zeroclaw_channels/

email_channel.rs

#![allow(clippy::uninlined_format_args)]
#![allow(clippy::map_unwrap_or)]
#![allow(clippy::redundant_closure_for_method_calls)]
#![allow(clippy::cast_lossless)]
#![allow(clippy::trim_split_whitespace)]
#![allow(clippy::doc_link_with_quotes)]
#![allow(clippy::doc_markdown)]
#![allow(clippy::too_many_lines)]
#![allow(clippy::unnecessary_map_or)]

use anyhow::Result;
use async_imap::Session;
use async_imap::extensions::idle::IdleResponse;
use async_imap::types::Fetch;
use async_trait::async_trait;
use futures_util::TryStreamExt;
use lettre::message::header::ContentType;
use lettre::message::{Attachment, MultiPart, SinglePart};
use lettre::transport::smtp::authentication::Credentials;
use lettre::{Message, SmtpTransport, Transport};
use mail_parser::{MessageParser, MimeHeaders};
use pulldown_cmark::{Options, Parser, html};
use rustls::{ClientConfig, RootCertStore};
use rustls_pki_types::DnsName;
use std::collections::HashSet;
use std::sync::Arc;
use std::time::{Duration, SystemTime, UNIX_EPOCH};
use tokio::net::TcpStream;
use tokio::sync::{Mutex, mpsc};
use tokio::time::{sleep, timeout};
use tokio_rustls::TlsConnector;
use tokio_rustls::client::TlsStream;
use uuid::Uuid;

use zeroclaw_api::channel::{Channel, ChannelMessage, SendMessage};

pub use zeroclaw_config::scattered_types::EmailConfig;

type ImapSession = Session<TlsStream<TcpStream>>;

/// Email channel — IMAP IDLE for instant push notifications, SMTP for outbound.
///
/// Inbound sender authorization lives in `peer_groups` in V3; this channel
/// resolves the authorized senders at message-time via [`Self::peer_resolver`]
/// rather than reading a per-channel `allowed_senders` field (it no longer
/// exists on `EmailConfig`).
pub struct EmailChannel {
    pub config: EmailConfig,
    /// The alias key under `[channels.email.<alias>]` this handle is
    /// bound to. Used to scope peer-group writes and resolver lookups.
    pub alias: String,
    /// Resolves inbound external peers from canonical state at message-time.
    /// No cache (see AGENTS.md "ABSOLUTE RULE — SINGLE SOURCE OF TRUTH").
    pub peer_resolver: Arc<dyn Fn() -> Vec<String> + Send + Sync>,
    seen_messages: Arc<Mutex<HashSet<String>>>,
}

impl EmailChannel {
    pub fn new(
        config: EmailConfig,
        alias: impl Into<String>,
        peer_resolver: Arc<dyn Fn() -> Vec<String> + Send + Sync>,
    ) -> Self {
        Self {
            config,
            alias: alias.into(),
            peer_resolver,
            seen_messages: Arc::new(Mutex::new(HashSet::new())),
        }
    }

    /// Check if a sender email is in the allowlist (peer group).
    ///
    /// Email allowlist entries support three syntaxes — preserved from
    /// the legacy `EmailConfig::allowed_senders` semantics:
    /// - `*`                wildcard, allow anyone.
    /// - `user@host`        full address, case-insensitive.
    /// - `@host` / `host`   domain match, case-insensitive.
    pub fn is_sender_allowed(&self, email: &str) -> bool {
        let peers = (self.peer_resolver)();
        Self::is_email_sender_allowed(&peers, email)
    }

    /// Pure, testable predicate that applies the email-allowlist match
    /// semantics against an already-resolved peer list.
    fn is_email_sender_allowed(peers: &[String], email: &str) -> bool {
        if peers.is_empty() {
            return false; // Empty = deny all
        }
        if peers.iter().any(|a| a == "*") {
            return true; // Wildcard = allow all
        }
        let email_lower = email.to_lowercase();
        peers.iter().any(|allowed| {
            if allowed.starts_with('@') {
                // Domain match with @ prefix: "@example.com"
                email_lower.ends_with(&allowed.to_lowercase())
            } else if allowed.contains('@') {
                // Full email address match
                allowed.eq_ignore_ascii_case(email)
            } else {
                // Domain match without @ prefix: "example.com"
                email_lower.ends_with(&format!("@{}", allowed.to_lowercase()))
            }
        })
    }

    /// Strip HTML tags from content (basic)
    pub fn strip_html(html: &str) -> String {
        let mut result = String::new();
        let mut in_tag = false;
        for ch in html.chars() {
            match ch {
                '<' => in_tag = true,
                '>' => in_tag = false,
                _ if !in_tag => result.push(ch),
                _ => {}
            }
        }
        let mut normalized = String::with_capacity(result.len());
        for word in result.split_whitespace() {
            if !normalized.is_empty() {
                normalized.push(' ');
            }
            normalized.push_str(word);
        }
        normalized
    }

    /// Extract the sender address from a parsed email
    fn extract_sender(parsed: &mail_parser::Message) -> String {
        parsed
            .from()
            .and_then(|addr| addr.first())
            .and_then(|a| a.address())
            .map(|s| s.to_string())
            .unwrap_or_else(|| "unknown".into())
    }

    /// Extract readable text from a parsed email
    fn extract_text(parsed: &mail_parser::Message) -> String {
        if let Some(text) = parsed.body_text(0) {
            return text.to_string();
        }
        if let Some(html) = parsed.body_html(0) {
            return Self::strip_html(html.as_ref());
        }
        for part in parsed.attachments() {
            let part: &mail_parser::MessagePart = part;
            if let Some(ct) = MimeHeaders::content_type(part)
                && ct.ctype() == "text"
                && let Ok(text) = std::str::from_utf8(part.contents())
            {
                let name = MimeHeaders::attachment_name(part).unwrap_or("file");
                return format!("[Attachment: {}]\n{}", name, text);
            }
        }
        "(no readable content)".to_string()
    }

