feat: BaseMail v2 — multiple basename aliases, expiry tracking, settings API

- Add basename_aliases table for multi-handle support
- New /api/settings endpoints: GET/PUT settings, POST/DELETE alias, PUT primary
- Auto-migration middleware for new tables + notification_email column
- getBasenameExpiry() on-chain lookup via nameExpires()
- Insert alias on upgrade with is_primary=1 and expiry
- GET /api/register/basenames/:address public endpoint
- Email routing: alias handles resolve to wallet's inbox
- Dashboard Settings: notification email, basename list with expiry colors,
  add/remove aliases, switch primary handle
- Landing FAQ: basename expiry explanation
- Expiry color coding: green >90d, yellow 30-90d, orange 7-30d, red <7d

Author: CloudLobster

web/src/pages/Dashboard.tsx

@@ -1835,6 +1835,41 @@ function Settings({ auth, setAuth, onUpgrade, upgrading }: { auth: AuthState; se
   const [proError, setProError] = useState('');
   const [showProConfetti, setShowProConfetti] = useState(false);
 
+  // v2: Notification email, aliases, expiry
+  const [notifEmail, setNotifEmail] = useState('');
+  const [notifSaving, setNotifSaving] = useState(false);
+  const [notifSaved, setNotifSaved] = useState(false);
+  const [aliases, setAliases] = useState<{ id: string; handle: string; basename: string; is_primary: number; expiry: number | null }[]>([]);
+  const [newAliasInput, setNewAliasInput] = useState('');
+  const [aliasAdding, setAliasAdding] = useState(false);
+  const [aliasError, setAliasError] = useState('');
+  const [aliasMsg, setAliasMsg] = useState('');
+
+  // Load settings on mount
+  useEffect(() => {
+    apiFetch('/api/settings', auth.token).then(r => r.json()).then((data: any) => {
+      if (data.notification_email) setNotifEmail(data.notification_email);
+      if (data.aliases) setAliases(data.aliases);
+    }).catch(() => {});
+  }, [auth.token]);
+
+  function getExpiryColor(expiry: number | null): string {
+    if (!expiry) return 'text-gray-400';
+    const daysLeft = (expiry - Date.now() / 1000) / 86400;
+    if (daysLeft < 0) return 'text-red-500';
+    if (daysLeft < 7) return 'text-red-400';
+    if (daysLeft < 30) return 'text-orange-400';
+    if (daysLeft < 90) return 'text-yellow-400';
+    return 'text-green-400';
+  }
+
+  function getExpiryText(expiry: number | null): string {
+    if (!expiry) return 'Unknown';
+    const daysLeft = Math.floor((expiry - Date.now() / 1000) / 86400);
+    if (daysLeft < 0) return `Expired ${Math.abs(daysLeft)}d ago`;
+    return `${daysLeft}d remaining`;
+  }
+
   const fullEmail = `${auth.handle}@basemail.ai`;
   const hasBasename = !!auth.basename && !/^0x/i.test(auth.handle!);
   const altEmail = hasBasename ? `${auth.wallet.toLowerCase()}@basemail.ai` : null;
@@ -2064,6 +2099,148 @@ function Settings({ auth, setAuth, onUpgrade, upgrading }: { auth: AuthState; se
           </div>
         </div>
 
