bext-plugin-api 0.2.0

Plugin trait definitions and shared types for bext — the public ABI for plugin authors
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327

//! Mailer capability trait. See `plan/ecosystem/02-capabilities.md`.
//!
//! A `MailerPlugin` sends transactional email. The trait is shaped so
//! that vendor-specific details never leak: `@bext/mailer-smtp`
//! (lettre-backed) and `@bext/mailer-ses` (AWS SES) both satisfy the
//! same surface, and a project can swap between them by editing
//! `bext.config.toml` without touching code.
//!
//! # Design notes
//!
//! - **Pre-rendered bodies.** Callers hand the mailer a fully rendered
//!   `text` and/or `html` body. Templating lives in the future
//!   `Template` capability; the mailer is a transport.
//! - **Opaque message id.** `SendOutcome::id` is a vendor-assigned
//!   string (SMTP `Message-ID`, SES `MessageId`, ...) that callers
//!   treat as an opaque correlation handle. The trait makes no
//!   promises about its structure.
//! - **Batch as a first-class op.** SES natively sends many messages
//!   per API call and the cost difference matters. The default
//!   `send_batch` impl loops over `send` for transports that don't
//!   batch natively.
//! - **Generic error shape.** `MailerError` variants classify
//!   failures in a way both SMTP and API backends can populate. No
//!   `ses_error_code`, no `smtp_reply_code`; backends that want to
//!   surface their own detail pass it in the variant's `String`.

use serde::{Deserialize, Serialize};

/// An RFC 5322 mailbox: an email address plus an optional display
/// name. Both SMTP and SES accept the same shape; neither drives the
/// field layout.
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
pub struct Address {
    /// `local@domain` — MUST be a syntactically valid email address.
    pub email: String,
    /// Optional display name. When present the backend MUST format
    /// the envelope as `"Name" <email@domain>`.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
}

impl Address {
    /// Convenience constructor for an address with no display name.
    pub fn new(email: impl Into<String>) -> Self {
        Self { email: email.into(), name: None }
    }

    /// Convenience constructor for an address with a display name.
    pub fn named(email: impl Into<String>, name: impl Into<String>) -> Self {
        Self { email: email.into(), name: Some(name.into()) }
    }
}

/// A single file attached to an outgoing message.
///
/// Backends that have attachment size limits (SES: 40 MB per message)
/// surface violations via [`MailerError::Rejected`].
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct Attachment {
    /// Filename shown to the recipient (e.g., `invoice.pdf`).
    pub filename: String,
    /// MIME type (e.g., `application/pdf`). Defaults to
    /// `application/octet-stream` if empty.
    pub content_type: String,
    /// Raw attachment bytes. For large attachments, transports are
    /// free to stream from a temp file; the API hands over owned
    /// bytes for simplicity.
    pub bytes: Vec<u8>,
    /// Optional `Content-ID` for inline attachments referenced from
    /// HTML bodies (`<img src="cid:...">`). `None` means a regular
    /// non-inline attachment.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub content_id: Option<String>,
}

/// A message to send. Pre-rendered: callers supply finished bodies.
///
/// At least one of `text` or `html` MUST be `Some` — a backend that
/// receives a message with both bodies empty returns
/// [`MailerError::InvalidMessage`] without attempting a send.
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
pub struct Message {
    /// Sender. Used for both the `From:` header and the SMTP
    /// envelope sender. To separate them (DSN routing, bounce
    /// handling) set `return_path`.
    pub from: Address,

    /// Primary recipients. MUST be non-empty.
    pub to: Vec<Address>,

    /// Carbon-copy recipients. May be empty.
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub cc: Vec<Address>,

    /// Blind carbon-copy recipients. May be empty.
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub bcc: Vec<Address>,

    /// Reply-to addresses. Empty means "use `from`".
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub reply_to: Vec<Address>,

    /// Optional envelope sender (SMTP MAIL FROM / SES Return-Path).
    /// `None` means the backend should reuse `from.email`.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub return_path: Option<String>,

    /// Subject line. UTF-8; backends handle MIME-encoding if needed.
    pub subject: String,

    /// Plain-text body. Either this or `html` (or both) MUST be set.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub text: Option<String>,

    /// HTML body. Either this or `text` (or both) MUST be set.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub html: Option<String>,

    /// File attachments. May be empty.
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub attachments: Vec<Attachment>,

    /// Extra headers. Use for standards-defined headers like
    /// `List-Unsubscribe`, `List-Unsubscribe-Post`,
    /// `In-Reply-To`, `References`. Keys are case-insensitive.
    ///
    /// Backends MAY reject (`MailerError::InvalidMessage`) headers
    /// they explicitly forbid (e.g., `Bcc`, `Date`, `Message-ID`
    /// when they assign them themselves).
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub headers: Vec<(String, String)>,
}

/// Result of a successful send.
///
/// The `id` is an opaque, backend-assigned identifier. Do not parse
/// it; use it only as a correlation handle (logs, webhook matching,
/// idempotency keys).
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct SendOutcome {
    /// Backend-assigned message id.
    pub id: String,
}

