chore: ignore .claude/ dir (CLAUDE.md now lives under .claude/)

Signed-off-by: disqualifier <dev@disqualifier.me>

.gitignore

@@ -1,5 +1,5 @@
 # claude
-CLAUDE.md
+.claude/
 
 # python
 __pycache__/

README.md

@@ -11,21 +11,23 @@ This reads codes from email; it does not generate them (that is `pyotp`'s job).
 `requirements.txt`:
 
 ```
-aiomail @ git+ssh://git@git.rethinkstudios.io/rethink-public/aiomail.git@v0.1.0
+aiomail @ git+ssh://git@git.rethinkstudios.io/rethink-public/aiomail.git@v0.1.5
 # OAuth token providers (Microsoft / Google) need the extra:
-aiomail[oauth] @ git+ssh://git@git.rethinkstudios.io/rethink-public/aiomail.git@v0.1.0
+aiomail[oauth] @ git+ssh://git@git.rethinkstudios.io/rethink-public/aiomail.git@v0.1.5
 ```
 
 Direct:
 
 ```bash
-pip install "aiomail @ git+ssh://git@git.rethinkstudios.io/rethink-public/aiomail.git@v0.1.0"
+pip install "aiomail @ git+ssh://git@git.rethinkstudios.io/rethink-public/aiomail.git@v0.1.5"
-pip install "aiomail[oauth] @ git+ssh://git@git.rethinkstudios.io/rethink-public/aiomail.git@v0.1.0"
+pip install "aiomail[oauth] @ git+ssh://git@git.rethinkstudios.io/rethink-public/aiomail.git@v0.1.5"
 ```
 
 Requires `aioimaplib` and `beautifulsoup4` (pulled transitively). The `oauth`
 extra adds `aiohttp` for the refresh-token providers.
 
