Merge remote-tracking branch 'upstream/main'

# Conflicts:
#	cmd/msgvault/cmd/addaccount.go
#	cmd/msgvault/cmd/root.go
#	cmd/msgvault/cmd/serve.go
#	cmd/msgvault/cmd/syncfull.go
#	go.mod
#	go.sum
#	internal/api/handlers.go
#	internal/api/handlers_test.go
#	internal/api/server.go
#	internal/oauth/oauth.go
#	internal/query/models.go
#	internal/store/store.go
#	internal/sync/sync.go

Author: sternryan

.github/workflows/release.yml

@@ -188,7 +188,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: artifacts
           merge-multiple: true
@@ -259,7 +259,7 @@ jobs:
           fi
 
       - name: Create Release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           files: |
             artifacts/*.tar.gz

.gitignore

@@ -1,5 +1,6 @@
 # Go binaries
 /msgvault
+/msgvault.exe
 /mimeshootout
 
 # Database files

.roborev.toml

@@ -14,10 +14,22 @@ HTTP remote defaults, plaintext key display in interactive CLI,
 enabled=true override on account creation, and page-aligned pagination
 are documented design decisions — see code comments at each site.
 
+Remote engine query string reconstruction in buildSearchQueryString is
+intentionally simplified — phrase quoting edge cases are acceptable since
+the search parser on the server re-parses the query. Empty search queries
+sending q= is expected; the server returns empty results gracefully.
+TimeGranularity defaults to "month" when unspecified, which is correct.
+
 This is a single-user personal tool with no privilege separation, no
 setuid, no shared directories, and no multi-tenant access. Do not flag
 symlink-following, local file overwrites, or similar CWE patterns that
 require an attacker with the same privileges as the user — they already
 own everything this tool touches. Auth on loopback-only endpoints with
 no configured API key is also by design.
+
+IMAP passwords are stored on disk with restricted file permissions
+(0600), equivalent to OAuth tokens and API keys in the same data
+directory. If the data directory is compromised, the user must rotate
+their IMAP app-specific password just as they would revoke API keys.
+Do not flag plaintext IMAP password storage as a finding.
 """

CLAUDE.md

@@ -4,7 +4,9 @@
 
 When a task involves multiple steps (e.g., implement + commit + PR), complete ALL steps in sequence without stopping. If creating a branch, committing, and opening a PR, finish the entire chain.
 
-Always commit after every turn. Don't wait for the user to ask — if you made changes, commit them before responding.
+Always commit after every turn. Don't wait for the user to ask — if you made changes, commit them before responding. Do not ask "shall I commit?" or "want me to commit?" — just commit. Committing is not a destructive or risky action; it is the expected default after every change.
+
+PR descriptions should be concise and changelog-oriented: what changed, why, and how to use it. Do not include test plans, design decisions, or implementation details — those belong in specs and commit messages.
 
 ## Project Overview
 
@@ -46,17 +48,28 @@ make lint                     # Run linter
 ./msgvault init-db                                    # Initialize database
 ./msgvault add-account you@gmail.com                  # Browser OAuth
 ./msgvault add-account you@gmail.com --headless       # Device flow
+./msgvault add-account you@acme.com --oauth-app acme  # Named OAuth app
 ./msgvault sync-full you@gmail.com --limit 100        # Sync with limit
 ./msgvault sync-full you@gmail.com --after 2024-01-01 # Sync date range
 ./msgvault sync-incremental you@gmail.com             # Incremental sync
 
 # TUI and analytics
 ./msgvault tui                                        # Launch TUI
 ./msgvault tui --account you@gmail.com                # Filter by account
+./msgvault tui --local                                # Force local (override remote config)
 ./msgvault build-cache                                # Build Parquet cache
 ./msgvault build-cache --full-rebuild                 # Full rebuild
 ./msgvault stats                                      # Show archive stats
 
