decodingtrust-agent-sdk 0.2.3__tar.gz → 0.2.6__tar.gz

{decodingtrust_agent_sdk-0.2.3/decodingtrust_agent_sdk.egg-info → decodingtrust_agent_sdk-0.2.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: decodingtrust-agent-sdk
-Version: 0.2.3
+Version: 0.2.6
 Summary: DecodingTrust Agent Platform (DTap) — A controllable and interactive red-teaming platform for AI agents
 Author-email: DTap Team <zhaorun@uchicago.edu>
 License:                                  Apache License

{decodingtrust_agent_sdk-0.2.3 → decodingtrust_agent_sdk-0.2.6}/agent/claudesdk/src/agent.py

@@ -3,6 +3,7 @@ import shutil
 import tempfile
 import uuid
 from datetime import datetime
+from pathlib import Path
 from typing import Dict, Any, Optional, List, Union
 
 from claude_agent_sdk import (
@@ -70,9 +71,25 @@ class ClaudeSDKAgent(Agent):
         # Skill injection temp directory
         self._skill_temp_dir: Optional[str] = None
 
-        # Per-instance Claude Code home. 
+        # Per-instance Claude Code home.
         self._claude_home: str = tempfile.mkdtemp(prefix="claude-home-")
 
+        # Seed the isolated home with the user's OAuth credentials so that,
+        # when ANTHROPIC_API_KEY is unset, the spawned `claude` CLI authenticates
+        # via the logged-in subscription (Max/Pro) instead of reporting
+        # "Not logged in". CLAUDE_CONFIG_DIR points the CLI at this temp home, so
+        # without this copy it can't find ~/.claude/.credentials.json. The temp
+        # home (and this copy) is removed when the agent is cleaned up.
+        # No-op when API-key billing is used or no credentials file exists.
+        _src_creds = Path.home() / ".claude" / ".credentials.json"
+        if _src_creds.is_file():
+            try:
+                _dst_creds = Path(self._claude_home) / ".credentials.json"
+                shutil.copy2(_src_creds, _dst_creds)
+                os.chmod(_dst_creds, 0o600)
+            except OSError as e:
+                print(f"[WARNING] Could not seed Claude subscription credentials: {e}")
+
         # Claude SDK client for multi-turn conversations
         self._client: Optional[ClaudeSDKClient] = None
         self._options: Optional[ClaudeAgentOptions] = None

{decodingtrust_agent_sdk-0.2.3 → decodingtrust_agent_sdk-0.2.6/decodingtrust_agent_sdk.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: decodingtrust-agent-sdk
-Version: 0.2.3
+Version: 0.2.6
 Summary: DecodingTrust Agent Platform (DTap) — A controllable and interactive red-teaming platform for AI agents
 Author-email: DTap Team <zhaorun@uchicago.edu>
 License:                                  Apache License

{decodingtrust_agent_sdk-0.2.3 → decodingtrust_agent_sdk-0.2.6}/decodingtrust_agent_sdk.egg-info/SOURCES.txt

@@ -304,6 +304,8 @@ dt_arena/utils/bigquery/__init__.py
 dt_arena/utils/bigquery/helpers.py
 dt_arena/utils/calendar/__init__.py
 dt_arena/utils/calendar/helpers.py
+dt_arena/utils/chase/__init__.py
+dt_arena/utils/chase/helpers.py
 dt_arena/utils/customer_service/__init__.py
 dt_arena/utils/customer_service/cs_env_client.py
 dt_arena/utils/customer_service/helpers.py
@@ -338,6 +340,8 @@ dt_arena/utils/paypal/__init__.py
 dt_arena/utils/paypal/helpers.py
 dt_arena/utils/research/__init__.py
 dt_arena/utils/research/helpers.py
+dt_arena/utils/robinhood/__init__.py
+dt_arena/utils/robinhood/helpers.py
 dt_arena/utils/salesforce/__init__.py
 dt_arena/utils/salesforce/helpers.py
 dt_arena/utils/slack/__init__.py

