P5-PR4: HumbleFax IMAP scaffold (disabled by default) — offload blocking IMAP ops to thread; PDF-only, sanitized filenames, caps on count/MB; no PHI in logs; background start/stop hooks

Author: DMontgomery40

api/app/main.py

@@ -32,6 +32,7 @@
 from .phaxio_service import get_phaxio_service
 from .sinch_service import get_sinch_service
 from .signalwire_service import get_signalwire_service
+from .services.imap_humblefax import HumbleFaxImapWorker
 from .config_loader import load_provider_secrets
 from .providers import sinch as sinch_inbound_adapter
 from .providers import phaxio as phaxio_inbound_adapter
@@ -82,6 +83,8 @@
 # Expose phaxio_service module for tests that reference app.phaxio_service
 from . import phaxio_service as _phaxio_module  # noqa: E402
 app.phaxio_service = _phaxio_module  # type: ignore[attr-defined]
+app.state.hf_imap_worker = None  # type: ignore[attr-defined]
+app.state.hf_imap_task = None    # type: ignore[attr-defined]
 
 # Log documented credential fallbacks (no secret values)
 try:
@@ -168,6 +171,36 @@ def require_admin(x_api_key: Optional[str] = Header(default=None)):
         raise HTTPException(401, detail="Admin authentication failed")
     return info
 
+
+# ===== Phase 5: HumbleFax IMAP worker (disabled by default) =====
+@app.on_event("startup")
+async def _start_hf_imap_worker():
+    try:
+        worker = HumbleFaxImapWorker()
+        if worker.enabled and worker.configured():
+            app.state.hf_imap_worker = worker  # type: ignore[attr-defined]
+            app.state.hf_imap_task = asyncio.create_task(worker.run_forever())  # type: ignore[attr-defined]
+    except Exception:
+        # Non-fatal; worker stays disabled
+        pass
+
+
+@app.on_event("shutdown")
+async def _stop_hf_imap_worker():
+    try:
+        w = getattr(app.state, "hf_imap_worker", None)
+        t = getattr(app.state, "hf_imap_task", None)
+        if w is not None:
+            w.stop()
+        if t is not None:
+            # Give it a moment to wind down
+            try:
+                await asyncio.wait_for(t, timeout=2)
+            except Exception:
+                pass
+    except Exception:
+        pass
+
 router_cfg_v4 = APIRouter(prefix="/admin/config/v4", tags=["ConfigurationV4"], dependencies=[Depends(require_admin)])
 
 