    /// Extract binary attachments from a parsed email as MediaAttachment entries.
    fn extract_attachments(
        &self,
        parsed: &mail_parser::Message,
    ) -> Vec<zeroclaw_api::media::MediaAttachment> {
        let mut attachments = Vec::new();
        let mut total_size = 0;

        for part in parsed.attachments() {
            let part: &mail_parser::MessagePart = part;
            let ct = MimeHeaders::content_type(part);
            let mime_str =
                ct.map(|c| format!("{}/{}", c.ctype(), c.subtype().unwrap_or("octet-stream")));

            // Skip text parts — already handled by extract_text()
            if let Some(ref m) = mime_str
                && m.starts_with("text/")
            {
                continue;
            }

            let data = part.contents().to_vec();
            if data.is_empty() {
                continue;
            }

            // Check size limit
            total_size += data.len();
            if total_size > self.config.max_attachment_bytes {
                ::zeroclaw_log::record!(
                    WARN,
                    ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note)
                        .with_outcome(::zeroclaw_log::EventOutcome::Unknown),
                    &format!(
                        "Attachment size limit exceeded ({} bytes), dropping remaining attachments",
                        self.config.max_attachment_bytes
                    )
                );
                break;
            }

            let file_name = MimeHeaders::attachment_name(part)
                .unwrap_or("attachment")
                .to_string();

            attachments.push(zeroclaw_api::media::MediaAttachment {
                file_name,
                data,
                mime_type: mime_str,
            });
        }
        attachments
    }

    /// Connect to IMAP server with TLS and authenticate
    async fn connect_imap(&self) -> Result<ImapSession> {
        let addr = format!("{}:{}", self.config.imap_host, self.config.imap_port);
        ::zeroclaw_log::record!(
            DEBUG,
            ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
            &format!("Connecting to IMAP server at {}", addr)
        );

        // Connect TCP
        let tcp = TcpStream::connect(&addr).await?;

        // Establish TLS using rustls
        let certs = RootCertStore {
            roots: webpki_roots::TLS_SERVER_ROOTS.into(),
        };
        let config = ClientConfig::builder()
            .with_root_certificates(certs)
            .with_no_client_auth();
        let tls_stream: TlsConnector = Arc::new(config).into();
        let sni: DnsName = self.config.imap_host.clone().try_into()?;
        let stream = tls_stream.connect(sni.into(), tcp).await?;

        // Create IMAP client
        let client = async_imap::Client::new(stream);

        // Login
        let session = client
            .login(&self.config.username, &self.config.password)
            .await
            .map_err(|(e, _)| {
                ::zeroclaw_log::record!(
                    ERROR,
                    ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Fail)
                        .with_outcome(::zeroclaw_log::EventOutcome::Failure)
                        .with_attrs(::serde_json::json!({
                            "phase": "imap_login",
                            "error": format!("{}", e),
                        })),
                    "email: IMAP login failed"
                );
                anyhow::Error::msg(format!("IMAP login failed: {}", e))
            })?;

        ::zeroclaw_log::record!(
            DEBUG,
            ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
            "IMAP login successful"
        );
        Ok(session)
    }

    /// Maximum number of messages fetched per IMAP round-trip.
    /// Bounds peak memory when the mailbox has a large unseen backlog.
    const MAX_FETCH_BATCH: usize = 10;

    /// Fetch and process unseen messages from the selected mailbox.
    ///
    /// UIDs are fetched in chunks of [`Self::MAX_FETCH_BATCH`] to bound the
    /// number of message bodies (and any audio attachments) held in memory at
    /// once. Each chunk is marked `\Seen` immediately after fetch so that
    /// successfully retrieved messages are not re-fetched if a later chunk fails.
    async fn fetch_unseen(&self, session: &mut ImapSession) -> Result<Vec<ParsedEmail>> {
        // Search for unseen messages
        let uids = session.uid_search("UNSEEN").await?;
        if uids.is_empty() {
            return Ok(Vec::new());
        }

        ::zeroclaw_log::record!(
            DEBUG,
            ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
            &format!("Found {} unseen messages", uids.len())
        );

        let uid_list: Vec<u32> = uids.into_iter().collect();
        let mut results = Vec::new();

        for chunk in uid_list.chunks(Self::MAX_FETCH_BATCH) {
            let uid_set: String = chunk
                .iter()
                .map(|u| u.to_string())
                .collect::<Vec<_>>()
                .join(",");

            // Fetch message bodies for this chunk
            let messages = session.uid_fetch(&uid_set, "RFC822").await?;
            let messages: Vec<Fetch> = messages.try_collect().await?;

            for msg in messages {
                let uid = msg.uid.unwrap_or(0);
                if let Some(body) = msg.body()
                    && let Some(parsed) = MessageParser::default().parse(body)
                {
                    let sender = Self::extract_sender(&parsed);
                    let subject = parsed.subject().unwrap_or("(no subject)").to_string();
                    let body_text = Self::extract_text(&parsed);
                    let content = format!("Subject: {}\n\n{}", subject, body_text);
                    let msg_id = parsed
                        .message_id()
                        .map(|s| s.to_string())
                        .unwrap_or_else(|| format!("gen-{}", Uuid::new_v4()));

                    #[allow(clippy::cast_sign_loss)]
                    let ts = parsed
                        .date()
                        .map(|d| {
                            let naive = chrono::NaiveDate::from_ymd_opt(
                                d.year as i32,
                                u32::from(d.month),
                                u32::from(d.day),
                            )
                            .and_then(|date| {
                                date.and_hms_opt(
                                    u32::from(d.hour),
                                    u32::from(d.minute),
                                    u32::from(d.second),
                                )
                            });
                            naive.map_or(0, |n| n.and_utc().timestamp() as u64)
                        })
                        .unwrap_or_else(|| {
                            SystemTime::now()
                                .duration_since(UNIX_EPOCH)
                                .map(|d| d.as_secs())
                                .unwrap_or(0)
                        });

                    let attachments = self.extract_attachments(&parsed);

                    results.push(ParsedEmail {
                        _uid: uid,
                        msg_id,
                        sender,
                        subject,
                        content,
                        timestamp: ts,
                        attachments,
                    });
                }
            }