{decodingtrust_agent_sdk-0.2.3 → decodingtrust_agent_sdk-0.2.6}/dt_arena/config/env.yaml

@@ -566,3 +566,107 @@ environments:
       BIGQUERY_GRPC_PORT:
         default: 9060
         container_port: 9060
+
+  chase:
+    docker_compose: "dt_arena/envs/chase/docker-compose.yml"
+    reset_endpoints:
+      api:
+        url: "http://127.0.0.1:${CHASE_API_PORT}/admin/reset"
+        method: POST
+    ports:
+      CHASE_PG_PORT:
+        default: 5468
+        container_port: 5468
+      CHASE_API_PORT:
+        default: 8068
+        container_port: 8068
+      CHASE_UI_PORT:
+        default: 8069
+        container_port: 8069
+
+  robinhood:
+    docker_compose: "dt_arena/envs/robinhood/docker-compose.yml"
+    reset_endpoints:
+      api:
+        url: "http://127.0.0.1:${ROBINHOOD_API_PORT}/admin/reset"
+        method: POST
+    ports:
+      ROBINHOOD_PG_PORT:
+        default: 5470
+        container_port: 5470
+      ROBINHOOD_API_PORT:
+        default: 8070
+        container_port: 8070
+      ROBINHOOD_UI_PORT:
+        default: 8071
+        container_port: 8071
+
+  booking:
+    docker_compose: "dt_arena/envs/booking/docker-compose.yml"
+    reset_endpoints:
+      api:
+        url: "http://127.0.0.1:${BOOKING_API_PORT}/admin/reset"
+        method: POST
+    ports:
+      BOOKING_PG_PORT:
+        default: 5479
+        container_port: 5479
+      BOOKING_API_PORT:
+        default: 8059
+        container_port: 8059
+
+  doordash:
+    docker_compose: "dt_arena/envs/doordash/docker-compose.yml"
+    reset_endpoints:
+      api:
+        url: "http://127.0.0.1:${DOORDASH_API_PORT}/admin/reset"
+        method: POST
+    ports:
+      DOORDASH_PG_PORT:
+        default: 5482
+        container_port: 5482
+      DOORDASH_API_PORT:
+        default: 8062
+        container_port: 8062
+
+  expedia:
+    docker_compose: "dt_arena/envs/expedia/docker-compose.yml"
+    reset_endpoints:
+      api:
+        url: "http://127.0.0.1:${EXPEDIA_API_PORT}/admin/reset"
+        method: POST
+    ports:
+      EXPEDIA_PG_PORT:
+        default: 5478
+        container_port: 5478
+      EXPEDIA_API_PORT:
+        default: 8058
+        container_port: 8058
+
+  southwest:
+    docker_compose: "dt_arena/envs/southwest/docker-compose.yml"
+    reset_endpoints:
+      api:
+        url: "http://127.0.0.1:${SOUTHWEST_API_PORT}/admin/reset"
+        method: POST
+    ports:
+      SOUTHWEST_PG_PORT:
+        default: 5475
+        container_port: 5475
+      SOUTHWEST_API_PORT:
+        default: 8055
+        container_port: 8055
+
+  united:
+    docker_compose: "dt_arena/envs/united/docker-compose.yml"
+    reset_endpoints:
+      api:
+        url: "http://127.0.0.1:${UNITED_API_PORT}/admin/reset"
+        method: POST
+    ports:
+      UNITED_PG_PORT:
+        default: 5476
+        container_port: 5476
+      UNITED_API_PORT:
+        default: 8056
+        container_port: 8056

{decodingtrust_agent_sdk-0.2.3 → decodingtrust_agent_sdk-0.2.6}/dt_arena/config/injection_mcp.yaml

@@ -103,6 +103,40 @@ servers:
     transport: http
     command: ["python3", "env_injection.py"]
 
