Merge upstream/main (wesm/msgvault) into fork

Merges 71 upstream commits including:
- Security fixes (command injection, path traversal, SQL injection, bounds checks)
- MCP integration with stage_deletion tool
- Windows support (installer, config paths, CI)
- NAS/Docker deployment support with HTTP API server
- Apple Mail and MBOX import commands
- FTS5 index population during sync
- Account management (remove-account, force reauth)
- Hide-deleted filter, label search, pagination fixes
- Nix flake support
- Dependency updates

Fork additions preserved:
- SQLCipher encryption (go-sqlcipher replacing mattn/go-sqlite3)
- Web UI (React/TypeScript SPA)
- iMessage sync support
- Google Voice Takeout import
- Obsidian vault export
- Backup/restore commands
- Email validation in add-account

Conflict resolution: unified on go-sqlcipher driver, combined
struct fields, kept upstream's refactored store_resolver pattern.

Author: sternryan

.dockerignore

@@ -0,0 +1,54 @@
+# Git
+.git
+.gitignore
+
+# Build artifacts
+msgvault
+mimeshootout
+bin/
+dist/
+
+# IDE/editor
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Local data (should not be in image)
+*.db
+*.db-journal
+*.db-wal
+*.db-shm
+tokens/
+attachments/
+analytics/
+
+# Sensitive config files (prevent secrets in build context)
+config.toml
+client_secret*.json
+*.pem
+*.key
+
+# Documentation (exclude most .md files but keep embedded assets)
+*.md
+!cmd/msgvault/cmd/quickstart.md
+!go.mod
+LICENSE
+
+# CI/CD
+.github/
+.githooks/
+
+# Nix
+flake.nix
+flake.lock
+result
+
+# Test data
+testdata/
+*_test.go

.githooks/pre-commit

@@ -18,9 +18,9 @@ if [ -n "$UNFORMATTED" ]; then
     exit 1
 fi
 
-# Run linter
+# Run linter (only check new issues vs HEAD)
 echo "Running linter..."
-if ! golangci-lint run ./... 2>&1; then
+if ! golangci-lint run --new-from-rev=HEAD ./... 2>&1; then
     echo ""
     echo "Lint failed. Fix errors before committing."
     exit 1

.github/CODEOWNERS

@@ -0,0 +1,19 @@
+# CODEOWNERS - Require approval from repo owners for critical files
+#
+# This is a security measure to prevent unauthorized changes to:
+# - GitHub Actions workflows (could steal secrets)
+# - Go module dependencies (supply chain entry point)
+
+# All GitHub Actions workflows require owner approval
+.github/workflows/** @wesm
+
+# Security-critical configuration
+.github/CODEOWNERS @wesm
+.github/dependabot.yml @wesm
+
+# Supply chain: Go dependency changes require owner approval
+go.mod @wesm
+go.sum @wesm
+
+# Security documentation
+SECURITY.md @wesm

.github/dependabot.yml

@@ -0,0 +1,26 @@
+version: 2
+updates:
+  # Go module dependencies
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "wesm"
+    groups:
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  # GitHub Actions dependencies (keeps pinned SHAs current)
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "wesm"

.github/workflows/ci.yml

@@ -9,9 +9,9 @@ jobs:
   test:
     runs-on: macos-15
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: go.mod
 
@@ -23,3 +23,43 @@ jobs:
 
       - name: Lint
         run: make lint
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
+
+      - name: Vulnerability check
+        run: govulncheck -tags fts5 ./...
+
+  test-windows:
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version-file: go.mod
+
+      - name: Build
+        env:
+          CGO_ENABLED: "1"
+        run: go build -tags fts5 -o msgvault.exe ./cmd/msgvault
+
+      - name: Test
+        env:
+          CGO_ENABLED: "1"
+        run: go test -tags fts5 ./...
+
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: msgvault-windows-amd64
+          path: msgvault.exe
+
+  nix-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+      - name: Build
+        run: nix build

