src/mail-tui.test.ts

@@ -0,0 +1,170 @@
+// E2E test for the mail TUI mailbox folder switching.
+// Uses tuistory to launch the TUI via termcast dev and verify folder filter actions.
+
+import path from 'path'
+import { test, expect, afterEach } from 'vitest'
+import { launchTerminal, type TerminalSession } from 'tuistory'
+
+const PROJECT_ROOT = path.resolve(import.meta.dirname, '..')
+
+let session: TerminalSession
+
+afterEach(() => {
+  session?.close()
+})
+
+/**
+ * Navigate down in the actions panel until the cursor line contains the target text.
+ * Returns true if found, false if we hit maxSteps without finding it.
+ */
+async function navigateToAction(
+  session: TerminalSession,
+  target: string,
+  maxSteps = 25,
+): Promise<boolean> {
+  for (let i = 0; i < maxSteps; i++) {
+    const text = await session.text({ trimEnd: true })
+    // tuistory renders the cursor line with › prefix
+    const lines = text.split('\n')
+    const cursorLine = lines.find((l) => l.includes('›') && l.includes(target))
+    if (cursorLine) return true
+    await session.press('down')
+  }
+  return false
+}
+
+/**
+ * Extract just the visible portion of the actions panel overlay from a terminal snapshot.
+ * Strips the background list content and returns only action items.
+ */
+function extractActionsPanel(text: string): string {
+  const lines = text.split('\n')
+  const panelLines: string[] = []
+  let inPanel = false
+  for (const line of lines) {
+    if (line.includes('Actions') && line.includes('esc')) inPanel = true
+    if (inPanel) {
+      // Extract the content between the box-drawing borders
+      const match = line.match(/│\s*(.*?)\s*│/)
+      if (match) {
+        panelLines.push(match[1]!.trimEnd())
+      }
+    }
+    if (inPanel && line.includes('╰')) break
+  }
+  return panelLines.filter((l) => l.length > 0).join('\n')
+}
+
+test('mailbox folder filter switches between folders', async () => {
+  session = await launchTerminal({
+    command: 'termcast',
+    args: ['dev'],
+    cols: 120,
+    rows: 36,
+    cwd: PROJECT_ROOT,
+  })
+
+  // Wait for the TUI to render with inbox
+  await session.waitForText('Search', { timeout: 20000 })
+  const initialScreen = await session.text({ trimEnd: true })
+  expect(initialScreen).toContain('Search Inbox...')
+
+  // Open actions panel and navigate to "Sent" action
+  await session.press(['ctrl', 'k'])
+  await session.waitForText('Actions', { timeout: 5000 })
+
+  const foundSent = await navigateToAction(session, 'Sent')
+  expect(foundSent).toBe(true)
+
+  // Snapshot the actions panel with cursor on Sent
+  const actionsWithSent = extractActionsPanel(await session.text({ trimEnd: true }))
+  expect(actionsWithSent).toMatchInlineSnapshot(`
+    "Actions                                                          esc
+    > Search actions...
+    Copy Thread ID
+    Copy Subject
+    Copy Sender Email
+    ⌧ Trash                                                 ⌃BACKSPACE
+    Mailbox                                                             ▀
+    ✓ Inbox
+    ›○ Sent
+    ○ Starred
+    ○ Drafts
+    ↵ select   ↑↓ navigate"
+  `)
+
+  await session.press('enter')
+
+  // Verify the screen updated to Sent folder
+  await session.waitForText('Search Sent', { timeout: 15000 })
+  const sentScreen = await session.text({ trimEnd: true })
+  expect(sentScreen).toContain('Search Sent...')
+
+  // Now switch back to Inbox via actions panel
+  await session.press(['ctrl', 'k'])
+  await session.waitForText('Actions', { timeout: 5000 })
+
+  const foundInbox = await navigateToAction(session, 'Inbox')
+  expect(foundInbox).toBe(true)
+
+  // Snapshot the actions panel with cursor on Inbox (should show checkmark on Sent now)
+  const actionsWithInbox = extractActionsPanel(await session.text({ trimEnd: true }))
+  expect(actionsWithInbox).toMatchInlineSnapshot(`
+    "Actions                                                          esc
+    > Search actions...
+    Copy Thread ID
+    Copy Subject
+    Copy Sender Email
+    ⌧ Trash                                                 ⌃BACKSPACE
+    Mailbox                                                             ▀
+    ›○ Inbox
+    ✓ Sent
+    ○ Starred
+    ○ Drafts
+    ↵ select   ↑↓ navigate"
+  `)
+
+  await session.press('enter')
+
+  // Verify switched back to Inbox
+  await session.waitForText('Search Inbox', { timeout: 15000 })
+  const inboxScreen = await session.text({ trimEnd: true })
+  expect(inboxScreen).toContain('Search Inbox...')
+}, 60000)
+
+test('actions panel lists mailbox folder options', async () => {
+  session = await launchTerminal({
+    command: 'termcast',
+    args: ['dev'],
+    cols: 120,
+    rows: 36,
+    cwd: PROJECT_ROOT,
+  })
+
+  await session.waitForText('Search', { timeout: 20000 })
+
+  // Open actions panel
+  await session.press(['ctrl', 'k'])
+  await session.waitForText('Actions', { timeout: 5000 })
+
+  // Navigate down to Mailbox section
+  const foundStarred = await navigateToAction(session, 'Starred')
+  expect(foundStarred).toBe(true)
+
+  // Snapshot the Mailbox section visible in the actions panel
+  const actionsText = extractActionsPanel(await session.text({ trimEnd: true }))
+  expect(actionsText).toMatchInlineSnapshot(`
+    "Actions                                                          esc
+    > Search actions...
+    Copy Thread ID
+    Copy Subject
+    Copy Sender Email
+    ⌧ Trash                                                 ⌃BACKSPACE
+    Mailbox                                                             ▀
+    ✓ Inbox
+    ○ Sent
+    ›○ Starred
+    ○ Drafts
+    ↵ select   ↑↓ navigate"
+  `)
+}, 30000)