github/OpenArchiver
1
1
Fork 0
mirror of https://github.com/LogicLabs-OU/OpenArchiver.git synced 2026-04-06 00:31:57 +02:00
Code Issues 161 Packages Projects Releases Wiki Activity

Compare commits

base: github:user-api-key
Branches Tags
github:main github:gh-pages github:v0.5.1-dev github:v0.4.3-release github:ee-legalhold github:ee-retention github:v0.4.3-dev github:wayneshn-patch-1 github:v0.4.3-pre github:v0.4.2-fix github:v0.4.2-dev github:v0.4.1-dev github:mailbox-processing-opt github:v0.4.0-fix github:ee-init github:docs-ocr github:v0.3.x-fixes github:issue-templates github:security-update github:create-funding-yml github:display-versions github:attachment-ocr github:docs github:user-api-key github:demo-mode github:v0.3.0 github:system-settings github:wip github:CLA-v2 github:role-based-access github:dev
github:v0.5.0 github:v0.4.2 github:v0.4.1 github:v0.4.0 github:v0.3.4 github:v0.3.3 github:v0.3.2 github:v0.3.1 github:v0.3.0 github:v0.2.1 github:v0.2.0 github:v0.1.2 github:v0.1.1 github:v0.1.0
...
compare: github:main
Branches Tags
github:gh-pages github:main github:v0.5.1-dev github:v0.4.3-release github:ee-legalhold github:ee-retention github:v0.4.3-dev github:wayneshn-patch-1 github:v0.4.3-pre github:v0.4.2-fix github:v0.4.2-dev github:v0.4.1-dev github:mailbox-processing-opt github:v0.4.0-fix github:ee-init github:docs-ocr github:v0.3.x-fixes github:issue-templates github:security-update github:create-funding-yml github:display-versions github:attachment-ocr github:docs github:user-api-key github:demo-mode github:v0.3.0 github:system-settings github:wip github:CLA-v2 github:role-based-access github:dev
github:v0.5.0 github:v0.4.2 github:v0.4.1 github:v0.4.0 github:v0.3.4 github:v0.3.3 github:v0.3.2 github:v0.3.1 github:v0.3.0 github:v0.2.1 github:v0.2.0 github:v0.1.2 github:v0.1.1 github:v0.1.0

38 Commits
user-api-k ... main

Author SHA1 Message Date
Wei S.
0c42b30c9e V0.5.1 dev (#341) 
* OpenAPI root url fix

* Journaling OSS setup

* feat: add preserve-original-file mode for email ingestion for GoBD compliance

- Add `preserveOriginalFile` option to ingestion sources and connectors
- Stream original EML/MBOX/PST emails to temp files instead of holding
  full buffers in memory, reducing memory allocation during ingestion
- Skip attachment binary extraction and EML re-serialization when
  preserve mode is enabled; use raw file on disk as source of truth
- Update `EmailObject` to use `tempFilePath` instead of in-memory `eml`
  buffer across all connectors (EML, MBOX, PST)
- Add new database migration (0032) for `preserve_original_file` column
- Add frontend UI toggle with tooltip (tippy.js) for the new option
- Replace console.warn calls with structured pino logger in connectors

* add isjournaled property to archived_email

* feat(ingestion): add unmerge ingestion source functionality

Introduces the ability to detach a child ingestion source from its
merge group, making it a standalone root source. Changes include:

- Add `unmerge` controller method with auth and error handling
- Add POST `/v1/ingestion-sources/{id}/unmerge` route with OpenAPI docs
- Implement `IngestionService.unmerge` backend logic
- Add unmerge UI action and handler in the frontend ingestion view
- Fix bulk delete to also remove children of deleted root sources
- Update docs with new API operation and merging sources user guide

* code formatting

* Database migration file for enum `partially_active`

* Error handling improvement
 2026-03-30 22:29:03 +02:00
Wei S.
e5e119528f V0.5.0 release (#335) 
* adding exports to backend package, page icons update

* Integrity report PDF generation

* Fixed inline attachment images not displaying in the email preview by modifying `EmailPreview.svelte`.
The email HTML references embedded images via `cid:` URIs (e.g., `src="cid:ii_19c6d5f8d5eee7bd6d91"`), but the component never resolved those `cid:` references to actual image data, even though `postal-mime` already parses inline attachments with their `contentId` and binary `content`.
The `emailHtml` derived value now calls `resolveContentIdReferences()` before rendering, so inline/embedded images display correctly in the iframe preview.

* feat: strip non-inline attachments from EML before storage

Add nodemailer dependency and emlUtils helper to remove non-inline
attachments from .eml buffers during ingestion. This avoids
double-storing attachment data since attachments are already stored
separately.

* upload error handing for file based ingestion

* Use Postgres for sync session management

* Google workspace / MS 365 duplicate check, avoid extra API call when previous ingestion fails

* OpenAPI specs for API docs

* code formatting

* ran duplicate check for IMAP import, optimize message listing

* Version update
 2026-03-20 13:14:41 +01:00
Wei S.
20ef9a42ae Legal hold + retention label (#334) 2026-03-12 22:36:35 +01:00
Wei S.
81b87b4b7e Retention policy (#329) 
* Retention policy schema/types

* schema generate

* retention policy (backend/frontend)
 2026-03-09 18:31:38 +01:00
Wei S.
b5f95760f4 schema generation files (#326) 
* Retention policy schema/types

* schema generate
 2026-03-07 01:19:29 +01:00
Wei S.
85000ad82b Retention policy schema/types (#325) 2026-03-07 01:16:14 +01:00
Wei S.
c5672d0f81 V0.4.3 dev (#324) 
* feat(types): update license types and prepare @open-archiver/types for public publish

- Add `LicensePingRequest` and `LicensePingResponse` interfaces for the license server ping endpoint
- Update `LicenseStatusPayload` to include `lastCheckedAt` and `planSeats` fields, and change status from `REVOKED` to `INVALID`
- Update `ConsolidatedLicenseStatus` to reflect `INVALID` status and add `lastCheckedAt`
- Bump `@open-archiver/types` version from 0.1.0 to 0.1.2, set license to MIT, make package public, and add `files` field

* update license types
 2026-03-06 13:29:42 +01:00
Wei S.
9b303c963e feat(types): update license types and prepare @open-archiver/types for public publish (#320) 
- Add `LicensePingRequest` and `LicensePingResponse` interfaces for the license server ping endpoint
- Update `LicenseStatusPayload` to include `lastCheckedAt` and `planSeats` fields, and change status from `REVOKED` to `INVALID`
- Update `ConsolidatedLicenseStatus` to reflect `INVALID` status and add `lastCheckedAt`
- Bump `@open-archiver/types` version from 0.1.0 to 0.1.2, set license to MIT, make package public, and add `files` field
 2026-03-02 13:50:37 +01:00
Wei S.
9228f64221 Update demo user (#318) 
Updated section headers and improved grammar in the README.
 2026-02-27 13:22:57 +01:00
Wei S.
481a5ce6f9 Job tab dark theme fix, demo mode (#317) 2026-02-27 12:58:25 +01:00
Wei S.
3434e8d6ef v0.4.2-fix: improve ingestion error handling and error messages (#312) 
* fix(backend): improve ingestion error handling and error messages

This commit introduces a "force delete" mechanism for Ingestion Sources and improves error messages for file-based connectors.

Changes:
- Update `IngestionService.delete` to accept a `force` flag, bypassing the `checkDeletionEnabled` check.
- Use `force` deletion when rolling back failed ingestion source creations (e.g., decryption errors or connection failures) to ensure cleanup even if deletion is globally disabled.
- Enhance error messages in `EMLConnector`, `MboxConnector`, and `PSTConnector` to distinguish between missing local files and failed uploads, providing more specific feedback to the user.

* feat(ingestion): optimize duplicate handling and fix race conditions in Google Workspace

- Implement fast duplicate check (by Message-ID) to skip full content download for existing emails in Google Workspace and IMAP connectors.
- Fix race condition in Google Workspace initial import by capturing `historyId` before listing messages, ensuring no data loss for incoming mail during import.
 2026-02-24 18:10:32 +01:00
Wei S.
7dac3b2bfd V0.4.2 (#310) 
* fix(api): correct API key generation and proxy handling

This commit resolves an issue where generating a new API key would fail. The root cause was improper handling of POST request bodies in the frontend proxy server.

- Refactored `ApiKeyController` methods to use arrow functions to ensure correct `this` binding.

* User profile/account page, change password, API

* docs(api): update ingestion source provider values

Update the `CreateIngestionSourceDto` documentation in `ingestion.md` to reflect the current set of supported providers.

* updating tag

* feat: add REDIS_USER env variable (#172)

* feat: add REDIS_USER env variable

fixes #171

* add proper type for bullmq config

* Bulgarian UI language strings added (backend+frontend) (#194)

* Bulgarian UI Support added

* BG language UI support - Create translation.json

* update redis config logic

* Update Bulgarian language setting, register language

* Allow specifying local file path for mbox/eml/pst (#214)

* Add agents AI doc

* Allow local file path for Mbox file ingestion


---------

Co-authored-by: Wei S. <5291640+wayneshn@users.noreply.github.com>

* feat(ingestion): add local file path support and optimize EML processing

- Frontend: Updated IngestionSourceForm to allow toggling between "Upload File" and "Local File Path" for PST, EML, and Mbox providers.
- Frontend: Added logic to clear irrelevant form data when switching import methods.
- Frontend: Added English translations for new form fields.
- Backend: Refactored EMLConnector to stream ZIP entries using yauzl instead of extracting the full archive to disk, significantly improving efficiency for large archives.
- Docs: Updated API documentation and User Guides (PST, EML, Mbox) to clarify "Local File Path" usage, specifically within Docker environments.

* docs: add meilisearch dumpless upgrade guide and snapshot config

Update `docker-compose.yml` to include the `MEILI_SCHEDULE_SNAPSHOT` environment variable, defaulting to 86400 seconds (24 hours), enabling periodic data snapshots for easier recovery. Shout out to @morph027 for the inspiration!

Additionally, update the Meilisearch upgrade documentation to include an experimental "dumpless" upgrade guide while marking the previous method as the standard recommended process.

* build(coolify): enable daily snapshots for meilisearch

Configure the Meilisearch service in `open-archiver.yml` to create snapshots every 86400 seconds (24 hours) by setting the `MEILI_SCHEDULE_SNAPSHOT` environment variable.

---------

Co-authored-by: Antonia Schwennesen <53372671+zophiana@users.noreply.github.com>
Co-authored-by: IT Creativity + Art Team <admin@it-playground.net>
Co-authored-by: Jan Berdajs <mrbrdo@gmail.com>
 2026-02-23 21:25:44 +01:00
albanobattistella
cf121989ae Update Italian linguage (#278) 2026-01-18 15:28:20 +01:00
Wei S.
2df5c9240d V0.4.1 dev (#276) 
* fix(api): correct API key generation and proxy handling

This commit resolves an issue where generating a new API key would fail. The root cause was improper handling of POST request bodies in the frontend proxy server.

- Refactored `ApiKeyController` methods to use arrow functions to ensure correct `this` binding.

* User profile/account page, change password, API

* docs(api): update ingestion source provider values

Update the `CreateIngestionSourceDto` documentation in `ingestion.md` to reflect the current set of supported providers.

* updating tag
 2026-01-17 13:21:01 +01:00
Wei S.
24afd13858 V0.4.1: API key generation fix, change password, account profile (#273) 
* fix(api): correct API key generation and proxy handling

This commit resolves an issue where generating a new API key would fail. The root cause was improper handling of POST request bodies in the frontend proxy server.

- Refactored `ApiKeyController` methods to use arrow functions to ensure correct `this` binding.

* User profile/account page, change password, API

* docs(api): update ingestion source provider values

Update the `CreateIngestionSourceDto` documentation in `ingestion.md` to reflect the current set of supported providers.
 2026-01-17 02:46:27 +02:00
Wei S.
c2006dfa94 V0.4 fix 2 (#210) 
* formatting code

* Remove uninstalled packages

* fix(imap): Improve IMAP connection stability and error handling

This commit refactors the IMAP connector to enhance connection management, error handling, and overall stability during email ingestion.

The `isConnected` flag has been removed in favor of relying directly on the `client.usable` property from the `imapflow` library. This simplifies the connection logic and avoids state synchronization issues.

The `connect` method now re-creates the client instance if it's not usable, ensuring a fresh connection after errors or disconnects. The retry mechanism (`withRetry`) has been updated to no longer manually reset the connection state, as the `connect` method now handles this automatically on the next attempt.

Additionally, a minor bug in the `sync-cycle-finished` processor has been fixed. The logic for merging sync states from successful jobs has been simplified and correctly typed, preventing potential runtime errors when no successful jobs are present.

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-10-29 12:59:19 +01:00
Wei S.
399059a773 V0.4 fix 2 (#207) 
* formatting code

* Remove uninstalled packages

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-10-28 13:39:09 +01:00
Wei S.
0cff788656 formatting code (#206) 
Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-10-28 13:35:53 +01:00
Wei S.
ddb4d56107 V0.4.0 fix (#205) 
* Jobs page responsive fix

* feat(ingestion): Refactor email indexing into a dedicated background job

This commit refactors the email indexing process to improve the performance and reliability of the ingestion pipeline.

Previously, email indexing was performed synchronously within the mailbox processing job. This could lead to timeouts and failed ingestion cycles if the indexing step was slow or encountered errors.

To address this, the indexing logic has been moved into a separate, dedicated background job queue (`indexingQueue`). Now, the mailbox processor simply adds a batch of emails to this queue. A separate worker then processes the indexing job asynchronously.

This decoupling makes the ingestion process more robust:
- It prevents slow indexing from blocking or failing the entire mailbox sync.
- It allows for better resource management and scalability by handling indexing in a dedicated process.
- It improves error handling, as a failed indexing job can be retried independently without affecting the main ingestion flow.

Additionally, this commit includes minor documentation updates and removes a premature timeout in the PDF text extraction helper that was causing issues.

* remove uninstalled packages

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-10-28 13:19:56 +01:00
Wei S.
42b0f6e5f1 V0.4.0 fix (#204) 
* Jobs page responsive fix

* feat(ingestion): Refactor email indexing into a dedicated background job

This commit refactors the email indexing process to improve the performance and reliability of the ingestion pipeline.

Previously, email indexing was performed synchronously within the mailbox processing job. This could lead to timeouts and failed ingestion cycles if the indexing step was slow or encountered errors.

To address this, the indexing logic has been moved into a separate, dedicated background job queue (`indexingQueue`). Now, the mailbox processor simply adds a batch of emails to this queue. A separate worker then processes the indexing job asynchronously.

This decoupling makes the ingestion process more robust:
- It prevents slow indexing from blocking or failing the entire mailbox sync.
- It allows for better resource management and scalability by handling indexing in a dedicated process.
- It improves error handling, as a failed indexing job can be retried independently without affecting the main ingestion flow.

Additionally, this commit includes minor documentation updates and removes a premature timeout in the PDF text extraction helper that was causing issues.

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-10-28 13:14:43 +01:00
Wei S.
6e1ebbbfd7 v0.4 init: File encryption, integrity report, deletion protection, job monitoring (#187) 
* open-core setup, adding enterprise package

* enterprise: Audit log API, UI

* Audit-log docs

* feat: Integrity report, allowing users to verify the integrity of archived emails and their attachments.

- When an email is archived, Open Archiver calculates a unique cryptographic signature (a SHA256 hash) for the email's raw `.eml` file and for each of its attachments. These signatures are stored in the database alongside the email's metadata.
- The integrity check feature recalculates these signatures for the stored files and compares them to the original signatures stored in the database. This process allows you to verify that the content of your archived emails has not been altered, corrupted, or tampered with since the moment they were archived.
- Add docs of Integrity report

* Update Docker-compose.yml to use bind mount for Open Archiver data.
Fix API rate-limiter warning about trust proxy

* File encryption support

* Scope attachment deduplication to ingestion source

Previously, attachment deduplication was handled globally by enforcing a unique constraint on the content hash (contentHashSha256) in the `attachments` table. This caused an issue where an attachment from one ingestion source would be incorrectly linked if the same attachment was processed by a different source.

This commit refactors the deduplication logic to be scoped on a per-ingestion-source basis.

Changes:
-   **Schema:** The `attachments` table schema has been updated to include a nullable `ingestionSourceId` column. A composite unique index has been added on `(ingestionSourceId, contentHashSha256)` to enforce per-source uniqueness. The `ingestionSourceId` is nullable to ensure backward compatibility with existing databases.
-   **Ingestion Logic:** The `IngestionService` has been updated to provide the `ingestionSourceId` when inserting attachment records. The `onConflictDoUpdate` clause now targets the new composite key, ensuring that attachments are only considered duplicates if they have the same hash and originate from the same ingestion source.

* Scope attachment deduplication to ingestion source

Previously, attachment deduplication was handled globally by enforcing a unique constraint on the content hash (contentHashSha256) in the `attachments` table. This caused an issue where an attachment from one ingestion source would be incorrectly linked if the same attachment was processed by a different source.

This commit refactors the deduplication logic to be scoped on a per-ingestion-source basis.

Changes:
-   **Schema:** The `attachments` table schema has been updated to include a nullable `ingestionSourceId` column. A composite unique index has been added on `(ingestionSourceId, contentHashSha256)` to enforce per-source uniqueness. The `ingestionSourceId` is nullable to ensure backward compatibility with existing databases.
-   **Ingestion Logic:** The `IngestionService` has been updated to provide the `ingestionSourceId` when inserting attachment records. The `onConflictDoUpdate` clause now targets the new composite key, ensuring that attachments are only considered duplicates if they have the same hash and originate from the same ingestion source.

* Add option to disable deletions

This commit introduces a new feature that allows admins to disable the deletion of emails and ingestion sources for the entire instance. This is a critical feature for compliance and data retention, as it prevents accidental or unauthorized deletions.

Changes:
-   **Configuration**: Added an `ENABLE_DELETION` environment variable. If this variable is not set to `true`, all deletion operations will be disabled.
-   **Deletion Guard**: A centralized `checkDeletionEnabled` guard has been implemented to enforce this setting at both the controller and service levels, ensuring a robust and secure implementation.
-   **Documentation**: The installation guide has been updated to include the new `ENABLE_DELETION` environment variable and its behavior.
-   **Refactor**: The `IngestionService`'s `create` method was refactored to remove unnecessary calls to the `delete` method, simplifying the code and improving its robustness.

* Adding position for menu items

* feat(docker): Fix CORS errors

This commit fixes CORS errors when running the app in Docker by introducing the `APP_URL` environment variable. A CORS policy is set up for the backend to only allow origin from the `APP_URL`.

Key changes include:
- New `APP_URL` and `ORIGIN` environment variables have been added to properly configure CORS and the SvelteKit adapter, making the application's public URL easily configurable.
- Dockerfiles are updated to copy the entrypoint script, Drizzle config, and migration files into the final image.
- Documentation and example files (`.env.example`, `docker-compose.yml`) have been updated to reflect these changes.

* feat(attachments): De-duplicate attachment content by content hash

This commit refactors attachment handling to allow multiple emails within the same ingestion source to reference attachments with identical content (same hash).

Changes:
- The unique index on the `attachments` table has been changed to a non-unique index to permit duplicate hash/source pairs.
- The ingestion logic is updated to first check for an existing attachment with the same hash and source. If found, it reuses the existing record; otherwise, it creates a new one. This maintains storage de-duplication.
- The email deletion logic is improved to be more robust. It now correctly removes the email-attachment link before checking if the attachment record and its corresponding file can be safely deleted.

* Not filtering our Trash folder

* feat(backend): Add BullMQ dashboard for job monitoring

This commit introduces a web-based UI for monitoring and managing background jobs using Bullmq.

Key changes:
- A new `/api/v1/jobs` endpoint is created, serving the Bull Board dashboard. Access is restricted to authenticated administrators.
- All BullMQ queue definitions (`ingestion`, `indexing`, `sync-scheduler`) have been centralized into a new `packages/backend/src/jobs/queues.ts` file.
- Workers and services now import queue instances from this central file, improving code organization and removing redundant queue instantiations.

* Add `ALL_INCLUSIVE_ARCHIVE` environment variable to disable jun filtering

* Using BSL license

* frontend: Responsive design for menu bar, pagination

* License service/module

* Remove demoMode logic

* Formatting code

* Remove enterprise packages

* Fix package.json in packages

* Search page responsive fix

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-10-24 17:11:05 +02:00
Wei S.
1e048fdbc1 Update package.json 2025-09-26 17:06:40 +02:00
Wei S.
b71dd55e25 add OCR docs (#144) 
Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-26 12:09:23 +02:00
Wei S.
d372ef7566 Feat: Tika Integration and Batch Indexing (#132) 
* Feat/tika integration (#94)

* feat(Tika) Integration von Tika zur Textextraktion

* feat(Tika) Integration of Apache Tika for text extraction

* feat(Tika): Complete Tika integration with text extraction and docker-compose setup

- Add Tika service to docker-compose.yml
- Implement text sanitization and document validation
- Improve batch processing with concurrency control

* fix(comments) translated comments into english
fix(docker) removed ports (only used for testing)

* feat(indexing): Implement batch indexing for Meilisearch

This change introduces batch processing for indexing emails into Meilisearch to significantly improve performance and throughput during ingestion. This change is based on the batch processing method previously contributed by @axeldunkel.

Previously, each email was indexed individually, resulting in a high number of separate API calls. This approach was inefficient, especially for large mailboxes.

The `processMailbox` queue worker now accumulates emails into a batch before sending them to the `IndexingService`. The service then uses the `addDocuments` Meilisearch API endpoint to index the entire batch in a single request, reducing network overhead and improving indexing speed.

A new environment variable, `MEILI_INDEXING_BATCH`, has been added to make the batch size configurable, with a default of 500.

Additionally, this commit includes minor refactoring:
- The `TikaService` has been moved to its own dedicated file.
- The `PendingEmail` type has been moved to the shared `@open-archiver/types` package.

* chore(jobs): make continuous sync job scheduling idempotent

Adds a static `jobId` to the repeatable 'schedule-continuous-sync' job.

This prevents duplicate jobs from being scheduled if the server restarts. By providing a unique ID, the queue will update the existing repeatable job instead of creating a new one, ensuring the sync runs only at the configured frequency.

---------

Co-authored-by: axeldunkel <53174090+axeldunkel@users.noreply.github.com>
Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-26 11:34:32 +02:00
Wei S.
e9a65f9672 feat: Add Mbox ingestion (#117) 
This commit introduces two major features:

1.  **Mbox File Ingestion:**
    Users can now ingest emails from Mbox files (`.mbox`). A new Mbox connector has been implemented on the backend, and the user interface has been updated to support creating Mbox ingestion sources. Documentation for this new provider has also been added.

Additionally, this commit includes new documentation for upgrading and migrating Open Archiver.

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-16 20:30:22 +03:00
Wei S.
ce3f379b7a Update issue templates (#110) 2025-09-14 16:25:13 +03:00
Wei S.
37a778cb6d chore(deps): Update dependencies across packages (#105) 
This commit updates several dependencies in the frontend and backend packages.

- **Backend:**
  - Upgrades `xlsx` to version `0.20.3` by pointing to the official CDN URL. This ensures usage of the community edition with a permissive license.
  - Removes the unused `bull-board` development dependency.

- **Frontend:**
  - Upgrades `@sveltejs/kit` from `^2.16.0` to `^2.38.1` to stay current with the latest features and fixes.

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-11 22:07:35 +03:00
Wei S.
26a760b232 Create FUNDING.yml (#102) 2025-09-10 17:09:13 +03:00
Wei S.
6be0774bc4 Display versions: Add new version notification in footer (#101) 
* feat: Add new version notification in footer

This commit implements a system to check for new application versions and notify the user.

On page load, the server-side code now fetches the latest release from the GitHub repository API. It uses `semver` to compare the current application version with the latest release tag.

If a newer version is available, an alert is displayed in the footer with a link to the release page. The current application version is also now displayed in the footer. The version check is cached for one hour to minimize API requests.

* Modify version notification

* current version 0.3.1

* Resolve conflicts

* Code formatting

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-10 12:09:12 +03:00
Wei S.
4a23f8f29f feat: Add new version notification in footer (#99) 
This commit implements a system to check for new application versions and notify the user.

On page load, the server-side code now fetches the latest release from the GitHub repository API. It uses `semver` to compare the current application version with the latest release tag.

If a newer version is available, an alert is displayed in the footer with a link to the release page. The current application version is also now displayed in the footer. The version check is cached for one hour to minimize API requests.

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-09 23:36:35 +03:00
albanobattistella
074256ed59 Update it.json (#90) 2025-09-07 23:44:08 +03:00
Wei S.
7d178d786b Docs: code formatting (#92) 
* Adding rate limiting docs

* update rate limiting docs

* Resolve conflict

* Code formatting

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-06 18:06:59 +03:00
Wei S.
4b11cd931a Docs: update rate limiting docs (#91) 
* Adding rate limiting docs

* update rate limiting docs

* Resolve conflict

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-06 17:56:34 +03:00
scotscotmcc
0a21ad14cd Update README.md (#89) 
fix folder in installation steps
 2025-09-06 17:38:43 +03:00
Wei S.
63d3960f79 Adding rate limiting docs (#88) 
Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-04 17:44:10 +03:00
Wei S.
85a526d1b6 User api key: JSON rate limiting message & status code (#87) 
* feat(auth): Implement API key authentication

This commit enables API access with an API key system. This change provides a better experience for programmatic access and third-party integrations.

Key changes include:
- **API Key Management:** Users can now generate, manage, and revoke persistent API keys through a new "API Keys" section in the settings UI.
- **Authentication Middleware:** API requests are now authenticated via an `X-API-KEY` header instead of the previous `Authorization: Bearer` token.
- **Backend Implementation:** Adds a new `api_keys` database table, along with corresponding services, controllers, and routes to manage the key lifecycle securely.
- **Rate Limiting:** The API rate limiter now uses the API key to identify and track requests.
- **Documentation:** The API authentication documentation has been updated to reflect the new method.

* Add configurable API rate limiting

Two new variables are added to `.env.example`:
- `RATE_LIMIT_WINDOW_MS`: The time window in milliseconds for which requests are checked (defaults to 15 minutes).
- `RATE_LIMIT_MAX_REQUESTS`: The maximum number of requests allowed from an IP within the window (defaults to 100).

The installation documentation has been updated to reflect these new configuration options.

* Disable API operation in demo mode

* Exclude public API endpoints from rate limiting

* JSON rate limiting message & status code

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-04 17:32:43 +03:00
Wei S.
52a1a11973 User api key: Exclude public API endpoints from rate limiting (#86) 
* feat(auth): Implement API key authentication

This commit enables API access with an API key system. This change provides a better experience for programmatic access and third-party integrations.

Key changes include:
- **API Key Management:** Users can now generate, manage, and revoke persistent API keys through a new "API Keys" section in the settings UI.
- **Authentication Middleware:** API requests are now authenticated via an `X-API-KEY` header instead of the previous `Authorization: Bearer` token.
- **Backend Implementation:** Adds a new `api_keys` database table, along with corresponding services, controllers, and routes to manage the key lifecycle securely.
- **Rate Limiting:** The API rate limiter now uses the API key to identify and track requests.
- **Documentation:** The API authentication documentation has been updated to reflect the new method.

* Add configurable API rate limiting

Two new variables are added to `.env.example`:
- `RATE_LIMIT_WINDOW_MS`: The time window in milliseconds for which requests are checked (defaults to 15 minutes).
- `RATE_LIMIT_MAX_REQUESTS`: The maximum number of requests allowed from an IP within the window (defaults to 100).

The installation documentation has been updated to reflect these new configuration options.

* Disable API operation in demo mode

* Exclude public API endpoints from rate limiting

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-04 17:27:57 +03:00
Wei S.
4048f47777 User api key: Disable API operation in demo mode (#85) 
* feat(auth): Implement API key authentication

This commit enables API access with an API key system. This change provides a better experience for programmatic access and third-party integrations.

Key changes include:
- **API Key Management:** Users can now generate, manage, and revoke persistent API keys through a new "API Keys" section in the settings UI.
- **Authentication Middleware:** API requests are now authenticated via an `X-API-KEY` header instead of the previous `Authorization: Bearer` token.
- **Backend Implementation:** Adds a new `api_keys` database table, along with corresponding services, controllers, and routes to manage the key lifecycle securely.
- **Rate Limiting:** The API rate limiter now uses the API key to identify and track requests.
- **Documentation:** The API authentication documentation has been updated to reflect the new method.

* Add configurable API rate limiting

Two new variables are added to `.env.example`:
- `RATE_LIMIT_WINDOW_MS`: The time window in milliseconds for which requests are checked (defaults to 15 minutes).
- `RATE_LIMIT_MAX_REQUESTS`: The maximum number of requests allowed from an IP within the window (defaults to 100).

The installation documentation has been updated to reflect these new configuration options.

* Disable API operation in demo mode

---------

Co-authored-by: Wayne <5291640+ringoinca@users.noreply.github.com>
 2025-09-04 16:56:45 +03:00
278 changed files with 51206 additions and 6036 deletions
Expand all files Collapse all files

65
.env.example
View File

@@ -4,8 +4,17 @@
NODE_ENV=development
PORT_BACKEND=4000
PORT_FRONTEND=3000
# The public-facing URL of your application. This is used by the backend to configure CORS.
APP_URL=http://localhost:3000
# This is used by the SvelteKit Node adapter to determine the server's public-facing URL.
# It should always be set to the value of APP_URL.
ORIGIN=$APP_URL
# The frequency of continuous email syncing. Default is every minutes, but you can change it to another value based on your needs.
SYNC_FREQUENCY='* * * * *'
# Set to 'true' to include Junk and Trash folders in the email archive. Defaults to false.
ALL_INCLUSIVE_ARCHIVE=false
# Number of mailbox jobs that run concurrently in the ingestion worker. Increase on servers with more RAM.
INGESTION_WORKER_CONCURRENCY=5
# --- Docker Compose Service Configuration ---
# These variables are used by docker-compose.yml to configure the services. Leave them unchanged if you use Docker services for Postgresql, Valkey (Redis) and Meilisearch. If you decide to use your own instances of these services, you can substitute them with your own connection credentials.
@@ -19,7 +28,8 @@ DATABASE_URL="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/$
# Meilisearch
MEILI_MASTER_KEY=aSampleMasterKey
MEILI_HOST=http://meilisearch:7700
# The number of emails to batch together for indexing. Defaults to 500.
MEILI_INDEXING_BATCH=500
# Redis (We use Valkey, which is Redis-compatible and open source)
@@ -28,18 +38,26 @@ REDIS_PORT=6379
REDIS_PASSWORD=defaultredispassword
# If you run Valkey service from Docker Compose, set the REDIS_TLS_ENABLED variable to false.
REDIS_TLS_ENABLED=false
# Redis username. Only required if not using the default user.
REDIS_USER=notdefaultuser
# --- Storage Settings ---
# Choose your storage backend. Valid options are 'local' or 's3'.
STORAGE_TYPE=local
# The maximum request body size to accept in bytes including while streaming. The body size can also be specified with a unit suffix for kilobytes (K), megabytes (M), or gigabytes (G). For example, 512K or 1M. Defaults to 512kb. Or the value of Infinity if you don't want any upload limit.
# The maximum request body size the SvelteKit frontend server will accept (including file uploads via streaming).
# Accepts a numeric value in bytes, or a unit suffix: K (kilobytes), M (megabytes), G (gigabytes).
# Set to 'Infinity' to remove the limit entirely (recommended for archiving large PST/Mbox files).
# Examples: 512K, 100M, 5G, Infinity. Defaults to 512K if not set.
# For very large files (multi-GB), consider using the "Local Path" ingestion option which bypasses this limit entirely.
BODY_SIZE_LIMIT=100M
# --- Local Storage Settings ---
# The path inside the container where files will be stored.
# This is mapped to a Docker volume for persistence.
# This is only used if STORAGE_TYPE is 'local'.
# This is not an optional variable, it is where the Open Archiver service stores application data. Set this even if you are using S3 storage.
# Make sure the user that runs the Open Archiver service has read and write access to this path.
# Important: It is recommended to create this path manually before installation, otherwise you may face permission and ownership problems.
STORAGE_LOCAL_ROOT_PATH=/var/data/open-archiver
# --- S3-Compatible Storage Settings ---
@@ -52,14 +70,26 @@ STORAGE_S3_REGION=
# Set to 'true' for MinIO and other non-AWS S3 services
STORAGE_S3_FORCE_PATH_STYLE=false
# --- Storage Encryption ---
# IMPORTANT: Generate a secure, random 32-byte hex string for this key.
# You can use `openssl rand -hex 32` to generate a key.
# This key is used for AES-256 encryption of files at rest.
# This is an optional variable, if not set, files will not be encrypted.
STORAGE_ENCRYPTION_KEY=
# --- Security & Authentication ---
# Enable or disable deletion of emails and ingestion sources. Defaults to false.
ENABLE_DELETION=false
# Rate Limiting
# The window in milliseconds for which API requests are checked. Defaults to 900000 (15 minutes).
RATE_LIMIT_WINDOW_MS=900000
# The window in milliseconds for which API requests are checked. Defaults to 60000 (1 minute).
RATE_LIMIT_WINDOW_MS=60000
# The maximum number of API requests allowed from an IP within the window. Defaults to 100.
RATE_LIMIT_MAX_REQUESTS=100
# JWT
# IMPORTANT: Change this to a long, random, and secret string in your .env file
JWT_SECRET=a-very-secret-key-that-you-should-change
@@ -70,3 +100,28 @@ JWT_EXPIRES_IN="7d"
# IMPORTANT: Generate a secure, random 32-byte hex string for this
# You can use `openssl rand -hex 32` to generate a key.
ENCRYPTION_KEY=
# Apache Tika Integration
# ONLY active if TIKA_URL is set
TIKA_URL=http://tika:9998
# Enterprise features (Skip this part if you are using the open-source version)
# Batch size for managing retention policy lifecycle. (This number of emails will be checked each time when retention policy scans the database. Adjust based on your system capability.)
RETENTION_BATCH_SIZE=1000
# --- SMTP Journaling (Enterprise only) ---
# The port the embedded SMTP journaling listener binds to inside the container.
# This is the port your MTA (Exchange, MS365, Postfix, etc.) will send journal reports to.
# The docker-compose.yml maps this same port on the host side by default.
SMTP_JOURNALING_PORT=2525
# The domain used to generate routing addresses for journaling sources.
# Each source gets a unique address like journal-<id>@<domain>.
# Set this to the domain/subdomain whose MX record points to this server.
SMTP_JOURNALING_DOMAIN=journal.yourdomain.com
# Maximum number of waiting jobs in the journal queue before the SMTP listener
# returns 4xx temporary failures (backpressure). The MTA will retry automatically.
JOURNAL_QUEUE_BACKPRESSURE_THRESHOLD=10000
#BullMQ worker concurrency for processing journaled emails. Increase on servers with more CPU cores.
JOURNAL_WORKER_CONCURRENCY=3

1
.github/FUNDING.yml vendored Normal file
View File

@@ -0,0 +1 @@
github: [wayneshn]

33
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View File

@@ -0,0 +1,33 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: bug
assignees: ''
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**System:**
- Open Archiver Version:
**Relevant logs:**
Any relevant logs (Redact sensitive information)
**Additional context**
Add any other context about the problem here.

