inboxer/docs/CHANGELOG.md

# Changelog

All notable changes to inBOXER will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [2026-04.5] - 2026-04-23

### Fixed
- **Settings form silently dropped fields**: JavaScript `FormData` sends `multipart/form-data`, but Go's `r.ParseForm()` doesn't handle it; replaced with `r.ParseMultipartForm()` + direct `r.MultipartForm.Value` reads
- **IMAP test connection always failed**: Exposed and raw-logged all form fields; confirmed `imap_host=imap.openxchange.eu` was sent but not parsed due to multipart issue
- **IMAPUsername not sent to worker**: Missing `IMAPUsername` field in `MailboxSettings` model, settings form, `SettingsHandler`, `TestConnectionHandler`, and worker `processUser()`
- **SMTP HELO rejected**: Custom `sendMail()` with explicit HELO hostname + STARTTLS handshake (replaced standard `smtp.SendMail`)
- **OTP/Welcome emails missing From header**: Added `From:` header to both email bodies (RFC5322 compliance required by VadeSecure)
- **Worker skipped SEEN emails**: `runSteadyState` used `FetchUnseen()` which only finds emails without `\Seen` flag; changed to `FetchBatch()` (UID range) to process ALL INBOX emails unconditionally
- **`go build .` compiled wrong entry point**: Root-level debug `*_test.go` files with `package main` caused `go build .` to compile the debug script instead of `src/cmd/main.go`; build now uses `./src/cmd` explicitly

### Added
- **7-way AI classification**: New `Notifications`, `Finance`, `Social` folders alongside `Important`, `eCommerce`, `Other`, `Spam`; updated prompt.txt with precise category descriptions
- **Guardrail in AGENTS.md**: "Never terminate sessions or kill processes" rule to prevent accidental session termination
- **Root-level folder creation**: `Important`, `eCommerce`, `Other`, `Notifications`, `Finance`, `Social`, `Spam` confirmed via IMAP LIST

### Changed
- Replaced `r.PostFormValue()` / `r.FormValue()` with `r.MultipartForm.Value` map reads for all settings fields
- Removed stale `:=` declarations that shadowed correctly parsed values with empty strings
- IMAPUsername takes priority over Email Address for IMAP login when non-empty

## [2026-04.4] - 2026-04-23

### Fixed
- **Settings page unusable**: Password field referenced nonexistent struct field (`IMAPPass` vs `IMAPPassEncrypted`), rendered blank on every page load
- **Password wiped on save**: Leaving password field blank (because it showed empty) overwrote encrypted password with empty string; now only updates when user enters a new password
- **"Test Connection" never worked**: `TestConnectionHandler` returned `"Not implemented yet"`; now performs actual IMAP connect+login using go-imap and returns success/failure JSON
- **"Process Now" was a no-op**: `ProcessNowHandler` just redirected; now signals worker to run an immediate processing cycle via new `Worker.ProcessNow()` channel
- **Dashboard showed 0 for emails processed**: Template referenced `{{ .Stats.TotalProcessed }}` but `TotalProcessed` is a separate struct field, not a map key; corrected to `{{ .TotalProcessed }}`
- **No getting-started guidance**: Dashboard now shows an info banner on first visit directing users to configure their IMAP account in Settings
- **Password field `required`**: Removed HTML5 `required` attribute so users can save other settings without re-entering their password

### Changed
- `Handler` struct now holds a `*worker.Worker` reference for `ProcessNowHandler`
- Worker initialization moved before handler creation in `main.go` to satisfy the dependency
- `Handler.NewHandler()` signature extended with `bgWorker *worker.Worker` parameter
- Settings POST handler re-reads decrypted settings after save so the form reflects the current state

### Added
- `Worker.ProcessNow()` — sends signal to `processNow` channel (buffered, capacity 1) to trigger `processAllUsers()` outside the normal poll interval
- `Worker.processNow` channel field (buffered, prevents goroutine block)
- `encoding/json` import in handlers for `TestConnectionHandler` JSON responses

