feat: Dead Drop / Mailbox auto-responder (async per-source message store)

[TheWISPRer]

Summary

Adds a Dead Drop / Mailbox feature — an asynchronous, per-source message store ("mesh voicemail"). A node DMs the connected radio msg <name> <text>; MeshMonitor holds the message until the named recipient retrieves it with inbox / inbox play. The recipient need not be online when the message is sent.

It's implemented as a fifth auto-responder responseType: 'mailbox', so it reuses the existing auto-responder machinery (DM gating, per-node cooldown, parameter extraction, message chunking, per-source scoping) rather than reinventing it. Configuration is entirely through the existing Auto Responder UI — no scripts required.

Commands (DM-only)

Command	Description
msg <name> <text>	Store a message for <name> (short name, long name, or !nodeid)
inbox	Show count + which senders are waiting
inbox play	Release up to 5 oldest messages (header + body per message)
inbox play <name>	Release only messages from one sender
inbox delete <id>	Delete one message by its 4-char id
inbox clear	Delete already-played messages

How it fits the architecture

• Schema src/db/schema/deadDrop.ts — dead_drop_messages, all three backends (SQLite/PostgreSQL/MySQL), per-sourceId.
• Migration src/server/migrations/094_create_dead_drop.ts (registered in src/db/migrations.ts; migrate-db TABLE_ORDER/SOURCE_SCOPED_TABLES updated).
• Repository src/db/repositories/deadDrop.ts (Drizzle only) → databaseService.deadDrop.
• Service src/server/services/deadDropService.ts — command parser/executor (repo injected for testability).
• Integration src/server/meshtasticManager.ts — responseType === 'mailbox' dispatch branch.
• Settings validation src/server/routes/settingsRoutes.ts — accepts the mailbox type (no response field required).
• UI — "Mailbox" option in the Auto Responder editor (auto-responder/types.ts, TriggerItem.tsx, AutoResponderSection.tsx).

Design notes:

• Recipient matching is by name as typed, resolved against the requesting node's identity forms (short/long name, !hex, node number) at retrieval — the DM sender context proves identity, avoiding a fragile store-time node lookup.
• Per-source: each connected radio keeps its own mailbox.
• Metadata and body are separate messages, so a near-200-byte body is never truncated by the header line.
• Limits: 180-byte body, 5 per inbox play, 20 pending per recipient/sender, 7-day expiry.
• Commands are the canonical msg / inbox verbs (DM-only).

Testing

• Unit/integration: repository (per-source isolation, caps, expiry filtering), service (every command + edge cases), settings-save validation, migration registry, and migrate-db table-list sync. Full npm run test:run passes with 0 failures.
• Live over-the-air: validated end-to-end on real Meshtastic hardware across three nodes — store → inbox → inbox play (header + body delivery) → inbox clear — with the dead_drop_messages rows confirmed (created → played → deleted) at each step.

Docs

• docs/features/automation.md — new Mailbox (Dead Drop) section.
• docs/internal/dev-notes/DEAD_DROP_TESTING.md — architecture + testing brief.

[Yeraze]

I'm curious, why did you implement this directly in-tree and not as a plugin/script ?

[Yeraze]

Automated code review (high-effort, 8 finder angles + verification). Ranked most→least severe. 🔴 #1 (message loss) and #2 (unbounded dead_drop_messages growth) I'd treat as blockers; 🟠 #3–#5 are functional bugs; 🟡 #6–#8 hardening; 🟢 #9–#10 altitude/cleanup. Per-source scoping, the migration recipe (count + last-name), the raw-SQL ban, and settings-key registration all check out — no convention violations. Nice tests.

[Yeraze]

🟢 5th near-duplicate response branch (cleanup/altitude).

The enqueue loop + verifyResponse ? 3 : 1 + cooldown-set + start/duration logging are copy-pasted from the http/script/traceroute/text branches. Five copies must be kept in sync. Consider extracting a shared enqueueAutoResponderReplies(lines, message, packetId, trigger, triggerIdx) helper.

Minor: mailboxTarget re-inlines !hex formatting without the >>> 0 unsigned coerce that deadDropService.nodeIdHex uses (cosmetic — log-only here).

[TheWISPRer]

I believe that the enqueue loop + verifyResponse ? 3 : 1 + cooldown-set + start/duration logging would be out-of-scope for this PR as it is effectively a 5-branch refactor. I am more than happy to help address this, but I believe that this should be split into a separate pathway as this is an overarching system optimization (scope creep on this PR)

[TheWISPRer]

@Yeraze Fair question. Honestly, the script path is reasonable. The first version I built of this was a Python script on the existing responseType: script hook.