            // Mark this chunk as seen before fetching the next
            let _ = session
                .uid_store(&uid_set, "+FLAGS (\\Seen)")
                .await?
                .try_collect::<Vec<_>>()
                .await;
        }

        Ok(results)
    }

    /// Run the IDLE loop, returning when a new message arrives or timeout
    /// Note: IDLE consumes the session and returns it via done()
    async fn wait_for_changes(
        &self,
        session: ImapSession,
    ) -> Result<(IdleWaitResult, ImapSession)> {
        let idle_timeout = Duration::from_secs(self.config.idle_timeout_secs);

        // Start IDLE mode - this consumes the session
        let mut idle = session.idle();
        idle.init().await?;

        ::zeroclaw_log::record!(
            DEBUG,
            ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
            "Entering IMAP IDLE mode"
        );

        // wait() returns (future, stop_source) - we only need the future
        let (wait_future, _stop_source) = idle.wait();

        // Wait for server notification or timeout
        let result = timeout(idle_timeout, wait_future).await;

        match result {
            Ok(Ok(response)) => {
                ::zeroclaw_log::record!(
                    DEBUG,
                    ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
                    &format!("IDLE response: {:?}", response)
                );
                // Done with IDLE, return session to normal mode
                let session = idle.done().await?;
                let wait_result = match response {
                    IdleResponse::NewData(_) => IdleWaitResult::NewMail,
                    IdleResponse::Timeout => IdleWaitResult::Timeout,
                    IdleResponse::ManualInterrupt => IdleWaitResult::Interrupted,
                };
                Ok((wait_result, session))
            }
            Ok(Err(e)) => {
                // Try to clean up IDLE state
                let _ = idle.done().await;
                ::zeroclaw_log::record!(
                    ERROR,
                    ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Fail)
                        .with_outcome(::zeroclaw_log::EventOutcome::Failure)
                        .with_attrs(::serde_json::json!({
                            "phase": "idle_wait",
                            "error": format!("{}", e),
                        })),
                    "email: IDLE error"
                );
                Err(anyhow::Error::msg(format!("IDLE error: {}", e)))
            }
            Err(_) => {
                // Timeout - RFC 2177 recommends restarting IDLE every 29 minutes
                ::zeroclaw_log::record!(
                    DEBUG,
                    ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
                    "IDLE timeout reached, will re-establish"
                );
                let session = idle.done().await?;
                Ok((IdleWaitResult::Timeout, session))
            }
        }
    }

    /// Main listen loop with automatic reconnection.
    ///
    /// Probes the server's CAPABILITY list after login and picks between:
    /// - IMAP IDLE (RFC 2177) for instant push when the server advertises it.
    /// - Periodic polling when the server does not support IDLE (e.g. seznam.cz).
    async fn listen_with_reconnect(&self, tx: mpsc::Sender<ChannelMessage>) -> Result<()> {
        let mut backoff = Duration::from_secs(1);
        let max_backoff = Duration::from_secs(60);

        loop {
            match self.run_session(&tx).await {
                Ok(()) => {
                    // Clean exit (channel closed)
                    return Ok(());
                }
                Err(e) => {
                    ::zeroclaw_log::record!(
                        ERROR,
                        ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Fail)
                            .with_outcome(::zeroclaw_log::EventOutcome::Failure),
                        &format!(
                            "IMAP session error: {}. Reconnecting in {:?}...",
                            e, backoff
                        )
                    );
                    sleep(backoff).await;
                    // Exponential backoff with cap
                    backoff = std::cmp::min(backoff * 2, max_backoff);
                }
            }
        }
    }

    /// Run a single IMAP session. Probes server capabilities and dispatches
    /// to the IDLE or polling inner loop.
    async fn run_session(&self, tx: &mpsc::Sender<ChannelMessage>) -> Result<()> {
        // Connect and authenticate
        let mut session = self.connect_imap().await?;

        // Select the mailbox
        session.select(&self.config.imap_folder).await?;

        // Probe the server's post-auth capabilities to decide IDLE vs poll.
        // RFC 3501 allows capabilities to change after authentication, so we
        // probe after login rather than before.
        let has_idle = {
            let caps = session.capabilities().await?;
            caps.has_str("IDLE")
        };

        // Drain any existing unseen messages first, regardless of mode
        self.process_unseen(&mut session, tx).await?;

        if has_idle {
            ::zeroclaw_log::record!(
                INFO,
                ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
                &format!(
                    "Email channel listening on {} (IMAP IDLE, instant push)",
                    self.config.imap_folder
                )
            );
            self.run_idle_inner(session, tx).await
        } else {
            let poll_interval = Duration::from_secs(self.config.poll_interval_secs);
            ::zeroclaw_log::record!(
                INFO,
                ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
                &format!(
                    "Email channel listening on {} (IMAP polling, server lacks IDLE, interval: {:?})",
                    self.config.imap_folder, poll_interval
                )
            );
            self.run_poll_inner(session, tx, poll_interval).await
        }
    }

    /// IDLE-based wait loop. Consumes and returns the session across IDLE round trips.
    async fn run_idle_inner(
        &self,
        mut session: ImapSession,
        tx: &mpsc::Sender<ChannelMessage>,
    ) -> Result<()> {
        loop {
            // Enter IDLE and wait for changes (consumes session, returns it via result)
            match self.wait_for_changes(session).await {
                Ok((IdleWaitResult::NewMail, returned_session)) => {
                    ::zeroclaw_log::record!(
                        DEBUG,
                        ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
                        "New mail notification received"
                    );
                    session = returned_session;
                    self.process_unseen(&mut session, tx).await?;
                }
                Ok((IdleWaitResult::Timeout, returned_session)) => {
                    // Re-check for mail after IDLE timeout (defensive)
                    session = returned_session;
                    self.process_unseen(&mut session, tx).await?;
                }
                Ok((IdleWaitResult::Interrupted, _)) => {
                    ::zeroclaw_log::record!(
                        INFO,
                        ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
                        "IDLE interrupted, exiting"
                    );
                    return Ok(());
                }
                Err(e) => {
                    // Connection likely broken, need to reconnect
                    return Err(e);
                }
            }
        }
    }