+Drop the `@v0.1.5` suffix from the line above to install the latest unpinned.
+
 ## Password auth
 
 ```python

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "aiomail"
-version = "0.1.0"
+version = "0.1.5"
 description = "async IMAP one-time-code retrieval with password/OAuth2 auth and dynamic matching"
 requires-python = ">=3.10"
 dependencies = [

src/aiomail/__init__.py

@@ -29,4 +29,4 @@ __all__ = [
     "DEFAULT_FOLDERS",
 ]
 
-__version__ = "0.1.0"
+__version__ = "0.1.5"

src/aiomail/auth.py

@@ -38,6 +38,15 @@ class PasswordAuth:
             raise RuntimeError(f"login failed: {result} {data}")
 
 
+def _as_str(token) -> str:
+    """coerce a token to str (a provider may hand back bytes)
+
+    both XOAUTH2 entrypoints downstream need a str (one .encode()s it, the SASL
+    builder interpolates it), so normalize here rather than crashing on bytes.
+    """
+    return token.decode() if isinstance(token, bytes) else token
+
+
 def _sasl_xoauth2(user: str, token: str) -> str:
     """build the base64 XOAUTH2 SASL initial-response string"""
     raw = f"user={user}\x01auth=Bearer {token}\x01\x01".encode()
@@ -71,18 +80,23 @@ class OAuth2Auth:
             token = await result if hasattr(result, "__await__") else result
             if not token:
                 raise RuntimeError("token provider returned an empty token")
-            return token
+            return _as_str(token)
-        return self._token  # type: ignore[return-value]
+        return _as_str(self._token)  # type: ignore[arg-type]
 
     async def authenticate(self, mail) -> None:
         token = await self._resolve_token()
-        # aioimaplib exposes mail.xoauth2(user, token: bytes) — note the token must
+        # aioimaplib's mail.xoauth2(user, token) builds the SASL string by f-string
-        # be bytes, not str. older/other clients that lack it but expose a generic
+        # interpolating the token, so token MUST be str — passing bytes interpolates
-        # authenticate() are driven via the SASL string from _sasl_xoauth2.
+        # the b'...' repr and corrupts the Bearer value. _resolve_token already
+        # returns str (via _as_str). clients lacking .xoauth2 are driven via the
+        # SASL callback from _sasl_xoauth2.
         xoauth2 = getattr(mail, "xoauth2", None)
         if xoauth2 is not None:
-            result, data = await xoauth2(self.user, token.encode())
+            result, data = await xoauth2(self.user, token)
         elif hasattr(mail, "authenticate"):
+            # escape hatch for a non-aioimaplib client: the shipped aioimaplib IMAP4
+            # always has .xoauth2 and never .authenticate, so this branch never runs
+            # for it; the SASL-callback signature here is untested against any driver
             result, data = await mail.authenticate(
                 "XOAUTH2", lambda _: _sasl_xoauth2(self.user, token)
             )

src/aiomail/client.py

@@ -9,6 +9,7 @@ import asyncio
 import email
 import email.message
 import logging
+import re
 from typing import List, Optional
 
 from aioimaplib import IMAP4, IMAP4_SSL
@@ -17,6 +18,22 @@ from .auth import Auth
 
 log = logging.getLogger(__name__)
 
+# IMAP LIST reply: (flags) "<delim>" <name>  — delim is server-defined (often "/" or
+# "." or NIL); capture the trailing name regardless, quoted or bare
+_LIST_RE = re.compile(rb'^\([^)]*\)\s+(?:"[^"]*"|NIL)\s+(.+)$')
+
+
+def _folder_name(raw: bytes) -> str:
+    """extract the folder name from a LIST reply line, delimiter-agnostic
+
+    parses the real reply form `(flags) "<delim>" <name>` so any server hierarchy
+    delimiter works (not just "/"); falls back to the last quoted/space token if the
+    line doesn't match the canonical shape.
+    """
+    match = _LIST_RE.match(raw.strip())
+    name = match.group(1).decode() if match else raw.decode().rsplit(" ", 1)[-1]
+    return name.strip().strip('"')
+
 
 class IMAPClient:
     """connection-managing IMAP client driven by an injected auth mechanism
@@ -67,10 +84,34 @@ class IMAPClient:
                 return True
             except Exception as exc:
                 log.warning("connect attempt %d/%d failed: %s", attempt + 1, self.max_retries, exc)
+                if self._mail is not None:
+                    await self._discard_mail(self._mail)
                     self._mail = None
                 await asyncio.sleep(2 * (attempt + 1))
         return False
 
+    @staticmethod
+    async def _discard_mail(mail) -> None:
+        """tear down a half-built IMAP4 without leaking its connect task
+
+        aioimaplib's IMAP4 schedules `create_connection` as a fire-and-forget task it
+        never retrieves; on a refused connection that task raises and asyncio logs a
+        noisy "Task exception was never retrieved" traceback. cancel/await it here (and
+        retrieve its exception) before discarding, so a failed connect stays quiet.
+        """
+        task = getattr(mail, "_client_task", None)
+        if task is not None and not task.done():
+            task.cancel()
+        if task is not None:
+            try:
+                await task
+            except (asyncio.CancelledError, Exception):
+                pass
+        try:
+            await mail.logout()
+        except Exception as teardown:
+            log.debug("logout error ignored during failed connect: %s", teardown)
+
     async def close(self) -> None:
         """log out and drop the connection, swallowing teardown errors"""
         if self._mail is not None:
@@ -90,14 +131,6 @@ class IMAPClient:
         except Exception:
             return await self.connect()
 
-    def is_throttled(self) -> bool:
-        """best-effort detection of a provider throttling response"""
-        return bool(
-            self._mail is not None
-            and getattr(self._mail, "resp", None)
-            and "THROTTLED" in str(self._mail.resp)
-        )
-
     async def get_folders(self) -> List[str]:
         """list mailbox folder names"""
         if not await self.ensure_connection():
@@ -110,7 +143,7 @@ class IMAPClient:
         folders: List[str] = []
         for folder in folder_list or []:
             try:
-                folders.append(folder.decode().split(' "/" ')[-1].strip('"'))
+                folders.append(_folder_name(folder))
             except Exception:
                 continue
         return folders
@@ -138,7 +171,14 @@ class IMAPClient:
             return []
         if result != "OK" or not data or not data[0]:
             return []
-        ids = [int(x) for x in data[0].split()]
+        ids = []
+        for token in data[0].split():
+            try:
+                ids.append(int(token))
+            except (TypeError, ValueError):
+                # tolerate a malformed/non-numeric token in the SEARCH response
+                # instead of crashing the whole search
+                log.debug("skipping non-numeric search token: %r", token)
         return sorted(set(ids), reverse=True)
 
     async def fetch(self, email_id: int, *, icloud: bool = False) -> Optional[email.message.Message]:
@@ -157,8 +197,14 @@ class IMAPClient:
         if result != "OK" or not data:
             return None
