All work

Mailbridge for Apple Mail

A local-first MCP server and plugin that lets trusted AI hosts work with accounts already configured in Apple Mail—without handing a hosted connector an email password.

Local integration, explicit authority

Mailbridge lets Codex, Claude Code and other trusted MCP hosts work with accounts already configured in Apple Mail. It searches and reads mail, manages message state, creates drafts and supports tightly controlled attachment-free sending without requiring provider passwords, OAuth tokens or a hosted relay.

The project is distributed through the PMTechDev plugin marketplace, a monorepo containing the Mailbridge plugin, reusable MCP safety primitives, validated packaging and a scaffold for future local-first integrations.

Security is part of the product

Email is both sensitive data and an untrusted input surface, so authority is deliberately visible:

The bridge supports two installation modes: a direct MCP registration with conservative defaults, and a bundled plugin whose prompted workflow can request narrowly reviewed write actions.

  • Direct MCP registrations start read-only.
  • Bundled plugins use prompted mode and show the exact sender, recipients, subject and body before a send.
  • Account allowlists provide an additional boundary for reviewed direct registrations.
  • Inputs, searches, bodies, attachments, subprocesses, queues and responses are bounded.
  • Opaque identifiers keep clients from constructing arbitrary Mail queries or automation commands.

Mailbridge does not read Mail’s private database, request Full Disk Access, run a remote service or include telemetry. It also documents the remaining trust boundary clearly: a connected host and its model provider may receive message content selected by the user.

A narrow surface by design

Permanent deletion, mailbox administration, rule changes, credential access, arbitrary scripting, background monitoring, bulk sending and attachment sending are outside the tool surface. This is not an inbox automation free-for-all; it is a constrained bridge with auditable capabilities.

Release integrity

Published packages include SHA-256 checksums, a CycloneDX SBOM and signed GitHub provenance attestations. CI covers strict typing, linting, deterministic fake-backed tests, package validation and MCP initialisation without touching a live mailbox.

What this demonstrates

Mailbridge combines product engineering, protocol design, macOS integration and practical security. The central design decision is not how many actions an agent can perform. It is how clearly the system limits authority, reports incomplete or failed operations and keeps consequential actions under human control.

Tell me what you’re building.

Share the useful context. I’ll read it personally and reply if I can help.