    /// Polling-based wait loop. Used when the server does not advertise IDLE.
    /// Sleeps for `poll_interval` between UNSEEN checks and sends a NOOP each
    /// cycle to keep the connection alive and detect drops early.
    async fn run_poll_inner(
        &self,
        mut session: ImapSession,
        tx: &mpsc::Sender<ChannelMessage>,
        poll_interval: Duration,
    ) -> Result<()> {
        loop {
            sleep(poll_interval).await;
            // NOOP both keeps the connection alive and causes the server to
            // flush any pending EXISTS/EXPUNGE updates before we search.
            session.noop().await?;
            self.process_unseen(&mut session, tx).await?;
        }
    }

    /// Fetch unseen messages and send to channel
    async fn process_unseen(
        &self,
        session: &mut ImapSession,
        tx: &mpsc::Sender<ChannelMessage>,
    ) -> Result<()> {
        let messages = self.fetch_unseen(session).await?;

        for email in messages {
            // Check allowlist
            if !self.is_sender_allowed(&email.sender) {
                ::zeroclaw_log::record!(
                    WARN,
                    ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note)
                        .with_outcome(::zeroclaw_log::EventOutcome::Unknown),
                    &format!("Blocked email from {}", email.sender)
                );
                continue;
            }

            let is_new = {
                let mut seen = self.seen_messages.lock().await;
                seen.insert(email.msg_id.clone())
            };
            if !is_new {
                continue;
            }

            let msg = ChannelMessage {
                channel_alias: Some(self.alias.clone()),
                attachments: email.attachments,
                subject: Some(email.subject),
                ..ChannelMessage::new(
                    email.msg_id,
                    email.sender.clone(),
                    email.sender,
                    email.content,
                    "email",
                    email.timestamp,
                )
            };

            if tx.send(msg).await.is_err() {
                // Channel closed, exit cleanly
                return Ok(());
            }
        }

        Ok(())
    }

    fn smtp_credentials(&self) -> Credentials {
        let user = self
            .config
            .smtp_username
            .as_deref()
            .unwrap_or(&self.config.username)
            .to_owned();
        let pass = self
            .config
            .smtp_password
            .as_deref()
            .unwrap_or(&self.config.password)
            .to_owned();
        Credentials::new(user, pass)
    }

    fn create_smtp_transport(&self) -> Result<SmtpTransport> {
        let creds = self.smtp_credentials();
        let transport = if self.config.smtp_tls {
            SmtpTransport::relay(&self.config.smtp_host)?
                .port(self.config.smtp_port)
                .credentials(creds)
                .build()
        } else {
            SmtpTransport::builder_dangerous(&self.config.smtp_host)
                .port(self.config.smtp_port)
                .credentials(creds)
                .build()
        };
        Ok(transport)
    }
}

/// Internal struct for parsed email data
struct ParsedEmail {
    _uid: u32,
    msg_id: String,
    sender: String,
    subject: String,
    content: String,
    timestamp: u64,
    attachments: Vec<zeroclaw_api::media::MediaAttachment>,
}

/// Result from waiting on IDLE
enum IdleWaitResult {
    NewMail,
    Timeout,
    Interrupted,
}

impl ::zeroclaw_api::attribution::Attributable for EmailChannel {
    fn role(&self) -> ::zeroclaw_api::attribution::Role {
        ::zeroclaw_api::attribution::Role::Channel(::zeroclaw_api::attribution::ChannelKind::Email)
    }
    fn alias(&self) -> &str {
        &self.alias
    }
}

fn markdown_to_html(md: &str) -> String {
    let mut options = Options::empty();
    options.insert(Options::ENABLE_TABLES);
    options.insert(Options::ENABLE_STRIKETHROUGH);
    let parser = Parser::new_ext(md, options);
    let mut html_output = String::new();
    html::push_html(&mut html_output, parser);
    html_output
}
#[async_trait]

impl Channel for EmailChannel {
    fn name(&self) -> &str {
        "email"
    }

    async fn send(&self, message: &SendMessage) -> Result<()> {
        // Use explicit subject if provided, otherwise fall back to legacy parsing or default
        let default_subject = self.config.default_subject.as_str();
        let (subject, body) = if let Some(ref subj) = message.subject {
            (subj.as_str(), message.content.as_str())
        } else if message.content.starts_with("Subject: ") {
            if let Some(pos) = message.content.find('\n') {
                (&message.content[9..pos], message.content[pos + 1..].trim())
            } else {
                (default_subject, message.content.as_str())
            }
        } else {
            (default_subject, message.content.as_str())
        };

        let mut builder = Message::builder()
            .from(self.config.from_address.parse()?)
            .to(message.recipient.parse()?)
            .subject(subject);
        if let Some(ref reply_id) = message.in_reply_to {
            builder = builder.in_reply_to(reply_id.clone());
        }
        let mut att_parts: Vec<(String, Vec<u8>, ContentType)> = Vec::new();
        for att in &message.attachments {
            let content_type = att
                .mime_type
                .as_deref()
                .and_then(|m| ContentType::parse(m).ok())
                .unwrap_or_else(|| {
                    ContentType::parse("application/octet-stream").expect("hardcoded MIME type")
                });
            let att_data = resolve_attachment_data(&att.file_name, &att.data)?;
            let att_name = std::path::Path::new(&att.file_name)
                .file_name()
                .and_then(|n| n.to_str())
                .unwrap_or(&att.file_name)
                .to_string();
            att_parts.push((att_name, att_data, content_type));
        }