/// Why a send failed, classified in a backend-neutral way.
///
/// The inner `String` carries backend-provided detail suitable for
/// logs and error pages. Do not parse it; use the variant for
/// branching.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub enum MailerError {
    /// The message is malformed before the backend even tries to
    /// send: missing recipient, empty body, forbidden header,
    /// attachment too large. The caller MUST NOT retry blindly —
    /// the message needs to change.
    InvalidMessage(String),
    /// The caller is not authorised to send as `from.email` (SES
    /// unverified sender, SMTP AUTH refused for that domain, etc).
    /// Usually a config problem.
    Unauthorized(String),
    /// The backend explicitly rejected the message after accepting
    /// the request: policy reasons, spam filter, recipient on
    /// suppression list. Do not retry.
    Rejected(String),
    /// Transient delivery problem at the transport layer (TCP
    /// reset, DNS failure, 5xx SMTP reply, 5xx API response).
    /// Safe to retry with backoff.
    Transport(String),
    /// The backend asked the caller to slow down (SMTP 421, SES
    /// throttling exception). Retry after a delay.
    RateLimited(String),
    /// Anything the backend couldn't classify. Treat like
    /// `Transport` unless you have reason to believe otherwise.
    Unknown(String),
}

impl MailerError {
    pub fn invalid(message: impl Into<String>) -> Self {
        MailerError::InvalidMessage(message.into())
    }

    pub fn unauthorized(message: impl Into<String>) -> Self {
        MailerError::Unauthorized(message.into())
    }

    pub fn rejected(message: impl Into<String>) -> Self {
        MailerError::Rejected(message.into())
    }

    pub fn transport(message: impl Into<String>) -> Self {
        MailerError::Transport(message.into())
    }

    pub fn rate_limited(message: impl Into<String>) -> Self {
        MailerError::RateLimited(message.into())
    }

    pub fn unknown(message: impl Into<String>) -> Self {
        MailerError::Unknown(message.into())
    }

    /// Borrow the inner detail string, regardless of variant.
    pub fn message(&self) -> &str {
        match self {
            MailerError::InvalidMessage(m)
            | MailerError::Unauthorized(m)
            | MailerError::Rejected(m)
            | MailerError::Transport(m)
            | MailerError::RateLimited(m)
            | MailerError::Unknown(m) => m,
        }
    }
}

impl std::fmt::Display for MailerError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let tag = match self {
            MailerError::InvalidMessage(_) => "invalid-message",
            MailerError::Unauthorized(_) => "unauthorized",
            MailerError::Rejected(_) => "rejected",
            MailerError::Transport(_) => "transport",
            MailerError::RateLimited(_) => "rate-limited",
            MailerError::Unknown(_) => "unknown",
        };
        write!(f, "mailer {}: {}", tag, self.message())
    }
}

impl std::error::Error for MailerError {}

/// Per-message outcome for a batch send: success with an id, or
/// failure with a classified error. The index in the returned vector
/// lines up 1:1 with the index in the input vector, so callers can
/// correlate partial failures.
pub type BatchOutcome = Result<SendOutcome, MailerError>;

/// A plugin that sends transactional email.
///
/// All methods are synchronous and return `Result` values to match
/// the rest of `bext-plugin-api` (WASM guests cannot express async
/// traits today). Async backends bridge by blocking on their own
/// runtime inside the trait body.
///
/// Host functions `mailer.send` and `mailer.send_batch` call through
/// to the currently registered implementation.
pub trait MailerPlugin: Send + Sync {
    /// Unique identifier, e.g. `"smtp"`, `"ses"`.
    fn name(&self) -> &str;

    /// Send a single message. Backends MAY buffer internally but
    /// MUST have handed the message off to the transport before
    /// returning `Ok`.
    fn send(&self, msg: Message) -> Result<SendOutcome, MailerError>;

    /// Send many messages in one call. Default impl loops over
    /// [`send`](MailerPlugin::send); backends that support native
    /// batching (SES `SendBulkEmail`) override this for efficiency.
    ///
    /// Returns one outcome per input message in the same order.
    /// A transport-level failure that aborts the whole batch is
    /// reflected by every entry carrying the same error kind.
    fn send_batch(&self, msgs: Vec<Message>) -> Vec<BatchOutcome> {
        msgs.into_iter().map(|m| self.send(m)).collect()
    }

    /// Optional health check. Default: always healthy. Backends that
    /// maintain a connection pool (SMTP) override this to probe the
    /// pool; API-based backends (SES) usually leave it as-is.
    fn is_healthy(&self) -> bool {
        true
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn address_constructors() {
        let a = Address::new("a@b");
        assert_eq!(a.email, "a@b");
        assert!(a.name.is_none());

        let b = Address::named("a@b", "Alice");
        assert_eq!(b.name.as_deref(), Some("Alice"));
    }

    #[test]
    fn mailer_error_helpers_and_display() {
        let e = MailerError::invalid("no recipient");
        assert!(matches!(e, MailerError::InvalidMessage(_)));
        assert_eq!(e.message(), "no recipient");
        assert!(e.to_string().contains("invalid-message"));
        assert!(e.to_string().contains("no recipient"));

        let t = MailerError::transport("dns fail");
        assert!(matches!(t, MailerError::Transport(_)));
    }

    struct LoopMailer;
    impl MailerPlugin for LoopMailer {
        fn name(&self) -> &str { "loop" }
        fn send(&self, msg: Message) -> Result<SendOutcome, MailerError> {
            if msg.to.is_empty() {
                return Err(MailerError::invalid("no recipient"));
            }
            Ok(SendOutcome { id: format!("loop-{}", msg.to[0].email) })
        }
    }

    #[test]
    fn default_batch_preserves_order_and_errors() {
        let m = LoopMailer;
        let out = m.send_batch(vec![
            Message { to: vec![Address::new("a@b")], ..Default::default() },
            Message { to: vec![], ..Default::default() },
            Message { to: vec![Address::new("c@d")], ..Default::default() },
        ]);
        assert_eq!(out.len(), 3);
        assert_eq!(out[0].as_ref().unwrap().id, "loop-a@b");
        assert!(matches!(
            out[1].as_ref().unwrap_err(),
            MailerError::InvalidMessage(_)
        ));
        assert_eq!(out[2].as_ref().unwrap().id, "loop-c@d");
    }
}