Advisories for Npm/@Agenticmail/Api package

A low-privileged authenticated AgenticMail agent can enumerate another agent's pending/claimed tasks by supplying the target agent name to GET /api/agenticmail/tasks/pending?assignee=<name>. The returned task objects include the task IDs and payloads. The same task IDs can then be used with the capability-style task mutation endpoints (/tasks/:id/claim, /tasks/:id/result, /tasks/:id/complete, /tasks/:id/fail) to claim, complete, or fail tasks assigned to a different agent. Because ordinary authenticated agents can discover agent names through GET /api/agenticmail/accounts/directory, …

The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL; blocking direct storage metadata access through raw SQL; fail-closed outbound worker secret handling; SMTP envelope/header control-character validation before command construction; and TLS certificate verification as the default for MailSender with an …