        let email = if self.config.html_body {
            let alt = MultiPart::alternative()
                .singlepart(SinglePart::plain(body.to_string()))
                .singlepart(SinglePart::html(markdown_to_html(body)));
            if att_parts.is_empty() {
                builder.multipart(alt)?
            } else {
                let mut mixed = MultiPart::mixed().multipart(alt);
                for (name, data, ct) in att_parts {
                    mixed = mixed.singlepart(Attachment::new(name).body(data, ct));
                }
                builder.multipart(mixed)?
            }
        } else {
            let plain = SinglePart::plain(body.to_string());
            if att_parts.is_empty() {
                builder.singlepart(plain)?
            } else {
                let mut mixed = MultiPart::mixed().singlepart(plain);
                for (name, data, ct) in att_parts {
                    mixed = mixed.singlepart(Attachment::new(name).body(data, ct));
                }
                builder.multipart(mixed)?
            }
        };

        let transport = self.create_smtp_transport()?;
        transport.send(&email)?;
        ::zeroclaw_log::record!(
            INFO,
            ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
            &format!(
                "Email sent to {} ({} attachments)",
                message.recipient,
                message.attachments.len()
            )
        );
        Ok(())
    }

    async fn listen(&self, tx: mpsc::Sender<ChannelMessage>) -> Result<()> {
        ::zeroclaw_log::record!(
            INFO,
            ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
            &format!(
                "Starting email channel on {} (IDLE preferred, polling fallback)",
                self.config.imap_folder
            )
        );
        self.listen_with_reconnect(tx).await
    }

    async fn health_check(&self) -> bool {
        // Fully async health check - attempt IMAP connection
        match timeout(Duration::from_secs(10), self.connect_imap()).await {
            Ok(Ok(mut session)) => {
                // Try to logout cleanly
                let _ = session.logout().await;
                true
            }
            Ok(Err(e)) => {
                ::zeroclaw_log::record!(
                    DEBUG,
                    ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
                    &format!("Health check failed: {}", e)
                );
                false
            }
            Err(_) => {
                ::zeroclaw_log::record!(
                    DEBUG,
                    ::zeroclaw_log::Event::new(module_path!(), ::zeroclaw_log::Action::Note),
                    "Health check timed out"
                );
                false
            }
        }
    }
}

/// Resolve the byte content of an attachment for sending.
///
/// # Trust boundary
///
/// `file_name` is treated as a file-system path **only** when `data` is empty.
/// This fallback exists exclusively for internally constructed
/// [`MediaAttachment`](zeroclaw_api::media::MediaAttachment) values whose
/// bytes were intentionally omitted (e.g. created via
/// [`MediaAttachment::from_file`](zeroclaw_api::media::MediaAttachment::from_file)
/// after a round-trip through serialization).  Callers that build attachments
/// from untrusted input — user messages, HTTP request bodies, or any external
/// data source — **must** validate or constrain `file_name` before reaching
/// this function; no additional path sanitization is applied here.
///
/// Read errors are propagated rather than silently suppressed.
fn resolve_attachment_data(file_name: &str, data: &[u8]) -> anyhow::Result<Vec<u8>> {
    if data.is_empty() && std::path::Path::new(file_name).exists() {
        std::fs::read(file_name).map_err(|e| {
            anyhow::Error::msg(format!("failed to read attachment '{}': {}", file_name, e))
        })
    } else {
        Ok(data.to_vec())
    }
}

#[cfg(test)]
mod tests {
    fn default_imap_port() -> u16 {
        993
    }
    fn default_smtp_port() -> u16 {
        465
    }
    fn default_imap_folder() -> String {
        "INBOX".into()
    }
    fn default_idle_timeout() -> u64 {
        1740
    }
    fn default_true() -> bool {
        true
    }
    fn default_max_attachment_bytes() -> usize {
        25 * 1024 * 1024
    }
    use super::*;

    // -- resolve_attachment_data tests --

    #[test]
    fn resolve_attachment_data_returns_provided_bytes_when_non_empty() {
        let data = b"hello attachment".to_vec();
        let result = resolve_attachment_data("ignored.bin", &data).unwrap();
        assert_eq!(result, data);
    }

    #[test]
    fn resolve_attachment_data_falls_back_to_file_when_data_empty_and_file_exists() {
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("att.txt");
        std::fs::write(&path, b"file contents").unwrap();
        let result = resolve_attachment_data(path.to_str().unwrap(), &[]).unwrap();
        assert_eq!(result, b"file contents");
    }

    #[test]
    fn resolve_attachment_data_returns_empty_when_data_empty_and_file_absent() {
        // file_name does not exist on disk — should return empty vec, not error.
        // Use a temp dir to guarantee the path does not exist, rather than a
        // hard-coded /tmp path, for portability.
        let dir = tempfile::tempdir().unwrap();
        let absent = dir.path().join("does-not-exist.bin");
        let result = resolve_attachment_data(absent.to_str().unwrap(), &[]).unwrap();
        assert!(result.is_empty());
    }

    #[test]
    fn resolve_attachment_data_propagates_read_error_on_unreadable_file() {
        // Create a file, then make it unreadable (Unix only).
        #[cfg(unix)]
        {
            use std::os::unix::fs::PermissionsExt;
            let dir = tempfile::tempdir().unwrap();
            let path = dir.path().join("locked.bin");
            std::fs::write(&path, b"secret").unwrap();
            std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o000)).unwrap();
            // Permission enforcement is not guaranteed when running as root;
            // skip rather than produce a false failure.  Reading from
            // /proc/self/status is Linux-specific but that is where this test
            // is most likely to run.  On other Unix systems the check falls
            // back to the USER env var, which is a best-effort heuristic only.
            #[cfg(target_os = "linux")]
            let is_root = std::fs::read_to_string("/proc/self/status")
                .ok()
                .and_then(|s| {
                    s.lines()
                        .find(|l| l.starts_with("Uid:"))
                        .and_then(|l| l.split_whitespace().nth(1))
                        .and_then(|uid| uid.parse::<u32>().ok())
                })
                .map(|uid| uid == 0)
                .unwrap_or(false);
            #[cfg(not(target_os = "linux"))]
            let is_root = std::env::var("USER").map(|u| u == "root").unwrap_or(false);
            if is_root {
                return;
            }
            let result = resolve_attachment_data(path.to_str().unwrap(), &[]);
            assert!(result.is_err());
        }
    }

