Parse forwarded email bodies to extract original recipients (#549)

When users forward emails to addie+prospect@, the actual prospect
recipients are in the email body as quoted headers, not in the
webhook TO/CC fields. This adds a parser to extract them.

- Add forwarded-email-parser.ts utility with detection for Gmail,
  Apple Mail, and Outlook forwarding formats
- Integrate into handleProspectEmail() to merge extracted recipients
- Add 39 unit tests covering parsing, edge cases, and security

Security improvements based on code review:
- Added MAX_BODY_SIZE (1MB) limit to prevent DoS
- Rewrote parseHeaderValue to use iterative approach (avoids ReDoS)
- Fixed unbalanced bracket handling in splitAddresses
- Added tests for XSS-like display names and large recipient lists

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <[email protected]>

Author: bokelley

.changeset/green-bottles-fly.md

@@ -0,0 +1,2 @@
+---
+---

server/src/routes/webhooks.ts

@@ -29,6 +29,11 @@ import {
   handleEmailInvocation,
   type InboundEmailContext,
 } from '../addie/email-handler.js';
+import {
+  parseForwardedEmailHeaders,
+  formatEmailAddress,
+  mergeAddresses,
+} from '../utils/forwarded-email-parser.js';
 
 const logger = createLogger('webhooks');
 
@@ -549,15 +554,41 @@ async function handleProspectEmail(data: ResendInboundPayload['data']): Promise<
   const emailBody = await fetchEmailBody(data.email_id);
 
   // Use original recipients from headers if available, otherwise fall back to webhook data
-  const toAddresses = emailBody?.originalTo?.length ? emailBody.originalTo : data.to;
-  const ccAddresses = emailBody?.originalCc?.length ? emailBody.originalCc : data.cc;
+  let toAddresses = emailBody?.originalTo?.length ? emailBody.originalTo : data.to;
+  let ccAddresses = emailBody?.originalCc?.length ? emailBody.originalCc : data.cc;
+
+  // Check if this is a forwarded email and extract original recipients from the body
+  const forwardedInfo = parseForwardedEmailHeaders(data.subject, emailBody?.text);
+
+  if (forwardedInfo.isForwarded && forwardedInfo.confidence !== 'low') {
+    // Extract additional recipients from the forwarded email headers in the body
+    const forwardedTo = forwardedInfo.originalTo.map(formatEmailAddress);
+    const forwardedCc = forwardedInfo.originalCc.map(formatEmailAddress);
+
+    // Merge with existing addresses, avoiding duplicates
+    toAddresses = mergeAddresses(toAddresses, forwardedTo);
+    ccAddresses = mergeAddresses(ccAddresses || [], forwardedCc);
+
+    logger.info({
+      isForwarded: true,
+      confidence: forwardedInfo.confidence,
+      forwardedToCount: forwardedInfo.originalTo.length,
+      forwardedCcCount: forwardedInfo.originalCc.length,
+      forwardedTo: forwardedInfo.originalTo.map(a => a.email),
+      forwardedCc: forwardedInfo.originalCc.map(a => a.email),
+      originalSubject: forwardedInfo.originalSubject,
+    }, 'Extracted recipients from forwarded email body');
+  }
 
   logger.info({
     webhookTo: data.to,
     webhookCc: data.cc,
     originalTo: emailBody?.originalTo,
     originalCc: emailBody?.originalCc,
+    finalTo: toAddresses,
+    finalCc: ccAddresses,
     usingOriginalRecipients: !!(emailBody?.originalTo?.length || emailBody?.originalCc?.length),
+    isForwarded: forwardedInfo.isForwarded,
   }, 'Resolving email recipients');
 
   // Get all external participants using original recipients