         for item in data:
-            if isinstance(item, (bytes, bytearray)) and len(item) > 20:
+            # aioimaplib stores the literal message payload as the only bytearray in
+            # the response; every other line (including the `<id> FETCH (...` header)
+            # is plain bytes. select by structure, not length — a length heuristic
+            # mismatches the header line for any 2+ digit id or a BODY[]/UID fetch.
+            if isinstance(item, bytearray):
                 return email.message_from_bytes(bytes(item))
+            # cross-version fallback: aioimaplib 2.0.x never yields tuples here, but an
+            # imaplib-style (header, payload) tuple is handled if a future/alt driver does
             if isinstance(item, tuple) and len(item) > 1:
                 return email.message_from_bytes(item[1])
         return None

src/aiomail/extract.py

@@ -76,7 +76,7 @@ def _scan(text: str, patterns: list[Pattern], lengths: set[int]) -> Optional[str
             return m.group(1) if m.groups() else m.group(0)
     for token in re.split(r"\s+", text):
         digits = "".join(c for c in token if c.isdigit())
-        if digits and len(digits) in lengths and digits.isdigit():
+        if digits and len(digits) in lengths:
             return digits
     return None
 
@@ -121,6 +121,8 @@ def as_predicate(spec: MatchSpec) -> Callable[[Optional[str]], bool]:
     if isinstance(spec, re.Pattern):
         return lambda value: bool(spec.search(value or ""))
     if callable(spec):
-        return spec
+        # coalesce None like the string/regex branches so the documented Optional[str]
+        # predicate contract holds even if a caller's callable assumes a real string
+        return lambda value: bool(spec(value or ""))
     needle = str(spec).lower()
     return lambda value: needle in (value or "").lower()

src/aiomail/oauth.py

@@ -6,6 +6,7 @@ without aiohttp raises a clear error only when a provider is instantiated.
 
 credentials (client_id, refresh_token) are always supplied by the caller.
 """
+import asyncio
 import logging
 import time
 from typing import Optional, Sequence
@@ -75,18 +76,21 @@ class _RefreshTokenProvider:
                     async with aiohttp.ClientSession(timeout=timeout) as session:
                         async with session.post(endpoint, data=data) as resp:
                             if resp.status == 200:
-                                token = (await resp.json()).get("access_token")
+                                # content_type=None: some token endpoints return a 200 with
+                                # text/plain or text/javascript; default json() would raise
+                                # ContentTypeError and discard a valid token body
+                                token = (await resp.json(content_type=None)).get("access_token")
                                 if token:
                                     self._failures = 0
                                     return token
                             else:
-                                body = await resp.text()
+                                # log a truncated error body only — a token-endpoint
+                                # response can carry sensitive material; never dump it whole
+                                body = (await resp.text())[:200]
                                 log.warning("token endpoint %s -> %s: %s", endpoint, resp.status, body)
                 except Exception as exc:
                     log.warning("token request to %s failed: %s", endpoint, exc)
             if attempt < self.max_retries - 1:
-                import asyncio
-
                 await asyncio.sleep(2 ** attempt)
 
         self._failures += 1

src/aiomail/retrieve.py

@@ -20,16 +20,18 @@ log = logging.getLogger(__name__)
 DEFAULT_FOLDERS: Sequence[str] = ("INBOX", "Junk", "Spam", "Archive", "All Mail")
 
 
-def _server_query(sender: MatchSpec, subject: MatchSpec) -> str:
+def _server_query(sender: MatchSpec, subject: MatchSpec, match_field: str = "from") -> str:
     """build a narrowing IMAP query from plain-string specs only
 
-    only plain strings translate to server-side FROM/SUBJECT filters; regex and
+    only plain strings translate to server-side filters; regex and callable specs
-    callable specs fall back to ALL and are filtered client-side, so dynamic
+    fall back to ALL and are filtered client-side, so dynamic matching always works
-    matching always works even when the server cannot express it.
+    even when the server cannot express it. `match_field` selects which header the
+    `sender` spec searches: "from" filters by the sender address (default), "to"
+    filters by the recipient address (the per-user alias the code was sent to).
     """
     parts: List[str] = []
     if isinstance(sender, str):
-        parts.append(f'FROM "{sender}"')
+        parts.append(f'TO "{sender}"' if match_field == "to" else f'FROM "{sender}"')
     if isinstance(subject, str):
         parts.append(f'SUBJECT "{subject}"')
     return f"({' '.join(parts)})" if parts else "ALL"
@@ -52,6 +54,7 @@ async def retrieve_otp(
     *,
     sender: MatchSpec = None,
     subject: MatchSpec = None,
+    match_field: str = "from",
     folders: Optional[Iterable[str]] = None,
     patterns: Sequence[Union[str, Pattern]] = DEFAULT_PATTERNS,
     lengths: Iterable[int] = DEFAULT_LENGTHS,
@@ -64,14 +67,18 @@ async def retrieve_otp(
 ) -> Optional[str]:
     """return the newest OTP matching the filters, or None
 
-    sender/subject accept a substring, a compiled regex, or a callable. folders,
+    sender/subject accept a substring, a compiled regex, or a callable. `match_field`
-    patterns, code lengths, max age and retry behavior are all tunable. set
+    selects which header the `sender` spec is matched against: "from" (default)
-    `max_age=None` to disable the freshness check.
+    matches the sender address; "to" matches the recipient address (the per-user
+    alias the code was sent to) and additionally accepts a forwarded match on the
+    From header, so a forwarded code still resolves. folders, patterns, code lengths,
+    max age and retry behavior are all tunable. set `max_age=None` to disable the
+    freshness check.
     """
     folders = list(folders) if folders is not None else list(DEFAULT_FOLDERS)
     sender_ok = as_predicate(sender)
     subject_ok = as_predicate(subject)
-    query = _server_query(sender, subject)
+    query = _server_query(sender, subject, match_field)
 
     for attempt in range(retries + 1):
         for folder in folders:
@@ -91,7 +98,12 @@ async def retrieve_otp(
 
                 from_hdr = message.get("From", "")
                 subj_hdr = message.get("Subject", "")
-                if not sender_ok(from_hdr) or not subject_ok(subj_hdr):
+                if match_field == "to":
+                    to_hdr = message.get("To", "")
+                    matched = sender_ok(to_hdr) or sender_ok(from_hdr)
+                else:
+                    matched = sender_ok(from_hdr)
+                if not matched or not subject_ok(subj_hdr):
                     continue
 
                 code = extract_code(message, patterns=patterns, lengths=lengths)