+  # Chase Environment Injection MCP Server (red-teaming)
+  - name: chase-injection
+    target_environment: chase
+    description: Chase environment injection MCP server for red-teaming (inject Zelle requests/contacts, transactions, statements)
+    path: chase/env_injection.py
+    enabled: true
+    env:
+      CHASE_ENV_INJECTION_MCP_HOST: "localhost"
+      CHASE_ENV_INJECTION_MCP_PORT: "10318"
+      CHASE_PG_HOST: "127.0.0.1"
+      CHASE_PG_PORT: "${CHASE_PG_PORT}"
+      CHASE_PG_DB: "chase_sandbox"
+      CHASE_PG_USER: "sandbox"
+      CHASE_PG_PASSWORD: "sandbox"
+    transport: http
+    command: ["python3", "env_injection.py"]
+
+  # Robinhood Environment Injection MCP Server (red-teaming)
+  - name: robinhood-injection
+    target_environment: robinhood
+    description: Robinhood environment injection MCP server for red-teaming (inject orders, positions, watchlists, notifications)
+    path: robinhood/env_injection.py
+    enabled: true
+    env:
+      ROBINHOOD_ENV_INJECTION_MCP_HOST: "localhost"
+      ROBINHOOD_ENV_INJECTION_MCP_PORT: "10317"
+      ROBINHOOD_PG_HOST: "127.0.0.1"
+      ROBINHOOD_PG_PORT: "${ROBINHOOD_PG_PORT}"
+      ROBINHOOD_PG_DB: "robinhood_sandbox"
+      ROBINHOOD_PG_USER: "sandbox"
+      ROBINHOOD_PG_PASSWORD: "sandbox"
+    transport: http
+    command: ["python3", "env_injection.py"]
+
   # Gmail Environment Injection MCP Server (red-teaming)
   - name: gmail-injection
     target_environment: gmail

{decodingtrust_agent_sdk-0.2.3 → decodingtrust_agent_sdk-0.2.6}/dt_arena/envs/whatsapp/docker-compose-hub.yml

@@ -2,7 +2,7 @@ version: "3.8"
 
 services:
   whatsapp-pg:
-    image: postgres:14
+    image: decodingtrustagent/whatsapp:pg
     network_mode: host
     privileged: true
     security_opt:
@@ -12,18 +12,16 @@ services:
       POSTGRES_USER: sandbox
       POSTGRES_PASSWORD: sandbox
       PGPORT: ${WHATSAPP_PG_PORT:-5473}
-    volumes:
-      - ./init:/docker-entrypoint-initdb.d:ro
     healthcheck:
-      test: ["CMD-SHELL", "psql -U sandbox -d whatsapp_sandbox -c 'SELECT 1 FROM users LIMIT 1' > /dev/null 2>&1 || exit 1"]
+      test: ["CMD-SHELL", "pg_isready -U sandbox -d whatsapp_sandbox"]
       interval: 5s
       timeout: 5s
-      retries: 30
-      start_period: 60s
+      retries: 20
+      start_period: 30s
     restart: unless-stopped
 
   whatsapp-api:
-    image: decodingtrustagent/whatsapp:api-local
+    image: decodingtrustagent/whatsapp:api-latest
     network_mode: host
     privileged: true
     security_opt:
@@ -43,8 +41,6 @@ services:
       WHATSAPP_PG_USER: sandbox
       WHATSAPP_PG_PASSWORD: sandbox
       WHATSAPP_API_PORT: ${WHATSAPP_API_PORT:-8039}
-    volumes:
-      - ./api:/app:ro
     healthcheck:
       test: ["CMD-SHELL", "python -c \"import urllib.request; urllib.request.urlopen('http://127.0.0.1:$${WHATSAPP_API_PORT:-8039}/health', timeout=5)\" || exit 1"]
       interval: 5s
@@ -54,6 +50,8 @@ services:
     restart: unless-stopped
 
   whatsapp-ui:
+    security_opt:
+      - seccomp:unconfined
     image: decodingtrustagent/whatsapp:ui-latest
     network_mode: host
     restart: unless-stopped

