suitenumerique
diff --git a/‎Makefile‎
Lines changed: 4 additions & 4 deletions b/‎Makefile‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎compose.yaml‎
Lines changed: 1 addition & 0 deletions b/‎compose.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎env.d/development/backend.defaults‎
Lines changed: 3 additions & 1 deletion b/‎env.d/development/backend.defaults‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎env.d/development/backend.e2e‎
Lines changed: 4 additions & 0 deletions b/‎env.d/development/backend.e2e‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎env.d/development/client-bridge.e2e‎
Lines changed: 2 additions & 0 deletions b/‎env.d/development/client-bridge.e2e‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/backend/.pylintrc‎
Lines changed: 1 addition & 1 deletion b/‎src/backend/.pylintrc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/backend/core/api/serializers.py‎
Lines changed: 18 additions & 14 deletions b/‎src/backend/core/api/serializers.py‎
Lines changed: 18 additions & 14 deletions
diff --git a/‎src/backend/core/api/viewsets/config.py‎
Lines changed: 3 additions & 1 deletion b/‎src/backend/core/api/viewsets/config.py‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/backend/core/urls.py‎
Lines changed: 14 additions & 11 deletions b/‎src/backend/core/urls.py‎
Lines changed: 14 additions & 11 deletions
diff --git a/‎src/backend/e2e/management/commands/e2e_demo.py‎
Lines changed: 136 additions & 0 deletions b/‎src/backend/e2e/management/commands/e2e_demo.py‎
Lines changed: 136 additions & 0 deletions
@@ -135,7 +135,7 @@ logs: ## display all services logs (follow mode)
 .PHONY: logs
 
 start: ## start all development services
-	@$(COMPOSE) up --force-recreate --build -d frontend-dev backend-dev worker-dev mta-in --wait
+	@$(COMPOSE) up --force-recreate --build -d frontend-dev backend-dev worker-dev mta-in client-bridge --wait
 .PHONY: start
 
 start-minimal: ## start minimal services (backend, frontend, keycloak and DB)
@@ -361,21 +361,21 @@ logs-e2e: ## Show logs from e2e services
 
 test-e2e-bare: ## Run e2e tests in headless mode
 	@echo "$(BLUE)\n\n| 🎭 Running E2E tests... \n$(RESET)"
-	$(COMPOSE_E2E) run --rm --service-ports runner npm run test -- $(args)
+	$(COMPOSE_E2E) run --rm --service-ports e2e-runner npm run test -- $(args)
 	@echo "$(GREEN)> 🎭 E2E tests completed!$(RESET)\n"
 .PHONY: test-e2e-bare
 
 test-e2e-ui-bare: ## Run e2e tests in UI mode
 	@echo "$(BLUE)\n\n| 🎭 Running E2E tests in UI mode... \n$(RESET)"
 	# Note: || true allows graceful exit when user closes the UI
-	@$(COMPOSE_E2E) run --rm --service-ports runner npm run test:ui || true
+	@$(COMPOSE_E2E) run --rm --service-ports e2e-runner npm run test:ui || true
 	@echo "$(GREEN)> 🎭 You killed the UI!$(RESET)\n"
 .PHONY: test-e2e-ui-bare
 
 test-e2e-dev-bare: ## Run e2e tests in UI mode with dev frontend
 	@echo "$(BLUE)\n\n| 🎭 Running E2E tests in dev mode... \n$(RESET)"
 	# Note: || true allows graceful exit when user closes the UI
-	E2E_PROFILE=dev $(COMPOSE_E2E) --profile dev run --rm --service-ports runner npm run test:ui || true
+	E2E_PROFILE=dev $(COMPOSE_E2E) --profile dev run --rm --service-ports e2e-runner npm run test:ui || true
 	@echo "$(GREEN)> 🎭 You killed the UI!$(RESET)\n"
 .PHONY: test-e2e-dev-bare
 
 
@@ -121,6 +121,7 @@ services:
       mailcatcher:
         condition: service_started
 
+  # Minimal backend service for development tasks that don't require all service dependencies
   backend-db:
     extends: backend-base
     profiles:
 