19
.github/ISSUE_TEMPLATE/feature_request.md vendored Normal file
View File

@@ -0,0 +1,19 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: enhancement
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is.
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

2
.github/workflows/docker-deployment.yml vendored
View File

@@ -35,7 +35,7 @@ jobs:
uses: docker/build-push-action@v6
with:
context: .
file: ./docker/Dockerfile
file: ./apps/open-archiver/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: logiclabshq/open-archiver:${{ steps.sha.outputs.sha }}

4
.gitignore vendored
View File

@@ -24,3 +24,7 @@ pnpm-debug.log
# Vitepress
docs/.vitepress/dist
docs/.vitepress/cache
# TS
**/tsconfig.tsbuildinfo

140
LICENSE
View File

@@ -200,23 +200,23 @@ You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
- **a)** The work must carry prominent notices stating that you modified
it, and giving a relevant date.
- **b)** The work must carry prominent notices stating that it is
released under this License and any conditions added under section 7.
This requirement modifies the requirement in section 4 to
“keep intact all notices”.
- **c)** You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
- **d)** If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
- **a)** The work must carry prominent notices stating that you modified
it, and giving a relevant date.
- **b)** The work must carry prominent notices stating that it is
released under this License and any conditions added under section 7.
This requirement modifies the requirement in section 4 to
“keep intact all notices”.
- **c)** You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
- **d)** If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
@@ -235,42 +235,42 @@ of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
- **a)** Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
- **b)** Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either **(1)** a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or **(2)** access to copy the
Corresponding Source from a network server at no charge.
- **c)** Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
- **d)** Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
- **e)** Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
- **a)** Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
- **b)** Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either **(1)** a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or **(2)** access to copy the
Corresponding Source from a network server at no charge.
- **c)** Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
- **d)** Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
- **e)** Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
@@ -344,23 +344,23 @@ Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
- **a)** Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
- **b)** Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
- **c)** Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
- **d)** Limiting the use for publicity purposes of names of licensors or
authors of the material; or
- **e)** Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
- **f)** Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
- **a)** Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
- **b)** Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
- **c)** Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
- **d)** Limiting the use for publicity purposes of names of licensors or
authors of the material; or
- **e)** Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
- **f)** Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered “further
restrictions” within the meaning of section 10. If the Program as you

29
README.md
View File

@@ -7,11 +7,11 @@
[![Redis](https://img.shields.io/badge/Redis-DC382D?style=for-the-badge&logo=redis&logoColor=white)](https://redis.io)
[![SvelteKit](https://img.shields.io/badge/SvelteKit-FF3E00?style=for-the-badge&logo=svelte&logoColor=white)](https://svelte.dev/)
**A secure, sovereign, and open-source platform for email archiving and eDiscovery.**
**A secure, sovereign, and open-source platform for email archiving.**
Open Archiver provides a robust, self-hosted solution for archiving, storing, indexing, and searching emails from major platforms, including Google Workspace (Gmail), Microsoft 365, PST files, as well as generic IMAP-enabled email inboxes. Use Open Archiver to keep a permanent, tamper-proof record of your communication history, free from vendor lock-in.
## 📸 Screenshots
## Screenshots
![Open Archiver Preview](assets/screenshots/dashboard-1.png)
_Dashboard_
@@ -22,9 +22,9 @@ _Archived emails_
![Open Archiver Preview](assets/screenshots/search.png)
_Full-text search across all your emails and attachments_
## 👨‍👩‍👧‍👦 Join our community!
## Join our community!
We are committed to build an engaging community around Open Archiver, and we are inviting all of you to join our community on Discord to get real-time support and connect with the team.
We are committed to building an engaging community around Open Archiver, and we are inviting all of you to join our community on Discord to get real-time support and connect with the team.
[![Discord](https://img.shields.io/badge/Join%20our%20Discord-7289DA?style=for-the-badge&logo=discord&logoColor=white)](https://discord.gg/MTtD7BhuTQ)
@@ -34,11 +34,11 @@ We are committed to build an engaging community around Open Archiver, and we are
Check out the live demo here: https://demo.openarchiver.com
Username: admin@local.com
Username: demo@openarchiver.com
Password: openarchiver_demo
## Key Features
## Key Features
- **Universal Ingestion**: Connect to any email provider to perform initial bulk imports and maintain continuous, real-time synchronization. Ingestion sources include:
- IMAP connection
@@ -46,15 +46,18 @@ Password: openarchiver_demo
- Microsoft 365
- PST files
- Zipped .eml files
- Mbox files
- **Secure & Efficient Storage**: Emails are stored in the standard `.eml` format. The system uses deduplication and compression to minimize storage costs. All data is encrypted at rest.
- **Secure & Efficient Storage**: Emails are stored in the standard `.eml` format. The system uses deduplication and compression to minimize storage costs. All files are encrypted at rest.
- **Pluggable Storage Backends**: Support both local filesystem storage and S3-compatible object storage (like AWS S3 or MinIO).
- **Powerful Search & eDiscovery**: A high-performance search engine indexes the full text of emails and attachments (PDF, DOCX, etc.).
- **Thread discovery**: The ability to discover if an email belongs to a thread/conversation and present the context.
- **Compliance & Retention**: Define granular retention policies to automatically manage the lifecycle of your data. Place legal holds on communications to prevent deletion during litigation (TBD).
- **Comprehensive Auditing**: An immutable audit trail logs all system activities, ensuring you have a clear record of who accessed what and when (TBD).
- **File Hash and Encryption**: Email and attachment file hash values are stored in the meta database upon ingestion, meaning any attempt to alter the file content will be identified, ensuring legal and regulatory compliance.
- - Each archived email comes with an "Integrity Report" feature that indicates if the files are original.
- **Comprehensive Auditing**: An immutable audit trail logs all system activities, ensuring you have a clear record of who accessed what and when.
## 🛠️ Tech Stack
## Tech Stack
Open Archiver is built on a modern, scalable, and maintainable technology stack:
@@ -65,7 +68,7 @@ Open Archiver is built on a modern, scalable, and maintainable technology stack:
- **Database**: PostgreSQL for metadata, user management, and audit logs
- **Deployment**: Docker Compose deployment
## 📦 Deployment
## Deployment
### Prerequisites
@@ -78,7 +81,7 @@ Open Archiver is built on a modern, scalable, and maintainable technology stack:
```bash
git clone https://github.com/LogicLabs-OU/OpenArchiver.git
cd open-archiver
cd OpenArchiver
```
2. **Configure your environment:**
@@ -101,7 +104,7 @@ Open Archiver is built on a modern, scalable, and maintainable technology stack:
4. **Access the application:**
Once the services are running, you can access the Open Archiver web interface by navigating to `http://localhost:3000` in your web browser.
## ⚙️ Data Source Configuration
## Data Source Configuration
After deploying the application, you will need to configure one or more ingestion sources to begin archiving emails. Follow our detailed guides to connect to your email provider:
@@ -109,7 +112,7 @@ After deploying the application, you will need to configure one or more ingestio
- [Connecting to Microsoft 365](https://docs.openarchiver.com/user-guides/email-providers/imap.html)
- [Connecting to a Generic IMAP Server](https://docs.openarchiver.com/user-guides/email-providers/imap.html)
## 🤝 Contributing
## Contributing
We welcome contributions from the community!

17
docker/Dockerfile → apps/open-archiver/Dockerfile
View File

@@ -1,4 +1,4 @@
# Dockerfile for Open Archiver
# Dockerfile for the OSS version of Open Archiver
ARG BASE_IMAGE=node:22-alpine
@@ -15,12 +15,13 @@ COPY package.json pnpm-workspace.yaml pnpm-lock.yaml* ./
COPY packages/backend/package.json ./packages/backend/
COPY packages/frontend/package.json ./packages/frontend/
COPY packages/types/package.json ./packages/types/
COPY apps/open-archiver/package.json ./apps/open-archiver/
# 1. Build Stage: Install all dependencies and build the project
FROM base AS build
COPY packages/frontend/svelte.config.js ./packages/frontend/
# Install all dependencies. Use --shamefully-hoist to create a flat node_modules structure
# Install all dependencies.
ENV PNPM_HOME="/pnpm"
RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
pnpm install --shamefully-hoist --frozen-lockfile --prod=false
@@ -28,19 +29,19 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
# Copy the rest of the source code
COPY . .
# Build all packages.
RUN pnpm build
# Build the OSS packages.
RUN pnpm build:oss
# 2. Production Stage: Install only production dependencies and copy built artifacts
FROM base AS production
# Copy built application from build stage
COPY --from=build /app/packages/backend/dist ./packages/backend/dist
COPY --from=build /app/packages/frontend/build ./packages/frontend/build
COPY --from=build /app/packages/types/dist ./packages/types/dist
COPY --from=build /app/packages/backend/drizzle.config.ts ./packages/backend/drizzle.config.ts
COPY --from=build /app/packages/backend/src/database/migrations ./packages/backend/src/database/migrations
COPY --from=build /app/packages/frontend/build ./packages/frontend/build
COPY --from=build /app/packages/types/dist ./packages/types/dist
COPY --from=build /app/apps/open-archiver/dist ./apps/open-archiver/dist
# Copy the entrypoint script and make it executable
COPY docker/docker-entrypoint.sh /usr/local/bin/
@@ -53,4 +54,4 @@ EXPOSE 3000
ENTRYPOINT ["docker-entrypoint.sh"]
# Start the application
CMD ["pnpm", "docker-start"]
CMD ["pnpm", "docker-start:oss"]

24
apps/open-archiver/index.ts Normal file
View File

@@ -0,0 +1,24 @@
import { createServer, logger } from '@open-archiver/backend';
import * as dotenv from 'dotenv';
dotenv.config();
async function start() {
// --- Environment Variable Validation ---
const { PORT_BACKEND } = process.env;
if (!PORT_BACKEND) {
throw new Error('Missing required environment variables for the backend: PORT_BACKEND.');
}
// Create the server instance (passing no modules for the default OSS version)
const app = await createServer([]);
app.listen(PORT_BACKEND, () => {
logger.info({}, `✅ Open Archiver (OSS) running on port ${PORT_BACKEND}`);
});
}
start().catch((error) => {
logger.error({ error }, 'Failed to start the server:', error);
process.exit(1);
});

18
apps/open-archiver/package.json Normal file
View File

@@ -0,0 +1,18 @@
{
"name": "open-archiver-app",
"version": "1.0.0",
"private": true,
"scripts": {
"dev": "ts-node-dev --respawn --transpile-only index.ts",
"build": "tsc",
"start": "node dist/index.js"
},
"dependencies": {
"@open-archiver/backend": "workspace:*",
"dotenv": "^17.2.0"
},
"devDependencies": {
"@types/dotenv": "^8.2.3",
"ts-node-dev": "^2.0.0"
}
}

8
apps/open-archiver/tsconfig.json Normal file
View File

@@ -0,0 +1,8 @@
{
"extends": "../../tsconfig.base.json",
"compilerOptions": {
"outDir": "dist"
},
"include": ["./**/*.ts"],
"references": [{ "path": "../../packages/backend" }]
}

BIN
assets/screenshots/integrity-report.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 304 KiB

BIN
assets/screenshots/job-queue.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 259 KiB

16
docker-compose.yml
View File

@@ -6,11 +6,11 @@ services:
container_name: open-archiver
restart: unless-stopped
ports:
- '3000:3000' # Frontend
- '${PORT_FRONTEND:-3000}:3000' # Frontend
env_file:
- .env
volumes:
- archiver-data:/var/data/open-archiver
- ${STORAGE_LOCAL_ROOT_PATH}:${STORAGE_LOCAL_ROOT_PATH}
depends_on:
- postgres
- valkey
@@ -42,16 +42,24 @@ services:
- open-archiver-net
meilisearch:
image: getmeili/meilisearch:v1.15
image: getmeili/meilisearch:v1.38
container_name: meilisearch
restart: unless-stopped
environment:
MEILI_MASTER_KEY: ${MEILI_MASTER_KEY:-aSampleMasterKey}
MEILI_SCHEDULE_SNAPSHOT: ${MEILI_SCHEDULE_SNAPSHOT:-86400}
volumes:
- meilidata:/meili_data
networks:
- open-archiver-net
tika:
image: apache/tika:3.2.2.0-full
container_name: tika
restart: always
networks:
- open-archiver-net
volumes:
pgdata:
driver: local
@@ -59,8 +67,6 @@ volumes:
driver: local
meilidata:
driver: local
archiver-data:
driver: local
networks:
open-archiver-net:

29
docs/.vitepress/config.mts
View File

@@ -1,4 +1,6 @@
import { defineConfig } from 'vitepress';
import { useSidebar } from 'vitepress-openapi';
import spec from '../api/openapi.json';
export default defineConfig({
head: [
@@ -6,7 +8,7 @@ export default defineConfig({
'script',
{
defer: '',
src: 'https://analytics.zenceipt.com/script.js',
src: 'https://analytics.openarchiver.com/script.js',
'data-website-id': '2c8b452e-eab5-4f82-8ead-902d8f8b976f',
},
],
@@ -33,6 +35,7 @@ export default defineConfig({
items: [
{ text: 'Get Started', link: '/' },
{ text: 'Installation', link: '/user-guides/installation' },
{ text: 'Email Integrity Check', link: '/user-guides/integrity-check' },
{
text: 'Email Providers',
link: '/user-guides/email-providers/',
@@ -52,6 +55,7 @@ export default defineConfig({
},
{ text: 'EML Import', link: '/user-guides/email-providers/eml' },
{ text: 'PST Import', link: '/user-guides/email-providers/pst' },
{ text: 'Mbox Import', link: '/user-guides/email-providers/mbox' },
],
},
{
@@ -64,6 +68,20 @@ export default defineConfig({
},
],
},
{
text: 'Upgrading and Migration',
collapsed: true,
items: [
{
text: 'Upgrading',
link: '/user-guides/upgrade-and-migration/upgrade',
},
{
text: 'Meilisearch Upgrade',
link: '/user-guides/upgrade-and-migration/meilisearch-upgrade',
},
],
},
],
},
{
@@ -71,12 +89,20 @@ export default defineConfig({
items: [
{ text: 'Overview', link: '/api/' },
{ text: 'Authentication', link: '/api/authentication' },
{ text: 'Rate Limiting', link: '/api/rate-limiting' },
{ text: 'Auth', link: '/api/auth' },
{ text: 'Archived Email', link: '/api/archived-email' },
{ text: 'Dashboard', link: '/api/dashboard' },
{ text: 'Ingestion', link: '/api/ingestion' },
{ text: 'Integrity Check', link: '/api/integrity' },
{ text: 'Search', link: '/api/search' },
{ text: 'Storage', link: '/api/storage' },
{ text: 'Upload', link: '/api/upload' },
{ text: 'Jobs', link: '/api/jobs' },
{ text: 'Users', link: '/api/users' },
{ text: 'IAM', link: '/api/iam' },
{ text: 'API Keys', link: '/api/api-keys' },
{ text: 'Settings', link: '/api/settings' },
],
},
{
@@ -84,6 +110,7 @@ export default defineConfig({
items: [
{ text: 'Overview', link: '/services/' },
{ text: 'Storage Service', link: '/services/storage-service' },
{ text: 'OCR Service', link: '/services/ocr-service' },
{
text: 'IAM Service',
items: [{ text: 'IAM Policies', link: '/services/iam-service/iam-policy' }],

19
docs/.vitepress/theme/index.ts Normal file
View File

@@ -0,0 +1,19 @@
import DefaultTheme from 'vitepress/theme';
import type { EnhanceAppContext } from 'vitepress';
import { theme, useOpenapi } from 'vitepress-openapi/client';
import 'vitepress-openapi/dist/style.css';
import spec from '../../api/openapi.json';
export default {
...DefaultTheme,
enhanceApp({ app, router, siteData }: EnhanceAppContext) {
// Delegate to DefaultTheme first
DefaultTheme.enhanceApp?.({ app, router, siteData });
// Install vitepress-openapi theme: registers i18n plugin + all OA components
theme.enhanceApp({ app, router, siteData });
// Initialize the global OpenAPI spec
useOpenapi({ spec });
},
};

19
docs/api/api-keys.md Normal file
View File

@@ -0,0 +1,19 @@
---
aside: false
---
# API Keys
Generate and manage API keys for programmatic access to the Open Archiver API. API keys are scoped to the user that created them and carry the same permissions as that user. The raw key value is only shown once at creation time.
## Generate an API Key
<OAOperation operationId="generateApiKey" />
## List API Keys
<OAOperation operationId="getApiKeys" />
## Delete an API Key
<OAOperation operationId="deleteApiKey" />

110
docs/api/archived-email.md
View File

@@ -1,107 +1,19 @@
# Archived Email Service API
---
aside: false
---
The Archived Email Service is responsible for retrieving archived emails and their details from the database and storage.
# Archived Email API
## Endpoints
Endpoints for retrieving and deleting archived emails. All endpoints require authentication and the appropriate `archive` permission.
All endpoints in this service require authentication.
## List Emails for an Ingestion Source
### GET /api/v1/archived-emails/ingestion-source/:ingestionSourceId
<OAOperation operationId="getArchivedEmails" />
Retrieves a paginated list of archived emails for a specific ingestion source.
## Get a Single Email
**Access:** Authenticated
<OAOperation operationId="getArchivedEmailById" />
#### URL Parameters
## Delete an Email
| Parameter | Type | Description |
| :------------------ | :----- | :------------------------------------------------ |
| `ingestionSourceId` | string | The ID of the ingestion source to get emails for. |
#### Query Parameters
| Parameter | Type | Description | Default |
| :-------- | :----- | :------------------------------ | :------ |
| `page` | number | The page number for pagination. | 1 |
| `limit` | number | The number of items per page. | 10 |
#### Responses
- **200 OK:** A paginated list of archived emails.
```json
{
"items": [
{
"id": "email-id",
"subject": "Test Email",
"from": "sender@example.com",
"sentAt": "2023-10-27T10:00:00.000Z",
"hasAttachments": true,
"recipients": [{ "name": "Recipient 1", "email": "recipient1@example.com" }]
}
],
"total": 100,
"page": 1,
"limit": 10
}
```
- **500 Internal Server Error:** An unexpected error occurred.
### GET /api/v1/archived-emails/:id
Retrieves a single archived email by its ID, including its raw content and attachments.
**Access:** Authenticated
#### URL Parameters
| Parameter | Type | Description |
| :-------- | :----- | :---------------------------- |
| `id` | string | The ID of the archived email. |
#### Responses
- **200 OK:** The archived email details.
```json
{
"id": "email-id",
"subject": "Test Email",
"from": "sender@example.com",
"sentAt": "2023-10-27T10:00:00.000Z",
"hasAttachments": true,
"recipients": [{ "name": "Recipient 1", "email": "recipient1@example.com" }],
"raw": "...",
"attachments": [
{
"id": "attachment-id",
"filename": "document.pdf",
"mimeType": "application/pdf",
"sizeBytes": 12345
}
]
}
```
- **404 Not Found:** The archived email with the specified ID was not found.
- **500 Internal Server Error:** An unexpected error occurred.
## Service Methods
### `getArchivedEmails(ingestionSourceId: string, page: number, limit: number): Promise<PaginatedArchivedEmails>`
Retrieves a paginated list of archived emails from the database for a given ingestion source.
- **ingestionSourceId:** The ID of the ingestion source.
- **page:** The page number for pagination.
- **limit:** The number of items per page.
- **Returns:** A promise that resolves to a `PaginatedArchivedEmails` object.
### `getArchivedEmailById(emailId: string): Promise<ArchivedEmail | null>`
Retrieves a single archived email by its ID, including its raw content and attachments.
- **emailId:** The ID of the archived email.
- **Returns:** A promise that resolves to an `ArchivedEmail` object or `null` if not found.
<OAOperation operationId="deleteArchivedEmail" />

87
docs/api/auth.md
View File

@@ -1,84 +1,19 @@
# Auth Service API
---
aside: false
---
The Auth Service is responsible for handling user authentication, including login and token verification.
# Auth API
## Endpoints
Handles user authentication including initial setup, login, and application setup status.
### POST /api/v1/auth/login
## Setup
Authenticates a user and returns a JWT if the credentials are valid.
<OAOperation operationId="authSetup" />
**Access:** Public
## Login
**Rate Limiting:** This endpoint is rate-limited to prevent brute-force attacks.
<OAOperation operationId="authLogin" />
#### Request Body
## Check Setup Status
| Field | Type | Description |
| :--------- | :----- | :------------------------ |
| `email` | string | The user's email address. |
| `password` | string | The user's password. |
#### Responses
- **200 OK:** Authentication successful.
```json
{
"accessToken": "your.jwt.token",
"user": {
"id": "user-id",
"email": "user@example.com",
"role": "user"
}
}
```
- **400 Bad Request:** Email or password not provided.
```json
{
"message": "Email and password are required"
}
```
- **401 Unauthorized:** Invalid credentials.
```json
{
"message": "Invalid credentials"
}
```
- **500 Internal Server Error:** An unexpected error occurred.
```json
{
"message": "An internal server error occurred"
}
```
## Service Methods
### `verifyPassword(password: string, hash: string): Promise<boolean>`
Compares a plain-text password with a hashed password to verify its correctness.
- **password:** The plain-text password.
- **hash:** The hashed password to compare against.
- **Returns:** A promise that resolves to `true` if the password is valid, otherwise `false`.
### `login(email: string, password: string): Promise<LoginResponse | null>`
Handles the user login process. It finds the user by email, verifies the password, and generates a JWT upon successful authentication.
- **email:** The user's email.
- **password:** The user's password.
- **Returns:** A promise that resolves to a `LoginResponse` object containing the `accessToken` and `user` details, or `null` if authentication fails.
### `verifyToken(token: string): Promise<AuthTokenPayload | null>`
Verifies the authenticity and expiration of a JWT.
- **token:** The JWT string to verify.
- **Returns:** A promise that resolves to the token's `AuthTokenPayload` if valid, otherwise `null`.
<OAOperation operationId="authStatus" />

35
docs/api/authentication.md
View File

@@ -1,19 +1,25 @@
---
aside: false
---
# API Authentication
To access protected API endpoints, you need to include a user-generated API key in the `X-API-KEY` header of your requests.
The API supports two authentication methods. Use whichever fits your use case.
## 1. Creating an API Key
## Method 1: JWT (User Login)
You can create, manage, and view your API keys through the application's user interface.
Obtain a short-lived JWT by calling `POST /v1/auth/login` with your email and password, then pass it as a Bearer token in the `Authorization` header.
1. Navigate to **Settings > API Keys** in the dashboard.
2. Click the **"Generate API Key"** button.
3. Provide a descriptive name for your key and select an expiration period.
4. The new API key will be displayed. **Copy this key immediately and store it in a secure location. You will not be able to see it again.**
**Example:**
## 2. Making Authenticated Requests
```http
GET /api/v1/dashboard/stats
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```
Once you have your API key, you must include it in the `X-API-KEY` header of all subsequent requests to protected API endpoints.
## Method 2: API Key
Long-lived API keys are suited for automated scripts and integrations. Create one in **Settings > API Keys**, then pass it in the `X-API-KEY` header.
**Example:**
@@ -22,4 +28,13 @@ GET /api/v1/dashboard/stats
X-API-KEY: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
```
If the API key is missing, expired, or invalid, the API will respond with a `401 Unauthorized` status code.
### Creating an API Key
1. Navigate to **Settings > API Keys** in the dashboard.
2. Click **"Generate API Key"**.
3. Provide a descriptive name and select an expiration period (max 2 years).
4. Copy the key immediately — it will not be shown again.
---
If the token or API key is missing, expired, or invalid, the API responds with `401 Unauthorized`.

117
docs/api/dashboard.md
View File

@@ -1,114 +1,27 @@
# Dashboard Service API
---
aside: false
---
The Dashboard Service provides endpoints for retrieving statistics and data for the main dashboard.
# Dashboard API
## Endpoints
Aggregated statistics and summaries for the dashboard UI. Requires `read:dashboard` permission.
All endpoints in this service require authentication.
## Get Stats
### GET /api/v1/dashboard/stats
<OAOperation operationId="getDashboardStats" />
Retrieves overall statistics, including the total number of archived emails, total storage used, and the number of failed ingestions in the last 7 days.
## Get Ingestion History
**Access:** Authenticated
<OAOperation operationId="getIngestionHistory" />
#### Responses
## Get Ingestion Source Summaries
- **200 OK:** An object containing the dashboard statistics.
<OAOperation operationId="getDashboardIngestionSources" />
```json
{
"totalEmailsArchived": 12345,
"totalStorageUsed": 54321098,
"failedIngestionsLast7Days": 3
}
```
## Get Recent Syncs
### GET /api/v1/dashboard/ingestion-history
<OAOperation operationId="getRecentSyncs" />
Retrieves the email ingestion history for the last 30 days, grouped by day.
## Get Indexed Email Insights
**Access:** Authenticated
#### Responses
- **200 OK:** An object containing the ingestion history.
```json
{
"history": [
{
"date": "2023-09-27T00:00:00.000Z",
"count": 150
},
{
"date": "2023-09-28T00:00:00.000Z",
"count": 200
}
]
}
```
### GET /api/v1/dashboard/ingestion-sources
Retrieves a list of all ingestion sources along with their status and storage usage.
**Access:** Authenticated
#### Responses
- **200 OK:** An array of ingestion source objects.
```json
[
{
"id": "source-id-1",
"name": "Google Workspace",
"provider": "google",
"status": "active",
"storageUsed": 12345678
},
{
"id": "source-id-2",
"name": "Microsoft 365",
"provider": "microsoft",
"status": "error",
"storageUsed": 87654321
}
]
```
### GET /api/v1/dashboard/recent-syncs
Retrieves a list of recent synchronization jobs. (Note: This is currently a placeholder and will return an empty array).
**Access:** Authenticated
#### Responses
- **200 OK:** An empty array.
```json
[]
```
### GET /api/v1/dashboard/indexed-insights
Retrieves insights from the indexed email data, such as the top senders.
**Access:** Authenticated
#### Responses
- **200 OK:** An object containing indexed insights.
```json
{
"topSenders": [
{
"sender": "user@example.com",
"count": 42
}
]
}
```
<OAOperation operationId="getIndexedInsights" />

27
docs/api/iam.md Normal file
View File

@@ -0,0 +1,27 @@
---
aside: false
---
# IAM API
Manage Identity and Access Management roles and their CASL policy statements. Role management requires Super Admin (`manage:all`) permission. Reading roles requires `read:roles` permission.
## List All Roles
<OAOperation operationId="getRoles" />
## Create a Role
<OAOperation operationId="createRole" />
## Get a Role
<OAOperation operationId="getRoleById" />
## Update a Role
<OAOperation operationId="updateRole" />
## Delete a Role
<OAOperation operationId="deleteRole" />

4
docs/api/index.md
View File

@@ -1,3 +1,7 @@
---
aside: false
---
# API Overview
Welcome to the Open Archiver API documentation. This section provides detailed information about the available API endpoints.

165
docs/api/ingestion.md
View File

@@ -1,162 +1,43 @@
# Ingestion Service API
---
aside: false
---
The Ingestion Service manages ingestion sources, which are configurations for connecting to email providers and importing emails.
# Ingestion API
## Endpoints
Manage ingestion sources — the configured connections to email providers (Google Workspace, Microsoft 365, IMAP, and file imports). Credentials are never returned in responses.
All endpoints in this service require authentication.
## Create an Ingestion Source
### POST /api/v1/ingestion-sources
<OAOperation operationId="createIngestionSource" />
Creates a new ingestion source.
## List Ingestion Sources
**Access:** Authenticated
<OAOperation operationId="listIngestionSources" />
#### Request Body
## Get an Ingestion Source
The request body should be a `CreateIngestionSourceDto` object.
<OAOperation operationId="getIngestionSourceById" />
```typescript
interface CreateIngestionSourceDto {
name: string;
provider: 'google' | 'microsoft' | 'generic_imap';
providerConfig: IngestionCredentials;
}
```
## Update an Ingestion Source
#### Responses
<OAOperation operationId="updateIngestionSource" />
- **201 Created:** The newly created ingestion source.
- **500 Internal Server Error:** An unexpected error occurred.
## Delete an Ingestion Source
### GET /api/v1/ingestion-sources
<OAOperation operationId="deleteIngestionSource" />
Retrieves all ingestion sources.
## Trigger Initial Import
**Access:** Authenticated
<OAOperation operationId="triggerInitialImport" />
#### Responses
## Pause an Ingestion Source
- **200 OK:** An array of ingestion source objects.
- **500 Internal Server Error:** An unexpected error occurred.
<OAOperation operationId="pauseIngestionSource" />
### GET /api/v1/ingestion-sources/:id
## Force Sync
Retrieves a single ingestion source by its ID.
<OAOperation operationId="triggerForceSync" />
**Access:** Authenticated
## Unmerge an Ingestion Source
#### URL Parameters
| Parameter | Type | Description |
| :-------- | :----- | :------------------------------ |
| `id` | string | The ID of the ingestion source. |
#### Responses
- **200 OK:** The ingestion source object.
- **404 Not Found:** Ingestion source not found.
- **500 Internal Server Error:** An unexpected error occurred.
### PUT /api/v1/ingestion-sources/:id
Updates an existing ingestion source.
**Access:** Authenticated
#### URL Parameters
| Parameter | Type | Description |
| :-------- | :----- | :------------------------------ |
| `id` | string | The ID of the ingestion source. |
#### Request Body
The request body should be an `UpdateIngestionSourceDto` object.
```typescript
interface UpdateIngestionSourceDto {
name?: string;
provider?: 'google' | 'microsoft' | 'generic_imap';
providerConfig?: IngestionCredentials;
status?: 'pending_auth' | 'auth_success' | 'importing' | 'active' | 'paused' | 'error';
}
```
#### Responses
- **200 OK:** The updated ingestion source object.
- **404 Not Found:** Ingestion source not found.
- **500 Internal Server Error:** An unexpected error occurred.
### DELETE /api/v1/ingestion-sources/:id
Deletes an ingestion source and all associated data.
**Access:** Authenticated
#### URL Parameters
| Parameter | Type | Description |
| :-------- | :----- | :------------------------------ |
| `id` | string | The ID of the ingestion source. |
#### Responses
- **204 No Content:** The ingestion source was deleted successfully.
- **404 Not Found:** Ingestion source not found.
- **500 Internal Server Error:** An unexpected error occurred.
### POST /api/v1/ingestion-sources/:id/import
Triggers the initial import process for an ingestion source.
**Access:** Authenticated
#### URL Parameters
| Parameter | Type | Description |
| :-------- | :----- | :------------------------------ |
| `id` | string | The ID of the ingestion source. |
#### Responses
- **202 Accepted:** The initial import was triggered successfully.
- **404 Not Found:** Ingestion source not found.
- **500 Internal Server Error:** An unexpected error occurred.
### POST /api/v1/ingestion-sources/:id/pause
Pauses an active ingestion source.
**Access:** Authenticated
#### URL Parameters
| Parameter | Type | Description |
| :-------- | :----- | :------------------------------ |
| `id` | string | The ID of the ingestion source. |
#### Responses
- **200 OK:** The updated ingestion source object with a `paused` status.
- **404 Not Found:** Ingestion source not found.
- **500 Internal Server Error:** An unexpected error occurred.
### POST /api/v1/ingestion-sources/:id/sync
Triggers a forced synchronization for an ingestion source.
**Access:** Authenticated
#### URL Parameters
| Parameter | Type | Description |
| :-------- | :----- | :------------------------------ |
| `id` | string | The ID of the ingestion source. |
#### Responses
- **202 Accepted:** The force sync was triggered successfully.
- **404 Not Found:** Ingestion source not found.
- **500 Internal Server Error:** An unexpected error occurred.
<OAOperation operationId="unmergeIngestionSource" />

11
docs/api/integrity.md Normal file
View File

@@ -0,0 +1,11 @@
---
aside: false
---
# Integrity Check API
Verify the SHA-256 hash of an archived email and all its attachments against the hashes stored at archival time.
## Check Email Integrity
<OAOperation operationId="checkIntegrity" />

20
docs/api/jobs.md Normal file
View File

@@ -0,0 +1,20 @@
---
aside: false
---
# Jobs API
Monitor BullMQ job queues for asynchronous tasks such as email ingestion, indexing, and sync scheduling. Requires Super Admin (`manage:all`) permission.
There are two queues:
- **`ingestion`** — handles all email ingestion and sync jobs (`initial-import`, `continuous-sync`, `process-mailbox`, `sync-cycle-finished`, `schedule-continuous-sync`)
- **`indexing`** — handles batched Meilisearch document indexing (`index-email-batch`)
## List All Queues
<OAOperation operationId="getQueues" />
## Get Jobs in a Queue
<OAOperation operationId="getQueueJobs" />

3301
docs/api/openapi.json Normal file
View File

File diff suppressed because it is too large Load Diff

55
docs/api/rate-limiting.md Normal file
View File

@@ -0,0 +1,55 @@
---
aside: false
---
# Rate Limiting
The API implements rate limiting as a security measure to protect your instance from denial-of-service (DoS) and brute-force attacks. This is a crucial feature for maintaining the security and stability of the application.
## How It Works
The rate limiter restricts the number of requests an IP address can make within a specific time frame. These limits are configurable via environment variables to suit your security needs.
By default, the limits are:
- **100 requests** per **1 minute** per IP address.
If this limit is exceeded, the API will respond with an HTTP `429 Too Many Requests` status code.
### Response Body
When an IP address is rate-limited, the API will return a JSON response with the following format:
```json
{
"status": 429,
"message": "Too many requests from this IP, please try again after 15 minutes"
}
```
## Configuration
You can customize the rate-limiting settings by setting the following environment variables in your `.env` file:
- `RATE_LIMIT_WINDOW_MS`: The time window in milliseconds. Defaults to `60000` (1 minute).
- `RATE_LIMIT_MAX_REQUESTS`: The maximum number of requests allowed per IP address within the time window. Defaults to `100`.
## Handling Rate Limits
If you are developing a client that interacts with the API, you should handle rate limiting gracefully:
1. **Check the Status Code**: Monitor for a `429` HTTP status code in responses.
2. **Implement a Retry Mechanism**: When you receive a `429` response, it is best practice to wait before retrying the request. Implementing an exponential backoff strategy is recommended.
3. **Check Headers**: The response will include the following standard headers to help you manage your request rate:
- `RateLimit-Limit`: The maximum number of requests allowed in the current window.
- `RateLimit-Remaining`: The number of requests you have left in the current window.
- `RateLimit-Reset`: The time when the rate limit window will reset, in UTC epoch seconds.
## Excluded Endpoints
Certain essential endpoints are excluded from rate limiting to ensure the application's UI remains responsive. These are:
- `/auth/status`
- `/settings/system`
These endpoints can be called as needed without affecting your rate limit count.

53
docs/api/search.md
View File

@@ -1,50 +1,11 @@
# Search Service API
---
aside: false
---
The Search Service provides an endpoint for searching indexed emails.
# Search API
## Endpoints
Full-text search over indexed archived emails, powered by Meilisearch.
All endpoints in this service require authentication.
## Search Emails
### GET /api/v1/search
Performs a search query against the indexed emails.
**Access:** Authenticated
#### Query Parameters
| Parameter | Type | Description | Default |
| :----------------- | :----- | :--------------------------------------------------------------------- | :------ |
| `keywords` | string | The search query. | |
| `page` | number | The page number for pagination. | 1 |
| `limit` | number | The number of items per page. | 10 |
| `matchingStrategy` | string | The matching strategy to use (`all` or `last`). | `last` |
| `filters` | object | Key-value pairs for filtering results (e.g., `from=user@example.com`). | |
#### Responses
- **200 OK:** A search result object.
```json
{
"hits": [
{
"id": "email-id",
"subject": "Test Email",
"from": "sender@example.com",
"_formatted": {
"subject": "<em>Test</em> Email"
}
}
],
"total": 1,
"page": 1,
"limit": 10,
"totalPages": 1,
"processingTimeMs": 5
}
```
- **400 Bad Request:** Keywords are required.
- **500 Internal Server Error:** An unexpected error occurred.
<OAOperation operationId="searchEmails" />

15
docs/api/settings.md Normal file
View File

@@ -0,0 +1,15 @@
---
aside: false
---
# Settings API
Read and update system-wide configuration. The `GET` endpoint is public. The `PUT` endpoint requires `manage:settings` permission.
## Get System Settings
<OAOperation operationId="getSystemSettings" />
## Update System Settings
<OAOperation operationId="updateSystemSettings" />

29
docs/api/storage.md
View File

@@ -1,26 +1,11 @@
# Storage Service API
---
aside: false
---
The Storage Service provides an endpoint for downloading files from the configured storage provider.
# Storage API
## Endpoints
Download files from the configured storage backend (local filesystem or S3-compatible). Requires `read:archive` permission.
All endpoints in this service require authentication.
## Download a File
### GET /api/v1/storage/download
Downloads a file from the storage.
**Access:** Authenticated
#### Query Parameters
| Parameter | Type | Description |
| :-------- | :----- | :------------------------------------------------ |
| `path` | string | The path to the file within the storage provider. |
#### Responses
- **200 OK:** The file stream.
- **400 Bad Request:** File path is required or invalid.
- **404 Not Found:** File not found.
- **500 Internal Server Error:** An unexpected error occurred.
<OAOperation operationId="downloadFile" />

11
docs/api/upload.md Normal file
View File

@@ -0,0 +1,11 @@
---
aside: false
---
# Upload API
Upload files (PST, EML, MBOX) to temporary storage before creating a file-based ingestion source. The returned `filePath` should be passed as `uploadedFilePath` in the ingestion source `providerConfig`.
## Upload a File
<OAOperation operationId="uploadFile" />

39
docs/api/users.md Normal file
View File

@@ -0,0 +1,39 @@
---
aside: false
---
# Users API
Manage user accounts. Creating, updating, and deleting users requires Super Admin (`manage:all`) permission.
## List All Users
<OAOperation operationId="getUsers" />
## Create a User
<OAOperation operationId="createUser" />
## Get a User
<OAOperation operationId="getUser" />
## Update a User
<OAOperation operationId="updateUser" />
## Delete a User
<OAOperation operationId="deleteUser" />
## Get Current User Profile
<OAOperation operationId="getProfile" />
## Update Current User Profile
<OAOperation operationId="updateProfile" />
## Update Password
<OAOperation operationId="updatePassword" />

78
docs/enterprise/audit-log/api.md Normal file
View File

@@ -0,0 +1,78 @@
# Audit Log: API Endpoints
The audit log feature exposes two API endpoints for retrieving and verifying audit log data. Both endpoints require authentication and are only accessible to users with the appropriate permissions.
## Get Audit Logs
Retrieves a paginated list of audit log entries, with support for filtering and sorting.
- **Endpoint:** `GET /api/v1/enterprise/audit-logs`
- **Method:** `GET`
- **Authentication:** Required
### Query Parameters
| Parameter | Type | Description |
| ------------ | -------- | --------------------------------------------------------------------------- |
| `page` | `number` | The page number to retrieve. Defaults to `1`. |
| `limit` | `number` | The number of entries to retrieve per page. Defaults to `20`. |
| `startDate` | `date` | The start date for the date range filter. |
| `endDate` | `date` | The end date for the date range filter. |
| `actor` | `string` | The actor identifier to filter by. |
| `actionType` | `string` | The action type to filter by (e.g., `LOGIN`, `CREATE`). |
| `sort` | `string` | The sort order for the results. Can be `asc` or `desc`. Defaults to `desc`. |
### Response Body
```json
{
"data": [
{
"id": 1,
"previousHash": null,
"timestamp": "2025-10-03T00:00:00.000Z",
"actorIdentifier": "e8026a75-b58a-4902-8858-eb8780215f82",
"actorIp": "::1",
"actionType": "LOGIN",
"targetType": "User",
"targetId": "e8026a75-b58a-4902-8858-eb8780215f82",
"details": {},
"currentHash": "..."
}
],
"meta": {
"total": 100,
"page": 1,
"limit": 20
}
}
```
## Verify Audit Log Integrity
Initiates a verification process to check the integrity of the entire audit log chain.
- **Endpoint:** `POST /api/v1/enterprise/audit-logs/verify`
- **Method:** `POST`
- **Authentication:** Required
### Response Body
**Success**
```json
{
"ok": true,
"message": "Audit log integrity verified successfully."
}
```
**Failure**
```json
{
"ok": false,
"message": "Audit log chain is broken!",
"logId": 123
}
```

31
docs/enterprise/audit-log/audit-service.md Normal file
View File

@@ -0,0 +1,31 @@
# Audit Log: Backend Implementation
The backend implementation of the audit log is handled by the `AuditService`, located in `packages/backend/src/services/AuditService.ts`. This service encapsulates all the logic for creating, retrieving, and verifying audit log entries.
## Hashing and Verification Logic
The core of the audit log's immutability lies in its hashing and verification logic.
### Hash Calculation
The `calculateHash` method is responsible for generating a SHA-256 hash of a log entry. To ensure consistency, it performs the following steps:
1. **Canonical Object Creation:** It constructs a new object with a fixed property order, ensuring that the object's structure is always the same.
2. **Timestamp Normalization:** It converts the `timestamp` to milliseconds since the epoch (`getTime()`) to avoid any precision-related discrepancies between the application and the database.
3. **Canonical Stringification:** It uses a custom `canonicalStringify` function to create a JSON string representation of the object. This function sorts the object keys, ensuring that the output is always the same, regardless of the in-memory property order.
4. **Hash Generation:** It computes a SHA-256 hash of the canonical string.
### Verification Process
The `verifyAuditLog` method is designed to be highly scalable and efficient, even with millions of log entries. It processes the logs in manageable chunks (e.g., 1000 at a time) to avoid loading the entire table into memory.
The verification process involves the following steps:
1. **Iterative Processing:** It fetches the logs in batches within a `while` loop.
2. **Chain Verification:** For each log entry, it compares the `previousHash` with the `currentHash` of the preceding log. If they do not match, the chain is broken, and the verification fails.
3. **Hash Recalculation:** It recalculates the hash of the current log entry using the same `calculateHash` method used during creation.
4. **Integrity Check:** It compares the recalculated hash with the `currentHash` stored in the database. If they do not match, the log entry has been tampered with, and the verification fails.
## Service Integration
The `AuditService` is integrated into the application through the `AuditLogModule` (`packages/enterprise/src/modules/audit-log/audit-log.module.ts`), which registers the API routes for the audit log feature. The service's `createAuditLog` method is called from various other services throughout the application to record significant events.