{decodingtrust_agent_sdk-0.2.3 → decodingtrust_agent_sdk-0.2.6}/dt_arena/mcp_server/gmail/main.py

@@ -5,8 +5,14 @@ Preserves tool signature: get_gmail_content(limit:int)->str
 Also exposes list_messages, get_message, delete_all_messages, find_message for direct tooling.
 """
 import os
+import re
 import asyncio
+import base64
 import json
+import mimetypes
+import time
+import collections
+from urllib.parse import quote
 from datetime import datetime
 from typing import Any, Dict, List, Optional, Tuple
 
@@ -25,6 +31,46 @@ from email.utils import getaddresses
 MAILPIT_BASE_URL = os.getenv("MAILPIT_BASE_URL", "http://localhost:8025")
 # Use API Proxy for user-specific filtering
 API_PROXY_URL = os.getenv("API_PROXY_URL", "http://localhost:8031")
+# Base URL the *agent* can reach for download links (set to the public gateway
+# in a remote deployment); falls back to the proxy URL the MCP itself uses.
+GMAIL_PUBLIC_URL = os.getenv("GMAIL_PUBLIC_URL", API_PROXY_URL)
+
+# Base URL at which the *agent* reaches THIS MCP server (the gateway/public
+# address in a remote deployment). Attachment upload/download go through custom
+# HTTP routes on this server (below) so the agent never needs the access token —
+# the routes use the server-held token internally.
+MCP_PUBLIC_URL = os.getenv("MCP_PUBLIC_URL", "http://127.0.0.1:8840").rstrip("/")
+
+# Access control for THIS MCP (protocol + the attachment routes). When set, every
+# client must present `Authorization: Bearer <MCP_AUTH_TOKEN>`. This is the gmail
+# *agent's* credential to reach the MCP — distinct from the gmail access token,
+# which always stays server-side. Leave unset only for local/demo use.
+MCP_AUTH_TOKEN = os.getenv("MCP_AUTH_TOKEN", "")
+
+
+def _route_authorized(request) -> bool:
+    if not MCP_AUTH_TOKEN:
+        return True
+    h = request.headers.get("authorization", "")
+    tok = h[7:] if h.startswith("Bearer ") else h
+    return tok == MCP_AUTH_TOKEN
+
+# Simple per-instance rate limit on uploads, so a misbehaving/compromised agent
+# can't hammer the staging area. Tune with UPLOAD_RATE_PER_MIN.
+_UPLOAD_RATE_PER_MIN = int(os.getenv("UPLOAD_RATE_PER_MIN", "30"))
+_upload_times: "collections.deque" = collections.deque()
+
+
+def _upload_rate_ok() -> bool:
+    now = time.monotonic()
+    while _upload_times and now - _upload_times[0] > 60:
+        _upload_times.popleft()
+    if len(_upload_times) >= _UPLOAD_RATE_PER_MIN:
+        return False
+    _upload_times.append(now)
+    return True
+
+
 MAILPIT_MESSAGES_API = f"{API_PROXY_URL}/api/v1/messages"
 MAILPIT_MESSAGE_API = f"{API_PROXY_URL}/api/v1/message"
 MAILPIT_SMTP_HOST = os.getenv("MAILPIT_SMTP_HOST", "localhost")
@@ -43,8 +89,70 @@ print(f"[MCP Server] MAILPIT_SMTP_HOST: {MAILPIT_SMTP_HOST}", file=sys.stderr)
 print(f"[MCP Server] ==================", file=sys.stderr)
 sys.stderr.flush()
 