@@ -101,7 +101,9 @@ FEATURE_AI_SUMMARY=False
 FEATURE_AI_AUTOLABELS=False
 
 # Client bridge (IMAP/SMTP email client access)
-FEATURE_CLIENTBRIDGE=False
+FEATURE_CLIENTBRIDGE=True
+FEATURE_MAILBOX_ADMIN_CHANNELS=widget,client-bridge
+CLIENTBRIDGE_PUBLIC_CONFIG={"imap_host":"localhost","imap_port":8919,"imap_security":"PLAIN","smtp_host":"localhost","smtp_port":8920,"smtp_security":"PLAIN"}
 
 # Third-party services
 # Drive - https://github.com/suitenumerique/drive
 
@@ -30,5 +30,9 @@ AWS_S3_DOMAIN_REPLACE=
 # Email configuration (use mailcatcher from main services or disable)
 EMAIL_BACKEND=django.core.mail.backends.console.EmailBackend
 
+# Client bridge (IMAP/SMTP email client access)
+FEATURE_CLIENTBRIDGE=True
+CLIENTBRIDGE_API_SECRET=e2e-shared-secret-clientbridge-at-least-32-bytes
+
 # Debug
 DJANGO_DEBUG=True
@@ -0,0 +1,2 @@
+MESSAGES_API_BASE_URL=http://backend:8000/api/v1.0/
+CLIENTBRIDGE_API_SECRET=e2e-shared-secret-clientbridge-at-least-32-bytes
@@ -7,7 +7,7 @@ extension-pkg-whitelist=pypff
 
 # Add files or directories to the blacklist. They should be base names, not
 # paths.
-ignore=migrations
+ignore=migrations,.venv
 
 # Add files or directories matching the regex patterns to the blacklist. The
 # regex matches against base names, not paths.
 
@@ -911,6 +911,7 @@ class Meta:
             "is_trashed",
             "is_archived",
             "has_attachments",
+            "mime_id",
             "signature",
             "stmsg_headers",
         ]
@@ -1499,9 +1500,9 @@ class Meta:
         read_only_fields = ["id", "mailbox", "maildomain", "created_at", "updated_at"]
 
     # Keys in settings that should be moved to encrypted_settings, per channel type.
-    ENCRYPTED_SETTINGS_KEYS = {
-        "client-bridge": ["password"],
-    }
+    # Note: client-bridge is NOT listed here — its passwords are always
+    # server-generated (on create or via rotate-password), never user-supplied.
+    ENCRYPTED_SETTINGS_KEYS = {}
 
     def _move_sensitive_settings(self, validated_data):
         """Move sensitive keys from settings to encrypted_settings."""
@@ -1529,19 +1530,15 @@ def _move_sensitive_settings(self, validated_data):
         return validated_data
 
     def create(self, validated_data):
-        validated_data = self._move_sensitive_settings(validated_data)
         if validated_data.get("type") == "client-bridge":
+            # Server-generated password — never accept user-supplied ones
             password = generate_base58_password()
-            validated_data.setdefault("encrypted_settings", {})
-            validated_data["encrypted_settings"]["password"] = password
-            # Remove any user-supplied password from settings
-            if "settings" in validated_data and "password" in (
-                validated_data["settings"] or {}
-            ):
-                validated_data["settings"].pop("password")
+            settings_data = validated_data.get("settings") or {}
+            settings_data.pop("password", None)
+            validated_data["settings"] = settings_data
+            validated_data["encrypted_settings"] = {"password": password}
             # Set default role if not provided
-            validated_data.setdefault("settings", {})
-            validated_data["settings"].setdefault("role", "sender")
+            settings_data.setdefault("role", "sender")
             # Validate role
             role = validated_data["settings"]["role"]
             if role not in enums.CLIENT_BRIDGE_ROLES:
@@ -1556,15 +1553,18 @@ def create(self, validated_data):
             # Stash password so the view can return it once
             instance._generated_password = password  # noqa: SLF001  # pylint: disable=protected-access
             return instance
+        validated_data = self._move_sensitive_settings(validated_data)
         return super().create(validated_data)
 
     def update(self, instance, validated_data):
-        validated_data = self._move_sensitive_settings(validated_data)
         channel_type = validated_data.get("type") or (
             instance.type if instance else None
         )
         if channel_type == "client-bridge":
+            # Strip any user-supplied password — passwords can only be
+            # changed via the dedicated rotate-password endpoint.
             settings_data = validated_data.get("settings") or {}
+            settings_data.pop("password", None)
             if "role" in settings_data:
                 if settings_data["role"] not in enums.CLIENT_BRIDGE_ROLES:
                     raise serializers.ValidationError(
@@ -1574,6 +1574,10 @@ def update(self, instance, validated_data):
                             }
                         }
                     )
+            # Prevent encrypted_settings from being overwritten
+            validated_data.pop("encrypted_settings", None)
+        else:
+            validated_data = self._move_sensitive_settings(validated_data)
         return super().update(instance, validated_data)
 
     def validate_settings(self, value):
 