39
docs/enterprise/audit-log/guide.md Normal file
View File

@@ -0,0 +1,39 @@
# Audit Log: User Interface
The audit log user interface provides a comprehensive view of all significant events that have occurred within the Open Archiver system. It is designed to be intuitive and user-friendly, allowing administrators to easily monitor and review system activity.
## Viewing Audit Logs
The main audit log page displays a table of log entries, with the following columns:
- **Timestamp:** The date and time of the event.
- **Actor:** The identifier of the user or system process that performed the action.
- **IP Address:** The IP address from which the action was initiated.
- **Action:** The type of action performed, displayed as a color-coded badge for easy identification.
- **Target Type:** The type of resource that was affected.
- **Target ID:** The unique identifier of the affected resource.
- **Details:** A truncated preview of the event's details. The full JSON object is displayed in a pop-up card on hover.
## Filtering and Sorting
The table can be sorted by timestamp by clicking the "Timestamp" header. This allows you to view the logs in either chronological or reverse chronological order.
## Pagination
Pagination controls are available below the table, allowing you to navigate through the entire history of audit log entries.
## Verifying Log Integrity
The "Verify Log Integrity" button allows you to initiate a verification process to check the integrity of the entire audit log chain. This process recalculates the hash of each log entry and compares it to the stored hash, ensuring that the cryptographic chain is unbroken and no entries have been tampered with.
### Verification Responses
- **Success:** A success notification is displayed, confirming that the audit log integrity has been verified successfully. This means that the log chain is complete and no entries have been tampered with.
- **Failure:** An error notification is displayed, indicating that the audit log chain is broken or an entry has been tampered with. The notification will include the ID of the log entry where the issue was detected. There are two types of failures:
- **Audit log chain is broken:** This means that the `previousHash` of a log entry does not match the `currentHash` of the preceding entry. This indicates that one or more log entries may have been deleted or inserted into the chain.
- **Audit log entry is tampered!:** This means that the recalculated hash of a log entry does not match its stored `currentHash`. This indicates that the data within the log entry has been altered.
## Viewing Log Details
You can view the full details of any log entry by clicking on its row in the table. This will open a dialog containing all the information associated with the log entry, including the previous and current hashes.

27
docs/enterprise/audit-log/index.md Normal file
View File

@@ -0,0 +1,27 @@
# Audit Log
The Audit Log is an enterprise-grade feature designed to provide a complete, immutable, and verifiable record of every significant action that occurs within the Open Archiver system. Its primary purpose is to ensure compliance with strict regulatory standards, such as the German GoBD, by establishing a tamper-proof chain of evidence for all activities.
## Core Principles
To fulfill its compliance and security functions, the audit log adheres to the following core principles:
### 1. Immutability
Every log entry is cryptographically chained to the previous one. Each new entry contains a SHA-256 hash of the preceding entry's hash, creating a verifiable chain. Any attempt to alter or delete a past entry would break this chain and be immediately detectable through the verification process.
### 2. Completeness
The system is designed to log every significant event without exception. This includes not only user-initiated actions (like logins, searches, and downloads) but also automated system processes, such as data ingestion and policy-based deletions.
### 3. Attribution
Each log entry is unambiguously linked to the actor that initiated the event. This could be a specific authenticated user, an external auditor, or an automated system process. The actor's identifier and source IP address are recorded to ensure full traceability.
### 4. Clarity and Detail
Log entries are structured to be detailed and human-readable, providing sufficient context for an auditor to understand the event without needing specialized system knowledge. This includes the action performed, the target resource affected, and a JSON object with specific, contextual details of the event.
### 5. Verifiability
The integrity of the entire audit log can be verified at any time. A dedicated process iterates through the logs from the beginning, recalculating the hash of each entry and comparing it to the stored hash, ensuring the cryptographic chain is unbroken and no entries have been tampered with.

454
docs/enterprise/legal-holds/api.md Normal file
View File

@@ -0,0 +1,454 @@
# Legal Holds: API Endpoints
The legal holds feature exposes a RESTful API for managing holds and linking them to archived emails. All endpoints require authentication and appropriate permissions as specified below.
**Base URL:** `/api/v1/enterprise/legal-holds`
All endpoints also require the `LEGAL_HOLDS` feature to be enabled in the enterprise license.
---
## Hold Management Endpoints
### List All Holds
Retrieves all legal holds ordered by creation date ascending, each annotated with the count of currently linked emails.
- **Endpoint:** `GET /holds`
- **Method:** `GET`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Response Body
```json
[
{
"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"name": "Project Titan Litigation — 2026",
"reason": "Preservation order received 2026-01-15 re: IP dispute",
"isActive": true,
"caseId": null,
"emailCount": 4821,
"createdAt": "2026-01-15T10:30:00.000Z",
"updatedAt": "2026-01-15T10:30:00.000Z"
},
{
"id": "b2c3d4e5-f6a7-8901-bcde-f23456789012",
"name": "SEC Investigation Q3 2025",
"reason": null,
"isActive": false,
"caseId": "c3d4e5f6-a7b8-9012-cdef-345678901234",
"emailCount": 310,
"createdAt": "2025-09-01T08:00:00.000Z",
"updatedAt": "2025-11-20T16:45:00.000Z"
}
]
```
---
### Get Hold by ID
Retrieves a single legal hold by its UUID.
- **Endpoint:** `GET /holds/:id`
- **Method:** `GET`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ---------------------------- |
| `id` | `uuid` | The UUID of the hold to get. |
#### Response
Returns a single hold object (same shape as the list endpoint), or `404` if not found.
---
### Create Hold
Creates a new legal hold. Holds are always created in the **active** state.
- **Endpoint:** `POST /holds`
- **Method:** `POST`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Request Body
| Field | Type | Required | Description |
| -------- | -------- | -------- | -------------------------------------------------------------- |
| `name` | `string` | Yes | Unique hold name. Max 255 characters. |
| `reason` | `string` | No | Legal basis or description for the hold. Max 2 000 characters. |
| `caseId` | `uuid` | No | Optional UUID of an `ediscovery_cases` record to link to. |
#### Example Request
```json
{
"name": "Project Titan Litigation — 2026",
"reason": "Preservation notice received from outside counsel on 2026-01-15 regarding IP dispute with ExCorp.",
"caseId": null
}
```
#### Response
- **`201 Created`** — Returns the created hold object with `emailCount: 0`.
- **`409 Conflict`** — A hold with this name already exists.
- **`422 Unprocessable Entity`** — Validation errors.
---
### Update Hold
Updates the name, reason, or `isActive` state of a hold. Only the fields provided in the request body are modified.
- **Endpoint:** `PUT /holds/:id`
- **Method:** `PUT`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ------------------------------- |
| `id` | `uuid` | The UUID of the hold to update. |
#### Request Body
All fields are optional. At least one must be provided.
| Field | Type | Description |
| ---------- | --------- | --------------------------------------------------- |
| `name` | `string` | New hold name. Max 255 characters. |
| `reason` | `string` | Updated reason/description. Max 2 000 characters. |
| `isActive` | `boolean` | Set to `false` to deactivate, `true` to reactivate. |
#### Example — Deactivate a Hold
```json
{
"isActive": false
}
```
#### Response
- **`200 OK`** — Returns the updated hold object.
- **`404 Not Found`** — Hold with the given ID does not exist.
- **`422 Unprocessable Entity`** — Validation errors.
> **Important:** Setting `isActive` to `false` immediately lifts deletion immunity from all emails solely protected by this hold. The next lifecycle worker cycle will evaluate those emails against retention labels and policies.
---
### Delete Hold
Permanently deletes a legal hold and (via database CASCADE) all associated `email_legal_holds` rows.
- **Endpoint:** `DELETE /holds/:id`
- **Method:** `DELETE`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ------------------------------- |
| `id` | `uuid` | The UUID of the hold to delete. |
#### Response
- **`204 No Content`** — Hold successfully deleted.
- **`404 Not Found`** — Hold with the given ID does not exist.
- **`409 Conflict`** — The hold is currently active. Deactivate it first by calling `PUT /holds/:id` with `{ "isActive": false }`.
> **Security note:** Active holds cannot be deleted. This requirement forces an explicit, auditable deactivation step before the hold record is removed.
---
## Bulk Operations
### Bulk Apply Hold via Search Query
Applies a legal hold to **all emails matching a Meilisearch query**. The operation is asynchronous-safe: the UI fires the request and the server processes results in pages of 1 000, so even very large result sets do not time out.
- **Endpoint:** `POST /holds/:id/bulk-apply`
- **Method:** `POST`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ------------------------------ |
| `id` | `uuid` | The UUID of the hold to apply. |
#### Request Body
| Field | Type | Required | Description |
| ------------- | -------- | -------- | ------------------------------------------------- |
| `searchQuery` | `object` | Yes | A Meilisearch query object (see structure below). |
##### `searchQuery` Object
| Field | Type | Required | Description |
| ------------------ | -------- | -------- | ------------------------------------------------------------------- |
| `query` | `string` | Yes | Full-text search string. Pass `""` to match all documents. |
| `filters` | `object` | No | Key-value filter object (e.g., `{ "from": "user@corp.com" }`). |
| `matchingStrategy` | `string` | No | Meilisearch matching strategy: `"last"`, `"all"`, or `"frequency"`. |
#### Example Request
```json
{
"searchQuery": {
"query": "Project Titan confidential",
"filters": {
"from": "john.doe@acme.com",
"startDate": "2023-01-01",
"endDate": "2025-12-31"
},
"matchingStrategy": "all"
}
}
```
#### Response Body
```json
{
"legalHoldId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"emailsLinked": 1247,
"queryUsed": {
"query": "Project Titan confidential",
"filters": {
"from": "john.doe@acme.com",
"startDate": "2023-01-01",
"endDate": "2025-12-31"
},
"matchingStrategy": "all"
}
}
```
- `emailsLinked` — The number of emails **newly** linked to the hold by this operation. Emails already linked to this hold are not counted.
- `queryUsed` — The exact query JSON that was executed, mirroring what was written to the audit log for GoBD proof of scope.
#### Response Codes
- **`200 OK`** — Operation completed. Returns `emailsLinked: 0` if no new emails matched.
- **`404 Not Found`** — Hold with the given ID does not exist.
- **`409 Conflict`** — The hold is inactive. Only active holds can receive new email links.
- **`422 Unprocessable Entity`** — Invalid request body.
---
### Release All Emails from Hold
Removes all `email_legal_holds` associations for the given hold in a single operation. The hold itself is **not** deleted.
- **Endpoint:** `POST /holds/:id/release-all`
- **Method:** `POST`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | -------------------------------- |
| `id` | `uuid` | The UUID of the hold to release. |
#### Response Body
```json
{
"emailsReleased": 4821
}
```
#### Response Codes
- **`200 OK`** — All email associations removed. Returns `emailsReleased: 0` if the hold had no linked emails.
- **`500 Internal Server Error`** — The hold ID was not found or a database error occurred.
> **Warning:** After release, emails that were solely protected by this hold will be evaluated normally on the next lifecycle worker cycle. Emails with expired retention periods will be deleted.
---
## Per-Email Hold Endpoints
### Get Holds Applied to an Email
Returns all legal holds currently linked to a specific archived email, including both active and inactive holds.
- **Endpoint:** `GET /email/:emailId/holds`
- **Method:** `GET`
- **Authentication:** Required
- **Permission:** `read:archive`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ------------------------------- |
| `emailId` | `uuid` | The UUID of the archived email. |
#### Response Body
Returns an empty array `[]` if no holds are applied, or an array of hold-link objects:
```json
[
{
"legalHoldId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"holdName": "Project Titan Litigation — 2026",
"isActive": true,
"appliedAt": "2026-01-15T11:00:00.000Z",
"appliedByUserId": "user-uuid-here"
},
{
"legalHoldId": "b2c3d4e5-f6a7-8901-bcde-f23456789012",
"holdName": "SEC Investigation Q3 2025",
"isActive": false,
"appliedAt": "2025-09-05T09:15:00.000Z",
"appliedByUserId": null
}
]
```
#### Response Codes
- **`200 OK`** — Returns the array of hold-link objects (may be empty).
---
### Apply a Hold to a Specific Email
Links a single archived email to an active legal hold. The operation is idempotent — linking the same email to the same hold twice has no effect.
- **Endpoint:** `POST /email/:emailId/holds`
- **Method:** `POST`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ------------------------------- |
| `emailId` | `uuid` | The UUID of the archived email. |
#### Request Body
| Field | Type | Required | Description |
| -------- | ------ | -------- | ------------------------------ |
| `holdId` | `uuid` | Yes | The UUID of the hold to apply. |
#### Example Request
```json
{
"holdId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
```
#### Response Body
Returns the hold-link object with the DB-authoritative `appliedAt` timestamp:
```json
{
"legalHoldId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"holdName": "Project Titan Litigation — 2026",
"isActive": true,
"appliedAt": "2026-01-16T14:22:00.000Z",
"appliedByUserId": "user-uuid-here"
}
```
#### Response Codes
- **`200 OK`** — Hold successfully applied (or was already applied — idempotent).
- **`404 Not Found`** — Email or hold not found.
- **`409 Conflict`** — The hold is inactive and cannot be applied to new emails.
- **`422 Unprocessable Entity`** — Invalid request body.
---
### Remove a Hold from a Specific Email
Unlinks a specific legal hold from a specific archived email. The hold itself is not modified; other emails linked to the same hold are unaffected.
- **Endpoint:** `DELETE /email/:emailId/holds/:holdId`
- **Method:** `DELETE`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ------------------------------- |
| `emailId` | `uuid` | The UUID of the archived email. |
| `holdId` | `uuid` | The UUID of the hold to remove. |
#### Response Body
```json
{
"message": "Hold removed from email successfully."
}
```
#### Response Codes
- **`200 OK`** — Hold link removed.
- **`404 Not Found`** — No such hold was applied to this email.
---
## Error Responses
All endpoints use the standard error response format:
```json
{
"status": "error",
"statusCode": 409,
"message": "Cannot delete an active legal hold. Deactivate it first to explicitly lift legal protection before deletion.",
"errors": null
}
```
For validation errors (`422 Unprocessable Entity`):
```json
{
"status": "error",
"statusCode": 422,
"message": "Invalid input provided.",
"errors": [
{
"field": "name",
"message": "Name is required."
}
]
}
```
---
## Validation Constraints
| Field | Constraint |
| ------------------ | ---------------------------------------- |
| Hold name | 1255 characters. |
| Reason | Max 2 000 characters. |
| `caseId` | Must be a valid UUID if provided. |
| `holdId` | Must be a valid UUID. |
| `emailId` | Must be a valid UUID. |
| Search `query` | String (may be empty `""`). |
| `matchingStrategy` | One of `"last"`, `"all"`, `"frequency"`. |

164
docs/enterprise/legal-holds/guide.md Normal file
View File

@@ -0,0 +1,164 @@
# Legal Holds: User Interface Guide
The legal holds management interface is located at **Dashboard → Compliance → Legal Holds**. It provides a complete view of all configured holds and tools for creating, applying, releasing, and deactivating them. Per-email hold controls are also available on each archived email's detail page.
## Overview
Legal holds suspend all automated and manual deletion for specific emails, regardless of any retention labels or policies that might otherwise govern them. They are the highest-priority mechanism in the data lifecycle and are intended for use by compliance officers and legal counsel responding to litigation, investigations, or audit requests.
## Holds Table
The main page displays a table of all legal holds with the following columns:
- **Name:** The hold name and its UUID displayed underneath for reference.
- **Reason:** A short excerpt of the hold's reason/description. Shows _"No reason provided"_ if omitted.
- **Emails:** A badge showing how many archived emails are currently linked to this hold.
- **Status:** A badge indicating whether the hold is:
- **Active** (red badge): The hold is currently granting deletion immunity to linked emails.
- **Inactive** (gray badge): The hold is deactivated; linked emails are no longer immune.
- **Created At:** The date the hold was created, in local date format.
- **Actions:** Dropdown menu with options depending on the hold's state (see below).
The table is sorted by creation date in ascending order.
## Creating a Hold
Click the **"Create New"** button above the table to open the creation dialog. New holds are always created in the **Active** state.
### Form Fields
- **Name** (Required): A unique, descriptive name. Maximum 255 characters.
Examples: `"Project Titan Litigation — 2026"`, `"SEC Investigation Q3 2025"`
- **Reason** (Optional): A free-text description of the legal basis for the hold. Maximum 2 000 characters. This appears in the audit log and is visible to other compliance officers.
### After Creation
The hold immediately becomes active. No emails are linked to it yet — use Bulk Apply or the individual email detail page to add emails.
## Editing a Hold
Click **Edit** from the actions dropdown to modify the hold's name or reason. The `isActive` state is changed separately via the **Activate / Deactivate** action.
## Activating and Deactivating a Hold
The **Deactivate** / **Activate** option appears inline in the actions dropdown. Changing the active state does not remove any email links — it only determines whether those links grant deletion immunity.
> **Important:** Deactivating a hold means that all emails linked _solely_ to this hold lose their deletion immunity immediately. If any such emails have an expired retention period, they will be permanently deleted on the very next lifecycle worker cycle.
## Deleting a Hold
A hold **cannot be deleted while it is active**. Attempting to delete an active hold returns a `409 Conflict` error with the message: _"Cannot delete an active legal hold. Deactivate it first..."_
To delete a hold:
1. **Deactivate** it first using the Activate/Deactivate action.
2. Click **Delete** from the actions dropdown.
3. Confirm in the dialog.
Deletion permanently removes the hold record and, via database CASCADE, all `email_legal_holds` link rows. The emails themselves are not deleted — they simply lose the protection that this hold was providing. Any other active holds on those emails continue to protect them.
## Bulk Apply
The **Bulk Apply** option (available only on active holds) opens a search dialog that lets you cast a preservation net across potentially thousands of emails in a single operation.
### Search Fields
- **Full-text query:** Keywords to match against email subject, body, and attachment content. This uses Meilisearch's full-text engine with typo tolerance.
- **From (sender):** Filter by sender email address.
- **Start date / End date:** Filter by the date range of the email's `sentAt` field.
At least one of these fields must be filled before the **Apply Hold** button becomes enabled.
### What Happens During Bulk Apply
1. The system pages through all Meilisearch results matching the query (1 000 hits per page).
2. Each hit's email ID is validated against the database to discard any stale index entries.
3. New hold links are inserted in batches of 500. Emails already linked to this hold are skipped (idempotent).
4. A success notification shows **how many emails were newly placed under the hold** (already-protected emails are not counted again).
5. The exact search query JSON is written to the audit log as GoBD proof of the scope of protection.
> **Warning:** Bulk Apply is a wide-net operation. Review your query carefully — there is no per-email confirmation step. Use the search page first to preview results before applying.
### Bulk Apply and the Audit Log
The audit log entry for a bulk apply contains:
- `action: "BulkApplyHold"`
- `searchQuery`: the exact JSON query used
- `emailsLinked`: number of emails newly linked
- `emailsAlreadyProtected`: number of emails that were already under this hold
## Release All Emails
The **Release All** option (available when the hold has at least one linked email) removes every `email_legal_holds` link for this hold in a single operation.
> **Warning:** This immediately lifts deletion immunity for all emails that were solely protected by this hold. Emails with expired retention periods will be deleted on the next lifecycle worker cycle.
A confirmation dialog is shown before the operation proceeds. On success, a notification reports how many email links were removed.
## Per-Email Hold Controls
### Viewing Holds on a Specific Email
On any archived email's detail page, the **Legal Holds** card lists all holds currently applied to that email, showing:
- Hold name and active/inactive badge
- Date the hold was applied
### Applying a Hold to a Specific Email
In the Legal Holds card, a dropdown lists all currently **active** holds. Select a hold and click **Apply**. The operation is idempotent — applying the same hold twice has no effect.
### Removing a Hold from a Specific Email
Each linked hold in the card has a **Remove** button. Clicking it removes only the link between this email and that specific hold. The hold itself remains and continues to protect other emails.
> **Note:** Removing the last active hold from an email means the email is no longer immune. If its retention period has expired, it will be deleted on the next lifecycle worker cycle.
### Delete Button Behaviour Under a Hold
The **Delete Email** button on the email detail page is not disabled in the UI, but the backend will reject the request if the email is under an active hold. An error toast is displayed: _"Deletion blocked by retention policy (Legal Hold or similar)."_
## Permissions Reference
| Operation | Required Permission |
| -------------------------------- | ------------------- |
| View holds table | `manage:all` |
| Create / edit / delete a hold | `manage:all` |
| Activate / deactivate a hold | `manage:all` |
| Bulk apply | `manage:all` |
| Release all emails from a hold | `manage:all` |
| View holds on a specific email | `read:archive` |
| Apply / remove a hold from email | `manage:all` |
## Workflow: Responding to a Litigation Notice
1. **Receive the litigation notice.** Identify the relevant custodians, date range, and keywords.
2. **Create a hold**: Navigate to Dashboard → Compliance → Legal Holds and click **Create New**. Name it descriptively (e.g., `"Doe v. Acme Corp — 2026"`). Add the legal matter reference as the reason.
3. **Bulk apply**: Click **Bulk Apply** on the new hold. Enter keywords, the custodian's email address in the **From** field, and the relevant date range. Submit.
4. **Verify**: Check the email count badge on the hold row. Review the audit log to confirm the search query was recorded.
5. **Individual additions**: If specific emails not captured by the bulk query need to be preserved, open each email's detail page and apply the hold manually.
6. **When the matter concludes**: Click **Deactivate** on the hold, then **Release All** to remove all email links, and finally **Delete** the hold record if desired.
## Troubleshooting
### Cannot Delete Hold — "Cannot delete an active legal hold"
**Cause:** The hold is still active.
**Solution:** Use the **Deactivate** option from the actions dropdown first.
### Bulk Apply Returns 0 Emails
**Cause 1:** The search query matched no documents in the Meilisearch index.
**Solution:** Verify the query in the main Search page to preview results before applying.
**Cause 2:** All Meilisearch results were stale (emails deleted from the archive before this operation).
**Solution:** This is a data state issue; the stale index entries will be cleaned up on the next index rebuild.
### Delete Email Returns an Error Instead of Deleting
**Cause:** The email is under one or more active legal holds.
**Solution:** This is expected behavior. Deactivate or remove the hold(s) from this email before deleting.
### Hold Emails Count Shows 0 After Bulk Apply
**Cause:** The `emailCount` field is fetched when the page loads. If the bulk operation was just completed, refresh the page to see the updated count.

125
docs/enterprise/legal-holds/index.md Normal file
View File

@@ -0,0 +1,125 @@
# Legal Holds
The Legal Holds feature is an enterprise-grade eDiscovery and compliance mechanism designed to prevent the spoliation (destruction) of evidence. It provides **absolute, unconditional immunity** from deletion for archived emails that are relevant to pending litigation, regulatory investigations, or audits.
## Core Principles
### 1. Absolute Immunity — Highest Precedence in the Lifecycle Pipeline
A legal hold is the final word on whether an email can be deleted. The [Lifecycle Worker](../retention-policy/lifecycle-worker.md) evaluates emails in a strict three-step precedence pipeline:
1. **Step 0 — Legal Hold** ← this feature
2. Step 1 — Retention Label
3. Step 2 — Retention Policy
If an email is linked to **at least one active** legal hold, the lifecycle worker immediately flags it as immune and stops evaluation. No retention label or policy can override this decision. The `RetentionHook` mechanism also blocks any **manual deletion** attempt from the UI — the backend will return an error before any `DELETE` SQL is issued.
### 2. Many-to-Many Relationship
A single email can be placed under multiple holds simultaneously (e.g., one hold for a litigation case and another for a regulatory investigation). The email remains immune as long as **any one** of those holds is active. Each hold-to-email link is recorded independently with its own `appliedAt` timestamp and actor attribution.
### 3. Active/Inactive State Management
Every hold has an `isActive` flag. When a legal matter concludes, the responsible officer deactivates the hold. The deactivation is instantaneous — on the very next lifecycle worker cycle, emails that were solely protected by that hold will be evaluated normally against retention labels and policies. If their retention period has already expired, they will be permanently deleted in that same cycle.
A hold **must be deactivated before it can be deleted**. This requirement forces an explicit, auditable act of lifting legal protection before the hold record can be removed from the system.
### 4. Bulk Preservation via Search Queries
The primary use case for legal holds is casting a wide preservation net quickly. The bulk-apply operation accepts a full Meilisearch query (full-text search + metadata filters such as sender, date range, etc.) and links every matching email to the hold in a single operation. The system pages through results in batches of 1 000 to handle datasets of any size without timing out the UI.
### 5. GoBD Audit Trail
Every action within the legal hold module — hold creation, modification, deactivation, deletion, email linkage, email removal, and bulk operations — is immutably recorded in the cryptographically chained `audit_logs` table. For bulk operations, the exact `SearchQuery` JSON used to cast the hold net is persisted in the audit log as proof of scope, satisfying GoBD and similar evidence-preservation requirements.
## Feature Requirements
The Legal Holds feature requires:
- An active **Enterprise license** with the `LEGAL_HOLDS` feature enabled.
- The `manage:all` permission for all hold management and bulk operations.
- The `read:archive` permission for viewing holds applied to a specific email.
- The `manage:all` permission for applying or removing a hold from an individual email.
## Use Cases
### Active Litigation Hold
Upon receiving a litigation notice, a compliance officer creates a hold named "Project Titan Litigation — 2026", applies it via a bulk query scoped to a specific custodian's emails and a date range, and immediately freezes those records. The audit log provides timestamped proof that the hold was in place from the moment of creation.
### Regulatory Investigation
A regulator requests preservation of all finance-related communications from a specific period. The officer creates a hold and uses a keyword + date-range bulk query to capture every relevant email in seconds, regardless of which users sent or received them.
### Tax Audit
Before an annual audit window, an officer applies a hold to all emails matching tax-relevant keywords. The hold is released once the audit concludes, and standard retention policies resume.
### eDiscovery Case Management
Holds can optionally be linked to an `ediscovery_cases` record (`caseId` field) to organise multiple holds under a single legal matter. This allows all holds, emails, and audit events for a case to be referenced together.
## Architecture Overview
| Component | Location | Description |
| --------------- | ---------------------------------------------------------------------- | -------------------------------------------------------------- |
| Types | `packages/types/src/retention.types.ts` | `LegalHold`, `EmailLegalHoldInfo`, `BulkApplyHoldResult` types |
| Database Schema | `packages/backend/src/database/schema/compliance.ts` | `legal_holds` and `email_legal_holds` table definitions |
| Service | `packages/enterprise/src/modules/legal-holds/LegalHoldService.ts` | All business logic for CRUD, linkage, and bulk operations |
| Controller | `packages/enterprise/src/modules/legal-holds/legal-hold.controller.ts` | Express request handlers with Zod validation |
| Routes | `packages/enterprise/src/modules/legal-holds/legal-hold.routes.ts` | Route registration with auth and feature guards |
| Module | `packages/enterprise/src/modules/legal-holds/legal-hold.module.ts` | App-startup integration and `RetentionHook` registration |
| Frontend Page | `packages/frontend/src/routes/dashboard/compliance/legal-holds/` | SvelteKit management page for holds |
| Email Detail | `packages/frontend/src/routes/dashboard/archived-emails/[id]/` | Per-email hold card in the email detail view |
| Lifecycle Guard | `packages/backend/src/hooks/RetentionHook.ts` | Static hook that blocks deletion if a hold is active |
## Data Model
### `legal_holds` Table
| Column | Type | Description |
| ------------ | -------------- | --------------------------------------------------------------------------- |
| `id` | `uuid` (PK) | Auto-generated unique identifier. |
| `name` | `varchar(255)` | Human-readable hold name. |
| `reason` | `text` | Optional description of why the hold was placed. |
| `is_active` | `boolean` | Whether the hold currently grants immunity. Defaults to `true` on creation. |
| `case_id` | `uuid` (FK) | Optional reference to an `ediscovery_cases` row. |
| `created_at` | `timestamptz` | Hold creation timestamp. |
| `updated_at` | `timestamptz` | Last modification timestamp. |
### `email_legal_holds` Join Table
| Column | Type | Description |
| -------------------- | ------------- | ----------------------------------------------------------- |
| `email_id` | `uuid` (FK) | Reference to `archived_emails.id`. Cascades on delete. |
| `legal_hold_id` | `uuid` (FK) | Reference to `legal_holds.id`. Cascades on delete. |
| `applied_at` | `timestamptz` | DB-server timestamp of when the link was created. |
| `applied_by_user_id` | `uuid` (FK) | User who applied the hold (nullable for system operations). |
The table uses a composite primary key of `(email_id, legal_hold_id)`, enforcing uniqueness at the database level. Duplicate inserts use `ON CONFLICT DO NOTHING` for idempotency.
## Integration Points
### RetentionHook (Deletion Guard)
`LegalHoldModule.initialize()` registers an async check with `RetentionHook` at application startup. `ArchivedEmailService.deleteArchivedEmail()` calls `RetentionHook.canDelete(emailId)` before any storage or database DELETE. If the email is under an active hold, the hook returns `false` and deletion is aborted with a `400 Bad Request` error. This guard is fail-safe: if the hook itself throws an error, deletion is also blocked.
### Lifecycle Worker
The lifecycle worker calls `legalHoldService.isEmailUnderActiveHold(emailId)` as the first step in its per-email evaluation loop. Immune emails are skipped immediately with a `debug`-level log entry; no further evaluation occurs.
### Audit Log
All legal hold operations generate entries in `audit_logs`:
| Action | `actionType` | `targetType` | `targetId` |
| --------------------------------- | ------------ | --------------- | -------------------- |
| Hold created | `CREATE` | `LegalHold` | hold ID |
| Hold updated / deactivated | `UPDATE` | `LegalHold` | hold ID |
| Hold deleted | `DELETE` | `LegalHold` | hold ID |
| Email linked to hold (individual) | `UPDATE` | `ArchivedEmail` | email ID |
| Email unlinked from hold | `UPDATE` | `ArchivedEmail` | email ID |
| Bulk apply via search | `UPDATE` | `LegalHold` | hold ID + query JSON |
| All emails released from hold | `UPDATE` | `LegalHold` | hold ID |
Individual email link/unlink events target `ArchivedEmail` so that a per-email audit search surfaces the complete hold history for that email.

360
docs/enterprise/retention-labels/api.md Normal file
View File

@@ -0,0 +1,360 @@
# Retention Labels: API Endpoints
The retention labels feature exposes a RESTful API for managing retention labels and applying them to individual archived emails. All endpoints require authentication and appropriate permissions as specified below.
**Base URL:** `/api/v1/enterprise/retention-policy`
All endpoints also require the `RETENTION_POLICY` feature to be enabled in the enterprise license.
---
## Label Management Endpoints
### List All Labels
Retrieves all retention labels, ordered by creation date ascending.
- **Endpoint:** `GET /labels`
- **Method:** `GET`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Response Body
```json
[
{
"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"name": "Legal Hold - Litigation ABC",
"description": "Extended retention for emails related to litigation ABC vs Company",
"retentionPeriodDays": 2555,
"isDisabled": false,
"createdAt": "2025-10-01T00:00:00.000Z"
},
{
"id": "b2c3d4e5-f6a7-8901-bcde-f23456789012",
"name": "Executive Communications",
"description": null,
"retentionPeriodDays": 3650,
"isDisabled": true,
"createdAt": "2025-09-15T12:30:00.000Z"
}
]
```
---
### Get Label by ID
Retrieves a single retention label by its UUID.
- **Endpoint:** `GET /labels/:id`
- **Method:** `GET`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ----------------------------- |
| `id` | `uuid` | The UUID of the label to get. |
#### Response Body
Returns a single label object (same shape as the list endpoint), or `404` if not found.
---
### Create Label
Creates a new retention label. The label name must be unique across the system.
- **Endpoint:** `POST /labels`
- **Method:** `POST`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Request Body
| Field | Type | Required | Description |
| --------------------- | --------- | -------- | ----------------------------------------------------------- |
| `name` | `string` | Yes | Unique label name. Max 255 characters. |
| `description` | `string` | No | Human-readable description. Max 1000 characters. |
| `retentionPeriodDays` | `integer` | Yes | Number of days to retain emails with this label. Minimum 1. |
#### Example Request
```json
{
"name": "Financial Records - Q4 2025",
"description": "Extended retention for Q4 2025 financial correspondence per regulatory requirements",
"retentionPeriodDays": 2555
}
```
#### Response
- **`201 Created`** — Returns the created label object.
- **`409 Conflict`** — A label with this name already exists.
- **`422 Unprocessable Entity`** — Validation errors.
---
### Update Label
Updates an existing retention label. Only the fields included in the request body are modified.
- **Endpoint:** `PUT /labels/:id`
- **Method:** `PUT`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | -------------------------------- |
| `id` | `uuid` | The UUID of the label to update. |
#### Request Body
All fields from the create endpoint are accepted, and all are optional. Only provided fields are updated.
**Important:** The `retentionPeriodDays` field cannot be modified if the label is currently applied to any emails. Attempting to do so will return a `409 Conflict` error.
#### Example Request
```json
{
"name": "Financial Records - Q4 2025 (Updated)",
"description": "Updated description for Q4 2025 financial records retention"
}
```
#### Response
- **`200 OK`** — Returns the updated label object.
- **`404 Not Found`** — Label with the given ID does not exist.
- **`409 Conflict`** — Attempted to modify retention period while label is applied to emails.
- **`422 Unprocessable Entity`** — Validation errors.
---
### Delete Label
Deletes or disables a retention label depending on its usage status.
- **Endpoint:** `DELETE /labels/:id`
- **Method:** `DELETE`
- **Authentication:** Required
- **Permission:** `manage:all`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | -------------------------------- |
| `id` | `uuid` | The UUID of the label to delete. |
#### Deletion Logic
- **Hard Delete**: If the label has never been applied to any emails, it is permanently removed.
- **Soft Disable**: If the label is currently applied to one or more emails, it is marked as `isDisabled = true` instead of being deleted. This preserves the retention clock for tagged emails while preventing new applications.
#### Response Body
```json
{
"action": "deleted"
}
```
or
```json
{
"action": "disabled"
}
```
#### Response Codes
- **`200 OK`** — Label successfully deleted or disabled. Check the `action` field in the response body.
- **`404 Not Found`** — Label with the given ID does not exist.
---
## Email Label Endpoints
### Get Email's Label
Retrieves the retention label currently applied to a specific archived email.
- **Endpoint:** `GET /email/:emailId/label`
- **Method:** `GET`
- **Authentication:** Required
- **Permission:** `read:archive`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ------------------------------- |
| `emailId` | `uuid` | The UUID of the archived email. |
#### Response Body
Returns `null` if no label is applied:
```json
null
```
Or the label information if a label is applied:
```json
{
"labelId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"labelName": "Legal Hold - Litigation ABC",
"retentionPeriodDays": 2555,
"appliedAt": "2025-10-15T14:30:00.000Z",
"appliedByUserId": "user123"
}
```
#### Response Codes
- **`200 OK`** — Returns label information or `null`.
- **`500 Internal Server Error`** — Server error during processing.
---
### Apply Label to Email
Applies a retention label to an archived email. If the email already has a label, the existing label is replaced.
- **Endpoint:** `POST /email/:emailId/label`
- **Method:** `POST`
- **Authentication:** Required
- **Permission:** `delete:archive`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ------------------------------- |
| `emailId` | `uuid` | The UUID of the archived email. |
#### Request Body
| Field | Type | Required | Description |
| --------- | ------ | -------- | ------------------------------- |
| `labelId` | `uuid` | Yes | The UUID of the label to apply. |
#### Example Request
```json
{
"labelId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
```
#### Response Body
```json
{
"labelId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"labelName": "Legal Hold - Litigation ABC",
"retentionPeriodDays": 2555,
"appliedAt": "2025-10-15T14:30:00.000Z",
"appliedByUserId": "user123"
}
```
#### Response Codes
- **`200 OK`** — Label successfully applied.
- **`404 Not Found`** — Email or label not found.
- **`409 Conflict`** — Attempted to apply a disabled label.
- **`422 Unprocessable Entity`** — Invalid request body.
---
### Remove Label from Email
Removes the retention label from an archived email if one is applied.
- **Endpoint:** `DELETE /email/:emailId/label`
- **Method:** `DELETE`
- **Authentication:** Required
- **Permission:** `delete:archive`
#### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ------------------------------- |
| `emailId` | `uuid` | The UUID of the archived email. |
#### Response Body
If a label was removed:
```json
{
"message": "Label removed successfully."
}
```
If no label was applied:
```json
{
"message": "No label was applied to this email."
}
```
#### Response Codes
- **`200 OK`** — Operation completed (regardless of whether a label was actually removed).
- **`500 Internal Server Error`** — Server error during processing.
---
## Error Responses
All endpoints use the standard error response format:
```json
{
"status": "error",
"statusCode": 404,
"message": "The requested resource could not be found.",
"errors": null
}
```
For validation errors (`422 Unprocessable Entity`):
```json
{
"status": "error",
"statusCode": 422,
"message": "Invalid input provided.",
"errors": [
{
"field": "name",
"message": "Name is required."
},
{
"field": "retentionPeriodDays",
"message": "Retention period must be at least 1 day."
}
]
}
```
## Validation Constraints
| Field | Constraint |
| ---------------- | --------------------------------- |
| Label name | 1255 characters, must be unique. |
| Description | Max 1000 characters. |
| Retention period | Positive integer (≥ 1 day). |
| Label ID (UUID) | Must be a valid UUID format. |
| Email ID (UUID) | Must be a valid UUID format. |