-# Create a FastMCP server
-mcp = FastMCP("Gmail Client")
+# Create a FastMCP server (token-gated when MCP_AUTH_TOKEN is set)
+_mcp_auth = None
+if MCP_AUTH_TOKEN:
+    from fastmcp.server.auth.providers.jwt import StaticTokenVerifier
+    _mcp_auth = StaticTokenVerifier({MCP_AUTH_TOKEN: {"client_id": "gmail-agent"}})
+mcp = FastMCP("Gmail Client", auth=_mcp_auth)
+
+
+@mcp.custom_route("/attachments/upload", methods=["POST"])
+async def _attachment_upload_route(request):
+    """Out-of-band file upload, hosted by the MCP server itself. The agent POSTs
+    the raw file bytes here (no token needed beyond reaching the MCP); the route
+    stages the file using the SERVER-held access token and returns an
+    attachment_id to pass to send_email. Rate-limited and size-capped."""
+    from starlette.responses import JSONResponse as _JSON
+    if not _route_authorized(request):
+        return _JSON({"error": "unauthorized"}, status_code=401)
+    if not _upload_rate_ok():
+        return _JSON({"error": "upload rate limit exceeded, slow down"}, status_code=429)
+    filename = request.query_params.get("filename", "file")
+    ctype = request.headers.get("content-type") or "application/octet-stream"
+    client = await get_http()
+    url = f"{API_PROXY_URL}/api/v1/attachments?filename={quote(filename)}"
+    headers = {"Authorization": f"Bearer {USER_ACCESS_TOKEN}", "Content-Type": ctype}
+    try:
+        r = await client.post(url, content=request.stream(), headers=headers, timeout=300.0)
+    except Exception as e:
+        return _JSON({"error": f"upstream upload failed: {e}"}, status_code=502)
+    if r.headers.get("content-type", "").startswith("application/json"):
+        return _JSON(r.json(), status_code=r.status_code)
+    return _JSON({"error": r.text[:200]}, status_code=r.status_code)
+
+
+@mcp.custom_route("/attachments/download", methods=["GET"])
+async def _attachment_download_route(request):
+    """Out-of-band file download, hosted by the MCP server. Streams a received
+    attachment back to the agent using the SERVER-held token; no token needed in
+    the URL. Query: ?msg=<message id>&part=<part id>."""
+    from starlette.responses import JSONResponse as _JSON, StreamingResponse as _Stream
+    if not _route_authorized(request):
+        return _JSON({"error": "unauthorized"}, status_code=401)
+    msg = request.query_params.get("msg")
+    part = request.query_params.get("part")
+    if not msg or not part:
+        return _JSON({"error": "msg and part query params are required"}, status_code=400)
+    client = await get_http()
+    url = f"{API_PROXY_URL}/api/v1/message/{quote(msg)}/part/{quote(part)}"
+    upstream = await client.send(
+        client.build_request("GET", url, headers={"Authorization": f"Bearer {USER_ACCESS_TOKEN}"}),
+        stream=True,
+    )
+
+    async def _body():
+        try:
+            async for chunk in upstream.aiter_bytes(65536):
+                yield chunk
+        finally:
+            await upstream.aclose()
+
+    headers = {}
+    if upstream.headers.get("content-disposition"):
+        headers["Content-Disposition"] = upstream.headers["content-disposition"]
+    return _Stream(_body(), status_code=upstream.status_code,
+                   media_type=upstream.headers.get("content-type", "application/octet-stream"), headers=headers)
 
 _http_client: Optional[httpx.AsyncClient] = None
 
@@ -384,18 +492,21 @@ async def list_messages(limit: int = 50) -> str:
         