    #[test]
    fn default_smtp_port_uses_tls_port() {
        assert_eq!(default_smtp_port(), 465);
    }

    #[test]
    fn email_config_default_uses_tls_smtp_defaults() {
        let config = EmailConfig::default();
        assert_eq!(config.smtp_port, 465);
        assert!(config.smtp_tls);
    }

    #[test]
    fn default_idle_timeout_is_29_minutes() {
        assert_eq!(default_idle_timeout(), 1740);
    }

    #[test]
    fn max_fetch_batch_bounds_chunk_size() {
        let cap = EmailChannel::MAX_FETCH_BATCH;
        assert_eq!(cap, 10);

        // Under cap: single chunk
        let uids: Vec<u32> = (1..=3).collect();
        let chunks: Vec<&[u32]> = uids.chunks(cap).collect();
        assert_eq!(chunks.len(), 1);
        assert_eq!(chunks[0].len(), 3);

        // Exactly at cap: single chunk
        let uids: Vec<u32> = (1..=10).collect();
        let chunks: Vec<&[u32]> = uids.chunks(cap).collect();
        assert_eq!(chunks.len(), 1);
        assert_eq!(chunks[0].len(), 10);

        // Over cap: two chunks
        let uids: Vec<u32> = (1..=15).collect();
        let chunks: Vec<&[u32]> = uids.chunks(cap).collect();
        assert_eq!(chunks.len(), 2);
        assert_eq!(chunks[0].len(), 10);
        assert_eq!(chunks[1].len(), 5);
    }

    #[tokio::test]
    async fn seen_messages_starts_empty() {
        let channel =
            EmailChannel::new(EmailConfig::default(), "email_test_alias", empty_resolver());
        let seen = channel.seen_messages.lock().await;
        assert!(seen.is_empty());
    }

    #[tokio::test]
    async fn seen_messages_tracks_unique_ids() {
        let channel =
            EmailChannel::new(EmailConfig::default(), "email_test_alias", empty_resolver());
        let mut seen = channel.seen_messages.lock().await;

        assert!(seen.insert("first-id".to_string()));
        assert!(!seen.insert("first-id".to_string()));
        assert!(seen.insert("second-id".to_string()));
        assert_eq!(seen.len(), 2);
    }

    // EmailConfig tests

    #[test]
    fn email_config_default() {
        let config = EmailConfig::default();
        assert_eq!(config.imap_host, "");
        assert_eq!(config.imap_port, 993);
        assert_eq!(config.imap_folder, "INBOX");
        assert_eq!(config.smtp_host, "");
        assert_eq!(config.smtp_port, 465);
        assert!(config.smtp_tls);
        assert_eq!(config.username, "");
        assert_eq!(config.password, "");
        assert_eq!(config.from_address, "");
        assert_eq!(config.idle_timeout_secs, 1740);
    }

    // EmailChannel tests
    //
    // Inbound peer authorization lives in `peer_groups` in V3; the
    // channel resolves the authorized senders via a peer_resolver
    // closure provided at construction.

    fn empty_resolver() -> Arc<dyn Fn() -> Vec<String> + Send + Sync> {
        Arc::new(Vec::new)
    }

    fn resolver_from(peers: Vec<String>) -> Arc<dyn Fn() -> Vec<String> + Send + Sync> {
        Arc::new(move || peers.clone())
    }

    #[test]
    fn email_config_custom() {
        let config = EmailConfig {
            enabled: true,
            imap_host: "imap.example.com".to_string(),
            imap_port: 993,
            imap_folder: "Archive".to_string(),
            smtp_host: "smtp.example.com".to_string(),
            smtp_port: 465,
            smtp_tls: true,
            username: "user@example.com".to_string(),
            password: "pass123".to_string(),
            smtp_username: None,
            smtp_password: None,
            from_address: "bot@example.com".to_string(),
            idle_timeout_secs: 1200,
            poll_interval_secs: 60,
            default_subject: "Custom Subject".to_string(),
            max_attachment_bytes: default_max_attachment_bytes(),
            html_body: true,
            excluded_tools: vec![],
        };
        assert_eq!(config.imap_host, "imap.example.com");
        assert_eq!(config.imap_folder, "Archive");
        assert_eq!(config.idle_timeout_secs, 1200);
        assert_eq!(config.default_subject, "Custom Subject");
    }

    #[test]
    fn email_config_clone() {
        let config = EmailConfig {
            enabled: true,
            imap_host: "imap.test.com".to_string(),
            imap_port: 993,
            imap_folder: "INBOX".to_string(),
            smtp_host: "smtp.test.com".to_string(),
            smtp_port: 587,
            smtp_tls: true,
            username: "user@test.com".to_string(),
            password: "secret".to_string(),
            smtp_username: None,
            smtp_password: None,
            from_address: "bot@test.com".to_string(),
            idle_timeout_secs: 1740,
            poll_interval_secs: 60,
            default_subject: "Test Subject".to_string(),
            max_attachment_bytes: default_max_attachment_bytes(),
            html_body: true,
            excluded_tools: vec![],
        };
        let cloned = config.clone();
        assert_eq!(cloned.imap_host, config.imap_host);
        assert_eq!(cloned.smtp_port, config.smtp_port);
        assert_eq!(cloned.default_subject, config.default_subject);
    }

    #[tokio::test]
    async fn email_channel_new() {
        let config = EmailConfig::default();
        let channel = EmailChannel::new(config.clone(), "email_test_alias", empty_resolver());
        assert_eq!(channel.config.imap_host, config.imap_host);

        let seen_guard = channel.seen_messages.lock().await;
        assert_eq!(seen_guard.len(), 0);
    }

    #[test]
    fn email_channel_name() {
        let channel =
            EmailChannel::new(EmailConfig::default(), "email_test_alias", empty_resolver());
        assert_eq!(channel.name(), "email");
    }