267
docs/enterprise/retention-labels/automated-tagging.md Normal file
View File

@@ -0,0 +1,267 @@
# Retention Labels: Automated Application Guide
This guide explains how to use the API to automatically apply retention labels to archived emails, enabling automated compliance and retention management workflows.
## Overview
Automated retention label application allows external systems and services to programmatically tag emails with appropriate retention labels based on content analysis, business rules, or regulatory requirements. This eliminates manual tagging for large volumes of emails while ensuring consistent retention policy enforcement.
## Common Use Cases
### 1. Financial Document Classification
**Scenario**: Automatically identify and tag financial documents (invoices, receipts, payment confirmations) with extended retention periods for regulatory compliance.
**Implementation**:
- Monitor newly ingested emails for financial keywords in subject lines or attachment names
- Apply "Financial Records" label (typically 7+ years retention) to matching emails
- Use content analysis to identify financial document types
### 2. Legal and Compliance Tagging
**Scenario**: Apply legal hold labels to emails related to ongoing litigation or regulatory investigations.
**Implementation**:
- Scan emails for legal-related keywords or specific case references
- Tag emails from/to legal departments with "Legal Hold" labels
- Apply extended retention periods to preserve evidence
### 3. Executive Communication Preservation
**Scenario**: Ensure important communications involving executive leadership are retained beyond standard policies.
**Implementation**:
- Identify emails from C-level executives (CEO, CFO, CTO, etc.)
- Apply "Executive Communications" labels with extended retention
- Preserve strategic business communications for historical reference
### 4. Data Classification Integration
**Scenario**: Integrate with existing data classification systems to apply retention labels based on content sensitivity.
**Implementation**:
- Use AI/ML classification results to determine retention requirements
- Apply labels like "Confidential", "Public", or "Restricted" with appropriate retention periods
- Automate compliance with data protection regulations
### 5. Project-Based Retention
**Scenario**: Apply specific retention periods to emails related to particular projects or contracts.
**Implementation**:
- Identify project-related emails using subject line patterns or participant lists
- Tag with project-specific labels (e.g., "Project Alpha - 5 Year Retention")
- Ensure project documentation meets contractual retention requirements
## API Workflow
### Step 1: Authentication Setup
Create an API key with appropriate permissions:
- Navigate to **Dashboard → Admin → Roles/Users**
- Create a user with `read:archive` and `delete:archive` permissions (minimum required)
- Generate an API for the newly created user
- Securely store the API key for use in automated systems
### Step 2: Identify Target Emails
Use the archived emails API to find emails that need labeling:
**Get Recent Emails**:
```
GET /api/v1/archived-emails?limit=100&sort=archivedAt:desc
```
**Search for Specific Emails**:
```
GET /api/v1/archived-emails/search?query=subject:invoice&limit=50
```
### Step 3: Check Current Label Status
Before applying a new label, verify the email's current state:
**Check Email Label**:
```
GET /api/v1/enterprise/retention-policy/email/{emailId}/label
```
This returns `null` if no label is applied, or the current label information if one exists.
### Step 4: Apply Retention Label
Apply the appropriate label to the email:
**Apply Label**:
```
POST /api/v1/enterprise/retention-policy/email/{emailId}/label
Content-Type: application/json
{
"labelId": "your-label-uuid-here"
}
```
### Step 5: Verify Application
Confirm the label was successfully applied by checking the response or making another GET request.
## Label Management
### Getting Available Labels
List all available retention labels to identify which ones to use:
```
GET /api/v1/enterprise/retention-policy/labels
```
This returns all labels with their IDs, names, retention periods, and status (enabled/disabled).
### Label Selection Strategy
- **Pre-create labels** through the UI with appropriate names and retention periods
- **Map business rules** to specific label IDs in your automation logic
- **Cache label information** to avoid repeated API calls
- **Handle disabled labels** gracefully (they cannot be applied to new emails)
## Implementation Patterns
### Pattern 1: Post-Ingestion Processing
Apply labels after emails have been fully ingested and indexed:
1. Monitor for newly ingested emails (via webhooks or polling)
2. Analyze email content and metadata
3. Determine appropriate retention label based on business rules
4. Apply the label via API
### Pattern 2: Batch Processing
Process emails in scheduled batches:
1. Query for unlabeled emails periodically (daily/weekly)
2. Process emails in manageable batches (50-100 emails)
3. Apply classification logic and labels
4. Log results for audit and monitoring
### Pattern 3: Event-Driven Tagging
React to specific events or triggers:
1. Receive notification of specific events (legal hold notice, project start, etc.)
2. Search for relevant emails based on criteria
3. Apply appropriate labels to all matching emails
4. Document the mass labeling action
## Authentication and Security
### API Key Management
- **Use dedicated API keys** for automated systems (not user accounts)
- **Assign minimal required permissions** (`delete:archive` for label application)
- **Rotate API keys regularly** as part of security best practices
- **Store keys securely** using environment variables or secret management systems
### Request Authentication
Include the API key in all requests:
```
Authorization: Bearer your-api-key-here
Content-Type: application/json
```
## Error Handling
### Common Error Scenarios
- **404 Email Not Found**: The specified email ID doesn't exist
- **404 Label Not Found**: The label ID is invalid or label has been deleted
- **409 Conflict**: Attempting to apply a disabled label
- **422 Validation Error**: Invalid request format or missing required fields
### Best Practices
- **Check response status codes** and handle errors appropriately
- **Implement retry logic** for temporary failures (5xx errors)
- **Log all operations** for audit trails and debugging
- **Continue processing** other emails even if some fail
## Performance Considerations
### Rate Limiting
- **Process emails in batches** rather than individually when possible
- **Add delays between API calls** to avoid overwhelming the server
- **Monitor API response times** and adjust batch sizes accordingly
### Efficiency Tips
- **Cache label information** to reduce API calls
- **Check existing labels** before applying new ones to avoid unnecessary operations
- **Use search API** to filter emails rather than processing all emails
- **Implement incremental processing** to handle only new or modified emails
## Monitoring and Auditing
### Logging Recommendations
- **Log all label applications** with email ID, label ID, and timestamp
- **Track success/failure rates** for monitoring system health
- **Record business rule matches** for compliance reporting
### Audit Trail
All automated label applications are recorded in the system audit log with:
- Actor identified as the API key name
- Target email and applied label details
- Timestamp of the operation
This ensures full traceability of automated retention decisions.
## Integration Examples
### Scenario: Invoice Processing System
1. **Trigger**: New email arrives with invoice attachment
2. **Analysis**: System identifies invoice keywords or attachment types
3. **Action**: Apply "Financial Records - 7 Year" label via API
4. **Result**: Email retained for regulatory compliance period
### Scenario: Legal Hold Implementation
1. **Trigger**: Legal department issues hold notice for specific matter
2. **Search**: Find all emails matching case criteria (participants, keywords, date range)
3. **Action**: Apply "Legal Hold - Matter XYZ" label to all matching emails
4. **Result**: All relevant emails preserved indefinitely
### Scenario: Data Classification Integration
1. **Trigger**: Content classification system processes new emails
2. **Analysis**: ML system categorizes email as "Confidential Financial Data"
3. **Mapping**: Business rules map category to "Financial Confidential - 10 Year" label
4. **Action**: Apply label via API
5. **Result**: Automatic compliance with data retention policies
## Getting Started
1. **Set up authentication** by creating an API key with appropriate permissions
2. **Identify your use cases** and create corresponding retention labels through the UI
3. **Test the API** with a few sample emails to understand the workflow
4. **Implement your business logic** to identify which emails need which labels
5. **Deploy your automation** with proper error handling and monitoring
6. **Monitor results** and adjust your classification rules as needed
This automated approach ensures consistent retention policy enforcement while reducing manual administrative overhead.

224
docs/enterprise/retention-labels/guide.md Normal file
View File

@@ -0,0 +1,224 @@
# Retention Labels: User Interface Guide
The retention labels management interface is located at **Dashboard → Compliance → Retention Labels**. It provides a comprehensive view of all configured labels and tools for creating, editing, deleting, and applying labels to individual archived emails.
## Overview
Retention labels provide item-level retention control, allowing administrators to override normal retention policies for specific emails with custom retention periods. This is particularly useful for legal holds, regulatory compliance, and preserving important business communications.
## Labels Table
The main page displays a table of all retention labels with the following columns:
- **Name:** The label name and its UUID displayed underneath for reference. If a description is provided, it appears below the name in smaller text.
- **Retention Period:** The number of days emails with this label are retained, displayed as "X days".
- **Status:** A badge indicating whether the label is:
- **Enabled** (green badge): The label can be applied to new emails
- **Disabled** (gray badge): The label cannot be applied to new emails but continues to govern already-labeled emails
- **Created At:** The date the label was created, displayed in local date format.
- **Actions:** Dropdown menu with Edit and Delete options for each label.
The table is sorted by creation date in ascending order by default.
## Creating a Label
Click the **"Create New"** button (with plus icon) above the table to open the creation dialog.
### Form Fields
- **Name** (Required): A unique, descriptive name for the label. Maximum 255 characters.
- **Description** (Optional): A detailed explanation of the label's purpose or usage. Maximum 1000 characters.
- **Retention Period (Days)** (Required): The number of days to retain emails with this label. Must be at least 1 day.
### Example Labels
- **Name:** "Legal Hold - Project Alpha"
**Description:** "Extended retention for emails related to ongoing litigation regarding Project Alpha intellectual property dispute"
**Retention Period:** 3650 days (10 years)
- **Name:** "Executive Communications"
**Description:** "Preserve important emails from C-level executives beyond normal retention periods"
**Retention Period:** 2555 days (7 years)
- **Name:** "Financial Records Q4 2025"
**Retention Period:** 2190 days (6 years)
### Success and Error Handling
- **Success**: The dialog closes and a green success notification appears confirming the label was created.
- **Name Conflict**: If a label with the same name already exists, an error notification will display.
- **Validation Errors**: Missing required fields or invalid values will show inline validation messages.
## Editing a Label
Click the **Edit** option from the actions dropdown on any label row to open the edit dialog.
### Editable Fields
- **Name**: Can always be modified (subject to uniqueness constraint)
- **Description**: Can always be modified
- **Retention Period**: Can only be modified if the label has never been applied to any emails
### Retention Period Restrictions
The edit dialog shows a warning message: "Retention period cannot be modified if this label is currently applied to emails." If you attempt to change the retention period for a label that's in use, the system will return a conflict error and display an appropriate error message.
This restriction prevents tampering with active retention schedules and ensures compliance integrity.
### Update Process
1. Modify the desired fields
2. Click **Save** to submit changes
3. The system validates the changes and updates the label
4. A success notification confirms the update
## Deleting a Label
Click the **Delete** option from the actions dropdown to open the deletion confirmation dialog.
### Smart Deletion Behavior
The system uses intelligent deletion logic:
#### Hard Delete
If the label has **never been applied** to any emails:
- The label is permanently removed from the system
- Success message: "Label deleted successfully"
#### Soft Disable
If the label is **currently applied** to one or more emails:
- The label is marked as "Disabled" instead of being deleted
- The label remains in the table with a "Disabled" status badge
- Existing emails keep their retention schedule based on this label
- The label cannot be applied to new emails
- Success message: "Label disabled successfully"
### Confirmation Dialog
The deletion dialog shows:
- **Title**: "Delete Retention Label"
- **Description**: Explains that this action cannot be undone and may disable the label if it's in use
- **Cancel** button to abort the operation
- **Confirm** button to proceed with deletion
## Applying Labels to Emails
Retention labels can be applied to individual archived emails through the email detail pages.
### From Email Detail Page
1. Navigate to an archived email by clicking on it from search results or the archived emails list
2. Look for the "Retention Label" section in the email metadata
3. If no label is applied, you'll see an "Apply Label" button (requires `delete:archive` permission)
4. If a label is already applied, you'll see:
- The current label name and retention period
- "Change Label" and "Remove Label" buttons
### Label Application Process
1. Click **"Apply Label"** or **"Change Label"**
2. A dropdown or dialog shows all available (enabled) labels
3. Select the desired label
4. Confirm the application
5. The system:
- Removes any existing label from the email
- Applies the new label
- Records the action in the audit log
- Updates the email's retention schedule
### One Label Per Email Rule
Each email can have at most one retention label. When you apply a new label to an email that already has a label, the previous label is automatically removed and replaced with the new one.
## Permissions Required
Different operations require different permission levels:
### Label Management
- **Create, Edit, Delete Labels**: Requires `manage:all` permission
- **View Labels Table**: Requires `manage:all` permission
### Email Label Operations
- **View Email Labels**: Requires `read:archive` permission
- **Apply/Remove Email Labels**: Requires `delete:archive` permission
## Status Indicators
### Enabled Labels (Green Badge)
- Can be applied to new emails
- Appears in label selection dropdowns
- Fully functional for all operations
### Disabled Labels (Gray Badge)
- Cannot be applied to new emails
- Does not appear in label selection dropdowns
- Continues to govern retention for already-labeled emails
- Can still be viewed and its details examined
- Results from attempting to delete a label that's currently in use
## Best Practices
### Naming Conventions
- Use descriptive names that indicate purpose: "Legal Hold - Case XYZ", "Executive - Q4 Review"
- Include time periods or case references where relevant
- Maintain consistent naming patterns across your organization
### Descriptions
- Always provide descriptions for complex or specialized labels
- Include the business reason or legal requirement driving the retention period
- Reference specific regulations, policies, or legal matters where applicable
### Retention Periods
- Consider your organization's legal and regulatory requirements
- Common periods:
- **3 years (1095 days)**: Standard business records
- **7 years (2555 days)**: Financial and tax records
- **10 years (3650 days)**: Legal holds and critical business documents
- **Permanent retention**: Use very large numbers (e.g., 36500 days = 100 years)
### Label Lifecycle
- Review labels periodically to identify unused or obsolete labels
- Disabled labels can accumulate over time - consider cleanup procedures
- Document the purpose and expected lifecycle of each label for future administrators
## Troubleshooting
### Cannot Edit Retention Period
**Problem**: Edit dialog shows retention period as locked or returns conflict error
**Cause**: The label is currently applied to one or more emails
**Solution**: Create a new label with the desired retention period instead of modifying the existing one
### Label Not Appearing in Email Application Dropdown
**Problem**: A label doesn't show up when trying to apply it to an email
**Cause**: The label is disabled
**Solution**: Check the labels table - disabled labels show a gray "Disabled" badge
### Cannot Delete Label
**Problem**: Deletion results in label being disabled instead of removed
**Cause**: The label is currently applied to emails
**Solution**: This is expected behavior to preserve retention integrity. The label can only be hard-deleted if it has never been used.
### Permission Denied Errors
**Problem**: Cannot access label management or apply labels to emails
**Cause**: Insufficient permissions
**Solution**: Contact your system administrator to verify you have the required permissions:
- `manage:all` for label management
- `delete:archive` for email label operations

117
docs/enterprise/retention-labels/index.md Normal file
View File

@@ -0,0 +1,117 @@
# Retention Labels
The Retention Labels feature is an enterprise-grade capability that provides item-level retention overrides for archived emails. Unlike retention policies which apply rules to groups of emails, retention labels are manually or programmatically applied to individual emails to override the normal retention lifecycle with specific retention periods.
## Core Principles
### 1. Item-Level Retention Override
Retention labels represent a specific, targeted retention requirement that takes precedence over any automated retention policies. When an email has a retention label applied, the label's `retentionPeriodDays` becomes the governing retention period for that email, regardless of what any retention policy would otherwise specify.
### 2. One Label Per Email
Each archived email can have at most one retention label applied at any time. Applying a new label to an email automatically removes any existing label, ensuring a clean, unambiguous retention state.
### 3. Deletion Behavior
Retention labels implement the following deletion logic:
- **Hard Delete**: If a label has never been applied to any emails, it can be completely removed from the system.
- **Soft Disable**: If a label is currently applied to one or more emails, deletion attempts result in the label being marked as `isDisabled = true`. This keeps the label-email relations but the retention label won't take effective.
- **Delete Disabled Labels**: If a label is currently applied to one or more emails, and it is disabled, a deletion request will delete the label itself and all label-email relations (remove the label from emails it is tagged with).
### 4. Immutable Retention Period
Once a retention label has been applied to any email, its `retentionPeriodDays` value becomes immutable to prevent tampering with active retention schedules. Labels can only have their retention period modified while they have zero applications.
### 5. User Attribution and Audit Trail
Every label application and removal is attributed to a specific user and recorded in the [Audit Log](../audit-log/index.md). This includes both manual UI actions and automated API operations, ensuring complete traceability of retention decisions.
### 6. Lifecycle Integration
The [Lifecycle Worker](../retention-policy/lifecycle-worker.md) gives retention labels the highest priority during email evaluation. If an email has a retention label applied, the label's retention period is used instead of any matching retention policy rules.
## Feature Requirements
The Retention Labels feature requires:
- An active **Enterprise license** with the `RETENTION_POLICY` feature enabled.
- The `manage:all` permission for administrative operations (creating, editing, deleting labels).
- The `delete:archive` permission for applying and removing labels from individual emails.
## Use Cases
### Legal Hold Alternative
Retention labels can serve as a lightweight alternative to formal legal holds by applying extended retention periods (e.g., 10+ years) to specific emails related to litigation or investigation.
### Executive Communications
Apply extended retention to emails from or to executive leadership to ensure important business communications are preserved beyond normal retention periods.
### Regulatory Exceptions
Mark specific emails that must be retained for regulatory compliance (e.g., financial records, safety incidents) with appropriate retention periods regardless of general policy rules.
### Project-Specific Retention
Apply custom retention periods to emails related to specific projects, contracts, or business initiatives that have unique preservation requirements.
## Architecture Overview
The feature is composed of the following components:
| Component | Location | Description |
| ----------------- | -------------------------------------------------------------------------------- | -------------------------------------------------------- |
| Types | `packages/types/src/retention.types.ts` | Shared TypeScript types for labels and email label info. |
| Database Schema | `packages/backend/src/database/schema/compliance.ts` | Drizzle ORM table definitions for retention labels. |
| Label Service | `packages/enterprise/src/modules/retention-policy/RetentionLabelService.ts` | CRUD operations and label application logic. |
| API Controller | `packages/enterprise/src/modules/retention-policy/retention-label.controller.ts` | Express request handlers with Zod validation. |
| API Routes | `packages/enterprise/src/modules/retention-policy/retention-policy.routes.ts` | Route registration with auth and feature guards. |
| Frontend Page | `packages/frontend/src/routes/dashboard/compliance/retention-labels/` | SvelteKit page for label management. |
| Email Integration | Individual archived email pages | Label application UI in email detail views. |
## Data Model
### Retention Labels Table
| Column | Type | Description |
| ----------------------- | -------------- | ---------------------------------------------------------------- |
| `id` | `uuid` (PK) | Auto-generated unique identifier. |
| `name` | `varchar(255)` | Human-readable label name (unique constraint). |
| `retention_period_days` | `integer` | Number of days to retain emails with this label. |
| `description` | `text` | Optional description of the label's purpose. |
| `is_disabled` | `boolean` | Whether the label is disabled (cannot be applied to new emails). |
| `created_at` | `timestamptz` | Creation timestamp. |
### Email Label Applications Table
| Column | Type | Description |
| -------------------- | ------------- | ------------------------------------------------------------- |
| `email_id` | `uuid` (FK) | Reference to the archived email. |
| `label_id` | `uuid` (FK) | Reference to the retention label. |
| `applied_at` | `timestamptz` | Timestamp when the label was applied. |
| `applied_by_user_id` | `uuid` (FK) | User who applied the label (nullable for API key operations). |
The table uses a composite primary key of `(email_id, label_id)` to enforce the one-label-per-email constraint at the database level.
## Integration Points
### Lifecycle Worker
The lifecycle worker queries the `email_retention_labels` table during email evaluation. If an email has a retention label applied, the label's `retentionPeriodDays` takes precedence over any retention policy evaluation.
### Audit Log
All retention label operations generate audit log entries:
- **Label Creation**: Action type `CREATE`, target type `RetentionLabel`
- **Label Updates**: Action type `UPDATE`, target type `RetentionLabel`
- **Label Deletion/Disabling**: Action type `DELETE` or `UPDATE`, target type `RetentionLabel`
- **Label Application**: Action type `UPDATE`, target type `ArchivedEmail`, details include label information
- **Label Removal**: Action type `UPDATE`, target type `ArchivedEmail`, details include removed label information
### Email Detail Pages
Individual archived email pages display any applied retention label and provide controls for users with appropriate permissions to apply or remove labels.

268
docs/enterprise/retention-policy/api.md Normal file
View File

@@ -0,0 +1,268 @@
# Retention Policy: API Endpoints
The retention policy feature exposes a RESTful API for managing retention policies and simulating policy evaluation against email metadata. All endpoints require authentication and the `manage:all` permission.
**Base URL:** `/api/v1/enterprise/retention-policy`
All endpoints also require the `RETENTION_POLICY` feature to be enabled in the enterprise license.
---
## List All Policies
Retrieves all retention policies, ordered by priority ascending.
- **Endpoint:** `GET /policies`
- **Method:** `GET`
- **Authentication:** Required
- **Permission:** `manage:all`
### Response Body
```json
[
{
"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"name": "Default 7-Year Retention",
"description": "Retain all emails for 7 years per regulatory requirements.",
"priority": 1,
"conditions": null,
"ingestionScope": null,
"retentionPeriodDays": 2555,
"isActive": true,
"createdAt": "2025-10-01T00:00:00.000Z",
"updatedAt": "2025-10-01T00:00:00.000Z"
}
]
```
---
## Get Policy by ID
Retrieves a single retention policy by its UUID.
- **Endpoint:** `GET /policies/:id`
- **Method:** `GET`
- **Authentication:** Required
- **Permission:** `manage:all`
### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | ------------------------------ |
| `id` | `uuid` | The UUID of the policy to get. |
### Response Body
Returns a single policy object (same shape as the list endpoint), or `404` if not found.
---
## Create Policy
Creates a new retention policy. The policy name must be unique across the system.
- **Endpoint:** `POST /policies`
- **Method:** `POST`
- **Authentication:** Required
- **Permission:** `manage:all`
### Request Body
| Field | Type | Required | Description |
| --------------------- | ------------------- | -------- | ---------------------------------------------------------------------------------------- |
| `name` | `string` | Yes | Unique policy name. Max 255 characters. |
| `description` | `string` | No | Human-readable description. Max 1000 characters. |
| `priority` | `integer` | Yes | Positive integer. Lower values indicate higher priority. |
| `retentionPeriodDays` | `integer` | Yes | Number of days to retain matching emails. Minimum 1. |
| `actionOnExpiry` | `string` | Yes | Action to take when the retention period expires. Currently only `"delete_permanently"`. |
| `isEnabled` | `boolean` | No | Whether the policy is active. Defaults to `true`. |
| `conditions` | `RuleGroup \| null` | No | Condition rules for targeting specific emails. `null` matches all emails. |
| `ingestionScope` | `string[] \| null` | No | Array of ingestion source UUIDs to scope the policy to. `null` applies to all sources. |
#### Conditions (RuleGroup) Schema
```json
{
"logicalOperator": "AND",
"rules": [
{
"field": "sender",
"operator": "domain_match",
"value": "example.com"
},
{
"field": "subject",
"operator": "contains",
"value": "invoice"
}
]
}
```
**Supported fields:** `sender`, `recipient`, `subject`, `attachment_type`
**Supported operators:**
| Operator | Description |
| -------------- | ------------------------------------------------------------------- |
| `equals` | Exact case-insensitive match. |
| `not_equals` | Inverse of `equals`. |
| `contains` | Case-insensitive substring match. |
| `not_contains` | Inverse of `contains`. |
| `starts_with` | Case-insensitive prefix match. |
| `ends_with` | Case-insensitive suffix match. |
| `domain_match` | Matches when an email address ends with `@<value>`. |
| `regex_match` | ECMAScript regex (case-insensitive). Max pattern length: 200 chars. |
**Validation limits:**
- Maximum 50 rules per group.
- Rule `value` must be between 1 and 500 characters.
### Example Request
```json
{
"name": "Finance Department - 10 Year",
"description": "Extended retention for finance-related correspondence.",
"priority": 2,
"retentionPeriodDays": 3650,
"actionOnExpiry": "delete_permanently",
"conditions": {
"logicalOperator": "OR",
"rules": [
{
"field": "sender",
"operator": "domain_match",
"value": "finance.acme.com"
},
{
"field": "recipient",
"operator": "domain_match",
"value": "finance.acme.com"
}
]
},
"ingestionScope": ["b2c3d4e5-f6a7-8901-bcde-f23456789012"]
}
```
### Response
- **`201 Created`** — Returns the created policy object.
- **`409 Conflict`** — A policy with this name already exists.
- **`422 Unprocessable Entity`** — Validation errors.
---
## Update Policy
Updates an existing retention policy. Only the fields included in the request body are modified.
- **Endpoint:** `PUT /policies/:id`
- **Method:** `PUT`
- **Authentication:** Required
- **Permission:** `manage:all`
### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | --------------------------------- |
| `id` | `uuid` | The UUID of the policy to update. |
### Request Body
All fields from the create endpoint are accepted, and all are optional. Only provided fields are updated.
To clear conditions (make the policy match all emails), send `"conditions": null`.
To clear ingestion scope (make the policy apply to all sources), send `"ingestionScope": null`.
### Response
- **`200 OK`** — Returns the updated policy object.
- **`404 Not Found`** — Policy with the given ID does not exist.
- **`422 Unprocessable Entity`** — Validation errors.
---
## Delete Policy
Permanently deletes a retention policy. This action is irreversible.
- **Endpoint:** `DELETE /policies/:id`
- **Method:** `DELETE`
- **Authentication:** Required
- **Permission:** `manage:all`
### Path Parameters
| Parameter | Type | Description |
| --------- | ------ | --------------------------------- |
| `id` | `uuid` | The UUID of the policy to delete. |
### Response
- **`204 No Content`** — Policy successfully deleted.
- **`404 Not Found`** — Policy with the given ID does not exist.
---
## Evaluate Email (Policy Simulator)
Evaluates a set of email metadata against all active policies and returns the applicable retention period and matching policy IDs. This endpoint does not modify any data — it is a read-only simulation tool.
- **Endpoint:** `POST /policies/evaluate`
- **Method:** `POST`
- **Authentication:** Required
- **Permission:** `manage:all`
### Request Body
| Field | Type | Required | Description |
| --------------------------------- | ---------- | -------- | ---------------------------------------------------------- |
| `emailMetadata.sender` | `string` | Yes | Sender email address. Max 500 characters. |
| `emailMetadata.recipients` | `string[]` | Yes | Recipient email addresses. Max 500 entries. |
| `emailMetadata.subject` | `string` | Yes | Email subject line. Max 2000 characters. |
| `emailMetadata.attachmentTypes` | `string[]` | Yes | File extensions (e.g., `[".pdf", ".xml"]`). Max 100. |
| `emailMetadata.ingestionSourceId` | `uuid` | No | Optional ingestion source UUID for scope-aware evaluation. |
### Example Request
```json
{
"emailMetadata": {
"sender": "cfo@finance.acme.com",
"recipients": ["legal@acme.com"],
"subject": "Q4 Invoice Reconciliation",
"attachmentTypes": [".pdf", ".xlsx"],
"ingestionSourceId": "b2c3d4e5-f6a7-8901-bcde-f23456789012"
}
}
```
### Response Body
```json
{
"appliedRetentionDays": 3650,
"actionOnExpiry": "delete_permanently",
"matchingPolicyIds": [
"a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"c3d4e5f6-a7b8-9012-cdef-345678901234"
]
}
```
| Field | Type | Description |
| ---------------------- | ---------- | ------------------------------------------------------------------------------------- |
| `appliedRetentionDays` | `integer` | The longest retention period from all matching policies. `0` means no policy matched. |
| `actionOnExpiry` | `string` | The action to take on expiry. Currently always `"delete_permanently"`. |
| `matchingPolicyIds` | `string[]` | UUIDs of all policies that matched the provided metadata. |
### Response Codes
- **`200 OK`** — Evaluation completed.
- **`422 Unprocessable Entity`** — Validation errors in the request body.

93
docs/enterprise/retention-policy/guide.md Normal file
View File

@@ -0,0 +1,93 @@
# Retention Policy: User Interface
The retention policy management interface is located at **Dashboard → Compliance → Retention Policies**. It provides a comprehensive view of all configured policies and tools for creating, editing, deleting, and simulating retention rules.
## Policy Table
The main page displays a table of all retention policies with the following columns:
- **Name:** The policy name and its UUID displayed underneath for reference.
- **Priority:** The numeric priority value. Lower values indicate higher priority.
- **Retention Period:** The number of days emails matching this policy are retained before expiry.
- **Ingestion Scope:** Shows which ingestion sources the policy is restricted to. Displays "All ingestion sources" when the policy has no scope restriction, or individual source name badges when scoped.
- **Conditions:** A summary of the rule group. Displays "No conditions (matches all emails)" for policies without conditions, or "N rule(s) (AND/OR)" for policies with conditions.
- **Status:** A badge indicating whether the policy is Active or Inactive.
- **Actions:** Edit and Delete buttons for each policy.
The table is sorted by policy priority by default.
## Creating a Policy
Click the **"Create Policy"** button above the table to open the creation dialog. The form contains the following sections:
### Basic Information
- **Policy Name:** A unique, descriptive name for the policy.
- **Description:** An optional detailed description of the policy's purpose.
- **Priority:** A positive integer determining evaluation order (lower = higher priority).
- **Retention Period (Days):** The number of days to retain matching emails.
### Ingestion Scope
This section controls which ingestion sources the policy applies to:
- **"All ingestion sources" toggle:** When enabled, the policy applies to emails from all ingestion sources. This is the default.
- **Per-source checkboxes:** When the "all" toggle is disabled, individual ingestion sources can be selected. Each source displays its name and provider type as a badge.
### Condition Rules
Conditions define which emails the policy targets. If no conditions are added, the policy matches all emails (within its ingestion scope).
- **Logical Operator:** Choose **AND** (all rules must match) or **OR** (any rule must match).
- **Add Rule:** Each rule consists of:
- **Field:** The email metadata field to evaluate (`sender`, `recipient`, `subject`, or `attachment_type`).
- **Operator:** The comparison operator (see [Supported Operators](#supported-operators) below).
- **Value:** The string value to compare against.
- **Remove Rule:** Each rule has a remove button to delete it from the group.
### Supported Operators
| Operator | Display Name | Description |
| -------------- | ------------ | ---------------------------------------------------------------- |
| `equals` | Equals | Exact case-insensitive match. |
| `not_equals` | Not Equals | Inverse of equals. |
| `contains` | Contains | Case-insensitive substring match. |
| `not_contains` | Not Contains | Inverse of contains. |
| `starts_with` | Starts With | Case-insensitive prefix match. |
| `ends_with` | Ends With | Case-insensitive suffix match. |
| `domain_match` | Domain Match | Matches when an email address ends with `@<value>`. |
| `regex_match` | Regex Match | ECMAScript regular expression (case-insensitive, max 200 chars). |
### Policy Status
- **Enable Policy toggle:** Controls whether the policy is active immediately upon creation.
## Editing a Policy
Click the **Edit** button (pencil icon) on any policy row to open the edit dialog. The form is pre-populated with the policy's current values. All fields can be modified, and the same validation rules apply as during creation.
## Deleting a Policy
Click the **Delete** button (trash icon) on any policy row. A confirmation dialog appears to prevent accidental deletion. Deleting a policy is irreversible. Once deleted, the policy no longer affects the lifecycle worker's evaluation of emails.
## Policy Simulator
The **"Simulate Policy"** button opens a simulation tool that evaluates hypothetical email metadata against all active policies without making any changes.
### Simulator Input Fields
- **Sender Email:** The sender address to evaluate (e.g., `cfo@finance.acme.com`).
- **Recipients:** A comma-separated list of recipient email addresses.
- **Subject:** The email subject line.
- **Attachment Types:** A comma-separated list of file extensions (e.g., `.pdf, .xlsx`).
- **Ingestion Source:** An optional dropdown to select a specific ingestion source for scope-aware evaluation. Defaults to "All sources".
### Simulator Results
After submission, the simulator displays:
- **Applied Retention Period:** The longest retention period from all matching policies, displayed in days.
- **Action on Expiry:** The action that would be taken when the retention period expires (currently always "Permanent Deletion").
- **Matching Policies:** A list of all policy IDs (with their names) that matched the provided metadata. If no policies match, a message indicates that no matching policies were found.
The simulator is a safe, read-only tool intended for testing and verifying policy configurations before they affect live data.

55
docs/enterprise/retention-policy/index.md Normal file
View File

@@ -0,0 +1,55 @@
# Retention Policy
The Retention Policy Engine is an enterprise-grade feature that automates the lifecycle management of archived emails. It enables organizations to define time-based retention rules that determine how long archived emails are kept before they are permanently deleted, ensuring compliance with data protection regulations and internal data governance policies.
## Core Principles
### 1. Policy-Based Automation
Email deletion is never arbitrary. Every deletion is governed by one or more explicitly configured retention policies that define the retention period in days, the conditions under which the policy applies, and the action to take when an email expires. The lifecycle worker processes emails in batches on a recurring schedule, ensuring continuous enforcement without manual intervention.
### 2. Condition-Based Targeting
Policies can target specific subsets of archived emails using a flexible condition builder. Conditions are evaluated against email metadata fields (sender, recipient, subject, attachment type) using a variety of string-matching operators. Conditions within a policy are grouped using AND/OR logic, allowing precise control over which emails a policy applies to.
### 3. Ingestion Scope
Each policy can optionally be scoped to one or more ingestion sources. When an ingestion scope is set, the policy only applies to emails that were archived from those specific sources. Policies with no ingestion scope (null) apply to all emails regardless of their source.
### 4. Priority and Max-Duration-Wins
When multiple policies match a single email, the system applies **max-duration-wins** logic: the longest matching retention period is used. This ensures that if any policy requires an email to be kept longer, that requirement is honored. The priority field on each policy provides an ordering mechanism for administrative purposes and future conflict-resolution enhancements.
### 5. Full Audit Trail
Every policy lifecycle event — creation, modification, deletion, and every automated email deletion — is recorded in the immutable [Audit Log](../audit-log/index.md). Automated deletions include the IDs of the governing policies in the audit log entry, ensuring full traceability from deletion back to the rule that triggered it.
### 6. Fail-Safe Behavior
The system is designed to err on the side of caution:
- If no policy matches an email, the email is **not** deleted.
- If the lifecycle worker encounters an error processing a specific email, it logs the error and continues with the remaining emails in the batch.
- Invalid regex patterns in `regex_match` rules are treated as non-matching rather than causing failures.
## Feature Requirements
The Retention Policy Engine requires:
- An active **Enterprise license** with the `RETENTION_POLICY` feature enabled.
- The `manage:all` permission for the authenticated user to access the policy management API and UI.
## Architecture Overview
The feature is composed of the following components:
| Component | Location | Description |
| ----------------- | --------------------------------------------------------------------------------- | ------------------------------------------------------------ |
| Types | `packages/types/src/retention.types.ts` | Shared TypeScript types for policies, rules, and evaluation. |
| Database Schema | `packages/backend/src/database/schema/compliance.ts` | Drizzle ORM table definition for `retention_policies`. |
| Retention Service | `packages/enterprise/src/modules/retention-policy/RetentionService.ts` | CRUD operations and the evaluation engine. |
| API Controller | `packages/enterprise/src/modules/retention-policy/retention-policy.controller.ts` | Express request handlers with Zod validation. |
| API Routes | `packages/enterprise/src/modules/retention-policy/retention-policy.routes.ts` | Route registration with auth and feature guards. |
| Module | `packages/enterprise/src/modules/retention-policy/retention-policy.module.ts` | Enterprise module bootstrap. |
| Lifecycle Worker | `packages/enterprise/src/workers/lifecycle.worker.ts` | BullMQ worker for automated retention enforcement. |
| Frontend Page | `packages/frontend/src/routes/dashboard/compliance/retention-policies/` | SvelteKit page for policy management and simulation. |

108
docs/enterprise/retention-policy/lifecycle-worker.md Normal file
View File

@@ -0,0 +1,108 @@
# Retention Policy: Lifecycle Worker
The lifecycle worker is the automated enforcement component of the retention policy engine. It runs as a BullMQ background worker that periodically scans all archived emails, evaluates them against active retention policies, and permanently deletes emails that have exceeded their retention period.
## Location
`packages/enterprise/src/workers/lifecycle.worker.ts`
## How It Works
### Scheduling
The lifecycle worker is registered as a repeatable BullMQ cron job on the `compliance-lifecycle` queue. It is scheduled to run daily at **02:00 UTC** by default. The cron schedule is configured via:
```typescript
repeat: {
pattern: '0 2 * * *';
} // daily at 02:00 UTC
```
The `scheduleLifecycleJob()` function is called once during enterprise application startup to register the repeatable job with BullMQ.
### Batch Processing
To avoid loading the entire `archived_emails` table into memory, the worker processes emails in configurable batches:
1. **Batch size** is controlled by the `RETENTION_BATCH_SIZE` environment variable.
2. Emails are ordered by `archivedAt` ascending.
3. The worker iterates through batches using offset-based pagination until an empty batch is returned, indicating all emails have been processed.
### Per-Email Processing Flow
For each email in a batch, the worker:
1. **Extracts metadata:** Builds a `PolicyEvaluationRequest` from the email's database record:
- `sender`: The sender email address.
- `recipients`: All To, CC, and BCC recipient addresses.
- `subject`: The email subject line.
- `attachmentTypes`: File extensions (e.g., `.pdf`) extracted from attachment filenames via a join query.
- `ingestionSourceId`: The UUID of the ingestion source that archived this email.
2. **Evaluates policies:** Passes the metadata to `RetentionService.evaluateEmail()`, which returns:
- `appliedRetentionDays`: The longest matching retention period (0 if no policy matches).
- `matchingPolicyIds`: UUIDs of all matching policies.
3. **Checks for expiry:**
- If `appliedRetentionDays === 0`, no policy matched — the email is **skipped** (not deleted).
- Otherwise, the email's age is calculated from its `sentAt` date.
- If the age in days exceeds `appliedRetentionDays`, the email has expired.
4. **Deletes expired emails:** Calls `ArchivedEmailService.deleteArchivedEmail()` with:
- `systemDelete: true` — Bypasses the `ENABLE_DELETION` configuration guard so retention enforcement always works regardless of that global setting.
- `governingRule` — A string listing the matching policy IDs for the audit log entry (e.g., `"Policy IDs: abc-123, def-456"`).
5. **Logs the deletion:** A structured log entry records the email ID and its age in days.
### Error Handling
If processing a specific email fails (e.g., due to a database error or storage issue), the error is logged and the worker continues to the next email in the batch. This ensures that a single problematic email does not block the processing of the remaining emails.
If the entire job fails, BullMQ records the failure and the job ID and error are logged. Failed jobs are retained (up to 50) for debugging.
## System Actor
Automated deletions are attributed to a synthetic system actor in the audit log:
| Field | Value |
| -------- | ------------------------------- |
| ID | `system:lifecycle-worker` |
| Email | `system@open-archiver.internal` |
| Name | System Lifecycle Worker |
| Actor IP | `system` |
This well-known identifier can be filtered in the [Audit Log](../audit-log/index.md) to view all retention-based deletions.
## Audit Trail
Every email deleted by the lifecycle worker produces an audit log entry with:
- **Action type:** `DELETE`
- **Target type:** `ArchivedEmail`
- **Target ID:** The UUID of the deleted email
- **Actor:** `system:lifecycle-worker`
- **Details:** Includes `reason: "RetentionExpiration"` and `governingRule` listing the matching policy IDs
This ensures that every automated deletion is fully traceable back to the specific policies that triggered it.
## Configuration
| Environment Variable | Description | Default |
| ---------------------- | ------------------------------------------------ | ------- |
| `RETENTION_BATCH_SIZE` | Number of emails to process per batch iteration. | — |
## BullMQ Worker Settings
| Setting | Value | Description |
| ------------------ | ---------------------- | ------------------------------------------ |
| Queue name | `compliance-lifecycle` | The BullMQ queue name. |
| Job ID | `lifecycle-daily` | Stable job ID for the repeatable cron job. |
| `removeOnComplete` | Keep last 10 | Completed jobs retained for monitoring. |
| `removeOnFail` | Keep last 50 | Failed jobs retained for debugging. |
## Integration with Deletion Guard
The core `ArchivedEmailService.deleteArchivedEmail()` method includes a deletion guard controlled by the `ENABLE_DELETION` system setting. When called with `systemDelete: true`, the lifecycle worker bypasses this guard. This design ensures that:
- Manual user deletions can be disabled organization-wide via the system setting.
- Automated retention enforcement always operates regardless of that setting, because retention compliance is a legal obligation that cannot be paused by a UI toggle.