+        {/* Notification Email */}
+        <div className="bg-base-gray rounded-xl p-6 border border-gray-800">
+          <h3 className="font-bold mb-4">Notification Email</h3>
+          <p className="text-gray-400 text-sm mb-4">
+            Where to send expiry reminders and important notifications. Defaults to your BaseMail address.
+          </p>
+          <div className="flex gap-2">
+            <input
+              type="email"
+              value={notifEmail}
+              onChange={(e) => { setNotifEmail(e.target.value); setNotifSaved(false); }}
+              placeholder={`${auth.handle}@basemail.ai`}
+              className="flex-1 bg-base-dark border border-gray-700 rounded-lg px-4 py-2 text-white font-mono text-sm focus:outline-none focus:border-base-blue"
+            />
+            <button
+              onClick={async () => {
+                setNotifSaving(true);
+                try {
+                  await apiFetch('/api/settings', auth.token, {
+                    method: 'PUT',
+                    body: JSON.stringify({ notification_email: notifEmail }),
+                  });
+                  setNotifSaved(true);
+                } catch {}
+                setNotifSaving(false);
+              }}
+              disabled={notifSaving}
+              className="bg-base-blue text-white px-4 py-2 rounded-lg text-sm hover:bg-blue-600 transition disabled:opacity-50"
+            >
+              {notifSaving ? 'Saving...' : notifSaved ? 'Saved!' : 'Save'}
+            </button>
+          </div>
+        </div>
+
+        {/* Your Basenames */}
+        <div className="bg-base-gray rounded-xl p-6 border border-gray-800">
+          <h3 className="font-bold mb-4">Your Basenames</h3>
+          {aliases.length > 0 ? (
+            <div className="space-y-3 mb-4">
+              {aliases.map((a) => (
+                <div key={a.handle} className="flex items-center justify-between bg-base-dark rounded-lg p-3 border border-gray-700">
+                  <div className="flex items-center gap-3">
+                    <input
+                      type="radio"
+                      name="primary-alias"
+                      checked={a.is_primary === 1}
+                      onChange={async () => {
+                        try {
+                          const res = await apiFetch('/api/settings/primary', auth.token, {
+                            method: 'PUT',
+                            body: JSON.stringify({ handle: a.handle }),
+                          });
+                          const data = await res.json() as any;
+                          if (res.ok && data.token) {
+                            setAuth({ ...auth, token: data.token, handle: data.handle, basename: data.basename });
+                            // Reload aliases
+                            const sr = await apiFetch('/api/settings', data.token);
+                            const sd = await sr.json() as any;
+                            if (sd.aliases) setAliases(sd.aliases);
+                          }
+                        } catch {}
+                      }}
+                      className="accent-blue-500"
+                    />
+                    <div>
+                      <span className="font-mono text-sm text-base-blue">{a.handle}@basemail.ai</span>
+                      {a.is_primary === 1 && <span className="ml-2 text-xs bg-blue-900/50 text-blue-300 px-2 py-0.5 rounded">Primary</span>}
+                      <div className={`text-xs mt-0.5 ${getExpiryColor(a.expiry)}`}>
+                        {a.expiry ? (
+                          <>
+                            {getExpiryText(a.expiry)}
+                            {' · '}
+                            <a href={`https://www.base.org/names/${a.handle}`} target="_blank" rel="noopener noreferrer" className="text-base-blue hover:underline">Renew</a>
+                          </>
+                        ) : (
+                          <span className="text-gray-500">Expiry unknown</span>
+                        )}
+                      </div>
+                    </div>
+                  </div>
+                  {a.is_primary !== 1 && (
+                    <button
+                      onClick={async () => {
+                        await apiFetch(`/api/settings/alias/${a.handle}`, auth.token, { method: 'DELETE' });
+                        setAliases(aliases.filter(x => x.handle !== a.handle));
+                      }}
+                      className="text-gray-500 hover:text-red-400 text-xs"
+                    >
+                      Remove
+                    </button>
+                  )}
+                </div>
+              ))}
+            </div>
+          ) : (
+            <p className="text-gray-500 text-sm mb-4">No basename aliases configured yet.</p>
+          )}
+          <div className="flex gap-2">
+            <div className="flex-1 flex items-center bg-base-dark rounded-lg border border-gray-700 px-2">
+              <input
+                type="text"
+                value={newAliasInput}
+                onChange={(e) => { setNewAliasInput(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, '')); setAliasError(''); setAliasMsg(''); }}
+                placeholder="yourname"
+                className="flex-1 bg-transparent py-2 text-white font-mono text-sm focus:outline-none"
+              />
+              <span className="text-gray-500 font-mono text-xs">.base.eth</span>
+            </div>
+            <button
+              onClick={async () => {
+                if (!newAliasInput.trim()) return;
+                setAliasAdding(true);
+                setAliasError('');
+                setAliasMsg('');
+                try {
+                  const res = await apiFetch('/api/settings/alias', auth.token, {
+                    method: 'POST',
+                    body: JSON.stringify({ basename: `${newAliasInput.trim()}.base.eth` }),
+                  });
+                  const data = await res.json() as any;
+                  if (!res.ok) throw new Error(data.error);
+                  setAliasMsg(`Added ${data.handle}@basemail.ai`);
+                  setNewAliasInput('');
+                  // Reload
+                  const sr = await apiFetch('/api/settings', auth.token);
+                  const sd = await sr.json() as any;
+                  if (sd.aliases) setAliases(sd.aliases);
+                } catch (e: any) {
+                  setAliasError(e.message || 'Failed to add alias');
+                }
+                setAliasAdding(false);
+              }}
+              disabled={aliasAdding || !newAliasInput.trim()}
+              className="bg-base-blue text-white px-4 py-2 rounded-lg text-sm hover:bg-blue-500 transition disabled:opacity-50"
+            >
+              {aliasAdding ? 'Verifying...' : 'Add'}
+            </button>
+          </div>
+          {aliasError && <p className="text-red-400 text-xs mt-2">{aliasError}</p>}
+          {aliasMsg && <p className="text-green-400 text-xs mt-2">{aliasMsg}</p>}
+        </div>
+
         <div className="bg-base-gray rounded-xl p-6 border border-gray-800">
           <h3 className="font-bold mb-4">API Token</h3>
           <p className="text-gray-400 text-sm mb-4">