+# Apple Mail import
+./msgvault import-emlx                                # Auto-discover accounts
+./msgvault import-emlx ~/Library/Mail                 # Explicit mail directory
+./msgvault import-emlx --account me@gmail.com         # Specific account(s)
+./msgvault import-emlx /path/to/dir --identifier me@gmail.com  # Manual fallback
+
+# Daemon mode (NAS/server deployment)
+./msgvault serve                                      # Start HTTP API + scheduled syncs
+
 # Maintenance
 ./msgvault repair-encoding                            # Fix UTF-8 encoding issues
 ```
@@ -71,6 +84,8 @@ make lint                     # Run linter
 - `build_cache.go` - Parquet cache builder (DuckDB)
 - `repair_encoding.go` - UTF-8 encoding repair
 
+- `import_emlx.go` - Apple Mail .emlx import command
+
 ### Core (`internal/`)
 - `tui/model.go` - Bubble Tea TUI model and update logic
 - `tui/view.go` - View rendering with lipgloss styling
@@ -246,6 +261,10 @@ Override with `MSGVAULT_HOME` environment variable.
 [oauth]
 client_secrets = "/path/to/client_secret.json"
 
+# Named OAuth apps for Google Workspace orgs
+# [oauth.apps.acme]
+# client_secrets = "/path/to/acme_secret.json"
+
 [sync]
 rate_limit_qps = 5
 ```

Makefile

@@ -47,7 +47,7 @@ install:
 
 # Clean build artifacts
 clean:
-	rm -f msgvault mimeshootout
+	rm -f msgvault msgvault.exe mimeshootout
 	rm -rf bin/
 
 # Run tests

README.md

@@ -15,18 +15,19 @@ Archive a lifetime of email. Analytics and search in milliseconds, entirely offl
 
 Your messages are yours. Decades of correspondence, attachments, and history shouldn't be locked behind a web interface or an API. msgvault downloads a complete local copy and then everything runs offline. Search, analytics, and the MCP server all work against local data with no network access required.
 
-Currently supports Gmail sync, plus offline imports from MBOX exports and Apple Mail (.emlx) directories.
+Currently supports Gmail and IMAP sync, plus offline imports from MBOX exports and Apple Mail (.emlx) directories.
 
 ## Features
 
 - **Full Gmail backup**: raw MIME, attachments, labels, and metadata
+- **IMAP sync**: archive mail from any standard IMAP server
 - **MBOX / Apple Mail import**: import email from MBOX exports or Apple Mail (.emlx) directories
-- **Interactive TUI**: drill-down analytics over your entire message history, powered by DuckDB over Parquet
+- **Interactive TUI**: drill-down analytics over your entire message history, powered by DuckDB over Parquet — connects to a remote `msgvault serve` instance or runs locally
 - **Full-text search**: FTS5 with Gmail-like query syntax (`from:`, `has:attachment`, date ranges)
 - **MCP server**: access your full archive at the speed of thought in Claude Desktop and other MCP-capable AI agents
 - **DuckDB analytics**: millisecond aggregate queries across hundreds of thousands of messages in the TUI, CLI, and MCP server
 - **Incremental sync**: History API picks up only new and changed messages
-- **Multi-account**: archive several Gmail accounts in a single database
+- **Multi-account**: archive several Gmail and IMAP accounts in a single database
 - **Resumable**: interrupted syncs resume from the last checkpoint
 - **Content-addressed attachments**: deduplicated by SHA-256
 