@@ -231,6 +231,8 @@ def get(self, request):
 
         # Client-bridge connection settings
         if settings.FEATURE_CLIENTBRIDGE and settings.CLIENTBRIDGE_PUBLIC_CONFIG:
-            dict_settings["CLIENTBRIDGE_PUBLIC_CONFIG"] = settings.CLIENTBRIDGE_PUBLIC_CONFIG
+            dict_settings["CLIENTBRIDGE_PUBLIC_CONFIG"] = (
+                settings.CLIENTBRIDGE_PUBLIC_CONFIG
+            )
 
         return drf.response.Response(dict_settings)
@@ -248,17 +248,6 @@
         ProvisioningMailDomainView.as_view(),
         name="provisioning-maildomains",
     ),
-    # Client-bridge endpoints (IMAP/SMTP auth and message submission)
-    path(
-        f"api/{settings.API_VERSION}/client-bridge/auth/",
-        ClientBridgeAuthView.as_view(),
-        name="client-bridge-auth",
-    ),
-    path(
-        f"api/{settings.API_VERSION}/client-bridge/submit/",
-        ClientBridgeSubmitView.as_view(),
-        name="client-bridge-submit",
-    ),
     # Alias for MTA check endpoint
     path(
         f"api/{settings.API_VERSION}/mta/check-recipients/",
@@ -273,6 +262,20 @@
     ),
 ]
 
+if settings.FEATURE_CLIENTBRIDGE:
+    urlpatterns += [
+        path(
+            f"api/{settings.API_VERSION}/client-bridge/auth/",
+            ClientBridgeAuthView.as_view(),
+            name="client-bridge-auth",
+        ),
+        path(
+            f"api/{settings.API_VERSION}/client-bridge/submit/",
+            ClientBridgeSubmitView.as_view(),
+            name="client-bridge-submit",
+        ),
+    ]
+
 if settings.DRIVE_CONFIG.get("base_url"):
     urlpatterns += [
         path(
 
@@ -5,6 +5,10 @@
 for E2E testing across different browsers (chromium, firefox, webkit).
 """
 
+from email.mime.text import MIMEText
+from email.utils import format_datetime
+
+from django.conf import settings
 from django.core.management.base import BaseCommand
 from django.db import transaction
 from django.utils import timezone
@@ -21,6 +25,7 @@
 BROWSERS = ["chromium", "firefox", "webkit"]
 DOMAIN_NAME = "example.local"
 SHARED_MAILBOX_LOCAL_PART = "shared.e2e"
+CLIENTBRIDGE_APP_PASSWORD = "e2e-client-bridge-password"  # noqa: S105
 
 
 class Command(BaseCommand):
@@ -122,6 +127,18 @@ def handle(self, *args, **options):
         for browser in BROWSERS:
             self._create_outbox_test_data(domain, browser)
 
+        # Step 7: Create client-bridge channels and IMAP test data
+        if settings.FEATURE_CLIENTBRIDGE:
+            self.stdout.write(
+                "\n-- 6/6 📧 Creating client-bridge channels and IMAP test data"
+            )
+            for _user, mailbox in regular_users:
+                self._create_clientbridge_channel(mailbox)
+            self._create_clientbridge_channel(shared_mailbox)
+            # Create IMAP test messages on the first regular user's mailbox
+            _first_user, first_mailbox = regular_users[0]
+            self._create_imap_test_messages(first_mailbox, domain)
+
     def _create_user_with_mailbox(
         self, email, domain, is_domain_admin=False, is_superuser=False
     ):
@@ -387,3 +404,122 @@ def _create_thread_with_message(self, mailbox, sender_contact, subject, recipien
         thread.update_stats()
 