I moved it in-tree for a few things scripts can't really cover:

• It's real per-source data. Held messages live in dead_drop_messages alongside everything else. Per-source scoped, through the same Drizzle layer (SQLite/Postgres/MySQL), and included in system backup/restore. A script can only write a sidecar SQLite file under /data, which isn't in backups and is SQLite-only. I hit this with the prototype - the held messages weren't part of any backup.
• No per-message subprocess. inbox/msg can be hit often; the script hook spawns an interpreter per matching DM. In-tree it's a direct call (~10ms in practice).
• Configured in the existing Auto Responder UI as a response type, with validation: No script files/interpreters to manage.

That said, if you'd rather keep core lean, I'm glad to repackage it as a maintained script/companion instead. Is there a plugin architecture you have in mind beyond the script responseType? Happy to go whichever way you prefer before I work through the review items.

[TheWISPRer]

I did consider building this as a UI module/tile (the way the Solar Monitoring report is a card under Analysis & Reports) so there'd be a browser-based way to read your mailbox (out-of-band from receiving it over Meshtastic itself). But since a mailbox isn't really an analytics or reports feature, I figured tying message handling into the existing Auto Responder was a good first step.

I do still plan some version of a recipient-facing mailbox UI as a companion, but as a later/bolt-on release — partly because of the access model and privacy side of it. Recipients are often node operators who don't have a MeshMonitor login, so a browser view would need an out-of-band way to authenticate: e.g. prove you control your node by entering a one-time code DM'd to it on the mesh, which mints a scoped, mailbox-only session (or lets you set up a trusted login just for the mailbox). That's enough design surface on its own that I deliberately kept it out of this PR.

[TheWISPRer]

Thanks for the detailed review — pushed fixes for all 10 (fe3177c), and rebased onto 4.11 along the way (only collision was the migration number, renumbered 092 → 093).

• 🔴 "Claude PR Assistant workflow" #1 message loss — handleCommand now returns { responses, playOnDelivery }; messages are marked played from the body line's delivery-success callback, so a dropped DM leaves the message pending instead of lost.
• 🔴 feat: traceroute highlighting and UI improvements #2 unbounded growth — purgeExpired wired into databaseMaintenanceService (runs with the daily retention sweep).
• 🟠 "Update Claude PR Assistant workflow" #3 cap bypass — per-recipient cap resolves the typed name → node and counts across all its identity forms, matching the set retrieval pools.
• 🟠 feat: traceroute request tracking and auth documentation #4 cooldown — mailbox bypasses the per-node cooldown entirely (interactive flow).
• 🟠 feat: add telemetry graphs, node sorting, and fix duplication #5 sender filter — inbox play <sender> now matches the !hex/node-num hint forms too.
• 🟡 feat: telemetry parsing, direct messages, danger zone, and UX improvements #6 non-DM — returns [] (true no-op, no unsolicited DM).
• 🟡 feat: Messages UI redesign, telemetry fixes, and emoji support #7 enumeration — inbox delete returns the same response for not-yours vs non-existent ids.
• 🟡 feat: enhance device info display and Messages UI improvements #8 try/catch — mailbox dispatch wrapped like the script branch.
• 🟢 feat: Add GitHub Container Registry publishing and pre-built images #9 prefix parser — removed the command-prefix tolerance; canonical msg/inbox only (also drops the reply-hint caveat).
• 🟢 fix: Change Docker publishing to trigger only on GitHub Releases #10 — used the shared nodeIdHex (with the unsigned coerce) for the log target. On the helper: the mailbox branch now threads per-line delivery callbacks for "Claude PR Assistant workflow" #1 so it's no longer a pure copy — I left the shared enqueueAutoResponderReplies refactor across the http/script/traceroute/text branches out of this PR, happy to do it as a follow-up.

Replying inline on the threads too.

[Yeraze]

Re-review of the latest commit (fe3177cf) — all 10 findings resolved ✅

I re-reviewed against the actual code at HEAD (not just the commit message). The prior blockers and functional bugs are genuinely fixed, CI is green.

Blockers — fixed

• "Claude PR Assistant workflow" #1 Message loss (played-state committed before delivery). handleCommand now returns { responses, playOnDelivery }; the manager maps each body line's index → messageId and calls markDelivered(...) from the delivery-success callback (meshtasticManager.ts mailbox branch), not at build time. A dropped body DM now leaves the message pending.
• feat: traceroute highlighting and UI improvements #2 Unbounded growth (purgeExpired had no caller). Now invoked in the scheduled databaseMaintenanceService routine (alongside the neighbor/waypoint sweeps + VACUUM), returning a deleted count for logging.

Functional bugs — fixed

• "Update Claude PR Assistant workflow" #3 Cap bypass via identity forms. Store-time cap now counts inArray(recipientName, recipientForms) via the injected node resolver — the same identity set retrieval pools by.
• feat: traceroute request tracking and auth documentation #4 Cooldown swallows interactive flow. cooldownSeconds = responseType === 'mailbox' ? 0 : … — gate skipped, none set in the branch.
• feat: add telemetry graphs, node sorting, and fix duplication #5 inbox play <sender> hint. Filter now matches every identity form (incl. !hex/node-num).