web/src/pages/Landing.tsx

@@ -538,6 +538,10 @@ export default function Landing() {
             q="Is there a Pro plan?"
             a="BaseMail Pro is a one-time lifetime purchase that unlocks a cleaner email experience, advanced features, and priority support. Available in the Dashboard settings after you register."
           />
+          <FAQItem
+            q="What happens if my Basename expires?"
+            a="Basenames are leased for 1 year. We'll send you reminders before expiry. During the 90-day grace period after expiry, your email continues to work but with a warning. After the grace period, your handle reverts to your wallet address (0x...@basemail.ai) and becomes available for the new Basename owner. Your email history is preserved under your wallet. Automated handle transfer for expired names is coming soon."
+          />
         </div>
       </section>
 

worker/src/basename-lookup.ts

@@ -115,6 +115,35 @@ export async function hasBasenameNFT(address: Address): Promise<boolean> {
   }
 }
 
+/**
+ * Get expiry timestamp for a Basename from on-chain nameExpires().
+ * Returns unix timestamp or 0 on error.
+ */
+export async function getBasenameExpiry(name: string): Promise<number> {
+  try {
+    const label = name.replace(/\.base\.eth$/, '');
+    const labelhash = keccak256(toBytes(label));
+    const tokenId = BigInt(labelhash);
+
+    const client = createPublicClient({ chain: base, transport: http(BASE_RPC) });
+    const expiry = await client.readContract({
+      abi: [{
+        inputs: [{ name: 'id', type: 'uint256' }],
+        name: 'nameExpires',
+        outputs: [{ name: '', type: 'uint256' }],
+        stateMutability: 'view',
+        type: 'function',
+      }],
+      address: BASENAME_REGISTRAR,
+      functionName: 'nameExpires',
+      args: [tokenId],
+    });
+    return Number(expiry);
+  } catch {
+    return 0;
+  }
+}
+
 /**
  * Extract handle from a Basename.
  * "alice.base.eth" → "alice"

worker/src/db/schema.sql

@@ -141,6 +141,23 @@ CREATE TABLE IF NOT EXISTS sender_reputation (
 
 CREATE UNIQUE INDEX IF NOT EXISTS idx_reputation_pair ON sender_reputation(sender_handle, recipient_handle);
 
+-- ═══════════════════════════════════════════════════
+-- BaseMail v2: Basename Aliases & Multi-Handle
+-- ═══════════════════════════════════════════════════
+
+CREATE TABLE IF NOT EXISTS basename_aliases (
+  id TEXT PRIMARY KEY,
+  wallet TEXT NOT NULL,
+  handle TEXT NOT NULL,
+  basename TEXT NOT NULL,
+  is_primary INTEGER NOT NULL DEFAULT 0,
+  expiry INTEGER,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+  FOREIGN KEY (wallet) REFERENCES accounts(wallet)
+);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_alias_handle ON basename_aliases(handle);
+CREATE INDEX IF NOT EXISTS idx_alias_wallet ON basename_aliases(wallet);
+
 -- ── QAF Scores (cached per recipient) ──
 CREATE TABLE IF NOT EXISTS qaf_scores (
     handle          TEXT PRIMARY KEY,

worker/src/email-handler.ts

@@ -39,6 +39,22 @@ export async function handleIncomingEmail(
     ).bind(handle).first<{ handle: string; webhook_url: string | null }>();
   }
 
+  // Alias fallback: check basename_aliases table
+  if (!account) {
+    try {
+      const alias = await env.DB.prepare(
+        'SELECT wallet FROM basename_aliases WHERE handle = ?'
+      ).bind(handle).first<{ wallet: string }>();
+      if (alias) {
+        account = await env.DB.prepare(
+          'SELECT handle, webhook_url FROM accounts WHERE wallet = ?'
+        ).bind(alias.wallet).first<{ handle: string; webhook_url: string | null }>();
+      }
+    } catch {
+      // basename_aliases table may not exist yet
+    }
+  }
+
   if (!account) {
     // 外部來信不預存，直接拒絕
     message.setReject(`Mailbox not found: ${toAddr}`);

worker/src/index.ts

@@ -19,6 +19,7 @@ import { waitlistRoutes } from './routes/waitlist';
 import { statsRoutes } from './routes/stats';
 import { keyRoutes } from './routes/keys';
 import { attentionRoutes } from './routes/attention';
+import { settingsRoutes } from './routes/settings';
 import { handleIncomingEmail } from './email-handler';
 
 const app = new Hono<AppBindings>();
@@ -449,6 +450,7 @@ app.route('/api/waitlist', waitlistRoutes);
 app.route('/api/stats', statsRoutes);
 app.route('/api/keys', keyRoutes);
 app.route('/api/attention', attentionRoutes);
+app.route('/api/settings', settingsRoutes);
 
 // 匯出 fetch handler (HTTP) 與 email handler (incoming mail)
 export default {

worker/src/routes/register.ts

@@ -1,7 +1,7 @@
 import { Hono } from 'hono';
 import { AppBindings } from '../types';
 import { authMiddleware, createToken } from '../auth';
-import { resolveHandle, basenameToHandle, verifyBasenameOwnership } from '../basename-lookup';
+import { resolveHandle, basenameToHandle, verifyBasenameOwnership, getBasenameExpiry, getBasenameForAddress } from '../basename-lookup';
 import { registerBasename, isBasenameAvailable, getBasenamePrice } from '../basename';
 import type { Hex, Address } from 'viem';
 import { formatEther, encodeFunctionData, namehash } from 'viem';
@@ -293,6 +293,18 @@ registerRoutes.put('/upgrade', authMiddleware(), async (c) => {
   ]);
   const migratedCount = batchResults[2]?.meta?.changes || 0;
 
+  // Insert into basename_aliases with is_primary=1
+  if (basenames) {
+    const aliasId = `alias-${Date.now().toString(36)}-${crypto.randomUUID().slice(0, 8)}`;
+    let expiry = 0;
+    try { expiry = await getBasenameExpiry(basenames); } catch {}
+    await c.env.DB.prepare(
+      `INSERT INTO basename_aliases (id, wallet, handle, basename, is_primary, expiry)
+       VALUES (?, ?, ?, ?, 1, ?)
+       ON CONFLICT(handle) DO UPDATE SET is_primary = 1, expiry = ?`
+    ).bind(aliasId, auth.wallet, newHandle, basenames, expiry || null, expiry || null).run();
+  }
+
   // 發新 token
   const secret = c.env.JWT_SECRET!;
   const newToken = await createToken({ wallet: auth.wallet, handle: newHandle }, secret);
@@ -556,6 +568,40 @@ registerRoutes.get('/buy-data/:name', async (c) => {
   }
 });
 
+/**
+ * GET /api/register/basenames/:address
+ * Public endpoint — returns Basenames owned by a wallet (via reverse resolution).
+ */
+registerRoutes.get('/basenames/:address', async (c) => {
+  const address = c.req.param('address');
+  if (!/^0x[a-fA-F0-9]{40}$/i.test(address)) {
+    return c.json({ error: 'Invalid address' }, 400);
+  }
+
+  const basename = await getBasenameForAddress(address.toLowerCase() as Address);
+  const basenames: { name: string; handle: string; expiry: number }[] = [];
+
+  if (basename) {
+    const handle = basenameToHandle(basename);
+    let expiry = 0;
+    try { expiry = await getBasenameExpiry(basename); } catch {}
+    basenames.push({ name: basename, handle, expiry });
+  }
+
+  // Also check aliases stored in DB
+  const aliases = await c.env.DB.prepare(
+    'SELECT handle, basename, expiry FROM basename_aliases WHERE wallet = ?'
+  ).bind(address.toLowerCase()).all<{ handle: string; basename: string; expiry: number | null }>();
+
+  for (const a of (aliases.results || [])) {
+    if (!basenames.find(b => b.handle === a.handle)) {
+      basenames.push({ name: a.basename, handle: a.handle, expiry: a.expiry || 0 });
+    }
+  }
+
+  return c.json({ address: address.toLowerCase(), basenames });
+});
+
 function isValidBasename(name: string): boolean {
   if (name.length < 3 || name.length > 32) return false;
   return /^[a-z0-9][a-z0-9_-]*[a-z0-9]$/.test(name);