141
docs/enterprise/retention-policy/retention-service.md Normal file
View File

@@ -0,0 +1,141 @@
# Retention Policy: Backend Implementation
The backend implementation of the retention policy engine is handled by the `RetentionService`, located in `packages/enterprise/src/modules/retention-policy/RetentionService.ts`. This service encapsulates all CRUD operations for policies and the core evaluation engine that determines which policies apply to a given email.
## Database Schema
The `retention_policies` table is defined in `packages/backend/src/database/schema/compliance.ts` using Drizzle ORM:
| Column | Type | Description |
| ----------------------- | ------------------------- | ------------------------------------------------------------- |
| `id` | `uuid` (PK) | Auto-generated unique identifier. |
| `name` | `text` (unique, not null) | Human-readable policy name. |
| `description` | `text` | Optional description. |
| `priority` | `integer` (not null) | Priority for ordering. Lower = higher priority. |
| `retention_period_days` | `integer` (not null) | Number of days to retain matching emails. |
| `action_on_expiry` | `enum` (not null) | Action on expiry (`delete_permanently`). |
| `is_enabled` | `boolean` (default: true) | Whether the policy is active. |
| `conditions` | `jsonb` | Serialized `RetentionRuleGroup` or null (null = matches all). |
| `ingestion_scope` | `jsonb` | Array of ingestion source UUIDs or null (null = all sources). |
| `created_at` | `timestamptz` | Creation timestamp. |
| `updated_at` | `timestamptz` | Last update timestamp. |
## CRUD Operations
The `RetentionService` class provides the following methods:
### `createPolicy(data, actorId, actorIp)`
Inserts a new policy into the database and creates an audit log entry with action type `CREATE` and target type `RetentionPolicy`. The audit log details include the policy name, retention period, priority, action on expiry, and ingestion scope.
### `getPolicies()`
Returns all policies ordered by priority ascending. The raw database rows are mapped through `mapDbPolicyToType()`, which converts the DB column `isEnabled` to the shared type field `isActive` and normalizes date fields to ISO strings.
### `getPolicyById(id)`
Returns a single policy by UUID, or null if not found.
### `updatePolicy(id, data, actorId, actorIp)`
Partially updates a policy — only fields present in the DTO are modified. The `updatedAt` timestamp is always set to the current time. An audit log entry is created with action type `UPDATE`, recording which fields were changed.
Throws an error if the policy is not found.
### `deletePolicy(id, actorId, actorIp)`
Deletes a policy by UUID and creates an audit log entry with action type `DELETE`, recording the deleted policy's name. Returns `false` if the policy was not found.
## Evaluation Engine
The evaluation engine is the core logic that determines which policies apply to a given email. It is used by both the lifecycle worker (for automated enforcement) and the policy simulator endpoint (for testing).
### `evaluateEmail(metadata)`
This is the primary evaluation method. It accepts email metadata and returns:
- `appliedRetentionDays`: The longest matching retention period (max-duration-wins).
- `matchingPolicyIds`: UUIDs of all policies that matched.
- `actionOnExpiry`: Always `"delete_permanently"` in the current implementation.
The evaluation flow:
1. **Fetch active policies:** Queries all policies where `isEnabled = true`.
2. **Ingestion scope check:** For each policy with a non-null `ingestionScope`, the email's `ingestionSourceId` must be included in the scope array. If not, the policy is skipped.
3. **Condition evaluation:** If the policy has no conditions (`null`), it matches all emails within scope. Otherwise, the condition rule group is evaluated.
4. **Max-duration-wins:** If multiple policies match, the longest `retentionPeriodDays` is used.
5. **Zero means no match:** A return value of `appliedRetentionDays = 0` indicates no policy matched — the lifecycle worker will not delete the email.
### `_evaluateRuleGroup(group, metadata)`
Evaluates a `RetentionRuleGroup` using AND or OR logic:
- **AND:** Every rule in the group must pass.
- **OR:** At least one rule must pass.
- An empty rules array evaluates to `true`.
### `_evaluateRule(rule, metadata)`
Evaluates a single rule against the email metadata. All string comparisons are case-insensitive (both sides are lowercased before comparison). The behavior depends on the field:
| Field | Behavior |
| ----------------- | ------------------------------------------------------------------- |
| `sender` | Compares against the sender email address. |
| `recipient` | Passes if **any** recipient matches the operator. |
| `subject` | Compares against the email subject. |
| `attachment_type` | Passes if **any** attachment file extension matches (e.g., `.pdf`). |
### `_applyOperator(haystack, operator, needle)`
Applies a string-comparison operator between two pre-lowercased strings:
| Operator | Implementation |
| -------------- | ----------------------------------------------------------------------- |
| `equals` | `haystack === needle` |
| `not_equals` | `haystack !== needle` |
| `contains` | `haystack.includes(needle)` |
| `not_contains` | `!haystack.includes(needle)` |
| `starts_with` | `haystack.startsWith(needle)` |
| `ends_with` | `haystack.endsWith(needle)` |
| `domain_match` | `haystack.endsWith('@' + needle)` (auto-prepends `@` if missing) |
| `regex_match` | `new RegExp(needle, 'i').test(haystack)` with safety guards (see below) |
### Security: `regex_match` Safeguards
The `regex_match` operator includes protections against Regular Expression Denial of Service (ReDoS):
1. **Length limit:** Patterns exceeding 200 characters (`MAX_REGEX_LENGTH`) are rejected and treated as non-matching. A warning is logged.
2. **Error handling:** Invalid regex syntax is caught in a try/catch block and treated as non-matching. A warning is logged.
3. **Flags:** Only the case-insensitive flag (`i`) is used. Global and multiline flags are excluded to prevent stateful matching bugs.
## Request Validation
The `RetentionPolicyController` (`retention-policy.controller.ts`) validates all incoming requests using Zod schemas before passing data to the service:
| Constraint | Limit |
| --------------------------- | -------------------------------------------------------------- |
| Policy name | 1255 characters. |
| Description | Max 1000 characters. |
| Priority | Positive integer (≥ 1). |
| Retention period | Positive integer (≥ 1 day). |
| Rules per group | Max 50. |
| Rule value | 1500 characters. |
| Ingestion scope entries | Each must be a valid UUID. Empty arrays are coerced to `null`. |
| Evaluate — sender | Max 500 characters. |
| Evaluate — recipients | Max 500 entries, each max 500 characters. |
| Evaluate — subject | Max 2000 characters. |
| Evaluate — attachment types | Max 100 entries, each max 50 characters. |
## Module Registration
The `RetentionPolicyModule` (`retention-policy.module.ts`) implements the `ArchiverModule` interface and registers the API routes at:
```
/{api.version}/enterprise/retention-policy
```
All routes are protected by:
1. `requireAuth` — Ensures the request includes a valid authentication token.
2. `featureEnabled(OpenArchiverFeature.RETENTION_POLICY)` — Ensures the enterprise license includes the retention policy feature.
3. `requirePermission('manage', 'all')` — Ensures the user has administrative permissions.

8
docs/index.md
View File

@@ -2,13 +2,13 @@
Welcome to Open Archiver! This guide will help you get started with setting up and using the platform.
## What is Open Archiver? 🛡️
## What is Open Archiver?
**A secure, sovereign, and affordable open-source platform for email archiving and eDiscovery.**
Open Archiver provides a robust, self-hosted solution for archiving, storing, indexing, and searching emails from major platforms, including Google Workspace (Gmail), Microsoft 365, as well as generic IMAP-enabled email inboxes. Use Open Archiver to keep a permanent, tamper-proof record of your communication history, free from vendor lock-in.
## Key Features
## Key Features
- **Universal Ingestion**: Connect to Google Workspace, Microsoft 365, and standard IMAP servers to perform initial bulk imports and maintain continuous, real-time synchronization.
- **Secure & Efficient Storage**: Emails are stored in the standard `.eml` format. The system uses deduplication and compression to minimize storage costs. All data is encrypted at rest.
@@ -17,7 +17,7 @@ Open Archiver provides a robust, self-hosted solution for archiving, storing, in
- **Compliance & Retention**: Define granular retention policies to automatically manage the lifecycle of your data. Place legal holds on communications to prevent deletion during litigation (TBD).
- **Comprehensive Auditing**: An immutable audit trail logs all system activities, ensuring you have a clear record of who accessed what and when (TBD).
## Installation 🚀
## Installation
To get your own instance of Open Archiver running, follow our detailed installation guide:
@@ -31,7 +31,7 @@ After deploying the application, you will need to configure one or more ingestio
- [Connecting to Microsoft 365](./user-guides/email-providers/microsoft-365.md)
- [Connecting to a Generic IMAP Server](./user-guides/email-providers/imap.md)
## Contributing ❤️
## Contributing
We welcome contributions from the community!

289
docs/services/iam-service.md
View File

@@ -1,289 +0,0 @@
# IAM Policies
This document provides a guide to creating and managing IAM policies in Open Archiver. It is intended for developers and administrators who need to configure granular access control for users and roles.
## Policy Structure
IAM policies are defined as an array of JSON objects, where each object represents a single permission rule. The structure of a policy object is as follows:
```json
{
"action": "read" OR ["read", "create"],
"subject": "ingestion" OR ["ingestion", "dashboard"],
"conditions": {
"field_name": "value"
},
"inverted": false OR true,
}
```
- `action`: The action(s) to be performed on the subject. Can be a single string or an array of strings.
- `subject`: The resource(s) or entity on which the action is to be performed. Can be a single string or an array of strings.
- `conditions`: (Optional) A set of conditions that must be met for the permission to be granted.
- `inverted`: (Optional) When set to `true`, this inverts the rule, turning it from a "can" rule into a "cannot" rule. This is useful for creating exceptions to broader permissions.
## Actions
The following actions are available for use in IAM policies:
- `manage`: A wildcard action that grants all permissions on a subject (`create`, `read`, `update`, `delete`, `search`, `sync`).
- `create`: Allows the user to create a new resource.
- `read`: Allows the user to view a resource.
- `update`: Allows the user to modify an existing resource.
- `delete`: Allows the user to delete a resource.
- `search`: Allows the user to search for resources.
- `sync`: Allows the user to synchronize a resource.
## Subjects
The following subjects are available for use in IAM policies:
- `all`: A wildcard subject that represents all resources.
- `archive`: Represents archived emails.
- `ingestion`: Represents ingestion sources.
- `settings`: Represents system settings.
- `users`: Represents user accounts.
- `roles`: Represents user roles.
- `dashboard`: Represents the dashboard.
## Advanced Conditions with MongoDB-Style Queries
Conditions are the key to creating fine-grained access control rules. They are defined as a JSON object where each key represents a field on the subject, and the value defines the criteria for that field.
All conditions within a single rule are implicitly joined with an **AND** logic. This means that for a permission to be granted, the resource must satisfy _all_ specified conditions.
The power of this system comes from its use of a subset of [MongoDB's query language](https://www.mongodb.com/docs/manual/), which provides a flexible and expressive way to define complex rules. These rules are translated into native queries for both the PostgreSQL database (via Drizzle ORM) and the Meilisearch engine.
### Supported Operators and Examples
Here is a detailed breakdown of the supported operators with examples.
#### `$eq` (Equal)
This is the default operator. If you provide a simple key-value pair, it is treated as an equality check.
```json
// This rule...
{ "status": "active" }
// ...is equivalent to this:
{ "status": { "$eq": "active" } }
```
**Use Case**: Grant access to an ingestion source only if its status is `active`.
#### `$ne` (Not Equal)
Matches documents where the field value is not equal to the specified value.
```json
{ "provider": { "$ne": "pst_import" } }
```
**Use Case**: Allow a user to see all ingestion sources except for PST imports.
#### `$in` (In Array)
Matches documents where the field value is one of the values in the specified array.
```json
{
"id": {
"$in": ["INGESTION_ID_1", "INGESTION_ID_2"]
}
}
```
**Use Case**: Grant an auditor access to a specific list of ingestion sources.
#### `$nin` (Not In Array)
Matches documents where the field value is not one of the values in the specified array.
```json
{ "provider": { "$nin": ["pst_import", "eml_import"] } }
```
**Use Case**: Hide all manual import sources from a specific user role.
#### `$lt` / `$lte` (Less Than / Less Than or Equal)
Matches documents where the field value is less than (`$lt`) or less than or equal to (`$lte`) the specified value. This is useful for numeric or date-based comparisons.
```json
{ "sentAt": { "$lt": "2024-01-01T00:00:00.000Z" } }
```
#### `$gt` / `$gte` (Greater Than / Greater Than or Equal)
Matches documents where the field value is greater than (`$gt`) or greater than or equal to (`$gte`) the specified value.
```json
{ "sentAt": { "$lt": "2024-01-01T00:00:00.000Z" } }
```
#### `$exists`
Matches documents that have (or do not have) the specified field.
```json
// Grant access only if a 'lastSyncStatusMessage' exists
{ "lastSyncStatusMessage": { "$exists": true } }
```
## Inverted Rules: Creating Exceptions with `cannot`
By default, all rules are "can" rules, meaning they grant permissions. However, you can create a "cannot" rule by adding `"inverted": true` to a policy object. This is extremely useful for creating exceptions to broader permissions.
A common pattern is to grant broad access and then use an inverted rule to carve out a specific restriction.
**Use Case**: Grant a user access to all ingestion sources _except_ for one specific source.
This is achieved with two rules:
1. A "can" rule that grants `read` access to the `ingestion` subject.
2. An inverted "cannot" rule that denies `read` access for the specific ingestion `id`.
```json
[
{
"action": "read",
"subject": "ingestion"
},
{
"inverted": true,
"action": "read",
"subject": "ingestion",
"conditions": {
"id": "SPECIFIC_INGESTION_ID_TO_EXCLUDE"
}
}
]
```
## Policy Evaluation Logic
The system evaluates policies by combining all relevant rules for a user. The logic is simple:
- A user has permission if at least one `can` rule allows it.
- A permission is denied if a `cannot` (`"inverted": true`) rule explicitly forbids it, even if a `can` rule allows it. `cannot` rules always take precedence.
### Dynamic Policies with Placeholders
To create dynamic policies that are specific to the current user, you can use the `${user.id}` placeholder in the `conditions` object. This placeholder will be replaced with the ID of the current user at runtime.
## Special Permissions for User and Role Management
It is important to note that while `read` access to `users` and `roles` can be granted granularly, any actions that modify these resources (`create`, `update`, `delete`) are restricted to Super Admins.
A user must have the `{ "action": "manage", "subject": "all" }` permission (Typically a Super Admin role) to manage users and roles. This is a security measure to prevent unauthorized changes to user accounts and permissions.
## Policy Examples
Here are several examples based on the default roles in the system, demonstrating how to combine actions, subjects, and conditions to achieve specific access control scenarios.
### Administrator
This policy grants a user full access to all resources using wildcards.
```json
[
{
"action": "manage",
"subject": "all"
}
]
```
### End-User
This policy allows a user to view the dashboard, create new ingestion sources, and fully manage the ingestion sources they own.
```json
[
{
"action": "read",
"subject": "dashboard"
},
{
"action": "create",
"subject": "ingestion"
},
{
"action": "manage",
"subject": "ingestion",
"conditions": {
"userId": "${user.id}"
}
},
{
"action": "manage",
"subject": "archive",
"conditions": {
"ingestionSource.userId": "${user.id}" // also needs to give permission to archived emails created by the user
}
}
]
```
### Global Read-Only Auditor
This policy grants read and search access across most of the application's resources, making it suitable for an auditor who needs to view data without modifying it.
```json
[
{
"action": ["read", "search"],
"subject": ["ingestion", "archive", "dashboard", "users", "roles"]
}
]
```
### Ingestion Admin
This policy grants full control over all ingestion sources and archives, but no other resources.
```json
[
{
"action": "manage",
"subject": "ingestion"
}
]
```
### Auditor for Specific Ingestion Sources
This policy demonstrates how to grant access to a specific list of ingestion sources using the `$in` operator.
```json
[
{
"action": ["read", "search"],
"subject": "ingestion",
"conditions": {
"id": {
"$in": ["INGESTION_ID_1", "INGESTION_ID_2"]
}
}
}
]
```
### Limit Access to a Specific Mailbox
This policy grants a user access to a specific ingestion source, but only allows them to see emails belonging to a single user within that source.
This is achieved by defining two specific `can` rules: The rule grants `read` and `search` access to the `archive` subject, but the `userEmail` must match.
```json
[
{
"action": ["read", "search"],
"subject": "archive",
"conditions": {
"userEmail": "user1@example.com"
}
}
]
```

81
docs/services/job-queue.md Normal file
View File

@@ -0,0 +1,81 @@
# Job Queue Service
This document describes the architecture of the job queue system, including the sync cycle coordination mechanism and relevant configuration options.
## Architecture
The job queue system is built on [BullMQ](https://docs.bullmq.io/) backed by Redis (Valkey). Two worker processes run independently:
- **Ingestion worker** (`ingestion.worker.ts`) — processes the `ingestion` queue
- **Indexing worker** (`indexing.worker.ts`) — processes the `indexing` queue
### Queues
| Queue | Jobs | Purpose |
| ----------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------- |
| `ingestion` | `schedule-continuous-sync`, `continuous-sync`, `initial-import`, `process-mailbox`, `sync-cycle-finished` | Email ingestion and sync orchestration |
| `indexing` | `index-email-batch` | Meilisearch document indexing |
### Job Flow
```
[schedule-continuous-sync] (repeating cron)
└→ [continuous-sync] (per ingestion source)
└→ [process-mailbox] × N (one per user mailbox)
└→ [index-email-batch] (batched, on indexing queue)
└→ [sync-cycle-finished] (dispatched by the last mailbox job)
```
For initial imports, `initial-import` triggers the same `process-mailbox``sync-cycle-finished` flow.
## Sync Cycle Coordination
Sync cycle completion (knowing when all mailboxes in a sync have finished) is coordinated via the `sync_sessions` PostgreSQL table rather than BullMQ's built-in flow/parent-child system.
**Why:** BullMQ's `FlowProducer` stores the entire parent/child relationship in Redis atomically. For large tenants with thousands of mailboxes, this creates large Redis writes and requires loading all child job return values into memory at once for aggregation.
**How it works:**
1. When `initial-import` or `continuous-sync` starts, it creates a `sync_sessions` row with `total_mailboxes = N`.
2. Each `process-mailbox` job atomically increments `completed_mailboxes` or `failed_mailboxes` when it finishes, and merges its `SyncState` into `ingestion_sources.sync_state` using PostgreSQL's `||` jsonb operator.
3. The job that brings `completed + failed` to equal `total` dispatches the `sync-cycle-finished` job.
4. `sync-cycle-finished` reads the aggregated results from the session row and finalizes the source status.
5. The session row is deleted after finalization.
### Session Heartbeat
Each `process-mailbox` job updates `last_activity_at` on the session every time it flushes an email batch to the indexing queue. This prevents the stale session detector from treating an actively processing large mailbox as stuck.
### Stale Session Detection
The `schedule-continuous-sync` job runs `SyncSessionService.cleanStaleSessions()` on every tick. A session is considered stale when `last_activity_at` has not been updated for 30 minutes, indicating the worker that created it has crashed before all mailbox jobs were enqueued.
When a stale session is detected:
1. The associated ingestion source is set to `status: 'error'` with a descriptive message.
2. The session row is deleted.
3. On the next scheduler tick, the source is picked up as an `error` source and a new `continuous-sync` job is dispatched.
Already-ingested emails from the partial sync are preserved. The next sync skips them via duplicate detection (`checkDuplicate()`).
## Configuration
| Environment Variable | Default | Description |
| ------------------------------ | ----------- | ----------------------------------------------------- |
| `SYNC_FREQUENCY` | `* * * * *` | Cron pattern for continuous sync scheduling |
| `INGESTION_WORKER_CONCURRENCY` | `5` | Number of `process-mailbox` jobs that run in parallel |
| `MEILI_INDEXING_BATCH` | `500` | Number of emails per `index-email-batch` job |
### Tuning `INGESTION_WORKER_CONCURRENCY`
Each `process-mailbox` job holds at most one parsed email in memory at a time during the ingestion loop. At typical email sizes (~50KB average), memory pressure per concurrent job is low. Increase this value on servers with more RAM to process multiple mailboxes in parallel and reduce total sync time.
### Tuning `MEILI_INDEXING_BATCH`
Each `index-email-batch` job loads the `.eml` file and all attachments from storage into memory for text extraction before sending to Meilisearch. Reduce this value if the indexing worker experiences memory pressure on deployments with large attachments.
## Resilience
- **Job retries:** All jobs are configured with 5 retry attempts using exponential backoff (starting at 1 second). This handles transient API failures from email providers.
- **Worker crash recovery:** BullMQ detects stalled jobs (no heartbeat within `lockDuration`) and re-queues them automatically. On retry, already-processed emails are skipped via `checkDuplicate()`.
- **Partial sync recovery:** Stale session detection handles the case where a worker crashes mid-dispatch, leaving some mailboxes never enqueued. The source is reset to `error` and the next scheduler tick retries the full sync.

96
docs/services/ocr-service.md Normal file
View File

@@ -0,0 +1,96 @@
# OCR Service
The OCR (Optical Character Recognition) and text extraction service is responsible for extracting plain text content from various file formats, such as PDFs, Office documents, and more. This is a crucial component for making email attachments searchable.
## Overview
The system employs a two-pronged approach for text extraction:
1. **Primary Extractor (Apache Tika)**: A powerful and versatile toolkit that can extract text from a wide variety of file formats. It is the recommended method for its superior performance and format support.
2. **Legacy Extractor**: A fallback mechanism that uses a combination of libraries (`pdf2json`, `mammoth`, `xlsx`) for common file types like PDF, DOCX, and XLSX. This is used when Apache Tika is not configured.
The main logic resides in `packages/backend/src/helpers/textExtractor.ts`, which decides which extraction method to use based on the application's configuration.
## Configuration
To enable the primary text extraction method, you must configure the URL of an Apache Tika server instance in your environment variables.
In your `.env` file, set the `TIKA_URL`:
```env
# .env.example
# Apache Tika Integration
# ONLY active if TIKA_URL is set
TIKA_URL=http://tika:9998
```
If `TIKA_URL` is not set, the system will automatically fall back to the legacy extraction methods. The service performs a health check on startup to verify connectivity with the Tika server.
## File Size Limits
To prevent excessive memory usage and processing time, the service imposes a general size limit on files submitted for text extraction. Files larger than the configured limit will be skipped.
- **With Apache Tika**: The maximum file size is **100MB**.
- **With Legacy Fallback**: The maximum file size is **50MB**.
## Supported File Formats
The service's ability to extract text depends on whether it's using Apache Tika or the legacy fallback methods.
### With Apache Tika
When `TIKA_URL` is configured, the service can process a vast range of file formats. Apache Tika is designed for broad compatibility and supports hundreds of file types, including but not limited to:
- Portable Document Format (PDF)
- Microsoft Office formats (DOC, DOCX, PPT, PPTX, XLS, XLSX)
- OpenDocument Formats (ODT, ODS, ODP)
- Rich Text Format (RTF)
- Plain Text (TXT, CSV, JSON, XML, HTML)
- Image formats with OCR capabilities (PNG, JPEG, TIFF)
- Archive formats (ZIP, TAR, GZ)
- Email formats (EML, MSG)
For a complete and up-to-date list, please refer to the official [Apache Tika documentation](https://tika.apache.org/3.2.3/formats.html).
### With Legacy Fallback
When Tika is not configured, text extraction is limited to the following formats:
- `application/pdf` (PDF)
- `application/vnd.openxmlformats-officedocument.wordprocessingml.document` (DOCX)
- `application/vnd.openxmlformats-officedocument.spreadsheetml.sheet` (XLSX)
- Plain text formats such as `text/*`, `application/json`, and `application/xml`.
## Features of the Tika Integration (`OcrService`)
The `OcrService` (`packages/backend/src/services/OcrService.ts`) provides several enhancements to make text extraction efficient and robust.
### Caching
To avoid redundant processing of the same file, the service implements a simple LRU (Least Recently Used) cache.
- **Cache Key**: A SHA-256 hash of the file's buffer is used as the cache key.
- **Functionality**: If a file with the same hash is processed again, the text content is served directly from the cache, saving significant processing time.
- **Statistics**: The service keeps track of cache hits, misses, and the hit rate for performance monitoring.
### Concurrency Management (Semaphore)
Extracting text from large files can be resource-intensive. To prevent the Tika server from being overwhelmed by multiple requests for the _same file_ simultaneously (e.g., during a large import), a semaphore mechanism is used.
- **Functionality**: If a request for a specific file (identified by its hash) is already in progress, any subsequent requests for the same file will wait for the first one to complete and then use its result.
- **Benefit**: This deduplicates parallel processing efforts and reduces unnecessary load on the Tika server.
### Health Check and DNS Fallback
- **Availability Check**: The service includes a `checkTikaAvailability` method to verify that the Tika server is reachable and operational. This check is performed on application startup.
- **DNS Fallback**: For convenience in Docker environments, if the Tika URL uses the hostname `tika` (e.g., `http://tika:9998`), the service will automatically attempt a fallback to `localhost` if the initial connection fails.
## Legacy Fallback Methods
When Tika is not available, the `extractTextLegacy` function in `textExtractor.ts` handles extraction for a limited set of MIME types:
- `application/pdf`: Processed using `pdf2json`. Includes a 50MB size limit and a 5-second timeout to prevent memory issues.
- `application/vnd.openxmlformats-officedocument.wordprocessingml.document` (DOCX): Processed using `mammoth`.
- `application/vnd.openxmlformats-officedocument.spreadsheetml.sheet` (XLSX): Processed using `xlsx`.
- Plain text formats (`text/*`, `application/json`, `application/xml`): Converted directly from the buffer.

10
docs/user-guides/email-providers/eml.md
View File

@@ -30,7 +30,15 @@ archive.zip
2. Click the **Create New** button.
3. Select **EML Import** as the provider.
4. Enter a name for the ingestion source.
5. Click the **Choose File** button and select the zip archive containing your EML files.
5. **Choose Import Method:**
- **Upload File:** Click **Choose File** and select the zip archive containing your EML files. (Best for smaller archives)
- **Local Path:** Enter the path to the zip file **inside the container**. (Best for large archives)
> **Note on Local Path:** When using Docker, the "Local Path" is relative to the container's filesystem.
>
> - **Recommended:** Place your zip file in a `temp` folder inside your configured storage directory (`STORAGE_LOCAL_ROOT_PATH`). This path is already mounted. For example, if your storage path is `/data`, put the file in `/data/temp/emails.zip` and enter `/data/temp/emails.zip` as the path.
> - **Alternative:** Mount a separate volume in `docker-compose.yml` (e.g., `- /host/path:/container/path`) and use the container path.
6. Click the **Submit** button.
OpenArchiver will then start importing the EML files from the zip archive. The ingestion process may take some time, depending on the size of the archive.

2
docs/user-guides/email-providers/index.md
View File

@@ -9,3 +9,5 @@ Choose your provider from the list below to get started:
- [Generic IMAP Server](./imap.md)
- [EML Import](./eml.md)
- [PST Import](./pst.md)
- [Mbox Import](./mbox.md)
- [Merging Ingestion Sources](./merging-sources.md)

36
docs/user-guides/email-providers/mbox.md Normal file
View File

@@ -0,0 +1,36 @@
# Mbox Ingestion
Mbox is a common format for storing email messages. This guide will walk you through the process of ingesting mbox files into OpenArchiver.
## 1. Exporting from Your Email Client
Most email clients that support mbox exports will allow you to export a folder of emails as a single `.mbox` file. Here are the general steps:
- **Mozilla Thunderbird**: Right-click on a folder, select **ImportExportTools NG**, and then choose **Export folder**.
- **Gmail**: You can use Google Takeout to export your emails in mbox format.
- **Other Clients**: Refer to your email client's documentation for instructions on how to export emails to an mbox file.
## 2. Uploading to OpenArchiver
Once you have your `.mbox` file, you can upload it to OpenArchiver through the web interface.
1. Navigate to the **Ingestion** page.
2. Click on the **New Ingestion** button.
3. Select **Mbox** as the source type.
4. **Choose Import Method:**
- **Upload File:** Upload your `.mbox` file.
- **Local Path:** Enter the path to the mbox file **inside the container**.
> **Note on Local Path:** When using Docker, the "Local Path" is relative to the container's filesystem.
>
> - **Recommended:** Place your mbox file in a `temp` folder inside your configured storage directory (`STORAGE_LOCAL_ROOT_PATH`). This path is already mounted. For example, if your storage path is `/data`, put the file in `/data/temp/emails.mbox` and enter `/data/temp/emails.mbox` as the path.
> - **Alternative:** Mount a separate volume in `docker-compose.yml` (e.g., `- /host/path:/container/path`) and use the container path.
## 3. Folder Structure
OpenArchiver will attempt to preserve the original folder structure of your emails. This is done by inspecting the following email headers:
- `X-Gmail-Labels`: Used by Gmail to store labels.
- `X-Folder`: A custom header used by some email clients like Thunderbird.
If neither of these headers is present, the emails will be ingested into the root of the archive.

105
docs/user-guides/email-providers/merging-sources.md Normal file
View File

@@ -0,0 +1,105 @@
# Merging Ingestion Sources
Merged ingestion groups let you combine multiple ingestion sources so that their emails appear unified in browsing, search, and thread views. This is useful when you want to pair a historical archive (for example, a PST or Mbox import) with a live connection, or when migrating between providers.
## Concepts
| Term | Definition |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Root source** | An ingestion source where no merge parent is set. Shown as the primary row in the Ingestions table. All emails in the group are physically owned by the root. |
| **Child source** | An ingestion source merged into a root. Acts as a fetch assistant — it connects to the provider and retrieves emails, but all data is stored under the root source. |
| **Group** | A root source and all its children. All emails from every member are stored under and owned by the root. |
The hierarchy is **flat** — only one level of nesting is supported. If you merge a source into a child, the system automatically redirects the relationship to the root.
## Root Ownership — How Storage and Data Work
This is the key design principle of merged sources:
> **Child sources are assistants. They fetch emails from their provider but never own any stored data. Every email ingested by a child is written to the root source's storage folder and assigned the root source's ID in the database.**
In practical terms:
- The storage path for every email belongs to the root: `openarchiver/{root-name}-{root-id}/emails/...`
- Every `archived_emails` database row created by a child ingestion will have `ingestionSourceId` set to the **root's ID**, not the child's.
- Attachments are also stored under the root's folder and scoped to the root's ID.
- The root's **Preserve Original File** (GoBD compliance) setting is inherited by all children in the group. A child's own `preserveOriginalFile` setting is ignored during ingestion — only the root's setting applies.
This means browsing the root source's emails will show all emails from the entire group, including those fetched by child sources, without any extra configuration.
## When to Use Merged Sources
- **Historical + live**: Import a PST archive and merge it into an active IMAP or Google Workspace connection so historical and current emails appear in one unified mailbox.
- **Provider migration**: Add a new Microsoft 365 connector and merge it with your existing Google Workspace connector during a cutover period.
- **Backfill**: Import an Mbox export and merge it with a live connection to cover a gap in the archive.
## How to Merge a New Source Into an Existing One
Merging can only be configured **at creation time**.
1. Navigate to the **Ingestions** page.
2. Click **Create New** to open the ingestion source form.
3. Fill in the provider details as usual.
4. Expand the **Advanced Options** section at the bottom of the form. This section is only visible when at least one ingestion source already exists.
5. Check **Merge into existing ingestion** and select the target root source from the dropdown.
6. Click **Submit**.
The new source will run its initial import normally. Once complete, its emails will appear alongside those of the root source — all stored under the root.
## How Emails Appear When Merged
When you browse archived emails for a root source, you see all emails in the group because they are all physically owned by the root. There is nothing to aggregate — the data is already unified at the storage and database level.
The same applies to search: filtering by a root source ID returns all emails in the group.
Threads also span the merge group. If a reply arrived via a different source than the original message, it still appears in the correct thread.
## How Syncing Works
Each source syncs **independently**. The scheduler picks up all sources with status `active` or `error`, regardless of whether they are merged.
- File-based imports (PST, EML, Mbox) finish with status `imported` and are never re-synced automatically.
- Live sources (IMAP, Google Workspace, Microsoft 365) continue their normal sync cycle.
When you trigger **Force Sync** on a root source, the system also queues a sync for all non-file-based children that are currently `active` or `error`.
## Deduplication Across the Group
When ingesting emails, duplicate detection covers the **entire merge group**. If the same email (matched by its RFC `Message-ID` header or provider-specific ID) already exists anywhere in the group, it is skipped and not stored again.
## Preserve Original File (GoBD Compliance) and Merged Sources
The **Preserve Original File** setting on the root source governs the entire group. When this setting is enabled on the root:
- All emails ingested by child sources are also stored unmodified (raw EML, no attachment stripping).
- The child's own `preserveOriginalFile` setting has no effect — the root's setting is always used.
This ensures consistent compliance behaviour across the group. If you require GoBD or SEC 17a-4 compliance for an entire merged group, enable **Preserve Original File** on the root source before adding any children.
## Editing Sources in a Group
Each source in a group can be edited independently. Expand the group row in the Ingestions table by clicking the chevron, then use the **⋮** actions menu on the specific source (root or child) you want to edit.
## Unmerging a Child Source
To detach a child from its group and make it standalone:
1. Expand the group row by clicking the chevron next to the root source name.
2. Open the **⋮** actions menu on the child source.
3. Click **Unmerge**.
The child becomes an independent root source. No email data is moved or deleted.
> **Note:** Because all emails fetched by the child were stored under the root source's ID, unmerging the child does not transfer those emails. Historical emails ingested while the source was a child remain owned by the root. Only new emails ingested after unmerging will be stored under the (now standalone) child.
## Deleting Sources in a Group
- **Deleting a root source** also deletes all its children: their configuration, and all emails, attachments, storage files, and search index entries owned by the root are all removed. Because all group emails are stored under the root, this effectively removes the entire group's archive.
- **Deleting a child source** removes only the child's configuration and sync state. Emails already ingested by the child are stored under the root and are **not** deleted.
A warning is shown in the delete confirmation dialog when a root source has children.
## Known Limitations
- **Merging existing standalone sources is not supported.** You can only merge a source into a group at creation time. To merge two existing sources, you must delete one and recreate it with the merge target selected.
- **Historical data from a child source before unmerging remains with the root.** If you unmerge a child, emails it previously ingested stay owned by the root and are not migrated to the child.

10
docs/user-guides/email-providers/pst.md
View File

@@ -15,7 +15,15 @@ To ensure a successful import, you should prepare your PST file according to the
2. Click the **Create New** button.
3. Select **PST Import** as the provider.
4. Enter a name for the ingestion source.
5. Click the **Choose File** button and select the PST file.
5. **Choose Import Method:**
- **Upload File:** Click **Choose File** and select the PST file from your computer. (Best for smaller files)
- **Local Path:** Enter the path to the PST file **inside the container**. (Best for large files)
> **Note on Local Path:** When using Docker, the "Local Path" is relative to the container's filesystem.
>
> - **Recommended:** Place your file in a `temp` folder inside your configured storage directory (`STORAGE_LOCAL_ROOT_PATH`). This path is already mounted. For example, if your storage path is `/data`, put the file in `/data/temp/archive.pst` and enter `/data/temp/archive.pst` as the path.
> - **Alternative:** Mount a separate volume in `docker-compose.yml` (e.g., `- /host/path:/container/path`) and use the container path.
6. Click the **Submit** button.
OpenArchiver will then start importing the emails from the PST file. The ingestion process may take some time, depending on the size of the file.