@@ -78,18 +79,23 @@ msgvault tui
 | Command | Description |
 |---------|-------------|
 | `init-db` | Create the database |
-| `add-account EMAIL` | Authorize a Gmail account (use `--headless` for servers) |
+| `add-account EMAIL` | Authorize a Gmail account (use `--headless` for servers) or add an IMAP account |
 | `sync-full EMAIL` | Full sync (`--limit N`, `--after`/`--before` for date ranges) |
 | `sync EMAIL` | Sync only new/changed messages |
-| `tui` | Launch the interactive TUI (`--account` to filter) |
-| `search QUERY` | Search messages (`--json` for machine output) |
+| `tui` | Launch the interactive TUI (`--account` to filter, `--local` to force local) |
+| `search QUERY` | Search messages (`--account` to filter, `--json` for machine output) |
+| `show-message ID` | View full message details (`--json` for machine output) |
 | `mcp` | Start the MCP server for AI assistant integration |
+| `serve` | Run daemon with scheduled sync and HTTP API for remote TUI |
 | `stats` | Show archive statistics |
+| `list-accounts` | List synced email accounts |
 | `verify EMAIL` | Verify archive integrity against Gmail |
 | `export-eml` | Export a message as `.eml` |
 | `import-mbox` | Import email from an MBOX export or `.zip` of MBOX files |
 | `import-emlx` | Import email from an Apple Mail directory tree |
 | `build-cache` | Rebuild the Parquet analytics cache |
+| `update` | Update msgvault to the latest version |
+| `setup` | Interactive first-run configuration wizard |
 | `repair-encoding` | Fix UTF-8 encoding issues |
 | `list-senders` / `list-domains` / `list-labels` | Explore metadata |
 
@@ -103,7 +109,8 @@ Import email from providers that offer MBOX exports or from a local Apple Mail d
 msgvault init-db
 msgvault import-mbox you@example.com /path/to/export.mbox
 msgvault import-mbox you@example.com /path/to/export.zip   # zip of MBOX files
-msgvault import-emlx you@example.com ~/Library/Mail/V10     # Apple Mail
+msgvault import-emlx                                        # auto-discover Apple Mail accounts
+msgvault import-emlx you@example.com ~/Library/Mail/V10     # explicit path
 ```
 
 ## Configuration
@@ -121,10 +128,60 @@ rate_limit_qps = 5
 
 See the [Configuration Guide](https://msgvault.io/configuration/) for all options.
 
+### Multiple OAuth Apps (Google Workspace)
+
+Some Google Workspace organizations require OAuth apps within their org.
+To use multiple OAuth apps, add named apps to `config.toml`:
+
+```toml
+[oauth]
+client_secrets = "/path/to/default_secret.json"   # for personal Gmail
+
+[oauth.apps.acme]
+client_secrets = "/path/to/acme_workspace_secret.json"
+```
+
+Then specify the app when adding accounts:
+
+```bash
+msgvault add-account you@acme.com --oauth-app acme
+msgvault add-account personal@gmail.com              # uses default
+```
+
+To switch an existing account to a different OAuth app:
+
+```bash
+msgvault add-account you@acme.com --oauth-app acme   # re-authorizes
+```
+
 ## MCP Server
 
 msgvault includes an MCP server that lets AI assistants search, analyze, and read your archived messages. Connect it to Claude Desktop or any MCP-capable agent and query your full message history conversationally. See the [MCP documentation](https://msgvault.io/usage/chat/) for setup instructions.
 
+## Daemon Mode (NAS/Server)
+
+Run msgvault as a long-running daemon for scheduled syncs and remote access:
+
+```bash
+msgvault serve
+```
+
+Configure scheduled syncs in `config.toml`:
+
+```toml
+[[accounts]]
+email = "you@gmail.com"
+schedule = "0 2 * * *"   # 2am daily (cron)
+enabled = true
+
+[server]
+api_port = 8080
+bind_addr = "0.0.0.0"
+api_key = "your-secret-key"
+```
+
+The TUI can connect to a remote server by configuring `[remote].url`. Use `--local` to force local database when remote is configured. See [docs/api.md](docs/api.md) for the HTTP API reference.
+
 ## Documentation
 
 - [Setup Guide](https://msgvault.io/guides/oauth-setup/): OAuth, first sync, headless servers