Hardening — fixed

• feat: telemetry parsing, direct messages, danger zone, and UX improvements #6 non-DM returns []; feat: Messages UI redesign, telemetry fixes, and emoji support #7 inbox delete returns identical "not found" for nonexistent vs not-yours (no enumeration); feat: enhance device info display and Messages UI improvements #8 mailbox dispatch wrapped in try/catch like the script branch.

Altitude

• feat: Add GitHub Container Registry publishing and pre-built images #9 prefix tolerance removed → canonical msg/inbox only (in-repo docs updated).
• fix: Change Docker publishing to trigger only on GitHub Releases #10 the 5-branch enqueue refactor — agreed it's out of scope for this PR; it's a cross-cutting cleanup of pre-existing copy-paste, fine as a follow-up. The minor nodeIdHex unsigned-coerce part was addressed.

Residual minor items (non-blocking, follow-ups)

1. This PR description is stale — it still advertises the "Optional command-keyword prefix (betamsg/betainbox)" feature that fe3177cf removed. The in-repo docs are correct; the description should be trimmed to "canonical msg/inbox only."
2. Reliability when Verify response is off — played-state now hinges on the delivery callback, and maxAttempts = verifyResponse ? 3 : 1, so a single-attempt unacked send could mark a voicemail played on transmit. A one-line doc rec to enable Verify response on the mailbox trigger would harden this. (Same semantics as the other auto-responder branches, so low priority.)
3. purgeExpired does count-then-delete (two scans) — cosmetic; could return the delete rowCount directly.

⚠️ Merge blocker — migration number collision (needs rebase)

The branch is currently conflicting with main. Since this PR was opened, main merged 093_autoack_matrix.ts, so this PR's 093_create_dead_drop.ts now collides on the migration number. The conflicts are in src/db/migrations.ts and src/db/migrations.test.ts (both register #93 and assert the count + last-migration name).

To resolve:

1. Rebase on the latest main.
2. Renumber the migration 093_create_dead_drop.ts → 094_create_dead_drop.ts (file, registry.register({ number: 94, … }), and the 093→094 reference in this PR's body/docs).
3. Update src/db/migrations.test.ts to the new count (94) and last-migration name (094_create_dead_drop).
4. Re-confirm migrate-db TABLE_ORDER / SOURCE_SCOPED_TABLES still include dead_drop_messages.

Verdict

The feature itself is well-structured and convention-respecting (per-source scoping, three-backend schema, raw-SQL ban honored, good tests), and all 10 review findings are resolved. Approving on substance — just needs the rebase + migration renumber above before it can merge. Items 1–3 are optional follow-ups.

— Automated re-review (Claude Opus 4.8)

[TheWISPRer]

Thanks for the thorough re-review — all addressed. Pushed fde45d2 (rebased onto main @ 57854ea, v4.11.2).

Merge blocker — migration collision ✅

Rebased onto latest main and renumbered to avoid the 093_autoack_matrix collision:

• 093_create_dead_drop.ts → 094_create_dead_drop.ts (file + runMigration094Postgres/Mysql + Migration 094 label).
• src/db/migrations.ts: keeps main's feat: improve map visualization and traceroute scheduling #93 autoack_matrix, registers dead-drop as a separate [FEAT] Improve display of hops without traceroute in MeshMonitor #94 block (settingsKey: migration_094_create_dead_drop).
• src/db/migrations.test.ts: count → 94, last migration create_dead_drop @ [FEAT] Improve display of hops without traceroute in MeshMonitor #94, sequential 1 to 94.
• Re-confirmed migrate-db TABLE_ORDER + SOURCE_SCOPED_TABLES still include dead_drop_messages.

build:server clean; the dead-drop + migration + settings suites pass (105/105). PR now shows MERGEABLE.

Residual follow-ups

1. Stale PR description ✅ — trimmed. Dropped the betamsg/betainbox prefix bullet and the "prefix tolerance" test note; the migration ref now reads 094; added a line noting commands are the canonical msg/inbox verbs.
2. Verify-response reliability ✅ — added a doc rec on the Mailbox trigger to enable Verify response (default on), since played-state hinges on the delivery callback and maxAttempts = verifyResponse ? 3 : 1. With it on, an undelivered body resurfaces on the next inbox play.
3. purgeExpired count-then-delete — left as-is intentionally. Drizzle's delete result shape differs across the three backends (changes / rowCount / affectedRows), so the count-then-delete keeps the returned number portable without a per-backend branch. Happy to switch to a direct rowCount if you'd prefer — it's cosmetic and N is tiny (expired rows only).

#10 (the 5th enqueue branch) remains the open follow-up as agreed.