    // is_sender_allowed tests

    #[test]
    fn is_sender_allowed_empty_list_denies_all() {
        let channel =
            EmailChannel::new(EmailConfig::default(), "email_test_alias", empty_resolver());
        assert!(!channel.is_sender_allowed("anyone@example.com"));
        assert!(!channel.is_sender_allowed("user@test.com"));
    }

    #[test]
    fn is_sender_allowed_wildcard_allows_all() {
        let channel = EmailChannel::new(
            EmailConfig::default(),
            "email_test_alias",
            resolver_from(vec!["*".to_string()]),
        );
        assert!(channel.is_sender_allowed("anyone@example.com"));
        assert!(channel.is_sender_allowed("user@test.com"));
        assert!(channel.is_sender_allowed("random@domain.org"));
    }

    #[test]
    fn is_sender_allowed_specific_email() {
        let channel = EmailChannel::new(
            EmailConfig::default(),
            "email_test_alias",
            resolver_from(vec!["allowed@example.com".to_string()]),
        );
        assert!(channel.is_sender_allowed("allowed@example.com"));
        assert!(!channel.is_sender_allowed("other@example.com"));
        assert!(!channel.is_sender_allowed("allowed@other.com"));
    }

    #[test]
    fn is_sender_allowed_domain_with_at_prefix() {
        let channel = EmailChannel::new(
            EmailConfig::default(),
            "email_test_alias",
            resolver_from(vec!["@example.com".to_string()]),
        );
        assert!(channel.is_sender_allowed("user@example.com"));
        assert!(channel.is_sender_allowed("admin@example.com"));
        assert!(!channel.is_sender_allowed("user@other.com"));
    }

    #[test]
    fn is_sender_allowed_domain_without_at_prefix() {
        let channel = EmailChannel::new(
            EmailConfig::default(),
            "email_test_alias",
            resolver_from(vec!["example.com".to_string()]),
        );
        assert!(channel.is_sender_allowed("user@example.com"));
        assert!(channel.is_sender_allowed("admin@example.com"));
        assert!(!channel.is_sender_allowed("user@other.com"));
    }

    #[test]
    fn is_sender_allowed_case_insensitive() {
        let channel = EmailChannel::new(
            EmailConfig::default(),
            "email_test_alias",
            resolver_from(vec!["Allowed@Example.COM".to_string()]),
        );
        assert!(channel.is_sender_allowed("allowed@example.com"));
        assert!(channel.is_sender_allowed("ALLOWED@EXAMPLE.COM"));
        assert!(channel.is_sender_allowed("AlLoWeD@eXaMpLe.cOm"));
    }

    #[test]
    fn is_sender_allowed_multiple_senders() {
        let channel = EmailChannel::new(
            EmailConfig::default(),
            "email_test_alias",
            resolver_from(vec![
                "user1@example.com".to_string(),
                "user2@test.com".to_string(),
                "@allowed.com".to_string(),
            ]),
        );
        assert!(channel.is_sender_allowed("user1@example.com"));
        assert!(channel.is_sender_allowed("user2@test.com"));
        assert!(channel.is_sender_allowed("anyone@allowed.com"));
        assert!(!channel.is_sender_allowed("user3@example.com"));
    }

    #[test]
    fn is_sender_allowed_wildcard_with_specific() {
        let channel = EmailChannel::new(
            EmailConfig::default(),
            "email_test_alias",
            resolver_from(vec!["*".to_string(), "specific@example.com".to_string()]),
        );
        assert!(channel.is_sender_allowed("anyone@example.com"));
        assert!(channel.is_sender_allowed("specific@example.com"));
    }

    #[test]
    fn is_sender_allowed_empty_sender() {
        let channel = EmailChannel::new(
            EmailConfig::default(),
            "email_test_alias",
            resolver_from(vec!["@example.com".to_string()]),
        );
        assert!(!channel.is_sender_allowed(""));
        // "@example.com" ends with "@example.com" so it's allowed
        assert!(channel.is_sender_allowed("@example.com"));
    }

    // strip_html tests

    #[test]
    fn strip_html_basic() {
        assert_eq!(EmailChannel::strip_html("<p>Hello</p>"), "Hello");
        assert_eq!(EmailChannel::strip_html("<div>World</div>"), "World");
    }

    #[test]
    fn strip_html_nested_tags() {
        assert_eq!(
            EmailChannel::strip_html("<div><p>Hello <strong>World</strong></p></div>"),
            "Hello World"
        );
    }

    #[test]
    fn strip_html_multiple_lines() {
        let html = "<div>\n  <p>Line 1</p>\n  <p>Line 2</p>\n</div>";
        assert_eq!(EmailChannel::strip_html(html), "Line 1 Line 2");
    }

    #[test]
    fn strip_html_preserves_text() {
        assert_eq!(EmailChannel::strip_html("No tags here"), "No tags here");
        assert_eq!(EmailChannel::strip_html(""), "");
    }

    #[test]
    fn strip_html_handles_malformed() {
        assert_eq!(EmailChannel::strip_html("<p>Unclosed"), "Unclosed");
        // The function removes everything between < and >, so "Text>with>brackets" becomes "Textwithbrackets"
        assert_eq!(
            EmailChannel::strip_html("Text>with>brackets"),
            "Textwithbrackets"
        );
    }

    #[test]
    fn strip_html_self_closing_tags() {
        // Self-closing tags are removed but don't add spaces
        assert_eq!(EmailChannel::strip_html("Hello<br/>World"), "HelloWorld");
        assert_eq!(EmailChannel::strip_html("Text<hr/>More"), "TextMore");
    }

    #[test]
    fn strip_html_attributes_preserved() {
        assert_eq!(
            EmailChannel::strip_html("<a href=\"http://example.com\">Link</a>"),
            "Link"
        );
    }

    #[test]
    fn strip_html_multiple_spaces_collapsed() {
        assert_eq!(
            EmailChannel::strip_html("<p>Word</p>  <p>Word</p>"),
            "Word Word"
        );
    }