.github/workflows/docker.yml

@@ -0,0 +1,118 @@
+name: Docker
+
+on:
+  push:
+    branches: [main]
+    tags:
+      - 'v*'
+  pull_request:
+    paths:
+      - 'Dockerfile'
+      - '.dockerignore'
+      - '.github/workflows/docker.yml'
+      - 'go.mod'
+      - 'go.sum'
+      - '**/*.go'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      # Only allow package writes for pushes to main/tags, not PRs
+      packages: ${{ github.event_name != 'pull_request' && 'write' || 'read' }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Log in to Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            # latest tag for main branch
+            type=raw,value=latest,enable={{is_default_branch}}
+            # version tags (v1.2.3 -> 1.2.3, v1.2.3 -> 1.2, v1.2.3 -> 1)
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
+            # sha tag for traceability
+            type=sha,prefix=sha-
+
+      - name: Prepare build args
+        id: build_args
+        run: |
+          if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
+            VERSION="${GITHUB_REF#refs/tags/}"
+          else
+            VERSION="dev-$(echo $GITHUB_SHA | cut -c1-8)"
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "commit=$(echo $GITHUB_SHA | cut -c1-8)" >> $GITHUB_OUTPUT
+          echo "build_date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_OUTPUT
+
+      - name: Build and push
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ steps.build_args.outputs.version }}
+            COMMIT=${{ steps.build_args.outputs.commit }}
+            BUILD_DATE=${{ steps.build_args.outputs.build_date }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Test image (amd64)
+        if: github.event_name == 'pull_request'
+        run: |
+          # Build single-arch for testing
+          docker buildx build \
+            --platform linux/amd64 \
+            --load \
+            --tag msgvault:test \
+            --build-arg VERSION=test \
+            --build-arg COMMIT=$(echo $GITHUB_SHA | cut -c1-8) \
+            --build-arg BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
+            .
+
+          # Smoke test: version command
+          echo "--- Version test ---"
+          docker run --rm msgvault:test version
+
+          # Smoke test: help command
+          echo "--- Help test ---"
+          docker run --rm msgvault:test --help
+
+          # Smoke test: init-db (creates database)
+          echo "--- Init DB test ---"
+          mkdir -p /tmp/msgvault-test && chmod 777 /tmp/msgvault-test
+          docker run --rm -v /tmp/msgvault-test:/data msgvault:test init-db
+          test -f /tmp/msgvault-test/msgvault.db || { echo "FATAL: database not created"; exit 1; }
+          echo "Database created successfully"
+
+          # Cleanup
+          rm -rf /tmp/msgvault-test

.github/workflows/release.yml

@@ -32,7 +32,7 @@ jobs:
           apt-get update
           apt-get install -y gcc g++ make git curl tar gzip file binutils
 
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Go
         run: |
@@ -75,7 +75,7 @@ jobs:
           tar czf "$ARCHIVE" msgvault
           rm msgvault
 
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: msgvault-linux-${{ matrix.goarch }}
           path: dist/*.tar.gz
@@ -91,9 +91,9 @@ jobs:
     runs-on: ${{ matrix.runner }}
 
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: go.mod
 
@@ -136,7 +136,7 @@ jobs:
           tar czf "$ARCHIVE" msgvault
           rm msgvault
 
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: msgvault-darwin-${{ matrix.goarch }}
           path: dist/*.tar.gz
@@ -147,9 +147,9 @@ jobs:
       run:
         shell: bash
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: go.mod
 
@@ -177,7 +177,7 @@ jobs:
           powershell -Command "Compress-Archive -Path msgvault.exe -DestinationPath '$ARCHIVE'"
           rm msgvault.exe
 
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: msgvault-windows-amd64
           path: dist/*.zip
@@ -186,9 +186,9 @@ jobs:
     needs: [build-linux, build-darwin, build-windows]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
         with:
           path: artifacts
           merge-multiple: true
@@ -259,7 +259,7 @@ jobs:
           fi
 
       - name: Create Release
-        uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
           files: |
             artifacts/*.tar.gz

.gitignore

@@ -23,16 +23,24 @@ oauth_client*.json
 # Local development state
 .beads/
 .githooks/post-commit
+.githooks/post-rewrite
+.mcp.json
+
+# Python
+__pycache__/
+
+# Go caches
+.gocache/
+.gopath/
 
 # IDE
 .idea/
 .vscode/
 *.swp
 *.swo
+.projects/
 
-# Frontend
+# Claude Code
+.claude/
 web/node_modules/
 internal/web/dist/
-
-# Obsidian
-.obsidian/