         user_email_lower = user_email.lower()
         msgs = await _fetch_messages(limit_scan=max(1, min(500, limit * 2)))
-        
+
         inbox_msgs = []
         for m in msgs:
             if len(inbox_msgs) >= limit:
                 break
-            # Check if user is in To or Cc
-            to_addrs = _addresses_from_field(m.get("To") or m.get("to"))
-            cc_addrs = _addresses_from_field(m.get("Cc") or m.get("cc"))
-            all_recipients = [a.lower() for a in to_addrs + cc_addrs]
-            if user_email_lower in all_recipients:
+            # The proxy already scopes msgs to emails this user owns, so any owned
+            # message NOT sent by the user is a received (inbox) message. This
+            # covers To, Cc AND Bcc recipients — a Bcc-only recipient appears in
+            # none of the To/Cc fields (Bcc is stripped from the delivered headers)
+            # yet still received the mail.
+            from_addrs = _addresses_from_field(m.get("From") or m.get("from"))
+            is_sender = user_email_lower in [a.lower() for a in from_addrs]
+            if not is_sender:
                 inbox_msgs.append(m)
-        
+
         return json.dumps(inbox_msgs, ensure_ascii=False)
     except Exception as e:
         return json.dumps({"error": str(e)})
@@ -669,26 +780,116 @@ async def get_message_body(id: str, prefer: Optional[str] = "auto") -> str:
         return json.dumps({"error": str(e)})
 
 
+def _extract_attachments(detail: Dict[str, Any]) -> List[Dict[str, Any]]:
+    """Normalize Mailpit's attachment metadata into a simple list."""
+    raw = detail.get("Attachments") or detail.get("attachments") or []
+    out = []
+    for a in raw:
+        out.append({
+            "part_id": a.get("PartID") or a.get("partID") or a.get("PartId") or a.get("part_id"),
+            "filename": a.get("FileName") or a.get("filename") or a.get("Filename"),
+            "content_type": a.get("ContentType") or a.get("content_type"),
+            "size": a.get("Size") or a.get("size"),
+        })
+    return out
+
+
 @mcp.tool()
 async def list_attachments(id: str) -> str:
     """List all attachments in a specific email.
-    
+
     Args:
         id: The message ID
-    
+
     Returns:
-        JSON array of attachment objects with filename, content type, and size information
+        JSON array of attachments: part_id, filename, content_type, size, and a
+        download_url. Fetch download_url out-of-band (e.g. curl) to get the file
+        without pulling its bytes through this tool; or use get_attachment().
     """
     if not id:
         return json.dumps({"error": "id is required"})
     try:
         detail = await _fetch_message_detail(id)
         atts = _extract_attachments(detail)
+        for a in atts:
+            if a.get("part_id") is not None:
+                a["download_url"] = f"{MCP_PUBLIC_URL}/attachments/download?msg={quote(id)}&part={quote(str(a['part_id']))}"
         return json.dumps(atts, ensure_ascii=False)
     except Exception as e:
         return json.dumps({"error": str(e)})
 