## [2026-04.3] - 2026-04-23

### Added
- AI classification package (`src/internal/ai/`):
  - DeepSeek API client with chat completion requests (chat.deepseek.com API)
  - Configurable model, temperature, max tokens via `config.yaml`
  - Prompt template engine: loads `bin/prompt.txt` at runtime, substitutes `{sender}`, `{subject}`, `{body}` placeholders
  - Response parser validates folder names (Important/eCommerce/Spam/Other) and confidence scores (1-100)
  - Graceful fallback to placeholder classifier if prompt file is missing or API key unset
  - Unit tests for JSON parsing, prompt loading, and API client creation
- Email body text now fetched up to 4000 chars (from 200) for AI classification context

### Changed
- Replaced `EmailSummary.Snippet` with `EmailSummary.Body` (4000 char limit)
- Main orchestrator now initializes DeepSeek classifier and passes to worker
- Worker uses real AI classifier when available; falls back to placeholder on init failure

## [2026-04.2] - 2026-04-23

### Added
- IMAP client package (`src/internal/imap/`):
  - Secure connection management (TLS & STARTTLS) with auto-reconnect
  - Fetch unseen messages with envelope and body snippet extraction
  - Batch fetching by UID range for catch-up processing
  - Message move/copy operations (RFC 6851 UID MOVE)
  - Ensure folder existence before operations
  - Unit tests covering error paths (connection failures, not-connected scenarios)
- Background worker package (`src/internal/worker/`):
  - Steady-state mode: polls unseen emails at configurable interval
  - Catch-up mode: processes backlog in batches with cooldown
  - Per-user processing with isolated IMAP connections
  - Test mode support (logs without moving emails)
  - AI classifier interface (placeholder routes everything to "Other")
  - Graceful shutdown with signal handling
  - Unit tests for classifier and lifecycle
- Database: `GetUsersWithAutoStart()` method for worker user discovery

### Changed
- Replaced placeholder background worker with full IMAP-driven implementation
- Worker now creates target folders automatically on connect
- Email processing respects per-user poll interval and batch size

## [2026-04.1] - 2026-04-23

### Added
- Initial repository structure per `PROJECT_PLAN.md`
- Go module initialization with core dependencies (go-imap, gorm, sqlite, slog, gorilla)
- Git repository setup with remote configuration using `.env` credentials
- Basic documentation files (README, CHANGELOG, LICENSE, AGENTS.md)
- Directory hierarchy for modular packages:
  - `src/cmd/` - Main orchestrator
  - `src/internal/auth/` - OTP authentication package
  - `src/internal/imap/` - IMAP client (placeholder)
  - `src/internal/ai/` - DeepSeek AI integration (placeholder)
  - `src/internal/db/` - SQLite database with GORM models and encryption
  - `src/internal/worker/` - Background worker (placeholder)
  - `src/web/` - Web interface (templates + static)
  - `src/pkg/` - Shared utilities (config loader)
  - `bin/` - Compiled binary and configuration
- Modular authentication package:
  - OTP generation & hashing (bcrypt)
  - SMTP sender with `.env` credentials
  - Session cookie management (gorilla/sessions)
  - Database-backed OTP store
- Mobile-first frontend:
  - Responsive CSS with modern design system
  - Go HTML templates (login, verify, dashboard, settings)
  - Authentication flow (email + OTP)
- Database schema:
  - User model with OTP storage
  - Mailbox settings with encrypted passwords
  - Processed email tracking
- Configuration system:
  - YAML configuration file (`bin/config.yaml`)
  - Environment variable loading (`.env`)
  - Secret management for session encryption
- Web server with routing:
  - Gorilla mux router with middleware
  - Authentication middleware for protected routes
  - Static file serving
- Makefile with build, run, test targets
- Unit tests for authentication package