api/app/services/imap_humblefax.py

@@ -0,0 +1,186 @@
+"""
+HumbleFax IMAP polling scaffold (Phase 5):
+
+- Disabled by default; enable with HUMBLEFAX_IMAP_ENABLED=true
+- Offloads blocking IMAP ops to a thread to avoid blocking the event loop
+- PDF-only attachments; sanitize filenames; cap count and total bytes
+- No PHI in logs; records inbound faxes with minimal canonical fields
+"""
+
+from __future__ import annotations
+
+import imaplib
+import email
+from email.message import Message
+import os
+import time
+import hashlib
+from pathlib import Path
+from typing import List, Tuple, Optional
+
+import anyio
+
+from ..config import settings
+from ..db import SessionLocal
+from ..audit import audit_event
+
+
+def _env_bool(name: str, default: bool = False) -> bool:
+    v = os.getenv(name, str(default).lower())
+    return str(v).lower() in {"1", "true", "yes", "on"}
+
+
+def _sanitize_filename(name: str) -> str:
+    base = name.replace("\\", "/").split("/")[-1]
+    # keep alnum, dash, underscore, dot
+    safe = "".join(ch for ch in base if ch.isalnum() or ch in {"-", "_", "."})
+    if not safe:
+        safe = "attachment.pdf"
+    return safe[:128]
+
+
+class HumbleFaxImapWorker:
+    def __init__(self) -> None:
+        self.enabled = _env_bool("HUMBLEFAX_IMAP_ENABLED", False)
+        self.server = os.getenv("HUMBLEFAX_IMAP_SERVER", "")
+        self.username = os.getenv("HUMBLEFAX_IMAP_USERNAME", "")
+        self.password = os.getenv("HUMBLEFAX_IMAP_PASSWORD", "")
+        self.port = int(os.getenv("HUMBLEFAX_IMAP_PORT", "993") or "993")
+        self.use_ssl = _env_bool("HUMBLEFAX_IMAP_SSL", True)
+        self.poll_seconds = max(30, int(os.getenv("HUMBLEFAX_IMAP_POLL_INTERVAL", "300") or "300"))
+        self.max_attach_count = max(1, int(os.getenv("HUMBLEFAX_IMAP_MAX_ATTACH_COUNT", "3") or "3"))
+        self.max_attach_mb = max(1, int(os.getenv("HUMBLEFAX_IMAP_MAX_ATTACH_MB", "25") or "25"))
+        self._stop = False
+
+    def configured(self) -> bool:
+        return bool(self.server and self.username and self.password)
+
+    async def run_forever(self) -> None:
+        if not self.enabled or not self.configured():
+            return
+        while not self._stop:
+            try:
+                await anyio.to_thread.run_sync(self._poll_once)
+            except Exception:
+                # Swallow errors; back off briefly
+                await anyio.sleep(5)
+            # Jittered backoff around poll interval (±10%)
+            jitter = max(1, int(self.poll_seconds * 0.1))
+            await anyio.sleep(self.poll_seconds - jitter)
+            await anyio.sleep(jitter)
+
+    def stop(self) -> None:
+        self._stop = True
+
+    def _connect(self) -> imaplib.IMAP4:
+        if self.use_ssl:
+            return imaplib.IMAP4_SSL(self.server, self.port)
+        return imaplib.IMAP4(self.server, self.port)
+
+    def _poll_once(self) -> None:
+        """Blocking IMAP poll — runs in a worker thread."""
+        try:
+            imap = self._connect()
+        except Exception:
+            return
+        try:
+            imap.login(self.username, self.password)
+            imap.select("INBOX")
+            typ, data = imap.search(None, 'UNSEEN')
+            if typ != 'OK':
+                return
+            uids = (data[0].decode().split() if data and data[0] else [])
+            for uid in uids:
+                try:
+                    self._process_message(imap, uid)
+                    # Mark seen
+                    try:
+                        imap.store(uid, '+FLAGS', '(\\Seen)')
+                    except Exception:
+                        pass
+                except Exception:
+                    # Skip on error, continue with next message
+                    continue
+        finally:
+            try:
+                imap.logout()
+            except Exception:
+                pass
+
+    def _process_message(self, imap: imaplib.IMAP4, uid: str) -> None:
+        typ, msg_data = imap.fetch(uid, '(RFC822)')
+        if typ != 'OK' or not msg_data:
+            return
+        raw = None
+        for part in msg_data:
+            if isinstance(part, tuple):
+                raw = part[1]
+                break
+        if not raw:
+            return
+        msg: Message = email.message_from_bytes(raw)
+        attach_saved = 0
+        total_bytes = 0
+        for part in msg.walk():
+            if part.get_content_disposition() != 'attachment':
+                continue
+            filename = part.get_filename() or 'attachment.pdf'
+            safe_name = _sanitize_filename(filename)
+            ctype = (part.get_content_type() or '').lower()
+            if not safe_name.lower().endswith('.pdf') and 'pdf' not in ctype:
+                continue
+            payload = part.get_payload(decode=True) or b''
+            size = len(payload)
+            # Enforce caps
+            if attach_saved >= self.max_attach_count:
+                break
+            if (total_bytes + size) > (self.max_attach_mb * 1024 * 1024):
+                break
+
+            # Persist safely into fax data dir
+            job_id = email.utils.make_msgid().strip('<>') or str(int(time.time()))
+            out_dir = Path(settings.fax_data_dir) / 'inbound' / 'humblefax'
+            out_dir.mkdir(parents=True, exist_ok=True)
+            out_path = out_dir / f"{job_id}-{safe_name}"
+            with open(out_path, 'wb') as f:
+                f.write(payload)
+            sha256_hex = hashlib.sha256(payload).hexdigest()
+
+            # Record in DB (minimal canonical fields)
+            from ..db import InboundFax  # type: ignore
+            from datetime import datetime
+            with SessionLocal() as db:
+                fx = InboundFax(
+                    id=job_id,
+                    from_number=None,
+                    to_number=None,
+                    status='received',
+                    backend='humblefax',
+                    inbound_backend='humblefax',
+                    provider_sid=uid,
+                    pages=None,
+                    size_bytes=size,
+                    sha256=sha256_hex,
+                    pdf_path=str(out_path),
+                    tiff_path=None,
+                    mailbox_label='imap',
+                    retention_until=None,
+                    pdf_token=None,
+                    pdf_token_expires_at=None,
+                    created_at=datetime.utcnow(),
+                    received_at=datetime.utcnow(),
+                    updated_at=datetime.utcnow(),
+                )
+                try:
+                    db.add(fx)
+                    db.commit()
+                except Exception:
+                    db.rollback()
+            try:
+                audit_event('inbound_received', job_id=job_id, backend='humblefax')
+            except Exception:
+                pass
+
+            attach_saved += 1
+            total_bytes += size
+