228
docs/user-guides/installation.md
View File

@@ -17,7 +17,22 @@ git clone https://github.com/LogicLabs-OU/OpenArchiver.git
cd OpenArchiver
```
## 2. Configure Your Environment
## 2. Create a Directory for Local Storage (Important)
Before configuring the application, you **must** create a directory on your host machine where Open Archiver will store its data (such as emails and attachments). Manually creating this directory helps prevent potential permission issues.
Foe examples, you can use this path `/var/data/open-archiver`.
Run the following commands to create the directory and set the correct permissions:
```bash
sudo mkdir -p /var/data/open-archiver
sudo chown -R $(id -u):$(id -g) /var/data/open-archiver
```
This ensures the directory is owned by your current user, which is necessary for the application to have write access. You will set this path in your `.env` file in the next step.
## 3. Configure Your Environment
The application is configured using environment variables. You'll need to create a `.env` file to store your configuration.
@@ -29,9 +44,15 @@ cp .env.example.docker .env
Now, open the `.env` file in a text editor and customize the settings.
### Important Configuration
### Key Configuration Steps
You must change the following placeholder values to secure your instance:
1. **Set the Storage Path**: Find the `STORAGE_LOCAL_ROOT_PATH` variable and set it to the path you just created.
```env
STORAGE_LOCAL_ROOT_PATH=/var/data/open-archiver
```
2. **Secure Your Instance**: You must change the following placeholder values to secure your instance:
- `POSTGRES_PASSWORD`: A strong, unique password for the database.
- `REDIS_PASSWORD`: A strong, unique password for the Valkey/Redis service.
@@ -41,6 +62,10 @@ You must change the following placeholder values to secure your instance:
```bash
openssl rand -hex 32
```
- `STORAGE_ENCRYPTION_KEY`: **(Optional but Recommended)** A 32-byte hex string for encrypting emails and attachments at rest. If this key is not provided, storage encryption will be disabled. You can generate one with:
```bash
openssl rand -hex 32
```
### Storage Configuration
@@ -65,29 +90,34 @@ Here is a complete list of environment variables available for configuration:
#### Application Settings
| Variable | Description | Default Value |
| ---------------- | ----------------------------------------------------------------------------------------------------- | ------------- |
| `NODE_ENV` | The application environment. | `development` |
| `PORT_BACKEND` | The port for the backend service. | `4000` |
| `PORT_FRONTEND` | The port for the frontend service. | `3000` |
| `SYNC_FREQUENCY` | The frequency of continuous email syncing. See [cron syntax](https://crontab.guru/) for more details. | `* * * * *` |
| Variable | Description | Default Value |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------- |
| `NODE_ENV` | The application environment. | `development` |
| `PORT_BACKEND` | The port for the backend service. | `4000` |
| `PORT_FRONTEND` | The port for the frontend service. | `3000` |
| `APP_URL` | The public-facing URL of your application. This is used by the backend to configure CORS. | `http://localhost:3000` |
| `ORIGIN` | Used by the SvelteKit Node adapter to determine the server's public-facing URL. It should always be set to the value of `APP_URL` (e.g., `ORIGIN=$APP_URL`). | `http://localhost:3000` |
| `SYNC_FREQUENCY` | The frequency of continuous email syncing. See [cron syntax](https://crontab.guru/) for more details. | `* * * * *` |
| `ALL_INCLUSIVE_ARCHIVE` | Set to `true` to include all emails, including Junk and Trash folders, in the email archive. | `false` |
#### Docker Compose Service Configuration
These variables are used by `docker-compose.yml` to configure the services.
| Variable | Description | Default Value |
| ------------------- | ----------------------------------------------- | -------------------------------------------------------- |
| `POSTGRES_DB` | The name of the PostgreSQL database. | `open_archive` |
| `POSTGRES_USER` | The username for the PostgreSQL database. | `admin` |
| `POSTGRES_PASSWORD` | The password for the PostgreSQL database. | `password` |
| `DATABASE_URL` | The connection URL for the PostgreSQL database. | `postgresql://admin:password@postgres:5432/open_archive` |
| `MEILI_MASTER_KEY` | The master key for Meilisearch. | `aSampleMasterKey` |
| `MEILI_HOST` | The host for the Meilisearch service. | `http://meilisearch:7700` |
| `REDIS_HOST` | The host for the Valkey (Redis) service. | `valkey` |
| `REDIS_PORT` | The port for the Valkey (Redis) service. | `6379` |
| `REDIS_PASSWORD` | The password for the Valkey (Redis) service. | `defaultredispassword` |
| `REDIS_TLS_ENABLED` | Enable or disable TLS for Redis. | `false` |
| Variable | Description | Default Value |
| ---------------------- | ---------------------------------------------------- | -------------------------------------------------------- |
| `POSTGRES_DB` | The name of the PostgreSQL database. | `open_archive` |
| `POSTGRES_USER` | The username for the PostgreSQL database. | `admin` |
| `POSTGRES_PASSWORD` | The password for the PostgreSQL database. | `password` |
| `DATABASE_URL` | The connection URL for the PostgreSQL database. | `postgresql://admin:password@postgres:5432/open_archive` |
| `MEILI_MASTER_KEY` | The master key for Meilisearch. | `aSampleMasterKey` |
| `MEILI_HOST` | The host for the Meilisearch service. | `http://meilisearch:7700` |
| `MEILI_INDEXING_BATCH` | The number of emails to batch together for indexing. | `500` |
| `REDIS_HOST` | The host for the Valkey (Redis) service. | `valkey` |
| `REDIS_PORT` | The port for the Valkey (Redis) service. | `6379` |
| `REDIS_USER` | Optional Redis username if ACLs are used. | |
| `REDIS_PASSWORD` | The password for the Valkey (Redis) service. | `defaultredispassword` |
| `REDIS_TLS_ENABLED` | Enable or disable TLS for Redis. | `false` |
#### Storage Settings
@@ -95,26 +125,34 @@ These variables are used by `docker-compose.yml` to configure the services.
| ------------------------------ | ----------------------------------------------------------------------------------------------------------- | ------------------------- |
| `STORAGE_TYPE` | The storage backend to use (`local` or `s3`). | `local` |
| `BODY_SIZE_LIMIT` | The maximum request body size for uploads. Can be a number in bytes or a string with a unit (e.g., `100M`). | `100M` |
| `STORAGE_LOCAL_ROOT_PATH` | The root path for local file storage. | `/var/data/open-archiver` |
| `STORAGE_LOCAL_ROOT_PATH` | The root path for Open Archiver app data. | `/var/data/open-archiver` |
| `STORAGE_S3_ENDPOINT` | The endpoint for S3-compatible storage (required if `STORAGE_TYPE` is `s3`). | |
| `STORAGE_S3_BUCKET` | The bucket name for S3-compatible storage (required if `STORAGE_TYPE` is `s3`). | |
| `STORAGE_S3_ACCESS_KEY_ID` | The access key ID for S3-compatible storage (required if `STORAGE_TYPE` is `s3`). | |
| `STORAGE_S3_SECRET_ACCESS_KEY` | The secret access key for S3-compatible storage (required if `STORAGE_TYPE` is `s3`). | |
| `STORAGE_S3_REGION` | The region for S3-compatible storage (required if `STORAGE_TYPE` is `s3`). | |
| `STORAGE_S3_FORCE_PATH_STYLE` | Force path-style addressing for S3 (optional). | `false` |
| `STORAGE_ENCRYPTION_KEY` | A 32-byte hex string for AES-256 encryption of files at rest. If not set, files will not be encrypted. | |
#### Security & Authentication
| Variable | Description | Default Value |
| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
| `JWT_SECRET` | A secret key for signing JWT tokens. | `a-very-secret-key-that-you-should-change` |
| `JWT_EXPIRES_IN` | The expiration time for JWT tokens. | `7d` |
| ~~`SUPER_API_KEY`~~ (Deprecated) | An API key with super admin privileges. (The SUPER_API_KEY is deprecated since v0.3.0 after we roll out the role-based access control system.) | |
| `RATE_LIMIT_WINDOW_MS` | The window in milliseconds for which API requests are checked. | `900000` (15 minutes) |
| `RATE_LIMIT_MAX_REQUESTS` | The maximum number of API requests allowed from an IP within the window. | `100` |
| `ENCRYPTION_KEY` | A 32-byte hex string for encrypting sensitive data in the database. | |
| Variable | Description | Default Value |
| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
| `ENABLE_DELETION` | Enable or disable deletion of emails and ingestion sources. If this option is not set, or is set to any value other than `true`, deletion will be disabled for the entire instance. | `false` |
| `JWT_SECRET` | A secret key for signing JWT tokens. | `a-very-secret-key-that-you-should-change` |
| `JWT_EXPIRES_IN` | The expiration time for JWT tokens. | `7d` |
| ~~`SUPER_API_KEY`~~ (Deprecated) | An API key with super admin privileges. (The SUPER_API_KEY is deprecated since v0.3.0 after we roll out the role-based access control system.) | |
| `RATE_LIMIT_WINDOW_MS` | The window in milliseconds for which API requests are checked. | `900000` (15 minutes) |
| `RATE_LIMIT_MAX_REQUESTS` | The maximum number of API requests allowed from an IP within the window. | `100` |
| `ENCRYPTION_KEY` | A 32-byte hex string for encrypting sensitive data in the database. | |
## 3. Run the Application
#### Apache Tika Integration
| Variable | Description | Default Value |
| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------ |
| `TIKA_URL` | Optional. The URL of an Apache Tika server for advanced text extraction from attachments. If not set, the application falls back to built-in parsers for PDF, Word, and Excel files. | `http://tika:9998` |
## 4. Run the Application
Once you have configured your `.env` file, you can start all the services using Docker Compose:
@@ -134,13 +172,15 @@ You can check the status of the running containers with:
docker compose ps
```
## 4. Access the Application
## 5. Access the Application
Once the services are running, you can access the Open Archiver web interface by navigating to `http://localhost:3000` in your web browser.
You can log in with the `ADMIN_EMAIL` and `ADMIN_PASSWORD` you configured in your `.env` file.
Upon first visit, you will be redirected to the `/setup` page where you can set up your admin account. Make sure you are the first person who accesses the instance.
## 5. Next Steps
If you are not redirected to the `/setup` page but instead see the login page, there might be something wrong with the database. Restart the service and try again.
## 6. Next Steps
After successfully deploying and logging into Open Archiver, the next step is to configure your ingestion sources to start archiving emails.
@@ -212,9 +252,9 @@ If you are using local storage to store your emails, based on your `docker-compo
Run this command to see all the volumes on your system:
```bash
docker volume ls
```
```bash
docker volume ls
```
2. **Identify the correct volume**:
@@ -224,28 +264,28 @@ Look through the list for a volume name that ends with `_archiver-data`. The par
Once you've identified the correct volume name, use it in the `inspect` command. For example:
```bash
docker volume inspect <your_volume_name_here>
```
```bash
docker volume inspect <your_volume_name_here>
```
This will give you the correct `Mountpoint` path where your data is being stored. It will look something like this (the exact path will vary depending on your system):
```json
{
"CreatedAt": "2025-07-25T11:22:19Z",
"Driver": "local",
"Labels": {
"com.docker.compose.config-hash": "---",
"com.docker.compose.project": "---",
"com.docker.compose.version": "2.38.2",
"com.docker.compose.volume": "us8wwos0o4ok4go4gc8cog84_archiver-data"
},
"Mountpoint": "/var/lib/docker/volumes/us8wwos0o4ok4go4gc8cog84_archiver-data/_data",
"Name": "us8wwos0o4ok4go4gc8cog84_archiver-data",
"Options": null,
"Scope": "local"
}
```
```json
{
"CreatedAt": "2025-07-25T11:22:19Z",
"Driver": "local",
"Labels": {
"com.docker.compose.config-hash": "---",
"com.docker.compose.project": "---",
"com.docker.compose.version": "2.38.2",
"com.docker.compose.volume": "us8wwos0o4ok4go4gc8cog84_archiver-data"
},
"Mountpoint": "/var/lib/docker/volumes/us8wwos0o4ok4go4gc8cog84_archiver-data/_data",
"Name": "us8wwos0o4ok4go4gc8cog84_archiver-data",
"Options": null,
"Scope": "local"
}
```
In this example, the data is located at `/var/lib/docker/volumes/us8wwos0o4ok4go4gc8cog84_archiver-data/_data`. You can then `cd` into that directory to see your files.
@@ -259,71 +299,43 @@ Heres how you can do it:
Open the `docker-compose.yml` file and find the `open-archiver` service. You're going to change the `volumes` section.
**Change this:**
**Change this:**
```yaml
services:
open-archiver:
# ... other config
volumes:
- archiver-data:/var/data/open-archiver
```
```yaml
services:
open-archiver:
# ... other config
volumes:
- archiver-data:/var/data/open-archiver
```
**To this:**
**To this:**
```yaml
services:
open-archiver:
# ... other config
volumes:
- ./data/open-archiver:/var/data/open-archiver
```
```yaml
services:
open-archiver:
# ... other config
volumes:
- ./data/open-archiver:/var/data/open-archiver
```
You'll also want to remove the `archiver-data` volume definition at the bottom of the file, since it's no longer needed.
**Remove this whole block:**
**Remove this whole block:**
```yaml
volumes:
# ... other volumes
archiver-data:
driver: local
```
```yaml
volumes:
# ... other volumes
archiver-data:
driver: local
```
2. **Restart your containers**:
After you've saved the changes, run the following command in your terminal to apply them. The `--force-recreate` flag will ensure the container is recreated with the new volume settings.
```bash
docker-compose up -d --force-recreate
```
After this, any new data will be saved directly into the `./data/open-archiver` folder in your project directory.
## Troubleshooting
### 403 Cross-Site POST Forbidden Error
If you are running the application behind a reverse proxy or have mapped the application to a different port (e.g., `3005:3000`), you may encounter a `403 Cross-site POST from submissions are forbidden` error when uploading files.
To resolve this, you must set the `ORIGIN` environment variable to the URL of your application. This ensures that the backend can verify the origin of requests and prevent cross-site request forgery (CSRF) attacks.
Add the following line to your `.env` file, replacing `<your_host>` and `<your_port>` with your specific values:
```bash
ORIGIN=http://<your_host>:<your_port>
```
For example, if your application is accessible at `http://localhost:3005`, you would set the variable as follows:
```bash
ORIGIN=http://localhost:3005
```
After adding the `ORIGIN` variable, restart your Docker containers for the changes to take effect:
```bash
docker-compose up -d --force-recreate
```
This will ensure that your file uploads are correctly authorized.
After this, any new data will be saved directly into the `./data/open-archiver` folder in your project directory.

37
docs/user-guides/integrity-check.md Normal file
View File

@@ -0,0 +1,37 @@
# Integrity Check
Open Archiver allows you to verify the integrity of your archived emails and their attachments. This guide explains how the integrity check works and what the results mean.
## How It Works
When an email is archived, Open Archiver calculates a unique cryptographic signature (a SHA256 hash) for the email's raw `.eml` file and for each of its attachments. These signatures are stored in the database alongside the email's metadata.
The integrity check feature recalculates these signatures for the stored files and compares them to the original signatures stored in the database. This process allows you to verify that the content of your archived emails has not been altered, corrupted, or tampered with since the moment they were archived.
## The Integrity Report
When you view an email in the Open Archiver interface, an integrity report is automatically generated and displayed. This report provides a clear, at-a-glance status for the email file and each of its attachments.
### Statuses
- **Valid (Green Badge):** A "Valid" status means that the current signature of the file matches the original signature stored in the database. This is the expected status and indicates that the file's integrity is intact.
- **Invalid (Red Badge):** An "Invalid" status means that the current signature of the file does _not_ match the original signature. This indicates that the file's content has changed since it was archived.
### Reasons for an "Invalid" Status
If a file is marked as "Invalid," you can hover over the badge to see a reason for the failure. Common reasons include:
- **Stored hash does not match current hash:** This is the most common reason and indicates that the file's content has been modified. This could be due to accidental changes, data corruption, or unauthorized tampering.
- **Could not read attachment file from storage:** This message indicates that the file could not be read from its storage location. This could be due to a storage system issue, a file permission problem, or because the file has been deleted.
## What to Do If an Integrity Check Fails
If you encounter an "Invalid" status for an email or attachment, it is important to investigate the issue. Here are some steps you can take:
1. **Check Storage:** Verify that the file exists in its storage location and that its permissions are correct.
2. **Review Audit Logs:** If you have audit logging enabled, review the logs for any unauthorized access or modifications to the file.
3. **Restore from Backup:** If you suspect data corruption, you may need to restore the affected file from a backup.
The integrity check feature is a crucial tool for ensuring the long-term reliability and trustworthiness of your email archive. By regularly monitoring the integrity of your archived data, you can be confident that your records are accurate and complete.

75
docs/user-guides/troubleshooting/cors-errors.md Normal file
View File

@@ -0,0 +1,75 @@
# Troubleshooting CORS Errors
Cross-Origin Resource Sharing (CORS) is a security feature that controls how web applications in one domain can request and interact with resources in another. If not configured correctly, you may encounter errors when performing actions like uploading files.
This guide will help you diagnose and resolve common CORS-related issues.
## Symptoms
You may be experiencing a CORS issue if you see one of the following errors in your browser's developer console or in the application's logs:
- `TypeError: fetch failed`
- `Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource.`
- `Unexpected token 'C', "Cross-site"... is not valid JSON`
- A JSON error response similar to the following:
```json
{
"message": "CORS Error: This origin is not allowed.",
"requiredOrigin": "http://localhost:3000",
"receivedOrigin": "https://localhost:3000"
}
```
## Root Cause
These errors typically occur when the URL you are using to access the application in your browser does not exactly match the `APP_URL` configured in your `.env` file.
This can happen for several reasons:
- You are accessing the application via a different port.
- You are using a reverse proxy that changes the protocol (e.g., from `http` to `https`).
- The SvelteKit server, in a production build, is incorrectly guessing its public-facing URL.
## Solution
The solution is to ensure that the application's frontend and backend are correctly configured with the public-facing URL of your instance. This is done by setting two environment variables: `APP_URL` and `ORIGIN`.
1. **Open your `.env` file** in a text editor.
2. **Set `APP_URL`**: Define the `APP_URL` variable with the exact URL you use to access the application in your browser.
```env
APP_URL=http://your-domain-or-ip:3000
```
3. **Set `ORIGIN`**: The SvelteKit server requires a specific `ORIGIN` variable to correctly identify itself. This should always be set to the value of your `APP_URL`.
```env
ORIGIN=$APP_URL
```
By using `$APP_URL`, you ensure that both variables are always in sync.
### Example Configuration
If you are running the application locally on port `3000`, your configuration should look like this:
```env
APP_URL=http://localhost:3000
ORIGIN=$APP_URL
```
If your application is behind a reverse proxy and is accessible at `https://archive.mycompany.com`, your configuration should be:
```env
APP_URL=https://archive.mycompany.com
ORIGIN=$APP_URL
```
After making these changes to your `.env` file, you must restart the application for them to take effect:
```bash
docker compose up -d --force-recreate
```
This will ensure that the backend's CORS policy and the frontend server's origin are correctly aligned, resolving the errors.

141
docs/user-guides/upgrade-and-migration/meilisearch-upgrade.md Normal file
View File

@@ -0,0 +1,141 @@
# Upgrading Meilisearch
Meilisearch, the search engine used by Open Archiver, requires a manual data migration process when upgrading to a new version. This is because Meilisearch databases are only compatible with the specific version that created them.
If an Open Archiver upgrade includes a major Meilisearch version change, you will need to migrate your search index by following the process below.
## Experimental: Dumpless Upgrade
> **Warning:** This feature is currently **experimental**. We do not recommend using it for production environments until it is marked as stable. Please use the [standard migration process](#standard-migration-process-recommended) instead. Proceed with caution.
Meilisearch recently introduced an experimental "dumpless" upgrade method. This allows you to migrate the database to a new Meilisearch version without manually creating and importing a dump. However, please note that **dumpless upgrades are not currently atomic**. If the process fails, your database may become corrupted, resulting in data loss.
**Prerequisite: Create a Snapshot**
Before attempting a dumpless upgrade, you **must** take a snapshot of your instance. This ensures you have a recovery point if the upgrade fails. Learn how to create snapshots in the [official Meilisearch documentation](https://www.meilisearch.com/docs/learn/data_backup/snapshots).
### How to Enable
To perform a dumpless upgrade, you need to configure your Meilisearch instance with the experimental flag. You can do this in one of two ways:
**Option 1: Using an Environment Variable**
Add the `MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE` environment variable to your `docker-compose.yml` file for the Meilisearch service.
```yaml
services:
meilisearch:
image: getmeili/meilisearch:v1.x # The new version you want to upgrade to
environment:
- MEILI_MASTER_KEY=${MEILI_MASTER_KEY}
- MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE=true
```
**Option 2: Using a CLI Option**
Alternatively, you can pass the `--experimental-dumpless-upgrade` flag in the command section of your `docker-compose.yml`.
```yaml
services:
meilisearch:
image: getmeili/meilisearch:v1.x # The new version you want to upgrade to
command: meilisearch --experimental-dumpless-upgrade
```
After updating your configuration, restart your container:
```bash
docker compose up -d
```
Meilisearch will attempt to migrate your database to the new version automatically.
---
## Standard Migration Process (Recommended)
For self-hosted instances using Docker Compose, the recommended migration process involves creating a data dump from your current Meilisearch instance, upgrading the Docker image, and then importing that dump into the new version.
### Step 1: Create a Dump
Before upgrading, you must create a dump of your existing Meilisearch data. You can do this by sending a POST request to the `/dumps` endpoint of the Meilisearch API.
1. **Find your Meilisearch container name**:
```bash
docker compose ps
```
Look for the service name that corresponds to Meilisearch, usually `meilisearch`.
2. **Execute the dump command**:
You will need your Meilisearch Admin API key, which can be found in your `.env` file as `MEILI_MASTER_KEY`.
```bash
curl -X POST 'http://localhost:7700/dumps' \
-H "Authorization: Bearer YOUR_MEILI_MASTER_KEY"
```
This will start the dump creation process. The dump file will be created inside the `meili_data` volume used by the Meilisearch container.
3. **Monitor the dump status**:
The dump creation request returns a `taskUid`. You can use this to check the status of the dump.
For more details on dump and import, see the [official Meilisearch documentation](https://www.meilisearch.com/docs/learn/update_and_migration/updating).
### Step 2: Upgrade Your Open Archiver Instance
Once the dump is successfully created, you can proceed with the standard Open Archiver upgrade process.
1. **Pull the latest changes and Docker images**:
```bash
git pull
docker compose pull
```
2. **Stop the running services**:
```bash
docker compose down
```
### Step 3: Import the Dump
Now, you need to restart the services while telling Meilisearch to import from your dump file.
1. **Modify `docker-compose.yml`**:
You need to temporarily add the `--import-dump` flag to the Meilisearch service command. Find the `meilisearch` service in your `docker-compose.yml` and modify the `command` section.
You will need the name of your dump file. It will be a `.dump` file located in the directory mapped to `/meili_data` inside the container.
```yaml
services:
meilisearch:
# ... other service config
command:
[
'--master-key=${MEILI_MASTER_KEY}',
'--env=production',
'--import-dump=/meili_data/dumps/YOUR_DUMP_FILE.dump',
]
```
2. **Restart the services**:
```bash
docker compose up -d
```
Meilisearch will now start and import the data from the dump file. This may take some time depending on the size of your index.
### Step 4: Clean Up
Once the import is complete and you have verified that your search is working correctly, you should remove the `--import-dump` flag from your `docker-compose.yml` to prevent it from running on every startup.
1. **Remove the `--import-dump` line** from the `command` section of the `meilisearch` service in `docker-compose.yml`.
2. **Restart the services** one last time:
```bash
docker compose up -d
```
Your Meilisearch instance is now upgraded and running with your migrated data.
For more advanced scenarios or troubleshooting, please refer to the **[official Meilisearch migration guide](https://www.meilisearch.com/docs/learn/update_and_migration/updating)**.

42
docs/user-guides/upgrade-and-migration/upgrade.md Normal file
View File

@@ -0,0 +1,42 @@
# Upgrading Your Instance
This guide provides instructions for upgrading your Open Archiver instance to the latest version.
## Checking for New Versions
Open Archiver automatically checks for new versions and will display a notification in the footer of the web interface when an update is available. You can find a list of all releases and their release notes on the [GitHub Releases](https://github.com/LogicLabs-OU/OpenArchiver/releases) page.
## Upgrading Your Instance
To upgrade your Open Archiver instance, follow these steps:
1. **Pull the latest changes from the repository**:
```bash
git pull
```
2. **Pull the latest Docker images**:
```bash
docker compose pull
```
3. **Restart the services with the new images**:
```bash
docker compose up -d
```
This will restart your Open Archiver instance with the latest version of the application.
## Migrating Data
When you upgrade to a new version, database migrations are applied automatically when the application starts up. This ensures that your database schema is always up-to-date with the latest version of the application.
No manual intervention is required for database migrations.
## Upgrading Meilisearch
When an Open Archiver update includes a major version change for Meilisearch, you will need to manually migrate your search data. This process is not covered by the standard upgrade commands.
For detailed instructions, please see the [Meilisearch Upgrade Guide](./meilisearch-upgrade.md).

79
open-archiver.yml Normal file
View File

@@ -0,0 +1,79 @@
# documentation: https://openarchiver.com
# slogan: A self-hosted, open-source email archiving solution with full-text search capability.
# tags: email archiving,email,compliance,search
# logo: svgs/openarchiver.svg
# port: 3000
services:
open-archiver:
image: logiclabshq/open-archiver:latest
environment:
- SERVICE_URL_3000
- SERVICE_URL=${SERVICE_URL_3000}
- PORT_BACKEND=${PORT_BACKEND:-4000}
- PORT_FRONTEND=${PORT_FRONTEND:-3000}
- NODE_ENV=${NODE_ENV:-production}
- SYNC_FREQUENCY=${SYNC_FREQUENCY:-* * * * *}
- POSTGRES_DB=${POSTGRES_DB:-open_archive}
- POSTGRES_USER=${POSTGRES_USER:-admin}
- POSTGRES_PASSWORD=${SERVICE_PASSWORD_POSTGRES}
- DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}
- MEILI_MASTER_KEY=${SERVICE_PASSWORD_MEILISEARCH}
- MEILI_HOST=http://meilisearch:7700
- REDIS_HOST=valkey
- REDIS_PORT=6379
- REDIS_USER=default
- REDIS_PASSWORD=${SERVICE_PASSWORD_VALKEY}
- REDIS_TLS_ENABLED=false
- STORAGE_TYPE=${STORAGE_TYPE:-local}
- STORAGE_LOCAL_ROOT_PATH=${STORAGE_LOCAL_ROOT_PATH:-/var/data/open-archiver}
- BODY_SIZE_LIMIT=${BODY_SIZE_LIMIT:-100M}
- STORAGE_S3_ENDPOINT=${STORAGE_S3_ENDPOINT}
- STORAGE_S3_BUCKET=${STORAGE_S3_BUCKET}
- STORAGE_S3_ACCESS_KEY_ID=${STORAGE_S3_ACCESS_KEY_ID}
- STORAGE_S3_SECRET_ACCESS_KEY=${STORAGE_S3_SECRET_ACCESS_KEY}
- STORAGE_S3_REGION=${STORAGE_S3_REGION}
- STORAGE_S3_FORCE_PATH_STYLE=${STORAGE_S3_FORCE_PATH_STYLE:-false}
- JWT_SECRET=${SERVICE_BASE64_128_JWT}
- JWT_EXPIRES_IN=${JWT_EXPIRES_IN:-7d}
- ENCRYPTION_KEY=${SERVICE_BASE64_64_ENCRYPTIONKEY}
- RATE_LIMIT_WINDOW_MS=${RATE_LIMIT_WINDOW_MS:-60000}
- RATE_LIMIT_MAX_REQUESTS=${RATE_LIMIT_MAX_REQUESTS:-100}
volumes:
- archiver-data:/var/data/open-archiver
depends_on:
postgres:
condition: service_healthy
valkey:
condition: service_started
meilisearch:
condition: service_started
postgres:
image: postgres:17-alpine
environment:
- POSTGRES_DB=${POSTGRES_DB}
- POSTGRES_USER=${POSTGRES_USER}
- POSTGRES_PASSWORD=${SERVICE_PASSWORD_POSTGRES}
- LC_ALL=C
volumes:
- pgdata:/var/lib/postgresql/data
healthcheck:
test: ['CMD-SHELL', 'pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}']
interval: 10s
timeout: 20s
retries: 10
valkey:
image: valkey/valkey:8-alpine
command: valkey-server --requirepass ${SERVICE_PASSWORD_VALKEY}
volumes:
- valkeydata:/data
meilisearch:
image: getmeili/meilisearch:v1.15
environment:
- MEILI_MASTER_KEY=${SERVICE_PASSWORD_MEILISEARCH}
- MEILI_SCHEDULE_SNAPSHOT=86400
volumes:
- meilidata:/meili_data

25
package.json
View File

@@ -1,18 +1,27 @@
{
"name": "open-archiver",
"version": "0.5.1",
"private": true,
"license": "SEE LICENSE IN LICENSE file",
"scripts": {
"dev": "dotenv -- pnpm --filter \"./packages/*\" --parallel dev",
"build": "pnpm --filter \"./packages/*\" build",
"start": "dotenv -- pnpm --filter \"./packages/*\" --parallel start",
"build:oss": "pnpm --filter \"./packages/*\" --filter \"!./packages/enterprise\" --filter \"./apps/open-archiver\" build",
"build:enterprise": "cross-env VITE_ENTERPRISE_MODE=true pnpm build",
"start:oss": "dotenv -- concurrently \"node apps/open-archiver/dist/index.js\" \"pnpm --filter @open-archiver/frontend start\"",
"start:enterprise": "dotenv -- concurrently \"node apps/open-archiver-enterprise/dist/index.js\" \"pnpm --filter @open-archiver/frontend start\"",
"dev:enterprise": "cross-env VITE_ENTERPRISE_MODE=true dotenv -- pnpm --filter \"@open-archiver/*\" --filter \"open-archiver-enterprise-app\" --parallel dev & pnpm run start:workers:dev",
"dev:oss": "dotenv -- pnpm --filter \"./packages/*\" --filter \"!./packages/@open-archiver/enterprise\" --filter \"open-archiver-app\" --parallel dev & pnpm run start:workers:dev",
"build": "pnpm --filter \"./packages/*\" --filter \"./apps/*\" build",
"start": "dotenv -- pnpm --filter \"open-archiver-app\" --parallel start",
"start:workers": "dotenv -- concurrently \"pnpm --filter @open-archiver/backend start:ingestion-worker\" \"pnpm --filter @open-archiver/backend start:indexing-worker\" \"pnpm --filter @open-archiver/backend start:sync-scheduler\"",
"start:workers:dev": "dotenv -- concurrently \"pnpm --filter @open-archiver/backend start:ingestion-worker:dev\" \"pnpm --filter @open-archiver/backend start:indexing-worker:dev\" \"pnpm --filter @open-archiver/backend start:sync-scheduler:dev\"",
"db:generate": "dotenv -- pnpm --filter @open-archiver/backend db:generate",
"db:migrate": "dotenv -- pnpm --filter @open-archiver/backend db:migrate",
"db:migrate:dev": "dotenv -- pnpm --filter @open-archiver/backend db:migrate:dev",
"docker-start": "concurrently \"pnpm start:workers\" \"pnpm start\"",
"docs:dev": "vitepress dev docs --port 3009",
"docs:build": "vitepress build docs",
"docker-start:oss": "concurrently \"pnpm start:workers\" \"pnpm start:oss\"",
"docker-start:enterprise": "concurrently \"pnpm start:workers\" \"pnpm start:enterprise\"",
"docs:gen-spec": "node packages/backend/scripts/generate-openapi-spec.mjs",
"docs:dev": "pnpm docs:gen-spec && vitepress dev docs --port 3009",
"docs:build": "pnpm docs:gen-spec && vitepress build docs",
"docs:preview": "vitepress preview docs",
"format": "prettier --write .",
"lint": "prettier --check ."
@@ -22,11 +31,13 @@
"dotenv-cli": "8.0.0"
},
"devDependencies": {
"cross-env": "^10.0.0",
"prettier": "^3.6.2",
"prettier-plugin-svelte": "^3.4.0",
"prettier-plugin-tailwindcss": "^0.6.14",
"typescript": "5.8.3",
"vitepress": "^1.6.4"
"vitepress": "^1.6.4",
"vitepress-openapi": "^0.1.18"
},
"packageManager": "pnpm@10.13.1",
"engines": {

22
packages/backend/package.json
View File

@@ -2,12 +2,17 @@
"name": "@open-archiver/backend",
"version": "0.1.0",
"private": true,
"license": "SEE LICENSE IN LICENSE file",
"main": "dist/index.js",
"types": "dist/index.d.ts",
"exports": {
".": "./dist/index.js",
"./*": "./dist/*.js"
},
"scripts": {
"dev": "ts-node-dev --respawn --transpile-only src/index.ts ",
"build": "tsc && pnpm copy-assets",
"dev": "tsc --watch",
"copy-assets": "cp -r src/locales dist/locales",
"start": "node dist/index.js",
"start:ingestion-worker": "node dist/workers/ingestion.worker.js",
"start:indexing-worker": "node dist/workers/indexing.worker.js",
"start:sync-scheduler": "node dist/jobs/schedulers/sync-scheduler.js",
@@ -31,6 +36,7 @@
"bcryptjs": "^3.0.2",
"bullmq": "^5.56.3",
"busboy": "^1.6.0",
"cors": "^2.8.5",
"cross-fetch": "^4.1.0",
"deepmerge-ts": "^7.1.5",
"dotenv": "^17.2.0",
@@ -50,6 +56,7 @@
"mammoth": "^1.9.1",
"meilisearch": "^0.51.0",
"multer": "^2.0.2",
"nodemailer": "^8.0.2",
"pdf2json": "^3.1.6",
"pg": "^8.16.3",
"pino": "^9.7.0",
@@ -58,24 +65,25 @@
"pst-extractor": "^1.11.0",
"reflect-metadata": "^0.2.2",
"sqlite3": "^5.1.7",
"tsconfig-paths": "^4.2.0",
"xlsx": "^0.18.5",
"xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz",
"yauzl": "^3.2.0",
"zod": "^4.1.5"
},
"devDependencies": {
"@bull-board/api": "^6.11.0",
"@bull-board/express": "^6.11.0",
"@types/archiver": "^6.0.3",
"@types/busboy": "^1.5.4",
"@types/cors": "^2.8.19",
"@types/express": "^5.0.3",
"@types/mailparser": "^3.4.6",
"@types/microsoft-graph": "^2.40.1",
"@types/multer": "^2.0.0",
"@types/node": "^24.0.12",
"@types/nodemailer": "^7.0.11",
"@types/swagger-jsdoc": "^6.0.4",
"@types/yauzl": "^2.10.3",
"bull-board": "^2.1.3",
"swagger-jsdoc": "^6.2.8",
"ts-node-dev": "^2.0.0",
"tsconfig-paths": "^4.2.0",
"typescript": "^5.8.3"
}
}