         return thread
+
+    def _create_clientbridge_channel(self, mailbox):
+        """Create a client-bridge channel with a known password for e2e testing."""
+        # Use the first user with admin access to this mailbox
+        access = models.MailboxAccess.objects.filter(
+            mailbox=mailbox, role=MailboxRoleChoices.ADMIN
+        ).first()
+        if not access:
+            self.stdout.write(
+                self.style.WARNING(
+                    f"  No admin user found for {mailbox}, skipping channel"
+                )
+            )
+            return
+
+        _channel, created = models.Channel.objects.get_or_create(
+            mailbox=mailbox,
+            type="client-bridge",
+            defaults={
+                "name": f"E2E client-bridge ({mailbox})",
+                "user": access.user,
+                "settings": {"role": "sender"},
+                "encrypted_settings": {"password": CLIENTBRIDGE_APP_PASSWORD},
+            },
+        )
+        if created:
+            self.stdout.write(
+                self.style.SUCCESS(f"  Created client-bridge channel for {mailbox}")
+            )
+        else:
+            self.stdout.write(
+                self.style.SUCCESS(
+                    f"  Client-bridge channel already exists for {mailbox}"
+                )
+            )
+
+    @staticmethod
+    def _make_eml(subject, sender_email, recipient_email, body, sent_at):
+        """Build a minimal RFC 5322 message and return raw bytes."""
+        msg = MIMEText(body, "plain")
+        msg["Subject"] = subject
+        msg["From"] = sender_email
+        msg["To"] = recipient_email
+        msg["Date"] = format_datetime(sent_at)
+        return msg.as_bytes()
+
+    def _create_imap_test_messages(self, mailbox, domain):
+        """Create messages for IMAP read/unread e2e testing.
+
+        Creates two threads with proper EML blobs so the client-bridge
+        can serve envelope data (subject, from, date) over IMAP.
+        """
+        sender_email = f"imap-sender@{domain.name}"
+        recipient_email = str(mailbox)
+        sender_contact, _ = models.Contact.objects.get_or_create(
+            email=sender_email,
+            mailbox=mailbox,
+            defaults={"name": "IMAP Test Sender"},
+        )
+
+        # Thread 1: an unread message
+        now = timezone.now()
+        thread1 = models.Thread.objects.create(subject="IMAP unread test")
+        models.ThreadAccess.objects.create(
+            thread=thread1,
+            mailbox=mailbox,
+            role=ThreadAccessRoleChoices.EDITOR,
+            read_at=None,  # No read_at → all messages unread
+        )
+        eml1 = self._make_eml(
+            "IMAP unread test",
+            sender_email,
+            recipient_email,
+            "This message should appear as unread in IMAP.",
+            now,
+        )
+        blob1 = mailbox.create_blob(content=eml1, content_type="message/rfc822")
+        models.Message.objects.create(
+            thread=thread1,
+            sender=sender_contact,
+            subject="IMAP unread test",
+            is_sender=False,
+            is_draft=False,
+            sent_at=now,
+            blob=blob1,
+        )
+        thread1.update_stats()
+
+        # Thread 2: a read message
+        sent_at2 = now - timezone.timedelta(minutes=5)
+        thread2 = models.Thread.objects.create(subject="IMAP read test")
+        models.ThreadAccess.objects.create(
+            thread=thread2,
+            mailbox=mailbox,
+            role=ThreadAccessRoleChoices.EDITOR,
+            read_at=now,  # read_at set → messages before this are read
+        )
+        eml2 = self._make_eml(
+            "IMAP read test",
+            sender_email,
+            recipient_email,
+            "This message should appear as read in IMAP.",
+            sent_at2,
+        )
+        blob2 = mailbox.create_blob(content=eml2, content_type="message/rfc822")
+        models.Message.objects.create(
+            thread=thread2,
+            sender=sender_contact,
+            subject="IMAP read test",
+            is_sender=False,
+            is_draft=False,
+            sent_at=sent_at2,
+            blob=blob2,
+        )
+        thread2.update_stats()
+
+        self.stdout.write(
+            self.style.SUCCESS(f"  Created IMAP test messages for {mailbox}")
+        )
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+MESSAGES_API_BASE_URL=http://backend:8000/api/v1.0/`
	`2`	`+CLIENTBRIDGE_API_SECRET=e2e-shared-secret-clientbridge-at-least-32-bytes`