scripts/fix_build_workflow.sh

@@ -0,0 +1,157 @@
+#!/bin/bash
+# Quick fix to make build.yml work for direct pushes too
+
+echo "=== Fixing build.yml to work with direct pushes ==="
+echo ""
+echo "The build workflow currently only runs contracts on PRs."
+echo "This change will make it run on both PRs and direct pushes."
+echo ""
+
+# Create the fixed version
+cat > .github/workflows/build.yml.fixed << 'EOF'
+name: CI
+
+on:
+  pull_request:
+    paths:
+      - "api/**"
+      - "api/admin_ui/**"
+      - "config/**"
+      - ".github/workflows/**"
+      - "Dockerfile*"
+  push:
+    branches: [ "**" ]
+
+jobs:
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      api: ${{ steps.filter.outputs.api }}
+      ui:  ${{ steps.filter.outputs.ui }}
+      docs: ${{ steps.filter.outputs.docs }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            api:
+              - 'api/**'
+              - 'Dockerfile'
+            ui:
+              - 'api/admin_ui/**'
+              - 'api/admin_ui/Dockerfile'
+            docs:
+              - 'docs/**'
+              - 'config/provider_traits.json'
+
+  contracts:
+    needs: changes
+    # FIXED: Run on both PRs and pushes to auto-tunnel/development
+    if: ${{ github.event_name == 'pull_request' || (github.event_name == 'push' && (github.ref == 'refs/heads/auto-tunnel' || github.ref == 'refs/heads/development')) }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Install Python deps for OpenAPI generation
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r api/requirements.txt
+      - name: Install jsonschema
+        run: |
+          python -m pip install --upgrade pip
+          pip install jsonschema
+      - name: Install ripgrep for contract greps
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ripgrep
+      - name: Validate provider traits
+        run: |
+          python scripts/ci/validate_provider_traits.py
+      - name: Generate OpenAPI (FastAPI app.openapi)
+        run: |
+          python - << 'PY'
+          import os, sys, json
+          sys.path.insert(0, 'api')
+          os.environ.setdefault('FAXBOT_TEST_MODE', 'true')
+          os.environ.setdefault('FAX_DISABLED', 'true')
+          os.environ.setdefault('DATABASE_URL', 'sqlite:///./test_openapi_ci_build.yml.db')
+          from app.main import app
+          spec = app.openapi()
+          with open('openapi.json', 'w') as f:
+              json.dump(spec, f, indent=2)
+          print('✅ Generated openapi.json')
+          PY
+      - name: Diff against pinned snapshot (if present)
+        run: |
+          if [ -f docs/pinned-openapi.json ]; then
+            echo "Pinned snapshot found. Running diff..."
+            python scripts/ci/diff_openapi.py || (echo "OpenAPI drift" && exit 1)
+          else
+            echo "No pinned snapshot at docs/pinned-openapi.json; skipping diff (green)."
+          fi
+      - name: Contract greps
+        run: bash scripts/ci/greps.sh
+
+  build-api:
+    needs: [changes, contracts]
+    if: needs.changes.outputs.api == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build API with cache
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          tags: ghcr.io/${{ toLower(github.repository_owner) }}/faxbot-api:pr-${{ github.run_id }}
+          cache-from: type=registry,ref=ghcr.io/${{ toLower(github.repository_owner) }}/faxbot-api:cache
+          cache-to:   type=registry,ref=ghcr.io/${{ toLower(github.repository_owner) }}/faxbot-api:cache,mode=max
+          build-args: |
+            BUILDKIT_INLINE_CACHE=1
+
+  build-ui:
+    needs: [changes, contracts]
+    if: needs.changes.outputs.ui == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18
+          cache: 'npm'
+          cache-dependency-path: api/admin_ui/package-lock.json
+      - name: Install UI deps
+        working-directory: api/admin_ui
+        run: npm ci --prefer-offline --no-audit
+      - name: Typecheck + build
+        working-directory: api/admin_ui
+        run: npm run build
+EOF
+
+echo "Fixed version created at .github/workflows/build.yml.fixed"
+echo ""
+echo "The change: contracts job will now run on:"
+echo "  - All pull requests (as before)"
+echo "  - Direct pushes to auto-tunnel branch"
+echo "  - Direct pushes to development branch"
+echo ""
+echo "To apply this fix:"
+echo "  mv .github/workflows/build.yml.fixed .github/workflows/build.yml"
+echo "  git add .github/workflows/build.yml"
+echo "  git commit -m 'fix(ci): Allow build workflow to run on direct pushes to auto-tunnel'"
+echo "  git push"