735
packages/backend/scripts/generate-openapi-spec.mjs Normal file
View File

@@ -0,0 +1,735 @@
/**
* Generates the OpenAPI specification from swagger-jsdoc annotations in the route files.
* Outputs the spec to docs/api/openapi.json for use with vitepress-openapi.
*
* Run: node packages/backend/scripts/generate-openapi-spec.mjs
*/
import swaggerJsdoc from 'swagger-jsdoc';
import { writeFileSync, mkdirSync } from 'fs';
import { resolve, dirname } from 'path';
import { fileURLToPath } from 'url';
const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename);
const options = {
definition: {
openapi: '3.1.0',
info: {
title: 'Open Archiver API',
version: '1.0.0',
description:
'REST API for Open Archiver — an open-source email archiving platform. All authenticated endpoints require a Bearer JWT token obtained from `POST /v1/auth/login`, or an API key passed as a Bearer token.',
license: {
name: 'SEE LICENSE IN LICENSE',
url: 'https://github.com/LogicLabs-OU/OpenArchiver/blob/main/LICENSE',
},
contact: {
name: 'Open Archiver',
url: 'https://openarchiver.com',
},
},
servers: [
{
url: 'http://localhost:3000',
description: 'Local development',
},
],
// Both security schemes apply globally; individual endpoints may override
security: [{ bearerAuth: [] }, { apiKeyAuth: [] }],
components: {
securitySchemes: {
bearerAuth: {
type: 'http',
scheme: 'bearer',
bearerFormat: 'JWT',
description:
'JWT obtained from `POST /v1/auth/login`. Pass as `Authorization: Bearer <token>`.',
},
apiKeyAuth: {
type: 'apiKey',
in: 'header',
name: 'X-API-KEY',
description:
'API key generated via `POST /v1/api-keys`. Pass as `X-API-KEY: <key>`.',
},
},
responses: {
Unauthorized: {
description: 'Authentication is required or the token is invalid/expired.',
content: {
'application/json': {
schema: { $ref: '#/components/schemas/ErrorMessage' },
example: { message: 'Unauthorized' },
},
},
},
Forbidden: {
description:
'The authenticated user does not have permission to perform this action.',
content: {
'application/json': {
schema: { $ref: '#/components/schemas/ErrorMessage' },
example: { message: 'Forbidden' },
},
},
},
NotFound: {
description: 'The requested resource was not found.',
content: {
'application/json': {
schema: { $ref: '#/components/schemas/ErrorMessage' },
example: { message: 'Not found' },
},
},
},
InternalServerError: {
description: 'An unexpected error occurred on the server.',
content: {
'application/json': {
schema: { $ref: '#/components/schemas/ErrorMessage' },
example: { message: 'Internal server error' },
},
},
},
},
schemas: {
// --- Shared utility schemas ---
ErrorMessage: {
type: 'object',
properties: {
message: {
type: 'string',
description: 'Human-readable error description.',
example: 'An error occurred.',
},
},
required: ['message'],
},
MessageResponse: {
type: 'object',
properties: {
message: {
type: 'string',
example: 'Operation completed successfully.',
},
},
required: ['message'],
},
ValidationError: {
type: 'object',
properties: {
message: {
type: 'string',
example: 'Request body is invalid.',
},
errors: {
type: 'string',
description: 'Zod validation error details.',
},
},
required: ['message'],
},
// --- Auth ---
LoginResponse: {
type: 'object',
properties: {
accessToken: {
type: 'string',
description: 'JWT for authenticating subsequent requests.',
example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...',
},
user: {
$ref: '#/components/schemas/User',
},
},
required: ['accessToken', 'user'],
},
// --- Users ---
User: {
type: 'object',
properties: {
id: { type: 'string', example: 'clx1y2z3a0000b4d2' },
first_name: { type: 'string', nullable: true, example: 'Jane' },
last_name: { type: 'string', nullable: true, example: 'Doe' },
email: {
type: 'string',
format: 'email',
example: 'jane.doe@example.com',
},
role: {
$ref: '#/components/schemas/Role',
nullable: true,
},
createdAt: { type: 'string', format: 'date-time' },
},
required: ['id', 'email', 'createdAt'],
},
// --- IAM ---
Role: {
type: 'object',
properties: {
id: { type: 'string', example: 'clx1y2z3a0000b4d2' },
slug: { type: 'string', nullable: true, example: 'predefined_super_admin' },
name: { type: 'string', example: 'Super Admin' },
policies: {
type: 'array',
items: { $ref: '#/components/schemas/CaslPolicy' },
},
createdAt: { type: 'string', format: 'date-time' },
updatedAt: { type: 'string', format: 'date-time' },
},
required: ['id', 'name', 'policies', 'createdAt', 'updatedAt'],
},
CaslPolicy: {
type: 'object',
description:
'An CASL-style permission policy statement. `action` and `subject` can be strings or arrays of strings. `conditions` optionally restricts access to specific resource attributes.',
properties: {
action: {
oneOf: [
{
type: 'string',
example: 'read',
},
{
type: 'array',
items: { type: 'string' },
example: ['read', 'search'],
},
],
},
subject: {
oneOf: [
{
type: 'string',
example: 'archive',
},
{
type: 'array',
items: { type: 'string' },
example: ['archive', 'ingestion'],
},
],
},
conditions: {
type: 'object',
description:
'Optional attribute-level conditions. Supports `${user.id}` interpolation.',
example: { userId: '${user.id}' },
},
},
required: ['action', 'subject'],
},
// --- API Keys ---
ApiKey: {
type: 'object',
properties: {
id: { type: 'string', example: 'clx1y2z3a0000b4d2' },
name: { type: 'string', example: 'CI/CD Pipeline Key' },
key: {
type: 'string',
description:
'Partial/masked key — the raw value is only available at creation time.',
example: 'oa_live_abc1...',
},
expiresAt: { type: 'string', format: 'date-time' },
createdAt: { type: 'string', format: 'date-time' },
},
required: ['id', 'name', 'expiresAt', 'createdAt'],
},
// --- Ingestion ---
SafeIngestionSource: {
type: 'object',
description: 'An ingestion source with sensitive credential fields removed.',
properties: {
id: { type: 'string', example: 'clx1y2z3a0000b4d2' },
name: { type: 'string', example: 'Company Google Workspace' },
provider: {
type: 'string',
enum: [
'google_workspace',
'microsoft_365',
'generic_imap',
'pst_import',
'eml_import',
'mbox_import',
],
example: 'google_workspace',
},
status: {
type: 'string',
enum: [
'active',
'paused',
'error',
'pending_auth',
'syncing',
'importing',
'auth_success',
'imported',
],
example: 'active',
},
createdAt: { type: 'string', format: 'date-time' },
updatedAt: { type: 'string', format: 'date-time' },
lastSyncStartedAt: { type: 'string', format: 'date-time', nullable: true },
lastSyncFinishedAt: { type: 'string', format: 'date-time', nullable: true },
lastSyncStatusMessage: { type: 'string', nullable: true },
},
required: ['id', 'name', 'provider', 'status', 'createdAt', 'updatedAt'],
},
CreateIngestionSourceDto: {
type: 'object',
required: ['name', 'provider', 'providerConfig'],
properties: {
name: {
type: 'string',
example: 'Company Google Workspace',
},
provider: {
type: 'string',
enum: [
'google_workspace',
'microsoft_365',
'generic_imap',
'pst_import',
'eml_import',
'mbox_import',
],
},
providerConfig: {
type: 'object',
description:
'Provider-specific configuration. See the ingestion source guides for the required fields per provider.',
example: {
serviceAccountKeyJson: '{"type":"service_account",...}',
impersonatedAdminEmail: 'admin@example.com',
},
},
},
},
UpdateIngestionSourceDto: {
type: 'object',
properties: {
name: { type: 'string' },
provider: {
type: 'string',
enum: [
'google_workspace',
'microsoft_365',
'generic_imap',
'pst_import',
'eml_import',
'mbox_import',
],
},
status: {
type: 'string',
enum: [
'active',
'paused',
'error',
'pending_auth',
'syncing',
'importing',
'auth_success',
'imported',
],
},
providerConfig: { type: 'object' },
},
},
// --- Archived Emails ---
Recipient: {
type: 'object',
properties: {
name: { type: 'string', nullable: true, example: 'John Doe' },
email: {
type: 'string',
format: 'email',
example: 'john.doe@example.com',
},
},
required: ['email'],
},
Attachment: {
type: 'object',
properties: {
id: { type: 'string', example: 'clx1y2z3a0000b4d2' },
filename: { type: 'string', example: 'invoice.pdf' },
mimeType: { type: 'string', nullable: true, example: 'application/pdf' },
sizeBytes: { type: 'integer', example: 204800 },
storagePath: {
type: 'string',
example: 'open-archiver/attachments/abc123.pdf',
},
},
required: ['id', 'filename', 'sizeBytes', 'storagePath'],
},
// Minimal representation of an email within a thread (returned alongside ArchivedEmail)
ThreadEmail: {
type: 'object',
properties: {
id: {
type: 'string',
description: 'ArchivedEmail ID.',
example: 'clx1y2z3a0000b4d2',
},
subject: { type: 'string', nullable: true, example: 'Re: Q4 Invoice' },
sentAt: { type: 'string', format: 'date-time' },
senderEmail: {
type: 'string',
format: 'email',
example: 'finance@vendor.com',
},
},
required: ['id', 'sentAt', 'senderEmail'],
},
ArchivedEmail: {
type: 'object',
properties: {
id: { type: 'string', example: 'clx1y2z3a0000b4d2' },
ingestionSourceId: { type: 'string', example: 'clx1y2z3a0000b4d2' },
userEmail: {
type: 'string',
format: 'email',
example: 'user@company.com',
},
messageIdHeader: { type: 'string', nullable: true },
sentAt: { type: 'string', format: 'date-time' },
subject: { type: 'string', nullable: true, example: 'Q4 Invoice' },
senderName: { type: 'string', nullable: true, example: 'Finance Dept' },
senderEmail: {
type: 'string',
format: 'email',
example: 'finance@vendor.com',
},
recipients: {
type: 'array',
items: { $ref: '#/components/schemas/Recipient' },
},
storagePath: { type: 'string' },
storageHashSha256: {
type: 'string',
description:
'SHA-256 hash of the raw email file, stored at archival time.',
},
sizeBytes: { type: 'integer' },
isIndexed: { type: 'boolean' },
hasAttachments: { type: 'boolean' },
isOnLegalHold: { type: 'boolean' },
archivedAt: { type: 'string', format: 'date-time' },
attachments: {
type: 'array',
items: { $ref: '#/components/schemas/Attachment' },
},
thread: {
type: 'array',
description:
'Other emails in the same thread, ordered by sentAt. Only present on single-email GET responses.',
items: { $ref: '#/components/schemas/ThreadEmail' },
},
path: { type: 'string', nullable: true },
tags: {
type: 'array',
items: { type: 'string' },
nullable: true,
},
},
required: [
'id',
'ingestionSourceId',
'userEmail',
'sentAt',
'senderEmail',
'recipients',
'storagePath',
'storageHashSha256',
'sizeBytes',
'isIndexed',
'hasAttachments',
'isOnLegalHold',
'archivedAt',
],
},
PaginatedArchivedEmails: {
type: 'object',
properties: {
items: {
type: 'array',
items: { $ref: '#/components/schemas/ArchivedEmail' },
},
total: { type: 'integer', example: 1234 },
page: { type: 'integer', example: 1 },
limit: { type: 'integer', example: 10 },
},
required: ['items', 'total', 'page', 'limit'],
},
// --- Search ---
SearchResults: {
type: 'object',
properties: {
hits: {
type: 'array',
description:
'Array of matching archived email objects, potentially with highlighted fields.',
items: { type: 'object' },
},
total: { type: 'integer', example: 42 },
page: { type: 'integer', example: 1 },
limit: { type: 'integer', example: 10 },
totalPages: { type: 'integer', example: 5 },
processingTimeMs: {
type: 'integer',
description: 'Meilisearch query processing time in milliseconds.',
example: 12,
},
},
required: ['hits', 'total', 'page', 'limit', 'totalPages', 'processingTimeMs'],
},
// --- Integrity ---
IntegrityCheckResult: {
type: 'object',
properties: {
type: {
type: 'string',
enum: ['email', 'attachment'],
description:
'Whether this result is for the email itself or one of its attachments.',
},
id: { type: 'string', example: 'clx1y2z3a0000b4d2' },
filename: {
type: 'string',
description:
'Attachment filename. Only present when `type` is `attachment`.',
example: 'invoice.pdf',
},
isValid: {
type: 'boolean',
description: 'True if the stored and computed hashes match.',
},
reason: {
type: 'string',
description: 'Human-readable explanation if `isValid` is false.',
},
storedHash: {
type: 'string',
description: 'SHA-256 hash stored at archival time.',
example: 'a3f1b2c4...',
},
computedHash: {
type: 'string',
description: 'SHA-256 hash computed during this verification run.',
example: 'a3f1b2c4...',
},
},
required: ['type', 'id', 'isValid', 'storedHash', 'computedHash'],
},
// --- Jobs ---
QueueCounts: {
type: 'object',
properties: {
active: { type: 'integer', example: 0 },
completed: { type: 'integer', example: 56 },
failed: { type: 'integer', example: 4 },
delayed: { type: 'integer', example: 0 },
waiting: { type: 'integer', example: 0 },
paused: { type: 'integer', example: 0 },
},
required: ['active', 'completed', 'failed', 'delayed', 'waiting', 'paused'],
},
QueueOverview: {
type: 'object',
properties: {
name: { type: 'string', example: 'ingestion' },
counts: { $ref: '#/components/schemas/QueueCounts' },
},
required: ['name', 'counts'],
},
Job: {
type: 'object',
properties: {
id: { type: 'string', nullable: true, example: '1' },
name: { type: 'string', example: 'initial-import' },
data: {
type: 'object',
description: 'Job payload data.',
example: { ingestionSourceId: 'clx1y2z3a0000b4d2' },
},
state: {
type: 'string',
enum: ['active', 'completed', 'failed', 'delayed', 'waiting', 'paused'],
example: 'failed',
},
failedReason: {
type: 'string',
nullable: true,
example: 'Error: Connection timed out',
},
timestamp: { type: 'integer', example: 1678886400000 },
processedOn: { type: 'integer', nullable: true, example: 1678886401000 },
finishedOn: { type: 'integer', nullable: true, example: 1678886402000 },
attemptsMade: { type: 'integer', example: 5 },
stacktrace: {
type: 'array',
items: { type: 'string' },
},
returnValue: { nullable: true },
ingestionSourceId: { type: 'string', nullable: true },
error: {
description: 'Shorthand copy of `failedReason` for easier access.',
nullable: true,
},
},
required: [
'id',
'name',
'data',
'state',
'timestamp',
'attemptsMade',
'stacktrace',
],
},
QueueDetails: {
type: 'object',
properties: {
name: { type: 'string', example: 'ingestion' },
counts: { $ref: '#/components/schemas/QueueCounts' },
jobs: {
type: 'array',
items: { $ref: '#/components/schemas/Job' },
},
pagination: {
type: 'object',
properties: {
currentPage: { type: 'integer', example: 1 },
totalPages: { type: 'integer', example: 3 },
totalJobs: { type: 'integer', example: 25 },
limit: { type: 'integer', example: 10 },
},
required: ['currentPage', 'totalPages', 'totalJobs', 'limit'],
},
},
required: ['name', 'counts', 'jobs', 'pagination'],
},
// --- Dashboard ---
DashboardStats: {
type: 'object',
properties: {
totalEmailsArchived: { type: 'integer', example: 125000 },
totalStorageUsed: {
type: 'integer',
description: 'Total storage used by all archived emails in bytes.',
example: 5368709120,
},
failedIngestionsLast7Days: {
type: 'integer',
description:
'Number of ingestion sources in error state updated in the last 7 days.',
example: 2,
},
},
},
IngestionSourceStats: {
type: 'object',
description: 'Summary of an ingestion source including its storage usage.',
properties: {
id: { type: 'string', example: 'clx1y2z3a0000b4d2' },
name: { type: 'string', example: 'Company Google Workspace' },
provider: { type: 'string', example: 'google_workspace' },
status: { type: 'string', example: 'active' },
storageUsed: {
type: 'integer',
description:
'Total bytes stored for emails from this ingestion source.',
example: 1073741824,
},
},
required: ['id', 'name', 'provider', 'status', 'storageUsed'],
},
RecentSync: {
type: 'object',
description: 'Summary of a recent sync session.',
properties: {
id: { type: 'string', example: 'clx1y2z3a0000b4d2' },
sourceName: { type: 'string', example: 'Company Google Workspace' },
startTime: { type: 'string', format: 'date-time' },
duration: {
type: 'integer',
description: 'Duration in milliseconds.',
example: 4500,
},
emailsProcessed: { type: 'integer', example: 120 },
status: { type: 'string', example: 'completed' },
},
required: [
'id',
'sourceName',
'startTime',
'duration',
'emailsProcessed',
'status',
],
},
IndexedInsights: {
type: 'object',
description: 'Insights derived from the search index.',
properties: {
topSenders: {
type: 'array',
items: {
type: 'object',
properties: {
sender: { type: 'string', example: 'finance@vendor.com' },
count: { type: 'integer', example: 342 },
},
required: ['sender', 'count'],
},
},
},
required: ['topSenders'],
},
// --- Settings ---
SystemSettings: {
type: 'object',
description: 'Non-sensitive system configuration values.',
properties: {
language: {
type: 'string',
enum: ['en', 'es', 'fr', 'de', 'it', 'pt', 'nl', 'ja', 'et', 'el'],
example: 'en',
description: 'Default UI language code.',
},
theme: {
type: 'string',
enum: ['light', 'dark', 'system'],
example: 'system',
description: 'Default color theme.',
},
supportEmail: {
type: 'string',
format: 'email',
nullable: true,
example: 'support@example.com',
description: 'Public-facing support email address.',
},
},
},
},
},
},
// Scan all route files for @openapi annotations
apis: [resolve(__dirname, '../src/api/routes/*.ts')],
};
const spec = swaggerJsdoc(options);
// Output to docs/ directory so VitePress can consume it
const outputPath = resolve(__dirname, '../../../docs/api/openapi.json');
mkdirSync(dirname(outputPath), { recursive: true });
writeFileSync(outputPath, JSON.stringify(spec, null, 2));
console.log(`✅ OpenAPI spec generated: ${outputPath}`);
console.log(` Paths: ${Object.keys(spec.paths ?? {}).length}, Tags: ${(spec.tags ?? []).length}`);

103
packages/backend/src/api/controllers/api-key.controller.ts
View File

@@ -1,50 +1,81 @@
import { Request, Response } from 'express';
import { ApiKeyService } from '../../services/ApiKeyService';
import { z } from 'zod';
import { UserService } from '../../services/UserService';
import { config } from '../../config';
const generateApiKeySchema = z.object({
name: z.string().min(1, 'API kay name must be more than 1 characters').max(255, 'API kay name must not be more than 255 characters'),
expiresInDays: z.number().int().positive('Only positive number is allowed').max(730, "The API key must expire within 2 years / 730 days."),
name: z
.string()
.min(1, 'API kay name must be more than 1 characters')
.max(255, 'API kay name must not be more than 255 characters'),
expiresInDays: z
.number()
.int()
.positive('Only positive number is allowed')
.max(730, 'The API key must expire within 2 years / 730 days.'),
});
export class ApiKeyController {
public async generateApiKey(req: Request, res: Response) {
try {
const { name, expiresInDays } = generateApiKeySchema.parse(req.body);
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const userId = req.user.sub;
private userService = new UserService();
public generateApiKey = async (req: Request, res: Response) => {
try {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
const { name, expiresInDays } = generateApiKeySchema.parse(req.body);
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const userId = req.user.sub;
const actor = await this.userService.findById(userId);
if (!actor) {
return res.status(401).json({ message: 'Unauthorized' });
}
const key = await ApiKeyService.generate(userId, name, expiresInDays);
const key = await ApiKeyService.generate(
userId,
name,
expiresInDays,
actor,
req.ip || 'unknown'
);
res.status(201).json({ key });
} catch (error) {
if (error instanceof z.ZodError) {
return res.status(400).json({ message: req.t('api.requestBodyInvalid'), errors: error.message });
}
res.status(500).json({ message: req.t('errors.internalServerError') });
}
}
res.status(201).json({ key });
} catch (error) {
if (error instanceof z.ZodError) {
return res
.status(400)
.json({ message: req.t('api.requestBodyInvalid'), errors: error.message });
}
res.status(500).json({ message: req.t('errors.internalServerError') });
}
};
public async getApiKeys(req: Request, res: Response) {
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const userId = req.user.sub;
const keys = await ApiKeyService.getKeys(userId);
public getApiKeys = async (req: Request, res: Response) => {
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const userId = req.user.sub;
const keys = await ApiKeyService.getKeys(userId);
res.status(200).json(keys);
}
res.status(200).json(keys);
};
public async deleteApiKey(req: Request, res: Response) {
const { id } = req.params;
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const userId = req.user.sub;
await ApiKeyService.deleteKey(id, userId);
public deleteApiKey = async (req: Request, res: Response) => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
const { id } = req.params;
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const userId = req.user.sub;
const actor = await this.userService.findById(userId);
if (!actor) {
return res.status(401).json({ message: 'Unauthorized' });
}
await ApiKeyService.deleteKey(id, userId, actor, req.ip || 'unknown');
res.status(204).send({ message: req.t('apiKeys.deleteSuccess') });
}
res.status(204).send({ message: req.t('apiKeys.deleteSuccess') });
};
}

44
packages/backend/src/api/controllers/archived-email.controller.ts
View File

@@ -1,8 +1,10 @@
import { Request, Response } from 'express';
import { ArchivedEmailService } from '../../services/ArchivedEmailService';
import { config } from '../../config';
import { UserService } from '../../services/UserService';
import { checkDeletionEnabled } from '../../helpers/deletionGuard';
export class ArchivedEmailController {
private userService = new UserService();
public getArchivedEmails = async (req: Request, res: Response): Promise<Response> => {
try {
const { ingestionSourceId } = req.params;
@@ -35,8 +37,17 @@ export class ArchivedEmailController {
if (!userId) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const actor = await this.userService.findById(userId);
if (!actor) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const email = await ArchivedEmailService.getArchivedEmailById(id, userId);
const email = await ArchivedEmailService.getArchivedEmailById(
id,
userId,
actor,
req.ip || 'unknown'
);
if (!email) {
return res.status(404).json({ message: req.t('archivedEmail.notFound') });
}
@@ -48,12 +59,27 @@ export class ArchivedEmailController {
};
public deleteArchivedEmail = async (req: Request, res: Response): Promise<Response> => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
// Guard: return 400 if deletion is disabled in system settings before touching anything else
try {
const { id } = req.params;
await ArchivedEmailService.deleteArchivedEmail(id);
checkDeletionEnabled();
} catch (error) {
return res.status(400).json({
message: error instanceof Error ? error.message : req.t('errors.deletionDisabled'),
});
}
const { id } = req.params;
const userId = req.user?.sub;
if (!userId) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const actor = await this.userService.findById(userId);
if (!actor) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
try {
await ArchivedEmailService.deleteArchivedEmail(id, actor, req.ip || 'unknown');
return res.status(204).send();
} catch (error) {
console.error(`Delete archived email ${req.params.id} error:`, error);
@@ -61,6 +87,10 @@ export class ArchivedEmailController {
if (error.message === 'Archived email not found') {
return res.status(404).json({ message: req.t('archivedEmail.notFound') });
}
// Retention policy / legal hold blocks are user-facing 400 errors
if (error.message.startsWith('Deletion blocked by retention policy')) {
return res.status(400).json({ message: error.message });
}
return res.status(500).json({ message: error.message });
}
return res.status(500).json({ message: req.t('errors.internalServerError') });

4
packages/backend/src/api/controllers/auth.controller.ts
View File

@@ -44,7 +44,7 @@ export class AuthController {
{ email, password, first_name, last_name },
true
);
const result = await this.#authService.login(email, password);
const result = await this.#authService.login(email, password, req.ip || 'unknown');
return res.status(201).json(result);
} catch (error) {
console.error('Setup error:', error);
@@ -60,7 +60,7 @@ export class AuthController {
}
try {
const result = await this.#authService.login(email, password);
const result = await this.#authService.login(email, password, req.ip || 'unknown');
if (!result) {
return res.status(401).json({ message: req.t('auth.login.invalidCredentials') });

10
packages/backend/src/api/controllers/iam.controller.ts
View File

@@ -3,7 +3,6 @@ import { IamService } from '../../services/IamService';
import { PolicyValidator } from '../../iam-policy/policy-validator';
import type { CaslPolicy } from '@open-archiver/types';
import { logger } from '../../config/logger';
import { config } from '../../config';
export class IamController {
#iamService: IamService;
@@ -42,9 +41,6 @@ export class IamController {
};
public createRole = async (req: Request, res: Response) => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
const { name, policies } = req.body;
if (!name || !policies) {
@@ -69,9 +65,6 @@ export class IamController {
};
public deleteRole = async (req: Request, res: Response) => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
const { id } = req.params;
try {
@@ -83,9 +76,6 @@ export class IamController {
};
public updateRole = async (req: Request, res: Response) => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
const { id } = req.params;
const { name, policies } = req.body;

113
packages/backend/src/api/controllers/ingestion.controller.ts
View File

@@ -7,9 +7,11 @@ import {
SafeIngestionSource,
} from '@open-archiver/types';
import { logger } from '../../config/logger';
import { config } from '../../config';
import { UserService } from '../../services/UserService';
import { checkDeletionEnabled } from '../../helpers/deletionGuard';
export class IngestionController {
private userService = new UserService();
/**
* Converts an IngestionSource object to a safe version for client-side consumption
* by removing the credentials.
@@ -22,16 +24,22 @@ export class IngestionController {
}
public create = async (req: Request, res: Response): Promise<Response> => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
try {
const dto: CreateIngestionSourceDto = req.body;
const userId = req.user?.sub;
if (!userId) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const newSource = await IngestionService.create(dto, userId);
const actor = await this.userService.findById(userId);
if (!actor) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const newSource = await IngestionService.create(
dto,
userId,
actor,
req.ip || 'unknown'
);
const safeSource = this.toSafeIngestionSource(newSource);
return res.status(201).json(safeSource);
} catch (error: any) {
@@ -74,13 +82,23 @@ export class IngestionController {
};
public update = async (req: Request, res: Response): Promise<Response> => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
try {
const { id } = req.params;
const dto: UpdateIngestionSourceDto = req.body;
const updatedSource = await IngestionService.update(id, dto);
const userId = req.user?.sub;
if (!userId) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const actor = await this.userService.findById(userId);
if (!actor) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const updatedSource = await IngestionService.update(
id,
dto,
actor,
req.ip || 'unknown'
);
const safeSource = this.toSafeIngestionSource(updatedSource);
return res.status(200).json(safeSource);
} catch (error) {
@@ -93,26 +111,31 @@ export class IngestionController {
};
public delete = async (req: Request, res: Response): Promise<Response> => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
try {
checkDeletionEnabled();
const { id } = req.params;
await IngestionService.delete(id);
const userId = req.user?.sub;
if (!userId) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const actor = await this.userService.findById(userId);
if (!actor) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
await IngestionService.delete(id, actor, req.ip || 'unknown');
return res.status(204).send();
} catch (error) {
console.error(`Delete ingestion source ${req.params.id} error:`, error);
if (error instanceof Error && error.message === 'Ingestion source not found') {
return res.status(404).json({ message: req.t('ingestion.notFound') });
} else if (error instanceof Error) {
return res.status(400).json({ message: error.message });
}
return res.status(500).json({ message: req.t('errors.internalServerError') });
}
};
public triggerInitialImport = async (req: Request, res: Response): Promise<Response> => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
try {
const { id } = req.params;
await IngestionService.triggerInitialImport(id);
@@ -127,12 +150,22 @@ export class IngestionController {
};
public pause = async (req: Request, res: Response): Promise<Response> => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
try {
const { id } = req.params;
const updatedSource = await IngestionService.update(id, { status: 'paused' });
const userId = req.user?.sub;
if (!userId) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const actor = await this.userService.findById(userId);
if (!actor) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const updatedSource = await IngestionService.update(
id,
{ status: 'paused' },
actor,
req.ip || 'unknown'
);
const safeSource = this.toSafeIngestionSource(updatedSource);
return res.status(200).json(safeSource);
} catch (error) {
@@ -144,13 +177,43 @@ export class IngestionController {
}
};
public triggerForceSync = async (req: Request, res: Response): Promise<Response> => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
public unmerge = async (req: Request, res: Response): Promise<Response> => {
try {
const { id } = req.params;
await IngestionService.triggerForceSync(id);
const userId = req.user?.sub;
if (!userId) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const actor = await this.userService.findById(userId);
if (!actor) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const updatedSource = await IngestionService.unmerge(id, actor, req.ip || 'unknown');
const safeSource = this.toSafeIngestionSource(updatedSource);
return res.status(200).json(safeSource);
} catch (error) {
logger.error({ err: error }, `Unmerge ingestion source ${req.params.id} error`);
if (error instanceof Error && error.message === 'Ingestion source not found') {
return res.status(404).json({ message: req.t('ingestion.notFound') });
} else if (error instanceof Error) {
return res.status(400).json({ message: error.message });
}
return res.status(500).json({ message: req.t('errors.internalServerError') });
}
};
public triggerForceSync = async (req: Request, res: Response): Promise<Response> => {
try {
const { id } = req.params;
const userId = req.user?.sub;
if (!userId) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
const actor = await this.userService.findById(userId);
if (!actor) {
return res.status(401).json({ message: req.t('errors.unauthorized') });
}
await IngestionService.triggerForceSync(id, actor, req.ip || 'unknown');
return res.status(202).json({ message: req.t('ingestion.forceSyncTriggered') });
} catch (error) {
console.error(`Trigger force sync for ${req.params.id} error:`, error);

29
packages/backend/src/api/controllers/integrity.controller.ts Normal file
View File

@@ -0,0 +1,29 @@
import { Request, Response } from 'express';
import { IntegrityService } from '../../services/IntegrityService';
import { z } from 'zod';
const checkIntegritySchema = z.object({
id: z.string().uuid(),
});
export class IntegrityController {
private integrityService = new IntegrityService();
public checkIntegrity = async (req: Request, res: Response) => {
try {
const { id } = checkIntegritySchema.parse(req.params);
const results = await this.integrityService.checkEmailIntegrity(id);
res.status(200).json(results);
} catch (error) {
if (error instanceof z.ZodError) {
return res
.status(400)
.json({ message: req.t('api.requestBodyInvalid'), errors: error.message });
}
if (error instanceof Error && error.message === 'Archived email not found') {
return res.status(404).json({ message: req.t('errors.notFound') });
}
res.status(500).json({ message: req.t('errors.internalServerError') });
}
};
}

42
packages/backend/src/api/controllers/jobs.controller.ts Normal file
View File

@@ -0,0 +1,42 @@
import { Request, Response } from 'express';
import { JobsService } from '../../services/JobsService';
import {
IGetQueueJobsRequestParams,
IGetQueueJobsRequestQuery,
JobStatus,
} from '@open-archiver/types';
export class JobsController {
private jobsService: JobsService;
constructor() {
this.jobsService = new JobsService();
}
public getQueues = async (req: Request, res: Response) => {
try {
const queues = await this.jobsService.getQueues();
res.status(200).json({ queues });
} catch (error) {
res.status(500).json({ message: 'Error fetching queues', error });
}
};
public getQueueJobs = async (req: Request, res: Response) => {
try {
const { queueName } = req.params as unknown as IGetQueueJobsRequestParams;
const { status, page, limit } = req.query as unknown as IGetQueueJobsRequestQuery;
const pageNumber = parseInt(page, 10) || 1;
const limitNumber = parseInt(limit, 10) || 10;
const queueDetails = await this.jobsService.getQueueDetails(
queueName,
status,
pageNumber,
limitNumber
);
res.status(200).json(queueDetails);
} catch (error) {
res.status(500).json({ message: 'Error fetching queue jobs', error });
}
};
}

3
packages/backend/src/api/controllers/search.controller.ts
View File

@@ -31,7 +31,8 @@ export class SearchController {
limit: limit ? parseInt(limit as string) : 10,
matchingStrategy: matchingStrategy as MatchingStrategies,
},
userId
userId,
req.ip || 'unknown'
);
res.status(200).json(results);

17
packages/backend/src/api/controllers/settings.controller.ts
View File

@@ -1,8 +1,9 @@
import type { Request, Response } from 'express';
import { SettingsService } from '../../services/SettingsService';
import { config } from '../../config';
import { UserService } from '../../services/UserService';
const settingsService = new SettingsService();
const userService = new UserService();
export const getSystemSettings = async (req: Request, res: Response) => {
try {
@@ -17,10 +18,18 @@ export const getSystemSettings = async (req: Request, res: Response) => {
export const updateSystemSettings = async (req: Request, res: Response) => {
try {
// Basic validation can be performed here if necessary
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const updatedSettings = await settingsService.updateSystemSettings(req.body);
const actor = await userService.findById(req.user.sub);
if (!actor) {
return res.status(401).json({ message: 'Unauthorized' });
}
const updatedSettings = await settingsService.updateSystemSettings(
req.body,
actor,
req.ip || 'unknown'
);
res.status(200).json(updatedSettings);
} catch (error) {
// A more specific error could be logged here

86
packages/backend/src/api/controllers/upload.controller.ts
View File

@@ -3,22 +3,96 @@ import { StorageService } from '../../services/StorageService';
import { randomUUID } from 'crypto';
import busboy from 'busboy';
import { config } from '../../config/index';
import { logger } from '../../config/logger';
import i18next from 'i18next';
export const uploadFile = async (req: Request, res: Response) => {
const storage = new StorageService();
const bb = busboy({ headers: req.headers });
const uploads: Promise<void>[] = [];
let filePath = '';
let originalFilename = '';
let headersSent = false;
const contentLength = req.headers['content-length'];
bb.on('file', (fieldname, file, filename) => {
originalFilename = filename.filename;
logger.info({ contentLength, contentType: req.headers['content-type'] }, 'File upload started');
const sendErrorResponse = (statusCode: number, message: string) => {
if (!headersSent) {
headersSent = true;
res.status(statusCode).json({
status: 'error',
statusCode,
message,
errors: null,
});
}
};
let bb: busboy.Busboy;
try {
bb = busboy({ headers: req.headers });
} catch (err) {
const message = err instanceof Error ? err.message : i18next.t('upload.invalid_request');
logger.error({ error: message }, 'Failed to initialize file upload parser');
sendErrorResponse(400, i18next.t('upload.invalid_request'));
return;
}
bb.on('file', (fieldname, file, info) => {
originalFilename = info.filename;
const uuid = randomUUID();
filePath = `${config.storage.openArchiverFolderName}/tmp/${uuid}-${originalFilename}`;
storage.put(filePath, file);
logger.info({ filename: originalFilename, fieldname }, 'Receiving file stream');
file.on('error', (err) => {
logger.error(
{ error: err.message, filename: originalFilename },
'File stream error during upload'
);
sendErrorResponse(500, i18next.t('upload.stream_error'));
});
uploads.push(storage.put(filePath, file));
});
bb.on('finish', () => {
res.json({ filePath });
bb.on('error', (err: Error) => {
logger.error({ error: err.message }, 'Upload parsing error');
sendErrorResponse(500, i18next.t('upload.parse_error'));
});
bb.on('finish', async () => {
try {
await Promise.all(uploads);
if (!headersSent) {
headersSent = true;
logger.info(
{ filePath, filename: originalFilename },
'File upload completed successfully'
);
res.json({ filePath });
}
} catch (err) {
const message = err instanceof Error ? err.message : 'Unknown storage error';
logger.error(
{ error: message, filename: originalFilename, filePath },
'Failed to write uploaded file to storage'
);
sendErrorResponse(500, i18next.t('upload.storage_error'));
}
});
// Handle client disconnection mid-upload
req.on('error', (err) => {
logger.warn(
{ error: err.message, filename: originalFilename },
'Client connection error during upload'
);
sendErrorResponse(499, i18next.t('upload.connection_error'));
});
req.on('aborted', () => {
logger.warn({ filename: originalFilename }, 'Client aborted upload');
});
req.pipe(bb);

103
packages/backend/src/api/controllers/user.controller.ts
View File

@@ -21,27 +21,39 @@ export const getUser = async (req: Request, res: Response) => {
};
export const createUser = async (req: Request, res: Response) => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
const { email, first_name, last_name, password, roleId } = req.body;
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const actor = await userService.findById(req.user.sub);
if (!actor) {
return res.status(401).json({ message: 'Unauthorized' });
}
const newUser = await userService.createUser(
{ email, first_name, last_name, password },
roleId
roleId,
actor,
req.ip || 'unknown'
);
res.status(201).json(newUser);
};
export const updateUser = async (req: Request, res: Response) => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
const { email, first_name, last_name, roleId } = req.body;
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const actor = await userService.findById(req.user.sub);
if (!actor) {
return res.status(401).json({ message: 'Unauthorized' });
}
const updatedUser = await userService.updateUser(
req.params.id,
{ email, first_name, last_name },
roleId
roleId,
actor,
req.ip || 'unknown'
);
if (!updatedUser) {
return res.status(404).json({ message: req.t('user.notFound') });
@@ -50,9 +62,6 @@ export const updateUser = async (req: Request, res: Response) => {
};
export const deleteUser = async (req: Request, res: Response) => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
const userCountResult = await db.select({ count: sql<number>`count(*)` }).from(schema.users);
const isOnlyUser = Number(userCountResult[0].count) === 1;
@@ -61,6 +70,76 @@ export const deleteUser = async (req: Request, res: Response) => {
message: req.t('user.cannotDeleteOnlyUser'),
});
}
await userService.deleteUser(req.params.id);
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const actor = await userService.findById(req.user.sub);
if (!actor) {
return res.status(401).json({ message: 'Unauthorized' });
}
await userService.deleteUser(req.params.id, actor, req.ip || 'unknown');
res.status(204).send();
};
export const getProfile = async (req: Request, res: Response) => {
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const user = await userService.findById(req.user.sub);
if (!user) {
return res.status(404).json({ message: req.t('user.notFound') });
}
res.json(user);
};
export const updateProfile = async (req: Request, res: Response) => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
const { email, first_name, last_name } = req.body;
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const actor = await userService.findById(req.user.sub);
if (!actor) {
return res.status(401).json({ message: 'Unauthorized' });
}
const updatedUser = await userService.updateUser(
req.user.sub,
{ email, first_name, last_name },
undefined,
actor,
req.ip || 'unknown'
);
res.json(updatedUser);
};
export const updatePassword = async (req: Request, res: Response) => {
if (config.app.isDemo) {
return res.status(403).json({ message: req.t('errors.demoMode') });
}
const { currentPassword, newPassword } = req.body;
if (!req.user || !req.user.sub) {
return res.status(401).json({ message: 'Unauthorized' });
}
const actor = await userService.findById(req.user.sub);
if (!actor) {
return res.status(401).json({ message: 'Unauthorized' });
}
try {
await userService.updatePassword(
req.user.sub,
currentPassword,
newPassword,
actor,
req.ip || 'unknown'
);
res.status(200).json({ message: 'Password updated successfully' });
} catch (e: any) {
if (e.message === 'Invalid current password') {
return res.status(400).json({ message: e.message });
}
throw e;
}
};

13
packages/backend/src/api/middleware/rateLimiter.ts
View File

@@ -1,4 +1,4 @@
import rateLimit from 'express-rate-limit';
import { rateLimit, ipKeyGenerator } from 'express-rate-limit';
import { config } from '../../config';
const windowInMinutes = Math.ceil(config.api.rateLimit.windowMs / 60000);
@@ -6,7 +6,16 @@ const windowInMinutes = Math.ceil(config.api.rateLimit.windowMs / 60000);
export const rateLimiter = rateLimit({
windowMs: config.api.rateLimit.windowMs,
max: config.api.rateLimit.max,
message: `Too many requests from this IP, please try again after ${windowInMinutes} minutes`,
keyGenerator: (req, res) => {
// Use the real IP address of the client, even if it's behind a proxy.
// `app.set('trust proxy', true)` in `server.ts`.
return ipKeyGenerator(req.ip || 'unknown');
},
message: {
status: 429,
message: `Too many requests from this IP, please try again after ${windowInMinutes} minutes`,
},
statusCode: 429,
standardHeaders: true,
legacyHeaders: false,
});

2
packages/backend/src/api/middleware/requireAuth.ts
View File

@@ -32,7 +32,7 @@ export const requireAuth = (authService: AuthService) => {
req.user = {
sub: user.id,
email: user.email,
roles: user.role ? [user.role.name] : []
roles: user.role ? [user.role.name] : [],
};
return next();
}

133
packages/backend/src/api/routes/api-key.routes.ts
View File

@@ -3,13 +3,132 @@ import { ApiKeyController } from '../controllers/api-key.controller';
import { requireAuth } from '../middleware/requireAuth';
import { AuthService } from '../../services/AuthService';
export const apiKeyRoutes = (authService: AuthService) => {
const router = Router();
const controller = new ApiKeyController();
export const apiKeyRoutes = (authService: AuthService): Router => {
const router = Router();
const controller = new ApiKeyController();
router.post('/', requireAuth(authService), controller.generateApiKey);
router.get('/', requireAuth(authService), controller.getApiKeys);
router.delete('/:id', requireAuth(authService), controller.deleteApiKey);
/**
* @openapi
* /v1/api-keys:
* post:
* summary: Generate an API key
* description: >
* Generates a new API key for the authenticated user. The raw key value is only returned once at creation time.
* The key name must be between 1255 characters. Expiry is required and must be within 730 days (2 years).
* Disabled in demo mode.
* operationId: generateApiKey
* tags:
* - API Keys
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* requestBody:
* required: true
* content:
* application/json:
* schema:
* type: object
* required:
* - name
* - expiresInDays
* properties:
* name:
* type: string
* minLength: 1
* maxLength: 255
* example: "CI/CD Pipeline Key"
* expiresInDays:
* type: integer
* minimum: 1
* maximum: 730
* example: 90
* responses:
* '201':
* description: API key created. The raw `key` value is only shown once.
* content:
* application/json:
* schema:
* type: object
* properties:
* key:
* type: string
* description: The raw API key. Store this securely — it will not be shown again.
* example: "oa_live_abc123..."
* '400':
* description: Validation error (name too short/long, expiry out of range).
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ValidationError'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* description: Disabled in demo mode.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '500':
* $ref: '#/components/responses/InternalServerError'
* get:
* summary: List API keys
* description: Returns all API keys belonging to the currently authenticated user. The raw key value is not included.
* operationId: getApiKeys
* tags:
* - API Keys
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* responses:
* '200':
* description: List of API keys (without raw key values).
* content:
* application/json:
* schema:
* type: array
* items:
* $ref: '#/components/schemas/ApiKey'
* '401':
* $ref: '#/components/responses/Unauthorized'
*/
router.post('/', requireAuth(authService), controller.generateApiKey);
router.get('/', requireAuth(authService), controller.getApiKeys);
return router;
/**
* @openapi
* /v1/api-keys/{id}:
* delete:
* summary: Delete an API key
* description: Permanently revokes and deletes an API key by ID. Only the owning user can delete their own keys. Disabled in demo mode.
* operationId: deleteApiKey
* tags:
* - API Keys
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* description: The ID of the API key to delete.
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '204':
* description: API key deleted. No content returned.
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* description: Disabled in demo mode.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.delete('/:id', requireAuth(authService), controller.deleteApiKey);
return router;
};