 
+@mcp.tool()
+async def get_attachment(id: str, part_id: str) -> str:
+    """Download the content of an email attachment.
+
+    Args:
+        id: The message ID (from list_messages / search_messages)
+        part_id: The attachment's part id (the "part_id" from list_attachments)
+
+    Returns:
+        JSON with content_type, size, a download_url (a plain GET on this MCP
+        server, e.g. `curl "<download_url>"`, that streams the bytes — no token
+        needed), and — for small UTF-8 text — a "text" field with the decoded
+        content. Binary bytes are NOT inlined.
+    """
+    if not id or not part_id:
+        return json.dumps({"error": "id and part_id are required"})
+    try:
+        client = await get_http()
+        resp = await client.get(
+            f"{API_PROXY_URL}/api/v1/message/{id}/part/{part_id}",
+            headers=_get_auth_headers(),
+        )
+        if resp.status_code == 404:
+            return json.dumps({"error": "attachment not found"})
+        resp.raise_for_status()
+        content = resp.content
+        out = {
+            "part_id": part_id,
+            "content_type": resp.headers.get("content-type", "application/octet-stream"),
+            "size": len(content),
+            "download_url": f"{MCP_PUBLIC_URL}/attachments/download?msg={quote(id)}&part={quote(str(part_id))}",
+        }
+        if len(content) <= 200_000:
+            try:
+                out["text"] = content.decode("utf-8")
+            except Exception:
+                pass
+        return json.dumps(out, ensure_ascii=False)
+    except Exception as e:
+        return json.dumps({"error": str(e)})
+
+
+@mcp.tool()
+async def get_attachment_upload_url(filename: str = "file") -> str:
+    """Get a pre-authorized URL for uploading a local file to attach to an email.
+
+    Use this whenever you want to attach a file from your machine — it keeps the
+    file's bytes out of the tool call entirely. Three steps:
+      1. Call this with the file's name; it returns an `upload_url`.
+      2. POST the raw file bytes to that URL (it points at this MCP server, which
+         authorizes it for you — no token or extra headers needed), e.g.:
+             curl -X POST --data-binary @/path/to/file "<upload_url>"
+         The JSON response contains an `attachment_id`.
+      3. Call send_email(..., attachments=[{"attachment_id": "<that id>"}]).
+
+    Returns JSON with upload_url, method, body, a ready-to-run curl example, and
+    the next step.
+    """
+    upload_url = f"{MCP_PUBLIC_URL}/attachments/upload?filename={quote(filename)}"
+    auth_hdr = ' -H "Authorization: Bearer <your MCP token>"' if MCP_AUTH_TOKEN else ''
+    return json.dumps({
+        "upload_url": upload_url,
+        "method": "POST",
+        "body": "the raw file bytes (NOT multipart, NOT base64)",
+        "auth": ("include the same Authorization header you use to reach this MCP"
+                 if MCP_AUTH_TOKEN else "no auth header needed"),
+        "example": f'curl -X POST{auth_hdr} --data-binary @/path/to/{filename} "{upload_url}"',
+        "next_step": 'take attachment_id from the response, then send_email(attachments=[{"attachment_id": "..."}])',
+    }, ensure_ascii=False)
+
+
 @mcp.tool()
 async def send_reply(id: str,
                      body: Optional[str] = None,
@@ -879,7 +1080,8 @@ def _send_email_sync(to: Any,
                      body: Optional[str],
                      from_email: Optional[str],
                      cc: Optional[Any],
-                     bcc: Optional[Any]) -> Dict[str, Any]:
+                     bcc: Optional[Any],
+                     attachments: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
     sender = from_email or "noreply@example.com"
     to_list = _normalize_recipients(to)
     cc_list = _normalize_recipients(cc)
@@ -896,6 +1098,22 @@ def _send_email_sync(to: Any,
     msg["Subject"] = subject or "Test Email"
     msg.set_content(body or "This is a test email from Mailpit MCP.")
 
+    # Attachments — the agent passes file CONTENT as base64 (the MCP is a remote
+    # HTTP service and cannot read the agent's local filesystem).
+    attached = []
+    for att in (attachments or []):
+        try:
+            raw = base64.b64decode(att.get("data", ""))
+        except Exception:
+            continue
+        ctype = att.get("content_type") or "application/octet-stream"
+        maintype, _, subtype = ctype.partition("/")
+        if not subtype:
+            maintype, subtype = "application", "octet-stream"
+        fname = att.get("filename") or "attachment"
+        msg.add_attachment(raw, maintype=maintype, subtype=subtype, filename=fname)
+        attached.append(fname)
+
     recipients: List[str] = []
     recipients.extend(to_list)
     recipients.extend(cc_list)
@@ -903,7 +1121,49 @@ def _send_email_sync(to: Any,
 
