From d06e11197ae9a2917bb54159af9d596a4f8be341 Mon Sep 17 00:00:00 2001
From: mikael-lovqvists-claude-agent
Date: Tue, 17 Mar 2026 23:00:40 +0000
Subject: [PATCH] Support wildcard topic in mail permissions topic: null in a permission entry now matches any topic, allowing broad grants without specifying a specific topic. set-mail-permission topic param is now optional; omitting it stores null (wildcard).
Co-Authored-By: Claude Sonnet 4.6
---
 README.md | 2 +-
 server/actions.mjs | 4 ++--
 server/mail_perms.mjs | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 243c49d..eadc9e7 100644
--- a/README.md
+++ b/README.md
@@ -145,7 +145,7 @@ Built-in actions:
 | `open-browser` | queue | `url` (http/https only) |
 | `open-terminal` | queue | `path` (optional, defaults to workspace) |
 | `send-email` | auto-accept | `to`, `subject`, `body`, `topic` |
-| `set-mail-permission` | auto-accept | `target_user`, `to`, `topic`, `allow` (bool) |
+| `set-mail-permission` | auto-accept | `target_user`, `to`, `allow` (bool), `topic` (optional — omit to match any topic) |
 | `get-mail-permissions` | auto-accept | `target_user` (optional) |

 `send-email` checks that the caller has a mail permission entry matching `(caller, to, topic)` before sending. Permissions are managed via `set-mail-permission`, which requires the caller to have `canApprove` over the target user — so only humans can grant/revoke permissions for agents.
diff --git a/server/actions.mjs b/server/actions.mjs
index 576e34a..f9496f8 100644
--- a/server/actions.mjs
+++ b/server/actions.mjs
@@ -92,11 +92,11 @@ export const actions = {
 params: [
 { name: 'target_user', required: true, type: 'string' },
 { name: 'to', required: true, type: 'string' },
- { name: 'topic', required: true, type: 'string' },
+ { name: 'topic', required: false, type: 'string' },
 { name: 'allow', required: true, type: 'boolean' },
 ],
 policy: 'auto-accept',
- handler: ({ target_user, to, topic, allow }, { caller, users, mail_perm_store }) => {
+ handler: ({ target_user, to, topic = null, allow }, { caller, users, mail_perm_store }) => {
 if (!check_can_approve(users, caller, target_user)) {
 throw new Error(`Not authorized to set mail permissions for '${target_user}'`);
 }
diff --git a/server/mail_perms.mjs b/server/mail_perms.mjs
index bdad27f..627631e 100644
--- a/server/mail_perms.mjs
+++ b/server/mail_perms.mjs
@@ -23,7 +23,7 @@ export function load_mail_perms(file_path) {
 }

 function check(user, to, topic) {
- return allowed.some(e => e.user === user && e.to === to && e.topic === topic);
+ return allowed.some(e => e.user === user && e.to === to && (e.topic === topic || e.topic === null));
 }

 function add(user, to, topic) {
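Review bot: In `server/actions.mjs`, omitting `topic` now silently yields the broadest grant, because the handler default `topic = null` turns a missing field into the wildcard under an `auto-accept` policy. A caller that drops the field by mistake gets an any-topic permission rather than a validation error, so the action fails open where it previously failed closed. Consider keeping `topic` required and accepting an explicit wildcard marker, or at minimum put the semantics next to the param entry: `// topic omitted => stored as null => matches ANY topic for (target_user, to)`. The destructuring default covers only `undefined`; whether an explicit `null` or an empty string passes the `type: 'string'` validation is not visible here. The handler body continues outside the hunk.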
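Review bot: In `server/mail_perms.mjs`, a stored entry with `topic === null` now wins over every per-topic decision in `check`, so revoking one topic for a `(user, to)` pair has no effect while the wildcard entry exists. The diffstat shows only this one line changing in the file, so `add` and the removal path presumably still compare `topic` exactly; it is worth confirming that `allow: false` with a specific topic either clears the wildcard or is rejected with a clear message. I would add a comment above `check`: `// an entry with topic === null is a wildcard and matches any requested topic`. Entries in the permissions file that already carry `"topic": null` become any-topic grants once this ships, so the stored file deserves a one-time review. `check` sits inside `load_mail_perms`, whose body starts and ends outside the hunk.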