114
packages/backend/src/api/routes/archived-email.routes.ts
View File

@@ -13,12 +13,126 @@ export const createArchivedEmailRouter = (
// Secure all routes in this module
router.use(requireAuth(authService));
/**
* @openapi
* /v1/archived-emails/ingestion-source/{ingestionSourceId}:
* get:
* summary: List archived emails for an ingestion source
* description: Returns a paginated list of archived emails belonging to the specified ingestion source. Requires `read:archive` permission.
* operationId: getArchivedEmails
* tags:
* - Archived Emails
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: ingestionSourceId
* in: path
* required: true
* description: The ID of the ingestion source to retrieve emails for.
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* - name: page
* in: query
* required: false
* description: Page number for pagination.
* schema:
* type: integer
* default: 1
* example: 1
* - name: limit
* in: query
* required: false
* description: Number of items per page.
* schema:
* type: integer
* default: 10
* example: 10
* responses:
* '200':
* description: Paginated list of archived emails.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/PaginatedArchivedEmails'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.get(
'/ingestion-source/:ingestionSourceId',
requirePermission('read', 'archive'),
archivedEmailController.getArchivedEmails
);
/**
* @openapi
* /v1/archived-emails/{id}:
* get:
* summary: Get a single archived email
* description: Retrieves the full details of a single archived email by ID, including attachments and thread. Requires `read:archive` permission.
* operationId: getArchivedEmailById
* tags:
* - Archived Emails
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* description: The ID of the archived email.
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '200':
* description: Archived email details.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ArchivedEmail'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
* '500':
* $ref: '#/components/responses/InternalServerError'
* delete:
* summary: Delete an archived email
* description: Permanently deletes an archived email by ID. Deletion must be enabled in system settings and the email must not be on legal hold. Requires `delete:archive` permission.
* operationId: deleteArchivedEmail
* tags:
* - Archived Emails
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* description: The ID of the archived email to delete.
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '204':
* description: Email deleted successfully. No content returned.
* '400':
* description: Deletion is disabled in system settings, or the email is blocked by a retention policy / legal hold.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.get(
'/:id',
requirePermission('read', 'archive'),

136
packages/backend/src/api/routes/auth.routes.ts
View File

@@ -5,23 +5,141 @@ export const createAuthRouter = (authController: AuthController): Router => {
const router = Router();
/**
* @route POST /api/v1/auth/setup
* @description Creates the initial administrator user.
* @access Public
* @openapi
* /v1/auth/setup:
* post:
* summary: Initial setup
* description: Creates the initial administrator user. Can only be called once when no users exist.
* operationId: authSetup
* tags:
* - Auth
* security: []
* requestBody:
* required: true
* content:
* application/json:
* schema:
* type: object
* required:
* - email
* - password
* - first_name
* - last_name
* properties:
* email:
* type: string
* format: email
* example: admin@example.com
* password:
* type: string
* format: password
* example: "securepassword123"
* first_name:
* type: string
* example: Admin
* last_name:
* type: string
* example: User
* responses:
* '201':
* description: Admin user created and logged in successfully.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/LoginResponse'
* '400':
* description: All fields are required.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '403':
* description: Setup has already been completed (users already exist).
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.post('/setup', authController.setup);
/**
* @route POST /api/v1/auth/login
* @description Authenticates a user and returns a JWT.
* @access Public
* @openapi
* /v1/auth/login:
* post:
* summary: Login
* description: Authenticates a user with email and password and returns a JWT access token.
* operationId: authLogin
* tags:
* - Auth
* security: []
* requestBody:
* required: true
* content:
* application/json:
* schema:
* type: object
* required:
* - email
* - password
* properties:
* email:
* type: string
* format: email
* example: user@example.com
* password:
* type: string
* format: password
* example: "securepassword123"
* responses:
* '200':
* description: Authentication successful.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/LoginResponse'
* '400':
* description: Email and password are required.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '401':
* description: Invalid credentials.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.post('/login', authController.login);
/**
* @route GET /api/v1/auth/status
* @description Checks if the application has been set up.
* @access Public
* @openapi
* /v1/auth/status:
* get:
* summary: Check setup status
* description: Returns whether the application has been set up (i.e., whether an admin user exists).
* operationId: authStatus
* tags:
* - Auth
* security: []
* responses:
* '200':
* description: Setup status returned.
* content:
* application/json:
* schema:
* type: object
* properties:
* needsSetup:
* type: boolean
* description: True if no admin user exists and setup is required.
* example: false
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.get('/status', authController.status);

142
packages/backend/src/api/routes/dashboard.routes.ts
View File

@@ -9,26 +9,168 @@ export const createDashboardRouter = (authService: AuthService): Router => {
router.use(requireAuth(authService));
/**
* @openapi
* /v1/dashboard/stats:
* get:
* summary: Get dashboard stats
* description: Returns high-level statistics including total archived emails, total storage used, and failed ingestions in the last 7 days. Requires `read:dashboard` permission.
* operationId: getDashboardStats
* tags:
* - Dashboard
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* responses:
* '200':
* description: Dashboard statistics.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/DashboardStats'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
*/
router.get(
'/stats',
requirePermission('read', 'dashboard', 'dashboard.permissionRequired'),
dashboardController.getStats
);
/**
* @openapi
* /v1/dashboard/ingestion-history:
* get:
* summary: Get ingestion history
* description: Returns time-series data of email ingestion counts for the last 30 days. Requires `read:dashboard` permission.
* operationId: getIngestionHistory
* tags:
* - Dashboard
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* responses:
* '200':
* description: Ingestion history wrapped in a `history` array.
* content:
* application/json:
* schema:
* type: object
* properties:
* history:
* type: array
* items:
* type: object
* properties:
* date:
* type: string
* format: date-time
* description: Truncated to day precision (UTC).
* count:
* type: integer
* required:
* - history
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
*/
router.get(
'/ingestion-history',
requirePermission('read', 'dashboard', 'dashboard.permissionRequired'),
dashboardController.getIngestionHistory
);
/**
* @openapi
* /v1/dashboard/ingestion-sources:
* get:
* summary: Get ingestion source summaries
* description: Returns a summary list of ingestion sources with their storage usage. Requires `read:dashboard` permission.
* operationId: getDashboardIngestionSources
* tags:
* - Dashboard
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* responses:
* '200':
* description: List of ingestion source summaries.
* content:
* application/json:
* schema:
* type: array
* items:
* $ref: '#/components/schemas/IngestionSourceStats'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
*/
router.get(
'/ingestion-sources',
requirePermission('read', 'dashboard', 'dashboard.permissionRequired'),
dashboardController.getIngestionSources
);
/**
* @openapi
* /v1/dashboard/recent-syncs:
* get:
* summary: Get recent sync activity
* description: Returns the most recent sync sessions across all ingestion sources. Requires `read:dashboard` permission.
* operationId: getRecentSyncs
* tags:
* - Dashboard
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* responses:
* '200':
* description: List of recent sync sessions.
* content:
* application/json:
* schema:
* type: array
* items:
* $ref: '#/components/schemas/RecentSync'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
*/
router.get(
'/recent-syncs',
requirePermission('read', 'dashboard', 'dashboard.permissionRequired'),
dashboardController.getRecentSyncs
);
/**
* @openapi
* /v1/dashboard/indexed-insights:
* get:
* summary: Get indexed email insights
* description: Returns top-sender statistics from the search index. Requires `read:dashboard` permission.
* operationId: getIndexedInsights
* tags:
* - Dashboard
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* responses:
* '200':
* description: Indexed email insights.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/IndexedInsights'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
*/
router.get(
'/indexed-insights',
requirePermission('read', 'dashboard', 'dashboard.permissionRequired'),

190
packages/backend/src/api/routes/iam.routes.ts
View File

@@ -10,16 +10,116 @@ export const createIamRouter = (iamController: IamController, authService: AuthS
router.use(requireAuth(authService));
/**
* @route GET /api/v1/iam/roles
* @description Gets all roles.
* @access Private
* @openapi
* /v1/iam/roles:
* get:
* summary: List all roles
* description: Returns all IAM roles. If predefined roles do not yet exist, they are created automatically. Requires `read:roles` permission.
* operationId: getRoles
* tags:
* - IAM
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* responses:
* '200':
* description: List of roles.
* content:
* application/json:
* schema:
* type: array
* items:
* $ref: '#/components/schemas/Role'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.get('/roles', requirePermission('read', 'roles'), iamController.getRoles);
/**
* @openapi
* /v1/iam/roles/{id}:
* get:
* summary: Get a role
* description: Returns a single IAM role by ID. Requires `read:roles` permission.
* operationId: getRoleById
* tags:
* - IAM
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '200':
* description: Role details.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/Role'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.get('/roles/:id', requirePermission('read', 'roles'), iamController.getRoleById);
/**
* Only super admin has the ability to modify existing roles or create new roles.
* @openapi
* /v1/iam/roles:
* post:
* summary: Create a role
* description: Creates a new IAM role with the given name and CASL policies. Requires `manage:all` (Super Admin) permission.
* operationId: createRole
* tags:
* - IAM
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* requestBody:
* required: true
* content:
* application/json:
* schema:
* type: object
* required:
* - name
* - policies
* properties:
* name:
* type: string
* example: "Compliance Officer"
* policies:
* type: array
* items:
* $ref: '#/components/schemas/CaslPolicy'
* responses:
* '201':
* description: Role created.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/Role'
* '400':
* description: Missing fields or invalid policy.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.post(
'/roles',
@@ -27,12 +127,94 @@ export const createIamRouter = (iamController: IamController, authService: AuthS
iamController.createRole
);
/**
* @openapi
* /v1/iam/roles/{id}:
* delete:
* summary: Delete a role
* description: Permanently deletes an IAM role. Requires `manage:all` (Super Admin) permission.
* operationId: deleteRole
* tags:
* - IAM
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '204':
* description: Role deleted. No content returned.
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.delete(
'/roles/:id',
requirePermission('manage', 'all', 'iam.requiresSuperAdminRole'),
iamController.deleteRole
);
/**
* @openapi
* /v1/iam/roles/{id}:
* put:
* summary: Update a role
* description: Updates the name or policies of an IAM role. Requires `manage:all` (Super Admin) permission.
* operationId: updateRole
* tags:
* - IAM
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* requestBody:
* required: true
* content:
* application/json:
* schema:
* type: object
* properties:
* name:
* type: string
* example: "Senior Compliance Officer"
* policies:
* type: array
* items:
* $ref: '#/components/schemas/CaslPolicy'
* responses:
* '200':
* description: Updated role.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/Role'
* '400':
* description: No update fields provided or invalid policy.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.put(
'/roles/:id',
requirePermission('manage', 'all', 'iam.requiresSuperAdminRole'),

292
packages/backend/src/api/routes/ingestion.routes.ts
View File

@@ -13,29 +13,321 @@ export const createIngestionRouter = (
// Secure all routes in this module
router.use(requireAuth(authService));
/**
* @openapi
* /v1/ingestion-sources:
* post:
* summary: Create an ingestion source
* description: Creates a new ingestion source and validates the connection. Returns the created source without credentials. Requires `create:ingestion` permission.
* operationId: createIngestionSource
* tags:
* - Ingestion
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* requestBody:
* required: true
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/CreateIngestionSourceDto'
* responses:
* '201':
* description: Ingestion source created successfully.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/SafeIngestionSource'
* '400':
* description: Invalid input or connection test failed.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '401':
* $ref: '#/components/responses/Unauthorized'
* get:
* summary: List ingestion sources
* description: Returns all ingestion sources accessible to the authenticated user. Credentials are excluded from the response. Requires `read:ingestion` permission.
* operationId: listIngestionSources
* tags:
* - Ingestion
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* responses:
* '200':
* description: Array of ingestion sources.
* content:
* application/json:
* schema:
* type: array
* items:
* $ref: '#/components/schemas/SafeIngestionSource'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.post('/', requirePermission('create', 'ingestion'), ingestionController.create);
router.get('/', requirePermission('read', 'ingestion'), ingestionController.findAll);
/**
* @openapi
* /v1/ingestion-sources/{id}:
* get:
* summary: Get an ingestion source
* description: Returns a single ingestion source by ID. Credentials are excluded. Requires `read:ingestion` permission.
* operationId: getIngestionSourceById
* tags:
* - Ingestion
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '200':
* description: Ingestion source details.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/SafeIngestionSource'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
* '500':
* $ref: '#/components/responses/InternalServerError'
* put:
* summary: Update an ingestion source
* description: Updates configuration for an existing ingestion source. Requires `update:ingestion` permission.
* operationId: updateIngestionSource
* tags:
* - Ingestion
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* requestBody:
* required: true
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/UpdateIngestionSourceDto'
* responses:
* '200':
* description: Updated ingestion source.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/SafeIngestionSource'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
* '500':
* $ref: '#/components/responses/InternalServerError'
* delete:
* summary: Delete an ingestion source
* description: Permanently deletes an ingestion source. Deletion must be enabled in system settings. Requires `delete:ingestion` permission.
* operationId: deleteIngestionSource
* tags:
* - Ingestion
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '204':
* description: Ingestion source deleted. No content returned.
* '400':
* description: Deletion disabled or constraint error.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.get('/:id', requirePermission('read', 'ingestion'), ingestionController.findById);
router.put('/:id', requirePermission('update', 'ingestion'), ingestionController.update);
router.delete('/:id', requirePermission('delete', 'ingestion'), ingestionController.delete);
/**
* @openapi
* /v1/ingestion-sources/{id}/import:
* post:
* summary: Trigger initial import
* description: Enqueues an initial import job for the ingestion source. This imports all historical emails. Requires `create:ingestion` permission.
* operationId: triggerInitialImport
* tags:
* - Ingestion
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '202':
* description: Initial import job accepted and queued.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/MessageResponse'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.post(
'/:id/import',
requirePermission('create', 'ingestion'),
ingestionController.triggerInitialImport
);
/**
* @openapi
* /v1/ingestion-sources/{id}/pause:
* post:
* summary: Pause an ingestion source
* description: Sets the ingestion source status to `paused`, stopping continuous sync. Requires `update:ingestion` permission.
* operationId: pauseIngestionSource
* tags:
* - Ingestion
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '200':
* description: Ingestion source paused. Returns the updated source.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/SafeIngestionSource'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.post('/:id/pause', requirePermission('update', 'ingestion'), ingestionController.pause);
/**
* @openapi
* /v1/ingestion-sources/{id}/sync:
* post:
* summary: Force sync
* description: Triggers an out-of-schedule continuous sync for the ingestion source. Requires `sync:ingestion` permission.
* operationId: triggerForceSync
* tags:
* - Ingestion
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '202':
* description: Force sync job accepted and queued.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/MessageResponse'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.post(
'/:id/sync',
requirePermission('sync', 'ingestion'),
ingestionController.triggerForceSync
);
/**
* @openapi
* /v1/ingestion-sources/{id}/unmerge:
* post:
* summary: Unmerge a child ingestion source
* description: Detaches a child source from its merge group, making it a standalone root source. Requires `update:ingestion` permission.
* operationId: unmergeIngestionSource
* tags:
* - Ingestion
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* responses:
* '200':
* description: Source unmerged. Returns the updated source.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/SafeIngestionSource'
* '400':
* description: Source is not merged into another source.
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
*/
router.post(
'/:id/unmerge',
requirePermission('update', 'ingestion'),
ingestionController.unmerge
);
return router;
};

59
packages/backend/src/api/routes/integrity.routes.ts Normal file
View File

@@ -0,0 +1,59 @@
import { Router } from 'express';
import { IntegrityController } from '../controllers/integrity.controller';
import { requireAuth } from '../middleware/requireAuth';
import { requirePermission } from '../middleware/requirePermission';
import { AuthService } from '../../services/AuthService';
export const integrityRoutes = (authService: AuthService): Router => {
const router = Router();
const controller = new IntegrityController();
router.use(requireAuth(authService));
/**
* @openapi
* /v1/integrity/{id}:
* get:
* summary: Check email integrity
* description: Verifies the SHA-256 hash of an archived email and all its attachments against the hashes stored at archival time. Returns per-item integrity results. Requires `read:archive` permission.
* operationId: checkIntegrity
* tags:
* - Integrity
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* description: UUID of the archived email to verify.
* schema:
* type: string
* format: uuid
* example: "550e8400-e29b-41d4-a716-446655440000"
* responses:
* '200':
* description: Integrity check results for the email and its attachments.
* content:
* application/json:
* schema:
* type: array
* items:
* $ref: '#/components/schemas/IntegrityCheckResult'
* '400':
* description: Invalid UUID format.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ValidationError'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.get('/:id', requirePermission('read', 'archive'), controller.checkIntegrity);
return router;
};

135
packages/backend/src/api/routes/jobs.routes.ts Normal file
View File

@@ -0,0 +1,135 @@
import { Router } from 'express';
import { JobsController } from '../controllers/jobs.controller';
import { requireAuth } from '../middleware/requireAuth';
import { requirePermission } from '../middleware/requirePermission';
import { AuthService } from '../../services/AuthService';
export const createJobsRouter = (authService: AuthService): Router => {
const router = Router();
const jobsController = new JobsController();
router.use(requireAuth(authService));
/**
* @openapi
* /v1/jobs/queues:
* get:
* summary: List all queues
* description: Returns all BullMQ job queues and their current job counts broken down by status. Requires `manage:all` (Super Admin) permission.
* operationId: getQueues
* tags:
* - Jobs
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* responses:
* '200':
* description: List of queue overviews.
* content:
* application/json:
* schema:
* type: object
* properties:
* queues:
* type: array
* items:
* $ref: '#/components/schemas/QueueOverview'
* example:
* queues:
* - name: ingestion
* counts:
* active: 0
* completed: 56
* failed: 4
* delayed: 3
* waiting: 0
* paused: 0
* - name: indexing
* counts:
* active: 0
* completed: 0
* failed: 0
* delayed: 0
* waiting: 0
* paused: 0
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.get(
'/queues',
requirePermission('manage', 'all', 'user.requiresSuperAdminRole'),
jobsController.getQueues
);
/**
* @openapi
* /v1/jobs/queues/{queueName}:
* get:
* summary: Get jobs in a queue
* description: Returns a paginated list of jobs within a specific queue, filtered by status. Requires `manage:all` (Super Admin) permission.
* operationId: getQueueJobs
* tags:
* - Jobs
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: queueName
* in: path
* required: true
* description: The name of the queue (e.g. `ingestion` or `indexing`).
* schema:
* type: string
* example: ingestion
* - name: status
* in: query
* required: false
* description: Filter jobs by status.
* schema:
* type: string
* enum: [active, completed, failed, delayed, waiting, paused]
* default: failed
* - name: page
* in: query
* required: false
* schema:
* type: integer
* default: 1
* - name: limit
* in: query
* required: false
* schema:
* type: integer
* default: 10
* responses:
* '200':
* description: Detailed view of the queue including paginated jobs.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/QueueDetails'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
* '404':
* description: Queue not found.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.get(
'/queues/:queueName',
requirePermission('manage', 'all', 'user.requiresSuperAdminRole'),
jobsController.getQueueJobs
);
return router;
};

62
packages/backend/src/api/routes/search.routes.ts
View File

@@ -12,6 +12,68 @@ export const createSearchRouter = (
router.use(requireAuth(authService));
/**
* @openapi
* /v1/search:
* get:
* summary: Search archived emails
* description: Performs a full-text search across indexed archived emails using Meilisearch. Requires `search:archive` permission.
* operationId: searchEmails
* tags:
* - Search
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: keywords
* in: query
* required: true
* description: The search query string.
* schema:
* type: string
* example: "invoice Q4"
* - name: page
* in: query
* required: false
* description: Page number for pagination.
* schema:
* type: integer
* default: 1
* example: 1
* - name: limit
* in: query
* required: false
* description: Number of results per page.
* schema:
* type: integer
* default: 10
* example: 10
* - name: matchingStrategy
* in: query
* required: false
* description: Meilisearch matching strategy. `last` returns results containing at least one keyword; `all` requires all keywords; `frequency` sorts by keyword frequency.
* schema:
* type: string
* enum: [last, all, frequency]
* default: last
* responses:
* '200':
* description: Search results.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/SearchResults'
* '400':
* description: Keywords parameter is required.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.get('/', requirePermission('search', 'archive'), searchController.search);
return router;

50
packages/backend/src/api/routes/settings.routes.ts
View File

@@ -7,10 +7,56 @@ import { AuthService } from '../../services/AuthService';
export const createSettingsRouter = (authService: AuthService): Router => {
const router = Router();
// Public route to get non-sensitive settings. settings read should not be scoped with a permission because all end users need the settings data in the frontend. However, for sensitive settings data, we need to add a new permission subject to limit access. So this route should only expose non-sensitive settings data.
/**
* @returns SystemSettings
* @openapi
* /v1/settings/system:
* get:
* summary: Get system settings
* description: >
* Returns non-sensitive system settings such as language, timezone, and feature flags.
* This endpoint is public — no authentication required. Sensitive settings are never exposed.
* operationId: getSystemSettings
* tags:
* - Settings
* responses:
* '200':
* description: Current system settings.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/SystemSettings'
* '500':
* $ref: '#/components/responses/InternalServerError'
* put:
* summary: Update system settings
* description: Updates system settings. Requires `manage:settings` permission.
* operationId: updateSystemSettings
* tags:
* - Settings
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* requestBody:
* required: true
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/SystemSettings'
* responses:
* '200':
* description: Updated system settings.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/SystemSettings'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
// Public route to get non-sensitive settings. All end users need the settings data in the frontend.
router.get('/system', settingsController.getSystemSettings);
// Protected route to update settings

54
packages/backend/src/api/routes/storage.routes.ts
View File

@@ -13,6 +13,60 @@ export const createStorageRouter = (
// Secure all routes in this module
router.use(requireAuth(authService));
/**
* @openapi
* /v1/storage/download:
* get:
* summary: Download a stored file
* description: >
* Downloads a file from the configured storage backend (local filesystem or S3-compatible).
* The path is sanitized to prevent directory traversal attacks.
* Requires `read:archive` permission.
* operationId: downloadFile
* tags:
* - Storage
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: path
* in: query
* required: true
* description: The relative storage path of the file to download.
* schema:
* type: string
* example: "open-archiver/emails/abc123.eml"
* responses:
* '200':
* description: The file content as a binary stream. The `Content-Disposition` header is set to trigger a browser download.
* headers:
* Content-Disposition:
* description: Attachment filename.
* schema:
* type: string
* example: 'attachment; filename="abc123.eml"'
* content:
* application/octet-stream:
* schema:
* type: string
* format: binary
* '400':
* description: File path is required or invalid.
* content:
* text/plain:
* schema:
* type: string
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* description: File not found in storage.
* content:
* text/plain:
* schema:
* type: string
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.get('/download', requirePermission('read', 'archive'), storageController.downloadFile);
return router;

49
packages/backend/src/api/routes/upload.routes.ts
View File

@@ -9,6 +9,55 @@ export const createUploadRouter = (authService: AuthService): Router => {
router.use(requireAuth(authService));
/**
* @openapi
* /v1/upload:
* post:
* summary: Upload a file
* description: >
* Uploads a file (PST, EML, MBOX, or other) to temporary storage for subsequent use in an ingestion source.
* Returns the storage path, which should be passed as `uploadedFilePath` when creating a file-based ingestion source.
* Requires `create:ingestion` permission.
* operationId: uploadFile
* tags:
* - Upload
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* requestBody:
* required: true
* content:
* multipart/form-data:
* schema:
* type: object
* properties:
* file:
* type: string
* format: binary
* description: The file to upload.
* responses:
* '200':
* description: File uploaded successfully. Returns the storage path.
* content:
* application/json:
* schema:
* type: object
* properties:
* filePath:
* type: string
* description: The storage path of the uploaded file. Use this as `uploadedFilePath` when creating a file-based ingestion source.
* example: "open-archiver/tmp/uuid-filename.pst"
* '400':
* description: Invalid multipart request.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '500':
* $ref: '#/components/responses/InternalServerError'
*/
router.post('/', requirePermission('create', 'ingestion'), uploadFile);
return router;

307
packages/backend/src/api/routes/user.routes.ts
View File

@@ -9,12 +9,235 @@ export const createUserRouter = (authService: AuthService): Router => {
router.use(requireAuth(authService));
/**
* @openapi
* /v1/users:
* get:
* summary: List all users
* description: Returns all user accounts in the system. Requires `read:users` permission.
* operationId: getUsers
* tags:
* - Users
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* responses:
* '200':
* description: List of users.
* content:
* application/json:
* schema:
* type: array
* items:
* $ref: '#/components/schemas/User'
* '401':
* $ref: '#/components/responses/Unauthorized'
*/
router.get('/', requirePermission('read', 'users'), userController.getUsers);
/**
* @openapi
* /v1/users/profile:
* get:
* summary: Get current user profile
* description: Returns the profile of the currently authenticated user.
* operationId: getProfile
* tags:
* - Users
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* responses:
* '200':
* description: Current user's profile.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/User'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
* patch:
* summary: Update current user profile
* description: Updates the email, first name, or last name of the currently authenticated user. Disabled in demo mode.
* operationId: updateProfile
* tags:
* - Users
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* requestBody:
* required: true
* content:
* application/json:
* schema:
* type: object
* properties:
* email:
* type: string
* format: email
* first_name:
* type: string
* last_name:
* type: string
* responses:
* '200':
* description: Updated user profile.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/User'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* description: Disabled in demo mode.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
*/
router.get('/profile', userController.getProfile);
router.patch('/profile', userController.updateProfile);
/**
* @openapi
* /v1/users/profile/password:
* post:
* summary: Update password
* description: Updates the password of the currently authenticated user. The current password must be provided for verification. Disabled in demo mode.
* operationId: updatePassword
* tags:
* - Users
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* requestBody:
* required: true
* content:
* application/json:
* schema:
* type: object
* required:
* - currentPassword
* - newPassword
* properties:
* currentPassword:
* type: string
* format: password
* newPassword:
* type: string
* format: password
* responses:
* '200':
* description: Password updated successfully.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/MessageResponse'
* '400':
* description: Current password is incorrect.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* description: Disabled in demo mode.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
*/
router.post('/profile/password', userController.updatePassword);
/**
* @openapi
* /v1/users/{id}:
* get:
* summary: Get a user
* description: Returns a single user by ID. Requires `read:users` permission.
* operationId: getUser
* tags:
* - Users
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '200':
* description: User details.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/User'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '404':
* $ref: '#/components/responses/NotFound'
*/
router.get('/:id', requirePermission('read', 'users'), userController.getUser);
/**
* Only super admin has the ability to modify existing users or create new users.
* @openapi
* /v1/users:
* post:
* summary: Create a user
* description: Creates a new user account and optionally assigns a role. Requires `manage:all` (Super Admin) permission.
* operationId: createUser
* tags:
* - Users
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* requestBody:
* required: true
* content:
* application/json:
* schema:
* type: object
* required:
* - email
* - first_name
* - last_name
* - password
* properties:
* email:
* type: string
* format: email
* example: jane.doe@example.com
* first_name:
* type: string
* example: Jane
* last_name:
* type: string
* example: Doe
* password:
* type: string
* format: password
* example: "securepassword123"
* roleId:
* type: string
* description: Optional role ID to assign to the user.
* example: "clx1y2z3a0000b4d2"
* responses:
* '201':
* description: User created.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/User'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
*/
router.post(
'/',
@@ -22,12 +245,94 @@ export const createUserRouter = (authService: AuthService): Router => {
userController.createUser
);
/**
* @openapi
* /v1/users/{id}:
* put:
* summary: Update a user
* description: Updates a user's email, name, or role assignment. Requires `manage:all` (Super Admin) permission.
* operationId: updateUser
* tags:
* - Users
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* requestBody:
* required: true
* content:
* application/json:
* schema:
* type: object
* properties:
* email:
* type: string
* format: email
* first_name:
* type: string
* last_name:
* type: string
* roleId:
* type: string
* responses:
* '200':
* description: Updated user.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/User'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
* '404':
* $ref: '#/components/responses/NotFound'
*/
router.put(
'/:id',
requirePermission('manage', 'all', 'user.requiresSuperAdminRole'),
userController.updateUser
);
/**
* @openapi
* /v1/users/{id}:
* delete:
* summary: Delete a user
* description: Permanently deletes a user. Cannot delete the last remaining user. Requires `manage:all` (Super Admin) permission.
* operationId: deleteUser
* tags:
* - Users
* security:
* - bearerAuth: []
* - apiKeyAuth: []
* parameters:
* - name: id
* in: path
* required: true
* schema:
* type: string
* example: "clx1y2z3a0000b4d2"
* responses:
* '204':
* description: User deleted. No content returned.
* '400':
* description: Cannot delete the only remaining user.
* content:
* application/json:
* schema:
* $ref: '#/components/schemas/ErrorMessage'
* '401':
* $ref: '#/components/responses/Unauthorized'
* '403':
* $ref: '#/components/responses/Forbidden'
*/
router.delete(
'/:id',
requirePermission('manage', 'all', 'user.requiresSuperAdminRole'),

169
packages/backend/src/api/server.ts Normal file
View File

@@ -0,0 +1,169 @@
import express, { Express } from 'express';
import cors from 'cors';
import dotenv from 'dotenv';
import { AuthController } from './controllers/auth.controller';
import { IngestionController } from './controllers/ingestion.controller';
import { ArchivedEmailController } from './controllers/archived-email.controller';
import { StorageController } from './controllers/storage.controller';
import { SearchController } from './controllers/search.controller';
import { IamController } from './controllers/iam.controller';
import { createAuthRouter } from './routes/auth.routes';
import { createIamRouter } from './routes/iam.routes';
import { createIngestionRouter } from './routes/ingestion.routes';
import { createArchivedEmailRouter } from './routes/archived-email.routes';
import { createStorageRouter } from './routes/storage.routes';
import { createSearchRouter } from './routes/search.routes';
import { createDashboardRouter } from './routes/dashboard.routes';
import { createUploadRouter } from './routes/upload.routes';
import { createUserRouter } from './routes/user.routes';
import { createSettingsRouter } from './routes/settings.routes';
import { apiKeyRoutes } from './routes/api-key.routes';
import { integrityRoutes } from './routes/integrity.routes';
import { createJobsRouter } from './routes/jobs.routes';
import { AuthService } from '../services/AuthService';
import { AuditService } from '../services/AuditService';
import { UserService } from '../services/UserService';
import { IamService } from '../services/IamService';
import { StorageService } from '../services/StorageService';
import { SearchService } from '../services/SearchService';
import { SettingsService } from '../services/SettingsService';
import i18next from 'i18next';
import FsBackend from 'i18next-fs-backend';
import i18nextMiddleware from 'i18next-http-middleware';
import path from 'path';
import { logger } from '../config/logger';
import { rateLimiter } from './middleware/rateLimiter';
import { config } from '../config';
import { OpenArchiverFeature } from '@open-archiver/types';
// Define the "plugin" interface
export interface ArchiverModule {
initialize: (app: Express, authService: AuthService) => Promise<void>;
name: OpenArchiverFeature;
}
export let authService: AuthService;
export async function createServer(modules: ArchiverModule[] = []): Promise<Express> {
// Load environment variables
dotenv.config();
// --- Environment Variable Validation ---
const { JWT_SECRET, JWT_EXPIRES_IN } = process.env;
if (!JWT_SECRET || !JWT_EXPIRES_IN) {
throw new Error(
'Missing required environment variables for the backend: JWT_SECRET, JWT_EXPIRES_IN.'
);
}
// --- Dependency Injection Setup ---
const auditService = new AuditService();
const userService = new UserService();
authService = new AuthService(userService, auditService, JWT_SECRET, JWT_EXPIRES_IN);
const authController = new AuthController(authService, userService);
const ingestionController = new IngestionController();
const archivedEmailController = new ArchivedEmailController();
const storageService = new StorageService();
const storageController = new StorageController(storageService);
const searchService = new SearchService();
const searchController = new SearchController();
const iamService = new IamService();
const iamController = new IamController(iamService);
const settingsService = new SettingsService();
// --- i18next Initialization ---
const initializeI18next = async () => {
const systemSettings = await settingsService.getSystemSettings();
const defaultLanguage = systemSettings?.language || 'en';
logger.info({ language: defaultLanguage }, 'Default language');
await i18next.use(FsBackend).init({
lng: defaultLanguage,
fallbackLng: defaultLanguage,
ns: ['translation'],
defaultNS: 'translation',
backend: {
loadPath: path.resolve(__dirname, '../locales/{{lng}}/{{ns}}.json'),
},
});
};
// Initialize i18next
await initializeI18next();
logger.info({}, 'i18next initialized');
// Configure the Meilisearch index on startup
logger.info({}, 'Configuring email index...');
await searchService.configureEmailIndex();
const app = express();
// --- CORS ---
app.use(
cors({
origin: process.env.APP_URL || 'http://localhost:3000',
credentials: true,
})
);
// Trust the proxy to get the real IP address of the client.
// This is important for audit logging and security.
app.set('trust proxy', true);
// --- Routes ---
const authRouter = createAuthRouter(authController);
const ingestionRouter = createIngestionRouter(ingestionController, authService);
const archivedEmailRouter = createArchivedEmailRouter(archivedEmailController, authService);
const storageRouter = createStorageRouter(storageController, authService);
const searchRouter = createSearchRouter(searchController, authService);
const dashboardRouter = createDashboardRouter(authService);
const iamRouter = createIamRouter(iamController, authService);
const uploadRouter = createUploadRouter(authService);
const userRouter = createUserRouter(authService);
const settingsRouter = createSettingsRouter(authService);
const apiKeyRouter = apiKeyRoutes(authService);
const integrityRouter = integrityRoutes(authService);
const jobsRouter = createJobsRouter(authService);
// Middleware for all other routes
app.use((req, res, next) => {
// exclude certain API endpoints from the rate limiter, for example status, system settings
const excludedPatterns = [/^\/v\d+\/auth\/status$/, /^\/v\d+\/settings\/system$/];
for (const pattern of excludedPatterns) {
if (pattern.test(req.path)) {
return next();
}
}
rateLimiter(req, res, next);
});
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
// i18n middleware
app.use(i18nextMiddleware.handle(i18next));
app.use(`/${config.api.version}/auth`, authRouter);
app.use(`/${config.api.version}/iam`, iamRouter);
app.use(`/${config.api.version}/upload`, uploadRouter);
app.use(`/${config.api.version}/ingestion-sources`, ingestionRouter);
app.use(`/${config.api.version}/archived-emails`, archivedEmailRouter);
app.use(`/${config.api.version}/storage`, storageRouter);
app.use(`/${config.api.version}/search`, searchRouter);
app.use(`/${config.api.version}/dashboard`, dashboardRouter);
app.use(`/${config.api.version}/users`, userRouter);
app.use(`/${config.api.version}/settings`, settingsRouter);
app.use(`/${config.api.version}/api-keys`, apiKeyRouter);
app.use(`/${config.api.version}/integrity`, integrityRouter);
app.use(`/${config.api.version}/jobs`, jobsRouter);
// Load all provided extension modules
for (const module of modules) {
await module.initialize(app, authService);
logger.info(`🏢 Enterprise module loaded: ${module.name}`);
}
app.get('/', (req, res) => {
res.send('Backend is running!!');
});
logger.info('✅ Core OSS modules loaded.');
return app;
}

13
packages/backend/src/config/api.ts
View File

@@ -1,8 +1,13 @@
import 'dotenv/config';
export const apiConfig = {
rateLimit: {
windowMs: process.env.RATE_LIMIT_WINDOW_MS ? parseInt(process.env.RATE_LIMIT_WINDOW_MS, 10) : 15 * 60 * 1000, // 15 minutes
max: process.env.RATE_LIMIT_MAX_REQUESTS ? parseInt(process.env.RATE_LIMIT_MAX_REQUESTS, 10) : 100, // limit each IP to 100 requests per windowMs
}
rateLimit: {
windowMs: process.env.RATE_LIMIT_WINDOW_MS
? parseInt(process.env.RATE_LIMIT_WINDOW_MS, 10)
: 1 * 60 * 1000, // 1 minutes
max: process.env.RATE_LIMIT_MAX_REQUESTS
? parseInt(process.env.RATE_LIMIT_MAX_REQUESTS, 10)
: 100, // limit each IP to 100 requests per windowMs
},
version: 'v1',
};

4
packages/backend/src/config/app.ts
View File

@@ -4,6 +4,8 @@ export const app = {
nodeEnv: process.env.NODE_ENV || 'development',
port: process.env.PORT_BACKEND ? parseInt(process.env.PORT_BACKEND, 10) : 4000,
encryptionKey: process.env.ENCRYPTION_KEY,
isDemo: process.env.IS_DEMO === 'true',
syncFrequency: process.env.SYNC_FREQUENCY || '* * * * *', //default to 1 minute
enableDeletion: process.env.ENABLE_DELETION === 'true',
allInclusiveArchive: process.env.ALL_INCLUSIVE_ARCHIVE === 'true',
isDemo: process.env.IS_DEMO === 'true',
};

3
packages/backend/src/config/index.ts
View File

@@ -1,6 +1,6 @@
import { storage } from './storage';
import { app } from './app';
import { searchConfig } from './search';
import { searchConfig, meiliConfig } from './search';
import { connection as redisConfig } from './redis';
import { apiConfig } from './api';
@@ -8,6 +8,7 @@ export const config = {
storage,
app,
search: searchConfig,
meili: meiliConfig,
redis: redisConfig,
api: apiConfig,
};

1
packages/backend/src/config/logger.ts
View File

@@ -2,6 +2,7 @@ import pino from 'pino';
export const logger = pino({
level: process.env.LOG_LEVEL || 'info',
redact: ['password'],
transport: {
target: 'pino-pretty',
options: {

7
packages/backend/src/config/redis.ts
View File

@@ -1,15 +1,20 @@
import 'dotenv/config';
import { type ConnectionOptions } from 'bullmq';
/**
* @see https://github.com/taskforcesh/bullmq/blob/master/docs/gitbook/guide/connections.md
*/
const connectionOptions: any = {
const connectionOptions: ConnectionOptions = {
host: process.env.REDIS_HOST || 'localhost',
port: (process.env.REDIS_PORT && parseInt(process.env.REDIS_PORT, 10)) || 6379,
password: process.env.REDIS_PASSWORD,
enableReadyCheck: true,
};
if (process.env.REDIS_USER) {
connectionOptions.username = process.env.REDIS_USER;
}
if (process.env.REDIS_TLS_ENABLED === 'true') {
connectionOptions.tls = {
rejectUnauthorized: false,

Some files were not shown because too many files have changed in this diff Show More