     with smtplib.SMTP(MAILPIT_SMTP_HOST, MAILPIT_SMTP_PORT, local_hostname="localhost") as smtp:
         smtp.send_message(msg, from_addr=sender, to_addrs=recipients)
-    return {"ok": True, "to": recipients, "from": sender, "subject": msg["Subject"]}
+    return {"ok": True, "to": recipients, "from": sender, "subject": msg["Subject"], "attachments": attached}
+
+
+async def _resolve_attachments(attachments):
+    """Resolve each attachment spec to {filename, content_type, data(base64)}.
+
+    Accepts {data: base64}, {attachment_id}, {url}, or {path} (a path readable by
+    THIS server). For attachment_id/url the bytes are fetched out-of-band so the
+    agent never has to inline a large base64 blob in the tool call.
+    """
+    out = []
+    client = await get_http()
+    for att in (attachments or []):
+        if not isinstance(att, dict):
+            continue
+        filename = att.get("filename")
+        content_type = att.get("content_type")
+        data_b64 = None
+        if att.get("data"):
+            data_b64 = att["data"]
+        elif att.get("attachment_id"):
+            r = await client.get(f"{API_PROXY_URL}/api/v1/attachments/{att['attachment_id']}", headers=_get_auth_headers())
+            r.raise_for_status()
+            data_b64 = base64.b64encode(r.content).decode()
+            content_type = content_type or r.headers.get("content-type")
+            if not filename:
+                m = re.search(r'filename="?([^"]+)"?', r.headers.get("content-disposition", ""))
+                filename = m.group(1) if m else att["attachment_id"]
+        elif att.get("url"):
+            r = await client.get(att["url"], headers=_get_auth_headers())
+            r.raise_for_status()
+            data_b64 = base64.b64encode(r.content).decode()
+            content_type = content_type or r.headers.get("content-type")
+            filename = filename or att["url"].split("?")[0].rstrip("/").split("/")[-1]
+        elif att.get("path"):
+            with open(att["path"], "rb") as f:
+                data_b64 = base64.b64encode(f.read()).decode()
+            filename = filename or os.path.basename(att["path"])
+            content_type = content_type or (mimetypes.guess_type(att["path"])[0] or "application/octet-stream")
+        if data_b64 is None:
+            continue
+        out.append({"filename": filename or "attachment", "content_type": content_type or "application/octet-stream", "data": data_b64})
+    return out
 
 
 @mcp.tool()
@@ -912,9 +1172,10 @@ async def send_email(to: Any,
                      body: Optional[str] = None,
                      from_email: Optional[str] = None,
                      cc: Optional[Any] = None,
-                     bcc: Optional[Any] = None) -> str:
+                     bcc: Optional[Any] = None,
+                     attachments: Optional[List[Dict[str, Any]]] = None) -> str:
     """Send a new email message.
-    
+
     Args:
         to: Recipient email address(es) - REQUIRED. Can be a single address or comma-separated list.
         subject: Email subject line
@@ -922,6 +1183,16 @@ async def send_email(to: Any,
         from_email: Sender email address (must match your authenticated email, auto-filled if not provided)
         cc: CC recipients (comma-separated or list)
         bcc: BCC recipients (comma-separated or list)
+        attachments: Optional list of files to attach. Each item is ONE of:
+            {"attachment_id": str}  - PREFERRED for a local file: call
+                get_attachment_upload_url(filename) first, upload the file to the
+                returned URL (e.g. with curl), then pass the attachment_id here —
+                nothing large goes through this tool call,
+            {"url": str}            - a URL the server fetches,
+            {"path": str}          - a path readable by THIS server,
+            {"filename","content_type","data"(base64)} - inline (small files only).
+            The server is remote and cannot read your local disk, so for a local
+            file upload it first and pass {attachment_id}.
     
     Returns:
         JSON object with send status including "ok", "to", "from", and "subject" fields
@@ -956,8 +1227,9 @@ async def send_email(to: Any,
                 "error": "Authentication required: You must be authenticated to send emails"
             })
         
+        resolved = await _resolve_attachments(attachments)
         result = await asyncio.to_thread(
-            _send_email_sync, to, subject, body, from_email, cc, bcc
+            _send_email_sync, to, subject, body, from_email, cc, bcc, resolved
         )
         return json.dumps(result, ensure_ascii=False)
     except Exception as e: