Skip to content

v1.0.6

Choose a tag to compare

@jiashuoz jiashuoz released this 27 Jun 00:23
bc8ce1b

Highlights

Breaking — email.received is now a metadata-only notification (#321)

email.received no longer embeds the message body (raw_message) or the raw auth_headers blob. Subscribers now fetch the full message (body + attachments + signed headers) from GET /v1/agents/{recipient}/messages/{message_id} using the message_id + recipient in the event — the same notify→fetch model client.listen() already uses. The raw auth_headers blob is replaced by a structured auth verdict ({spf, dkim, dmarc}, same shape as MessageView.auth) so agents keep their trust-decision input inline.

Why: bounds the webhook fan-out payload (no raw MIME / attachments amplified across N subscribers × retries) and stops shipping full message PII to every subscriber. Migrate any email.received consumer that read raw_message/auth_headers to the fetch model (auth is available inline).

Features & improvements

  • Envelope-encrypt DKIM private keys at rest (#322) — per-domain DKIM signing keys are now encrypted in the database.
  • Per-axis SES sending status (#309) — domains report which DNS record (DKIM vs MAIL FROM) still needs fixing, instead of an all-or-nothing rollup.
  • verify_domain detects a truncated/mismatched DKIM record (#312) — a clipped DKIM TXT now reports dkim: "mismatch" (distinct from missing) with a "re-publish the full value" hint, so it can't silently leave a domain stuck pending.
  • Forwarding carries the original message's attachments by default (#314).

Fixes

  • Inbound gate fails closed for shared-relay senders (#316, #299) — security hardening of the inbound authentication gate.
  • HTTP MCP server is now stateless (#317).
  • Events API gated on the outbox flag — returns 501 when disabled (#315).
  • SDK version-skew guardrails in CI (@e2a/sdk@4.0.0) (#310).
  • HITL approval buttons stack on mobile so they render correctly (#313).
  • Web: wrap long DNS/identity values so records & chips don't overflow (#311); stop overlaying the SPF probe onto the ownership DNS row (6ddd35c).

Docs

  • Webhook examples aligned with the metadata-only email.received (#323).
  • Documented the inbound gate's From-authentication limitation (#318, #320).

Full changelog: v1.0.5...v1.0.6