    #[test]
    fn strip_html_special_characters() {
        assert_eq!(
            EmailChannel::strip_html("<span>&lt;tag&gt;</span>"),
            "&lt;tag&gt;"
        );
    }

    // Default function tests

    #[test]
    fn default_imap_port_returns_993() {
        assert_eq!(default_imap_port(), 993);
    }

    #[test]
    fn default_smtp_port_returns_465() {
        assert_eq!(default_smtp_port(), 465);
    }

    #[test]
    fn default_imap_folder_returns_inbox() {
        assert_eq!(default_imap_folder(), "INBOX");
    }

    #[test]
    fn default_true_returns_true() {
        assert!(default_true());
    }

    // EmailConfig serialization tests

    #[test]
    fn email_config_serialize_deserialize() {
        let config = EmailConfig {
            enabled: true,
            imap_host: "imap.example.com".to_string(),
            imap_port: 993,
            imap_folder: "INBOX".to_string(),
            smtp_host: "smtp.example.com".to_string(),
            smtp_port: 587,
            smtp_tls: true,
            username: "user@example.com".to_string(),
            password: "password123".to_string(),
            smtp_username: None,
            smtp_password: None,
            from_address: "bot@example.com".to_string(),
            idle_timeout_secs: 1740,
            poll_interval_secs: 60,
            default_subject: "Serialization Test".to_string(),
            max_attachment_bytes: default_max_attachment_bytes(),
            excluded_tools: vec![],
            html_body: true,
        };

        let json = serde_json::to_string(&config).unwrap();
        let deserialized: EmailConfig = serde_json::from_str(&json).unwrap();

        assert_eq!(deserialized.imap_host, config.imap_host);
        assert_eq!(deserialized.smtp_port, config.smtp_port);
        assert_eq!(deserialized.default_subject, config.default_subject);
    }

    #[test]
    fn email_config_deserialize_with_defaults() {
        let json = r#"{
            "imap_host": "imap.test.com",
            "smtp_host": "smtp.test.com",
            "username": "user",
            "password": "pass",
            "from_address": "bot@test.com"
        }"#;

        let config: EmailConfig = serde_json::from_str(json).unwrap();
        assert_eq!(config.imap_port, 993); // default
        assert_eq!(config.smtp_port, 465); // default
        assert!(config.smtp_tls); // default
        assert_eq!(config.idle_timeout_secs, 1740); // default
        assert_eq!(config.default_subject, "Re: Message"); // default
    }

    #[test]
    fn idle_timeout_deserializes_explicit_value() {
        let json = r#"{
            "imap_host": "imap.test.com",
            "smtp_host": "smtp.test.com",
            "username": "user",
            "password": "pass",
            "from_address": "bot@test.com",
            "idle_timeout_secs": 900
        }"#;
        let config: EmailConfig = serde_json::from_str(json).unwrap();
        assert_eq!(config.idle_timeout_secs, 900);
    }

    #[test]
    fn poll_interval_deserializes_as_independent_field() {
        // poll_interval_secs is a separate field from idle_timeout_secs —
        // used when the IMAP server does not advertise the IDLE capability.
        // Previously (pre-polling-fallback) it was a misleading serde alias
        // for idle_timeout_secs; that coupling has been removed.
        let json = r#"{
            "imap_host": "imap.test.com",
            "smtp_host": "smtp.test.com",
            "username": "user",
            "password": "pass",
            "from_address": "bot@test.com",
            "poll_interval_secs": 120
        }"#;
        let config: EmailConfig = serde_json::from_str(json).unwrap();
        assert_eq!(config.poll_interval_secs, 120);
        assert_eq!(config.idle_timeout_secs, 1740); // unchanged default
    }

    #[test]
    fn poll_interval_has_default_when_unset() {
        let json = r#"{
            "imap_host": "imap.test.com",
            "smtp_host": "smtp.test.com",
            "username": "user",
            "password": "pass",
            "from_address": "bot@test.com"
        }"#;
        let config: EmailConfig = serde_json::from_str(json).unwrap();
        assert_eq!(config.poll_interval_secs, 60);
    }

    #[test]
    fn idle_timeout_propagates_to_channel() {
        let config = EmailConfig {
            enabled: true,
            idle_timeout_secs: 600,
            ..Default::default()
        };
        let channel = EmailChannel::new(config, "email_test_alias", empty_resolver());
        assert_eq!(channel.config.idle_timeout_secs, 600);
    }

    #[test]
    fn email_config_debug_output() {
        let config = EmailConfig {
            enabled: true,
            imap_host: "imap.debug.com".to_string(),
            ..Default::default()
        };
        let debug_str = format!("{:?}", config);
        assert!(debug_str.contains("imap.debug.com"));
    }

    #[test]
    fn email_config_smtp_credentials_default_to_none() {
        let config = EmailConfig::default();
        assert!(config.smtp_username.is_none());
        assert!(config.smtp_password.is_none());
    }

    #[test]
    fn smtp_credentials_fallback_to_shared() {
        let config = EmailConfig {
            username: "shared@example.com".to_string(),
            password: "shared_pass".to_string(),
            smtp_username: None,
            smtp_password: None,
            ..Default::default()
        };
        let channel = EmailChannel::new(config, "email_test_alias", empty_resolver());
        let creds = channel.smtp_credentials();
        // Credentials doesn't expose fields directly, so round-trip via a
        // fresh construction for comparison
        let expected =
            Credentials::new("shared@example.com".to_string(), "shared_pass".to_string());
        assert_eq!(creds, expected);
    }

    #[test]
    fn smtp_credentials_uses_dedicated_fields() {
        let config = EmailConfig {
            username: "shared@example.com".to_string(),
            password: "shared_pass".to_string(),
            smtp_username: Some("smtp@example.com".to_string()),
            smtp_password: Some("smtp_pass".to_string()),
            ..Default::default()
        };
        let channel = EmailChannel::new(config, "email_test_alias", empty_resolver());
        let creds = channel.smtp_credentials();
        let expected = Credentials::new("smtp@example.com".to_string(), "smtp_pass".to_string());
        assert_eq!(creds, expected);
    }
}